[Snort-users] classification.config disagrees with manual?

Crow, Owen Owen_Crow at ...2639...
Mon Nov 19 09:15:10 EST 2001


The manual entry for Classtype (2.3.28) shows the default priorities for
different classifications.  The priority is a higher number for more
important classes.  For example a "Successful Administrator Privilege Gain"
has priority 11 while "Not Suspicious Traffic" has a priority of 0.

This seems to disagree with the classification.config found in
snortrules.tar.gz which only has priorities ranging from 1 to 4 where 1 is
the highest priority.  For example, "Successful Administrator Privilege
Gain" is 1 and "A TCP connection was detected" is 4.

Am I missing something in the docs to explain this?  I'm running 1.8.2 but
with the latest rules snapshot and the docs off the web
(http://www.snort.org/docs/writing_rules/).

I plan to eliminate all but the most important rules using a script to
comment out the ones with the wrong priority or class.  If there's a better
way, please let me know.  Monitoring WAN links is pretty noisy with all the
rules on...

Thanks,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.
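The priority-based filtering described above, as an added example that is not part of the original post: it reads the `config classification:` lines of a classification.config (using the snortrules convention where 1 is the highest priority) and comments out every active rule whose classtype is less important than a chosen cut-off. The sample file contents, the cut-off value of 2, the assumption of one rule per line, and the choice to also disable rules with no recognised classtype are constructed assumptions.

```python
import re

# Constructed sample classification.config in the snortrules format:
#   config classification: shortname,description,priority   (1 = highest)
CLASSIFICATION_CONFIG = """\
# comment lines and blanks are ignored
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: web-application-attack,Web Application Attack,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
config classification: tcp-connection,A TCP connection was detected,4
"""

# Constructed sample rules file, one rule per line (the common Snort 1.8 layout)
RULES = """\
alert tcp any any -> any 80 (msg:"WEB-ATTACKS test"; classtype:web-application-attack; sid:9000001;)
alert tcp any any -> any 21 (msg:"FTP probe"; classtype:attempted-recon; sid:9000002;)
alert tcp any any -> any any (msg:"connection"; classtype:tcp-connection; sid:9000003;)
alert tcp any any -> any 22 (msg:"no classtype"; sid:9000004;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")
CLASSTYPE_RE = re.compile(r"classtype:\s*([\w-]+)\s*;")

def parse_classifications(text):
    """Map classtype shortname -> numeric priority (1 is the most important)."""
    prios = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            prios[m.group(1).strip()] = int(m.group(3))
    return prios

def filter_rules(rules_text, prios, max_priority):
    """Return the rules text with every active rule commented out whose classtype
    priority is numerically larger than max_priority (i.e. less important) or
    whose classtype is missing/unknown (assumption: unclassified rules are noise)."""
    out = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)            # keep blanks and already-disabled rules as-is
            continue
        m = CLASSTYPE_RE.search(line)
        prio = prios.get(m.group(1)) if m else None
        out.append(line if prio is not None and prio <= max_priority else "# " + line)
    return "\n".join(out) + "\n"
```

Running `filter_rules(RULES, parse_classifications(CLASSIFICATION_CONFIG), 2)` keeps the priority 1 and 2 rules and disables the tcp-connection and unclassified ones; review the disabled set before deploying, since an unclassified rule may still matter.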