[Snort-users] new classifications (followup)

Brian bmc at ...950...
Wed Oct 3 20:13:02 EDT 2001


Since a large number of people e-mailed me privately, I'll respond to
the list with our reasoning for the new classifications.

1) IDMEF is going to be a standard.  However, according to the last
   version I read IIRC, the classification scheme is a SUGGESTION not
   a standard.  There is NO standard of classifications.  The
   classifications (other than kickass-porn) come from an initial
   round of CIEL (CVE for IDS) classifications that we were kicking
   around at MITRE.  It has some flaws, it needs some work, but for
   our uses it's good enough for now.

2) With our current system, too many attacks get classified as "probe"
   or "attempted-admin" without a good method of telling the difference
   between two signatures of the same classification.  Because we use
   classification as a method of deciding default priorities for
   signatures, our current method requires a huge amount of work for
   an IDS admin to prioritize things by what type of attack they are.

3) The classification "kickass-porn" is just a name.  The description
   does not have to be the default.  BUT many people have asked (and
   Dragon has provided) for a method of tracking corporate policy
   based traffic.  Activities like job hunting sites, porn, distributed
   file sharing all fall into the 'policy' group of signatures.  We
   are slowly going to start providing signatures that look for this
   type of traffic.  Be on the lookout for additional classifications
   that deal with other signatures like these.

Keep in mind, the entire reason I am doing this is to make my life
easier.  I want to be able to configure my signatures with ease.  I
want to be able to raise and lower signature priorities by class
without a huge effort.

FYI, the signature development that I do?  It's all about me.  I need
it.  Since I know that I need it, I'm sure other people do as well.
Things that bother me, I'm sure, bother someone else as well.

So I share the wealth.

If anyone has any suggestions, let us know.  Since this benefits all
of us, this is something snorters should think about.

-brian
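Point 2 above describes how a rule's classtype decides its default priority, and the closing paragraphs describe wanting to raise or lower priorities by class. The script below is an added example (not part of this post, and not Snort's own code) that parses constructed classification.config entries and rule lines in Snort's syntax and reports each rule's effective priority, so an admin can see which rules a one-line change to a class's priority would affect. It assumes the Snort 1.x/2.x rule behaviour that a rule-level `priority:` option overrides the classtype default; rules with neither are reported as None rather than guessing a fallback.

```python
import re

# Constructed samples in Snort's classification.config and rules syntax
# (not the real files shipped with Snort; sids are in the local 1000000+ range).
CLASSIFICATION_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"WEB-MISC sample admin attempt"; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"SCAN sample recon"; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"POLICY sample p2p"; classtype:policy-violation; priority:3; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"unclassified rule"; sid:1000004; rev:1;)
"""

# config classification: <short name>,<description>,<priority>
CLASS_RE = re.compile(r"^\s*config classification:\s*([^,]+),([^,]*),(\d+)\s*$")
# option keyword, then a quoted string or a bare value, terminated by ';'
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_classifications(text):
    """Return {classtype short name: default priority} from classification.config lines."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = int(m.group(3))
    return classes


def rule_options(rule):
    """Return the keyword/value pairs inside a rule's parentheses."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return {k: v.strip() for k, v in OPT_RE.findall(body)}


def effective_priority(rule, classes):
    """Rule-level priority overrides the classtype default; None if the rule has neither."""
    opts = rule_options(rule)
    if "priority" in opts:
        return int(opts["priority"])
    return classes.get(opts.get("classtype"))


def priorities_by_sid(rules_text, classes):
    """Map sid -> (classtype, effective priority) for every rule line."""
    result = {}
    for line in rules_text.splitlines():
        if not line.startswith(("alert", "log", "pass")):
            continue  # skip blank lines, comments and anything that is not a rule
        opts = rule_options(line)
        result[int(opts["sid"])] = (opts.get("classtype"), effective_priority(line, classes))
    return result


if __name__ == "__main__":
    classes = parse_classifications(CLASSIFICATION_CONFIG)
    for sid, (ctype, prio) in sorted(priorities_by_sid(SAMPLE_RULES, classes).items()):
        print(f"sid:{sid} classtype={ctype} priority={prio}")
```

Changing the priority on one `config classification:` line re-prioritizes every rule of that class that has no rule-level override, which is the "raise and lower by class" workflow the post asks for.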
