[Snort-users] new classifications (followup)
bmc at ...950...
Wed Oct 3 20:13:02 EDT 2001
Since a large number of people e-mailed me privately, I'll respond to
the list with our reasoning for the new classifications.
1) IDMEF is going to be a standard. However, according to the last
version I read IIRC, the classification scheme is a SUGGESTION not
a standard. There is NO standard of classifications. The
classifications (other than kickass-porn) come from an initial
round of CIEL (CVE for IDS) classifications that we were kicking
around at MITRE. It has some flaws, it needs some work, but for
our uses it's good enough for now.
2) With our current system, too many attacks get classified as "probe"
or "attempted-admin" without a good method of telling the difference
between two signatures of the same classification. Because we use
classification as a method of deciding default priorities for
signatures, our current method requires a huge amount of work for
an IDS admin to prioritize things by what type of attack they are.
3) The classification "kickass-porn" is just a name. The description
does not have to be the default. BUT many people have asked (and
dragon has provided) for a method of tracking corporate policy
based traffic. Activities like job hunting sites, porn, distributed
file sharing all fall into the 'policy' group of signatures. We
are slowly going to start providing signatures that look for this
type of traffic. Be on the lookout for additional classifications
that deal with other signatures like these.
Keep in mind, the entire reason I am doing this is to make my life
easier. I want to be able to configure my signatures with ease. I
want to be able to raise and lower signature priorities by class
without a huge effort.
FYI, the signature development that I do? It's all about me. I need
it. Since I know that I need it, I'm sure other people do as well.
Things that bother me, I'm sure, bother someone else as well.
So I share the wealth.
If anyone has any suggestions, let us know. Since this benefits all
of us, this is something snorters should think about.
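An added example, not from this post or the Snort project: a small Python script that applies the mechanism described in point 2, where a rule's classtype selects a default priority from classification.config unless the rule carries its own priority option, and that lets an admin raise or lower a whole class at once. The classification lines, rule strings and priority values are constructed (descriptions and numbers are assumptions); only the `config classification:` line format and the `classtype`/`priority` rule options are Snort's real syntax.

```python
import re

# Constructed classification.config lines using class names from the post.
# Snort convention: 1 is the highest priority, larger numbers are lower.
CLASSIFICATION_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: probe,Information Gathering,3
config classification: kickass-porn,Corporate Policy: Pornography,1
"""

# Constructed sample rules; msg text and sids are illustrative only.
RULES = """\
alert tcp any any -> any 80 (msg:"WEB admin attempt"; classtype:attempted-admin; sid:1000001;)
alert tcp any any -> any 80 (msg:"WEB policy porn"; classtype:kickass-porn; sid:1000002;)
alert icmp any any -> any any (msg:"ICMP probe"; classtype:probe; priority:4; sid:1000003;)
"""

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]*),(\d+)\s*$")
OPT_RE = re.compile(r"(\w+):\s*([^;]+);")  # one "keyword:value;" rule option


def parse_classifications(text):
    """Map class name -> (description, default priority)."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes


def parse_rules(text):
    """Return one dict per rule with sid, classtype and optional priority."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("alert"):
            continue
        opts = {k: v.strip() for k, v in OPT_RE.findall(line)}
        rules.append({"sid": int(opts["sid"]), "classtype": opts.get("classtype"),
                      "priority": int(opts["priority"]) if "priority" in opts else None})
    return rules


def effective_priority(rule, classes, overrides=None):
    """Rule-level priority wins; otherwise the class default, after any
    per-class override (how an admin re-prioritizes a whole class at once)."""
    if rule["priority"] is not None:
        return rule["priority"]
    cls = rule["classtype"]
    if overrides and cls in overrides:
        return overrides[cls]
    return classes[cls][1]
```

Running `effective_priority` over every parsed rule with an overrides dict such as `{"kickass-porn": 3}` demotes the whole policy class in one step without touching individual rules.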