[Snort-users] new classifications (followup)
jforster at ...176...
Wed Oct 3 20:28:01 EDT 2001
I alter most of it currently, and I do like the new list.
I must say the 'kickass-porn' was a nice addition to the 'warez-kiddie'
and 'hates-his-job' classifications I already use. ;)
RapidNet, A Golden West Company
On Wed, 3 Oct 2001, Brian wrote:
> Since a large number of people e-mailed me privately, I'll respond to
> the list with our reasonings for the new classifications.
> 1) IDMEF is going to be a standard. However, according to the last
> version I read IIRC, the classification scheme is a SUGGESTION not
> a standard. There is NO standard of classifications. The
> classifications (other than kickass-porn) come from an initial
> round of CIEL (CVE for IDS) classifications that we were kicking
> around at MITRE. It has some flaws, it needs some work, but for
> our uses it's good enough for now.
> 2) With our current system, too many attacks get classified as "probe"
> or "attempted-admin" without a good method of telling the difference
> between two signatures of the same classification. Because we use
> classification as a method of deciding default priorities for
> signatures, our current method requires a huge amount of work for
> an IDS admin to prioritize things by what type of attack they are.
> 3) The classification "kickass-porn" is just a name. The description
> does not have to be the default. BUT many people have asked (and
> dragon has provided) for a method of tracking corporate policy
> based traffic. Activities like job hunting sites, porn, distributed
> file sharing all fall into the 'policy' group of signatures. We
> are slowly going to start providing signatures that look for this
> type of traffic. Be on the lookout for additional classifications
> that deal with other signatures like these.
> Keep in mind, the entire reason I am doing this is to make my life
> easier. I want to be able to configure my signatures with ease. I
> want to be able to raise and lower signature priorities by class
> without a huge effort.
> FYI, the signature development that I do? It's all about me. I need
> it. Since I know that I need it, I'm sure other people do as well.
> Things that bother me, I'm sure it bothers someone else as well.
> So I share the wealth.
> If anyone has any suggestions, let us know. Since this benefits all
> of us, this is something snorters should think about.
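Point 2 of the quoted message describes how Snort derives a signature's default priority from its classtype, and how an admin would rather raise or lower priorities per class than per rule. The following is an added illustration, not code from the thread or from the Snort project: it parses the `config classification: name,description,priority` line format, resolves each rule's effective priority (an explicit `priority:` keyword wins over the classtype default), and applies a per-class override. The classification lines and rules are constructed samples; the priorities are sample values, not Snort's shipped defaults.

```python
import re

# Constructed sample in the classification.config format:
# config classification: <classtype>,<description>,<default priority>
# Priority values here are samples, not Snort's shipped defaults.
CLASSIFICATION_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: kickass-porn,SCORE! Get the lotion!,1
"""

# Constructed sample rules; the third carries an explicit priority keyword.
RULES = """\
alert tcp any any -> any 80 (msg:"WEB sample admin attempt"; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"WEB sample scan"; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"POLICY sample porn"; classtype:kickass-porn; priority:3; sid:1000003; rev:1;)
"""

CLASS_RE = re.compile(r"^config classification:\s*([\w-]+),([^,]*),(\d+)\s*$")


def parse_classifications(text):
    """Return {classtype: default_priority} from classification.config lines."""
    defaults = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            defaults[m.group(1)] = int(m.group(3))
    return defaults


def option(rule, name):
    """Extract the value of a 'name:value;' rule option, or None if absent."""
    m = re.search(r"\b%s:\s*([^;]+);" % re.escape(name), rule)
    return m.group(1).strip() if m else None


def effective_priorities(rules_text, defaults, overrides=None):
    """Map sid -> effective priority (1 is highest in Snort).

    An explicit priority: keyword wins; otherwise the classtype default is used,
    with any per-class override applied; an unknown classtype yields 0.
    """
    overrides = overrides or {}
    result = {}
    for rule in rules_text.splitlines():
        if not rule.startswith("alert"):
            continue
        sid = int(option(rule, "sid"))
        explicit = option(rule, "priority")
        ctype = option(rule, "classtype")
        result[sid] = int(explicit) if explicit is not None else overrides.get(ctype, defaults.get(ctype, 0))
    return result
```

Passing `overrides={"attempted-recon": 1}` bumps every recon rule at once without touching the rule files, which is the per-class adjustment the message asks for.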