[Snort-users] new classifications (followup)

Jim Forster jforster at ...176...
Wed Oct 3 20:28:01 EDT 2001


I alter most of it currently, and I do like the new list.
I must say the 'kickass-porn' was a nice addition to the 'warez-kiddie'
and 'hates-his-job' classifications I already use.  ;)

Jim Forster
Network Administrator
RapidNet, A Golden West Company
-------------------------------


On Wed, 3 Oct 2001, Brian wrote:

> Since a large number of people e-mailed me privately, I'll respond to
> the list with our reasoning for the new classifications.
> 
> 1) IDMEF is going to be a standard.  However, according to the last
>    version I read IIRC, the classification scheme is a SUGGESTION not
>    a standard.  There is NO standard of classifications.  The
>    classifications (other than kickass-porn) come from an initial 
>    round of CIEL (CVE for IDS) classifications that we were kicking 
>    around at MITRE.  It has some flaws, it needs some work, but for 
>    our uses it's good enough for now.  
> 
> 2) With our current system, too many attacks get classified as "probe" 
>    or "attempted-admin" without a good method of telling the difference 
>    between two signatures of the same classification.  Because we use
>    classification as a method of deciding default priorities for
>    signatures, our current method requires a huge amount of work for
>    an IDS admin to prioritize things by what type of attack they are.
> 
> 3) The classification "kickass-porn" is just a name.  The description
>    does not have to be the default.  BUT many people have asked (and 
>    dragon has provided) for a method of tracking corporate policy
>    based traffic.  Activities like job hunting sites, porn, distributed
>    file sharing all fall into the 'policy' group of signatures.  We
>    are slowly going to start providing signatures that look for this
>    type of traffic.  Be on the lookout for additional classifications
>    that deal with other signatures like these.
> 
> Keep in mind, the entire reason I am doing this is to make my life
> easier.  I want to be able to configure my signatures with ease.  I
> want to be able to raise and lower signature priorities by class
> without a huge effort.
> 
> FYI, the signature development that I do?  It's all about me.  I need
> it.  Since I know that I need it, I'm sure other people do as well. 
> Things that bother me, I'm sure bother someone else as well.
> 
> So I share the wealth.
> 
> If anyone has any suggestions, let us know.  Since this benefits all
> of us, this is something snorters should think about.
> 
> -brian
> 
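An added example, not code from the original thread, to illustrate the mechanism Brian describes in point 2: a classification's priority becomes the default for every rule carrying that classtype, an explicit priority: keyword in a rule overrides it, and an admin can raise or lower a whole class (for instance the 'policy' group from point 3) in one place. The classification.config lines and the rules are constructed samples; treating a rule whose classtype is unknown as priority 3 is an assumption of this example, not documented Snort behaviour.

```python
import re
from typing import Dict, Optional

# Constructed sample in the classification.config syntax Snort reads:
#   config classification: shortname,short description,priority
CLASSIFICATION_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""

# Constructed sample rules (not real signatures); sids are in the local range.
RULES = """\
alert tcp any any -> any 80 (msg:"WEB-MISC sample admin attempt"; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"SCAN sample recon"; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"POLICY sample job-site visit"; classtype:policy-violation; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"POLICY sample with explicit priority"; classtype:policy-violation; priority:4; sid:1000004; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config classification:\s*([^,]+),([^,]*),(\d+)\s*$")
OPT_RE = re.compile(r"(\w+):\s*([^;]+);")   # one "keyword:value;" rule option
UNKNOWN_CLASS_PRIORITY = 3                  # assumption of this example only


def parse_classifications(text: str) -> Dict[str, int]:
    """Map each classtype short name to the default priority it declares."""
    classes: Dict[str, int] = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = int(m.group(3))
    return classes


def rule_priorities(rules: str, classes: Dict[str, int],
                    class_overrides: Optional[Dict[str, int]] = None) -> Dict[int, int]:
    """Return {sid: effective priority} for every rule in the text.

    Precedence: an explicit priority: in the rule, then a per-class override
    supplied by the admin, then the default from classification.config.
    """
    class_overrides = class_overrides or {}
    result: Dict[int, int] = {}
    for line in rules.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = dict(OPT_RE.findall(line[line.index("(") + 1:line.rindex(")")]))
        classtype = opts.get("classtype", "").strip()
        if "priority" in opts:
            result[int(opts["sid"])] = int(opts["priority"])
        else:
            result[int(opts["sid"])] = class_overrides.get(
                classtype, classes.get(classtype, UNKNOWN_CLASS_PRIORITY))
    return result
```

Passing `{"policy-violation": 3}` as `class_overrides` demotes every policy rule at once without touching the rules file, which is the per-class adjustment Brian wants.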