[Snort-users] Classification config

Roberto Suarez Soto robe at ...3881...
Wed Oct 31 11:17:02 EST 2001

	(this is quite a long message, due to the files/data included; I'm
sorry if it's not "good etiquette" here to do things like this O:-))

	I'm a bit puzzled for the changes I've seen to the classification
config in the daily ruleset. Now there seem to be new classifications, which I
have nothing against, but the priority looks like not related at all to the
prior classifications; in fact, it looks as in the old classification more
priority was more danger, and in the new classification is completely the
opposite. I'll try to explain myself better:

	The "usual" classification.config had these contents:

config classification: not-suspicious,Not Suspicious Traffic,0
config classification: unknown,Unknown Traffic,1
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,3
config classification: successful-recon-limited,Information Leak,4
config classification: successful-recon-largescale,Large Scale Information Leak,5
config classification: attempted-dos,Attempted Denial of Service,6
config classification: successful-dos,Denial of Service,7
config classification: attempted-user,Attempted User Privilege Gain,8
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
config classification: successful-user,Successful User Privilege Gain,9
config classification: attempted-admin,Attempted Administrator Privilege Gain,10
config classification: successful-admin,Successful Administrator Privilege Gain,11

	And the new classification.config add to the former these new ones:

config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentually vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1

	My puzzling comes when I see that now, a CodeRed v2 access has
priority 1. That's ok with the new classification, but if we look the old one
we see that it's only "unknown traffic", instead of "attempted-user" or
"attempted-admin" (as I think it should be). I usually filter alerts by
priority, beginning in priority 2 or 3; and with the new classifications, I'd
be missing very important stuff.

	So, is there something I'm missing? I've looked at the news section in
snort.org, but nothing is told. Maybe that's the price to pay for being at the
bleeding edge of the ruleset, but I'd like to be at least a little informed of
it :-)

	Sorry if this has been issued in another mail or place O:-) Any "RTFM"
indication pointing to appropiate sources would be gladly appreciated.

Roberto Suarez Soto					Alfa21 Outsourcing
    robe at ...3881...				     http://www.alfa21.com

More information about the Snort-users mailing list