[Snort-users] Snort and creating new classtypes

Roman Danyliw roman at ...438...
Tue Sep 3 06:07:04 EDT 2002


This is the expected (if not necessarily the desired) behavior.  Meta
information about a signature (e.g., classification, priority) is stored in the
database the first time that an event matching this signature is encountered. 
Without an update to the revision number of the signature to denote that
something has changed, the meta information will not be updated despite a manual
update to the configuration file.

ACID should probably provide primitives to manipulate signature classifications.

Roman

On Thu, 29 Aug 2002 10:11:03 -0600, Matthew Wagenknecht
<Matthew.Wagenknecht at ...6755...> wrote :

> In the snort rules, a number of virus rules have misc-activity. I want to
> move all virus signatures to a new classtype called virus. I created a new
> line in classifications.config like the following:
> 
> config classification: virus,Virus Detection,1
> 
> However, when in ACID, it shows up under unclassified. Is there something
> else I need to do or is this an ACID issue?
> 
> 
> 
> ..:: Matt ::..  
> 
> 
> 
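
An added example, not part of the original thread or of Snort/ACID: a small Python helper that moves matching rules from `misc-activity` to the new `virus` classtype and increments `rev` in the same edit, following the reply's point that the stored meta information is only refreshed when the revision number changes. The sample rules, their SIDs, and the "msg starts with Virus" selection filter are constructed assumptions.

```python
import re

# Constructed sample rules (not from the Snort distribution). SIDs are made up
# and the "Virus" msg prefix is an assumed way to select the rules to move.
SAMPLE_RULES = [
    'alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; '
    'content:".scr"; nocase; classtype:misc-activity; sid:1000001; rev:3;)',
    'alert icmp any any -> any any (msg:"ICMP test ping"; '
    'classtype:misc-activity; sid:1000002; rev:1;)',
    'alert tcp any 110 -> any any (msg:"Virus - Possible pif Worm"; '
    'content:".pif"; nocase; classtype:misc-activity; sid:1000003;)',
]

MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
CLASS_RE = re.compile(r'classtype:\s*([\w-]+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')


def reclassify(rule, old="misc-activity", new="virus", msg_prefix="Virus"):
    """Return (rule, status) where status is 'updated', 'skipped' or 'needs-rev'.

    A matching rule gets the new classtype and rev+1 in one step, so the
    classification change is never written without a revision change.
    """
    if rule.lstrip().startswith("#"):          # commented-out rule
        return rule, "skipped"
    msg, cls = MSG_RE.search(rule), CLASS_RE.search(rule)
    if not msg or not cls or cls.group(1) != old:
        return rule, "skipped"
    if not msg.group(1).startswith(msg_prefix):
        return rule, "skipped"
    rev = REV_RE.search(rule)
    if not rev:
        # No explicit rev to increment: leave the rule untouched and flag it
        # so a revision number can be assigned by hand.
        return rule, "needs-rev"
    rule = CLASS_RE.sub(f"classtype:{new};", rule, count=1)
    rule = REV_RE.sub(f"rev:{int(rev.group(1)) + 1};", rule, count=1)
    return rule, "updated"


if __name__ == "__main__":
    for original in SAMPLE_RULES:
        rewritten, status = reclassify(original)
        print(f"[{status}] {rewritten}")
```

The `virus` classtype still has to be declared with the `config classification: virus,Virus Detection,1` line quoted above.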
