[Snort-users] Changing a Classification
rgraham at ...8016...
Fri Jan 24 08:06:02 EST 2003
I'm using Demarc instead of ACID. I went ahead and recreated the kickass-porn
classification with the same ID as before and then renamed it to just Porn
using sql. This seemed to do the trick.
Thanks for your help
From: Kenneth G. Arnold [mailto:bkarnold at ...8060...]
Sent: Friday, January 24, 2003 9:47 AM
To: Graham, Robert
Subject: Re: [Snort-users] Changing a Classification
I presume that you are referring to the actual snort alerts file? If so I
can't help you. If you are referring to the output of ACID then you need
to know that the classifications are stored in the database for each
signature and I don't think they change once you change the classification
in the snort rules. You can change them with sql however.
On Thu, 23 Jan 2003, Graham, Robert wrote:
> I created a new classification to replace "kickass-porn" with a
> classification of just "Porn". I gave it a description and priority and
> changed the classtype to Porn in the signatures and restarted snort. The
> result of this caused some signatures to classify it as "Porn" and some to
> classify it as "kick-Ass Porn". I double checked the classtype and they
> are all set to "Porn". I then deleted the "kickass-Porn" classification,
> restarted snort, and now it reports some of the porn alerts as
> classification "-" and others as "Porn". What am I doing wrong?
> Snort Version: 1.8.6 (Build 105)
> OS: Redhat 7.2
> Demarc Interface