[Snort-users] Changing a Classification

Graham, Robert rgraham at ...8016...
Fri Jan 24 08:06:02 EST 2003


I am using Demarc instead of ACID.  I went ahead and recreated the kickass-porn
classification with the same ID as before and then renamed it to just Porn
using SQL.  This seemed to do the trick.

Thanks for your help

-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold at ...8060...]
Sent: Friday, January 24, 2003 9:47 AM
To: Graham, Robert
Subject: Re: [Snort-users] Changing a Classification

I presume that you are referring to the actual snort alerts file?  If so I
can't help you.  If you are referring to the output of ACID then you need
to know that the classifications are stored in the database for each
signature and I don't think they change once you change the classification
in the snort rules.  You can change them with sql however.

On Thu, 23 Jan 2003, Graham, Robert wrote:

> I created a new classification to replace "kickass-porn" with a
> classification of just "Porn".  I gave it a description and priority and
> changed the classtype to Porn in the signatures and restarted snort.  The
> result of this caused some signatures to classify it as "Porn" and some to
> classify it as "kick-Ass Porn".  I double checked the classtype and they
> are all set to "Porn".  I then deleted the "kickass-Porn" classification,
> restarted snort, and now it reports some of the porn alerts as
> classification "-" and others as "Porn".  What am I doing wrong?
> Snort Version: 1.8.6 (Build 105)
> OS: Redhat 7.2
> Demarc Interface
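
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified sqlite3 model of stored signatures that keep their old classification id, what deleting only the class row does, and a merge that repoints them first. It assumes the `sig_class` and `signature` table and column names of the stock Snort database schema (Demarc's tables may differ) and that the "-" display comes from an orphaned class id; all rows are constructed sample data.

```python
import sqlite3

# Assumption: table and column names follow the stock Snort database schema.
SCHEMA = """
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY,
                        sig_class_name TEXT NOT NULL);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL,
                        sig_class_id INTEGER NOT NULL);
"""
# Console-style view: class name per signature, "-" when the id is orphaned.
REPORT = """
SELECT s.sig_name, COALESCE(c.sig_class_name, '-')
FROM signature s LEFT JOIN sig_class c ON c.sig_class_id = s.sig_class_id
ORDER BY s.sig_id
"""

def build_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sig_class VALUES (?, ?)",
                   [(1, "kickass-porn"), (2, "Porn")])
    db.executemany("INSERT INTO signature VALUES (?, ?, ?)",
                   [(10, "sample rule A", 1),   # stored before the rule edit
                    (11, "sample rule B", 2)])  # stored after the rule edit
    return db

def report(db):
    return db.execute(REPORT).fetchall()

def delete_class(db, name):
    """Deleting only the class row leaves its signatures pointing at nothing."""
    with db:
        db.execute("DELETE FROM sig_class WHERE sig_class_name = ?", (name,))

def merge_class(db, old, new):
    """Repoint signatures from class `old` to `new`, then drop `old`, atomically."""
    with db:
        ids = dict(db.execute("SELECT sig_class_name, sig_class_id FROM sig_class"))
        if old not in ids or new not in ids:
            raise ValueError("both classifications must exist before merging")
        db.execute("UPDATE signature SET sig_class_id = ? WHERE sig_class_id = ?",
                   (ids[new], ids[old]))
        db.execute("DELETE FROM sig_class WHERE sig_class_id = ?", (ids[old],))

if __name__ == "__main__":
    db = build_db(); delete_class(db, "kickass-porn"); print(report(db))
    db = build_db(); merge_class(db, "kickass-porn", "Porn"); print(report(db))
```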