[Snort-users] Bleedingsnort: Classification & Reference URL
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Wed Oct 13 00:50:33 EDT 2004
--On 12 October 2004 13:44 -0600 "Archibald, B. Jay @ CSW-SLC"
<jay.archibald at ...7650...> wrote:
> I have added signatures from bleedingsnort.com. I have noticed that all
> the alerts are being listed under the "unclassified" classification and
> the URL reference links are displayed as "URL" without a link.
> Could someone explain what I need to do to add the bleedingsnort
> classifications and get the reference links to work?
Only about 40% of the bleedingsnort rules have been classified.
In order to classify the rest, you will need to add 'classtype: xxx;' tags
to each of the unclassified rules. Similarly, to get the references to
work, you will need to research the background to each rule and add a
'reference: reftype,url;' tag. This is a non-trivial amount of work.
Note, however, that you can use oinkmaster to automatically classify rules
for you, based upon, say, the contents of the msg tag:
modifysid * "(msg:\"(BLEEDING.EDGE )*CHAT.*)classtype:([^;]*);(.*)" | "$1
will add 'classtype:chat-protocol;' to all rules that have a message that
begins with an optional 'BLEEDING EDGE' then 'CHAT'. Note that
chat-protocol is a classification type that I use locally; you could do the
same, by adding to classification.config, or you could use one of the
standard classifications listed in that file.
> Jay Archibald
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
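The msg-based classification described above, written as a stand-alone script (added example, not oinkmaster's code or the author's): it applies the same "optional BLEEDING-EDGE, then CHAT" match, also handles rules that carry no classtype tag at all, and refuses a classtype that classification.config does not declare (Snort rejects rules with undeclared classtypes). The rules and config text are constructed samples.

```python
import re

# Constructed sample classification.config content (not the page's file).
CLASSIFICATION_CONFIG = """\
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: chat-protocol,Chat protocol traffic,3
"""

# Constructed sample rules: one already classified, one unclassified CHAT rule,
# and one unrelated rule that must be left untouched.
RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"BLEEDING-EDGE CHAT AIM login"; flow:to_server,established; classtype:policy-violation; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CHAT IRC nick change"; flow:to_server,established; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BLEEDING-EDGE WEB example"; sid:9000003; rev:1;)
"""

# Same idea as the oinkmaster pattern: optional "BLEEDING.EDGE " then "CHAT" at msg start.
MSG_RE = re.compile(r'msg:"(BLEEDING.EDGE )?CHAT')
CLASSTYPE_RE = re.compile(r'classtype:\s*([^;]*);')

def load_classtypes(config_text):
    """Return the set of classtype names declared in classification.config."""
    names = set()
    for line in config_text.splitlines():
        m = re.match(r'config classification:\s*([^,]+),', line)
        if m:
            names.add(m.group(1).strip())
    return names

def classify_rule(rule, classtype, known):
    """Set classtype on a matching rule: replace an existing tag, or insert one before sid:."""
    if classtype not in known:
        raise ValueError(f"classtype {classtype!r} is not declared in classification.config")
    if not MSG_RE.search(rule):
        return rule
    if CLASSTYPE_RE.search(rule):
        return CLASSTYPE_RE.sub(f'classtype:{classtype};', rule, count=1)
    # Unclassified rule: the oinkmaster regex above would not match it, so insert the tag.
    return re.sub(r'(\s*)sid:', rf'\1classtype:{classtype}; sid:', rule, count=1)

def classify_rules(text, classtype, config_text):
    """Apply classify_rule to every non-empty rule line."""
    known = load_classtypes(config_text)
    return [classify_rule(r, classtype, known) for r in text.splitlines() if r.strip()]
```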