[Snort-users] Bleedingsnort: Classification & Reference URL

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Oct 13 00:50:33 EDT 2004


--On 12 October 2004 13:44 -0600 "Archibald, B. Jay @ CSW-SLC" 
<jay.archibald at ...7650...> wrote:

> I have added signatures from bleedingsnort.com.  I have noticed that all
> the alerts are being listed under the "unclassified" classification and
> the URL reference links are displayed as "URL" without a link.
>
> Could someone explain what I need to do to add the bleedingsnort
> classifications and get the reference links to work.

Only about 40% of the bleedingsnort rules have been classified.

In order to classify the rest, you will need to add 'classtype: xxx;' tags 
to each of the unclassified rules. Similarly, to get the references to 
work, you will need to research the background to each rule and add a 
'reference: reftype,url;' tag. This is a non-trivial amount of work.

Note, however, that you can use oinkmaster to automatically classify rules 
for you, based upon, say, the contents of the msg tag:

modifysid * "(msg:\"(BLEEDING.EDGE )*CHAT.*)classtype:([^;]*);(.*)" | "$1 classtype:chat-protocol;$4"

will add 'classtype:chat-protocol;' to all rules that have a message that 
begins with an optional 'BLEEDING EDGE' then 'CHAT'. Note that 
chat-protocol is a classification type that I use locally; you could do the 
same, by adding to classification.config, or you could use one of the 
standard classifications listed in that file.

> Thanks,
> Jay Archibald

HTH,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
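The modifysid rewrite above, reproduced in Python as an added example (not code from the post or from oinkmaster itself) so the pattern can be dry-run over a rule file before it goes into oinkmaster.conf. The sample rules and sids are constructed for this example; note that the regex needs an existing classtype tag to replace, so a rule with no classtype at all is left untouched by it.

```python
"""Dry-run of the post's `modifysid *` rewrite over Snort rule lines."""
import re

# The post's pattern, converted from oinkmaster's Perl syntax to Python:
# \" in the Perl string is a literal quote, and $1/$4 become \1/\4.
# Group 1 = from msg:" up to classtype:, group 4 = everything after it.
CHAT_PATTERN = re.compile(r'(msg:"(BLEEDING.EDGE )*CHAT.*)classtype:([^;]*);(.*)')
CHAT_REPLACEMENT = r'\1 classtype:chat-protocol;\4'


def modifysid_all(rules, pattern=CHAT_PATTERN, replacement=CHAT_REPLACEMENT):
    """Apply the substitution to every rule, as `modifysid *` would.

    Returns (rewritten_rules, changed_sids) so the result can be audited.
    """
    rewritten, changed = [], []
    for rule in rules:
        new_rule, n = pattern.subn(replacement, rule, count=1)
        if n:
            m = re.search(r'sid:(\d+);', rule)
            changed.append(m.group(1) if m else None)
        rewritten.append(new_rule)
    return rewritten, changed


def classtype_of(rule):
    """Return the rule's classtype, or None when the tag is absent."""
    m = re.search(r'classtype:([^;]*);', rule)
    return m.group(1) if m else None


# Constructed sample rules (sids and contents made up for this example).
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"BLEEDING-EDGE CHAT IRC JOIN"; '
    'flow:to_server,established; content:"JOIN "; classtype:unknown; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"CHAT AIM login"; '
    'flow:to_server,established; classtype:policy-violation; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BLEEDING-EDGE EXPLOIT sample"; '
    'flow:to_server,established; classtype:attempted-admin; sid:9000003; rev:1;)',
    # No classtype tag: the pattern cannot match, since it anchors on "classtype:".
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"BLEEDING-EDGE CHAT MSN file"; '
    'flow:to_server,established; sid:9000004; rev:1;)',
]

if __name__ == "__main__":
    new_rules, changed = modifysid_all(SAMPLE_RULES)
    for rule in new_rules:
        print(classtype_of(rule), "<-", rule[:60])
    print("changed sids:", changed)
```

Running it shows sids 9000001 and 9000002 reclassified, the EXPLOIT rule untouched, and the classtype-less CHAT rule still unclassified.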