[Snort-users] Bleedingsnort: Classification & Reference URL

Esler, Joel - Contractor joel.esler at ...9426...
Wed Oct 13 06:19:49 EDT 2004

I am assuming you are referring to ACID in this instance? The url thing
is easy..  While Snort added the "url" feature to allow ANY Url to be
used as a reference, ACID wasn't updated to follow suit...

In your acid_conf.php there is a section entitled "Signature

You will see arrays for bugtraq, snort, cve, arachnids... And the like,
however, if you come down to your final line, change the ";" to a ","
then add the following line:

"url"       => array("http://", ""));

Underneath it will make the "url" part look right...

As far as classification goes, you have to compare classification.config
with the classification that is in the rule itself, it will classify the
rule if your rule has the "classtype:" modifier in it.

Joel Esler, GCIA

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Archibald,
B. Jay @ CSW-SLC
Sent: Tuesday, October 12, 2004 3:44 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Bleedingsnort: Classification & Reference URL

I have added signatures from bleedingsnort.com.  I have noticed that all
the alerts are being listed under the "unclassified" classification and
the URL reference links are displayed as "URL" without a link.

Could someone explain what I need to do to add the bleedingsnort
classifications and get the reference links to work.


Jay Archibald

This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give
us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find
out more http://productguide.itmanagersjournal.com/guidepromo.tmpl
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list