[Snort-users] snort classification Question

waldo kitty wkitty42 at ...14940...
Tue Aug 21 22:59:27 EDT 2012


On 8/21/2012 21:47, Joel Esler wrote:
> I'm not going to do that. You need to read the manual for how the rules work and
> then you need to read the references found in the rules themselves. We're not
> going to explain 22,000+ rules. :)
>
> Thanks, but you need to read some documentation.

the key factor is that there is no reference other than the one conf file... 
other than that, any rule writer is free to use any classification the desire 
for their rule... there are times that the MSG of a rule gives more information 
than the classification... especially considering that there are only really 3 
classification numericals used...

>
> --
> Joel Esler
> Sent from my iPad
>
> On Aug 21, 2012, at 9:01 PM, mohamad hosein jafari <smhjafari68 at ...11827...
> <mailto:smhjafari68 at ...11827...>> wrote:
>
>> Yes . But
>> I want reference for my need. Because I think that is too much .
>> Thanks
>>
>> On Aug 22, 2012 2:54 AM, "Joel Esler" <jesler at ...1935...
>> <mailto:jesler at ...1935...>> wrote:
>>
>>     So, to be clear, you want me to explain all the rules to you?
>>
>>
>>     On Aug 21, 2012, at 3:16 PM, mohamad hosein jafari <smhjafari68 at ...11827...
>>     <mailto:smhjafari68 at ...11827...>> wrote:
>>
>>>
>>>         You'd have to look in the rules themselves for what rules use this
>>>         classification. For instance, non-standard-protocol, actually only
>>>         has one rule that uses it.
>>>
>>>         The classifications are assigned by the VRT member who writes the
>>>         rule, and then when it's published it's reviewed to see if that makes
>>>         sense.
>>>
>>>     yes I want the things that you said . But where can I find this? In other
>>>     words where rule writers put their classification's explain on?
>>>     Also I want some explain about ALL snort alerts consist : Type ,
>>>     mechanism , effect And its resource .
>>>
>>>     I have these two question . And I want reference for these. Can you help me?
>>>
>>>     Thanks
>>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!





More information about the Snort-users mailing list