[Snort-users] snort classification Question

mohamad hosein jafari smhjafari68 at ...11827...
Tue Aug 21 23:52:02 EDT 2012


thanks

So don't you have more information than the explanation of alerts?
Or do rule writers write more explanation than alert Msg explanation in any
reference?




On Tue, Aug 21, 2012 at 7:59 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 8/21/2012 21:47, Joel Esler wrote:
> > I'm not going to do that. You need to read the manual for how the rules work and
> > then you need to read the references found in the rules themselves. We're not
> > going to explain 22,000+ rules. :)
> >
> > Thanks, but you need to read some documentation.
>
> the key factor is that there is no reference other than the one conf file...
> other than that, any rule writer is free to use any classification they desire
> for their rule... there are times that the MSG of a rule gives more information
> than the classification... especially considering that there are only really 3
> classification numericals used...
>
> >
> > --
> > Joel Esler
> > Sent from my iPad
> >
> > On Aug 21, 2012, at 9:01 PM, mohamad hosein jafari <smhjafari68 at ...11827...
> > <mailto:smhjafari68 at ...11827...>> wrote:
> >
> >> Yes. But
> >> I want reference for my need. Because I think that is too much.
> >> Thanks
> >>
> >> On Aug 22, 2012 2:54 AM, "Joel Esler" <jesler at ...1935...
> >> <mailto:jesler at ...1935...>> wrote:
> >>
> >>     So, to be clear, you want me to explain all the rules to you?
> >>
> >>
> >>     On Aug 21, 2012, at 3:16 PM, mohamad hosein jafari <smhjafari68 at ...11827...
> >>     <mailto:smhjafari68 at ...11827...>> wrote:
> >>
> >>>
> >>>         You'd have to look in the rules themselves for what rules use this
> >>>         classification. For instance, non-standard-protocol, actually only
> >>>         has one rule that uses it.
> >>>
> >>>         The classifications are assigned by the VRT member who writes the
> >>>         rule, and then when it's published it's reviewed to see if that makes
> >>>         sense.
> >>>
> >>>     Yes, I want the things that you said. But where can I find this? In other
> >>>     words where rule writers put their classification's explain on?
> >>>     Also I want some explain about ALL snort alerts consist: Type,
> >>>     mechanism, effect And its resource.
> >>>
> >>>     I have these two questions. And I want reference for these. Can you help me?
> >>>
> >>>     Thanks
> >>
>
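The replies above say that the only reference for classifications is the one conf file and that you have to look in the rules themselves to see which rules use a classification and what their msg and reference options say. The script below is an added example, not code from the thread participants or the Snort project: it builds that per-classification index, and goes slightly further by skipping disabled rules, honoring an explicit `priority` option and flagging a classtype that the config does not define. The config lines and rules are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, in the line format of Snort's classification.config.
CLASSIFICATION_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: misc-activity,Misc activity,3
"""

# Constructed sample rules; sids, messages and reference URLs are made up.
RULES = """\
alert tcp any any -> $HOME_NET 21 (msg:"EXAMPLE ftp overflow attempt"; content:"SITE"; reference:url,example.com/advisory-1; classtype:attempted-admin; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"EXAMPLE unassigned ip protocol"; ip_proto:>200; classtype:non-standard-protocol; sid:1000002; rev:1;)
# alert icmp any any -> any any (msg:"EXAMPLE disabled rule"; classtype:misc-activity; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"EXAMPLE echo request"; itype:8; classtype:misc-activity; priority:1; sid:1000004; rev:2;)
alert tcp any any -> any 80 (msg:"EXAMPLE misspelled classtype"; classtype:web-attck; sid:1000005; rev:1;)
"""

def load_classifications(text):
    """Return {shortname: (description, priority)} from classification.config text."""
    pat = re.compile(r"^\s*config\s+classification:\s*([^,]+),(.*),\s*(\d+)\s*$")
    return {m.group(1).strip(): (m.group(2).strip(), int(m.group(3)))
            for m in map(pat.match, text.splitlines()) if m}

def option(rule, name):
    """First value of a rule option such as classtype or sid, or None."""
    m = re.search(r"[(;]\s*%s:\s*([^;]+);" % re.escape(name), rule)
    return m.group(1).strip().strip('"') if m else None

def index_rules(rules_text, classes):
    """Group enabled rules by classtype; undefined classtypes land under 'UNKNOWN'."""
    index = defaultdict(list)
    for rule in rules_text.splitlines():
        if not rule.strip() or rule.lstrip().startswith("#"):
            continue  # blank line or disabled (commented-out) rule
        ctype = option(rule, "classtype")
        prio = option(rule, "priority")  # explicit priority overrides the classification's
        prio = int(prio) if prio else classes.get(ctype, (None, None))[1]
        index[ctype if ctype in classes else "UNKNOWN"].append({
            "sid": int(option(rule, "sid")), "msg": option(rule, "msg"), "priority": prio,
            "references": re.findall(r"reference:\s*([^;]+);", rule)})
    return dict(index)

if __name__ == "__main__":
    classes = load_classifications(CLASSIFICATION_CONFIG)
    for ctype, rules in index_rules(RULES, classes).items():
        for r in rules:
            print(ctype, r["sid"], r["priority"], r["msg"], r["references"])
```

To run it against a real installation, replace the two embedded strings with the contents of your own classification.config and rule files.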