[Snort-users] snort classification Question

mohamad hosein jafari smhjafari68 at ...11827...
Wed Aug 22 00:19:20 EDT 2012


thanks

But I read and did the work that you said, and at last I found links
like these:
http://www.aldeid.com/wiki/Snort-alerts
http://www.genome.ist.i.kyoto-u.ac.jp/snsn/130/54/21/dest130.54.21.199-all.html
http://www.snort.org/search/results?limit=25&page=1&q=TCP

And also, first I wanted to write some rules and classify alerts, but they
had overlap and I think that was not complete. So I read the Snort rules to
know why the Snort team created these classtypes. That is the reason I want
to know the Snort classtypes. Also, the alert's name and explanation are not
enough for my request, so I need more explanation for each classtype that is
in this link:
http://manual.snort.org/node31.html#SECTION00444000000000000000

Thanks

On Tue, Aug 21, 2012 at 9:08 PM, Mike Hale <eyeronic.design at ...11827...> wrote:

> Mohamad,
>
> You're asking a really broad question.  The rule alert is fairly
> self-explanatory.
>
> A better way to obtain your answer is to do the following:
>
> - Read the documentation governing Snort rules
> - Understand the documentation governing Snort rules
> - Write some rules yourself and understand what they do
> - Look at the rules you have questions about and, using your newfound
> knowledge, understand what they do.
>
> If you still don't understand what specific rules do, then feel free
> to post a question; you'll likely get an answer.
>
>
> On Tue, Aug 21, 2012 at 8:52 PM, mohamad hosein jafari
> <smhjafari68 at ...11827...> wrote:
> > thanks
> >
> > So don't you have more information than the explanation of alerts?
> > Or do rule writers write more explanation than the alert msg explanation
> > in any reference?
> >
> >
> >
> >
> > On Tue, Aug 21, 2012 at 7:59 PM, waldo kitty <wkitty42 at ...14940...>
> > wrote:
> >>
> >> On 8/21/2012 21:47, Joel Esler wrote:
> >> > I'm not going to do that. You need to read the manual for how the rules
> >> > work and then you need to read the references found in the rules
> >> > themselves. We're not going to explain 22,000+ rules. :)
> >> >
> >> > Thanks, but you need to read some documentation.
> >>
> >> the key factor is that there is no reference other than the one conf
> >> file... other than that, any rule writer is free to use any
> >> classification they desire for their rule... there are times that the
> >> MSG of a rule gives more information than the classification...
> >> especially considering that there are only really 3 classification
> >> numericals used...
> >>
> >> >
> >> > --
> >> > Joel Esler
> >> > Sent from my iPad
> >> >
> >> > On Aug 21, 2012, at 9:01 PM, mohamad hosein jafari
> >> > <smhjafari68 at ...11827...
> >> > <mailto:smhjafari68 at ...11827...>> wrote:
> >> >
> >> >> Yes. But
> >> >> I want a reference for my need, because I think that is too much.
> >> >> Thanks
> >> >>
> >> >> On Aug 22, 2012 2:54 AM, "Joel Esler" <jesler at ...1935...
> >> >> <mailto:jesler at ...1935...>> wrote:
> >> >>
> >> >>     So, to be clear, you want me to explain all the rules to you?
> >> >>
> >> >>
> >> >>     On Aug 21, 2012, at 3:16 PM, mohamad hosein jafari
> >> >> <smhjafari68 at ...11827...
> >> >>     <mailto:smhjafari68 at ...11827...>> wrote:
> >> >>
> >> >>>
> >> >>>         You'd have to look in the rules themselves for what rules use
> >> >>>         this classification. For instance, non-standard-protocol
> >> >>>         actually only has one rule that uses it.
> >> >>>
> >> >>>         The classifications are assigned by the VRT member who writes
> >> >>>         the rule, and then when it's published it's reviewed to see if
> >> >>>         that makes sense.
> >> >>>
> >> >>>     Yes, I want the things that you said. But where can I find this?
> >> >>>     In other words, where do rule writers put their classification's
> >> >>>     explanation? Also I want some explanation about ALL Snort alerts,
> >> >>>     consisting of: type, mechanism, effect and its resource.
> >> >>>
> >> >>>     I have these two questions, and I want references for these. Can
> >> >>>     you help me?
> >> >>>
> >> >>>     Thanks
> >> >>
> >> >
> >> >
> >> >
> >> >
> ------------------------------------------------------------------------------
> >> > Live Security Virtual Conference
> >> > Exclusive live event will cover all the ways today's security and
> >> > threat landscape has changed and how IT managers can respond.
> >> > Discussions
> >> > will include endpoint security, mobile security and the latest in
> >> > malware
> >> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > Snort-users mailing list
> >> > Snort-users at lists.sourceforge.net
> >> > Go to this URL to change user options or unsubscribe:
> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >> > Snort-users list archive:
> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >> >
> >> > Please visit http://blog.snort.org to stay current on all the latest
> >> > Snort news!
> >>
> >
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
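The thread's point that classification.config is the only classtype reference, that its priorities are a handful of small integers, and that rule writers pick classtypes freely, worked through as an added example (not code from the list or from the Snort project): it parses constructed classification.config and rule text, counts rules per classtype and per priority, and flags rules whose classtype the config does not define or that carry no classtype at all. The classtype names and priorities follow the Snort manual's table; the rules, sids and the `dns-anomaly` name are constructed for the example.

```python
import re
from collections import Counter

# Constructed excerpt in classification.config syntax: shortname,description,priority.
# Names and priorities follow the Snort manual's table; the list is abbreviated.
CLASSIFICATION_CONFIG = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-recon,Attempted Information Leak,2
config classification: web-application-attack,Web Application Attack,1
config classification: trojan-activity,A Network Trojan was detected,1
"""

# Constructed local rules (sids in the >= 1000000 local range), not VRT rules.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL web sqli probe"; content:"UNION SELECT"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL web traversal"; content:"../"; classtype:web-application-attack; sid:1000002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL icmp echo sweep"; itype:8; classtype:attempted-recon; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL irc bot checkin"; content:"NICK bot"; classtype:trojan-activity; sid:1000004; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL dns oddity"; classtype:dns-anomaly; sid:1000005; rev:1;)
alert tcp any any -> any 23 (msg:"LOCAL telnet seen"; sid:1000006; rev:1;)
"""

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]*),(\d+)\s*$")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_classifications(text):
    """Map classtype shortname -> (description, priority); comments and blank lines are skipped."""
    matches = (CLASS_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1).strip(): (m.group(2).strip(), int(m.group(3))) for m in matches if m}


def audit_rules(rules_text, classes):
    """Return (rules per classtype, rules per priority, [(sid, classtype)] needing attention)."""
    by_classtype, by_priority, problems = Counter(), Counter(), []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sid_m, ct_m = SID_RE.search(line), CLASSTYPE_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        if not ct_m:  # no classtype: the rule gets no config-derived priority
            problems.append((sid, None))
            continue
        classtype = ct_m.group(1)
        by_classtype[classtype] += 1
        if classtype in classes:
            by_priority[classes[classtype][1]] += 1
        else:  # classtype missing from classification.config: Snort rejects the rule at load
            problems.append((sid, classtype))
    return by_classtype, by_priority, problems
```

Run against a real classification.config and rules directory, the per-classtype counts show the overlap the original poster ran into, and the problem list is what to fix before Snort will load the rule set.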