[Snort-users] snort classification Question

Mike Hale eyeronic.design at ...11827...
Wed Aug 22 00:25:55 EDT 2012


"but it had overlap and I think that was not complete"
That's okay.  This is how you learn.  :)

Find a specific rule that you have a question about.  I'm sorry to say
that I don't have the requisite skill to explain them to you, but if
you have a specific part of the rule (or a specific attribute) that
you have a question on, I think you'll get a good response.

Joel is an amazing resource to the Snort community, but his time is
limited, which is why you need to get the specifcs.

On Tue, Aug 21, 2012 at 9:19 PM, mohamad hosein jafari
<smhjafari68 at ...11827...> wrote:
> thanks
>
> But I read and did the work that you said and at last I found the links like
> these links :
> http://www.aldeid.com/wiki/Snort-alerts
> http://www.genome.ist.i.kyoto-u.ac.jp/snsn/130/54/21/dest130.54.21.199-all.html
> http://www.snort.org/search/results?limit=25&page=1&q=TCP
>
> And Also first I want to write some rules and classify alerts . but it had
> overlap and I think that was not complete
> So I read snort rules to know why snort team create these classtype . That
> was reson that I want to know snort classtype . also alert's name and
> explanation is not enough for my request . so I need more explain for each
> classtype that is in this link :
> http://manual.snort.org/node31.html#SECTION00444000000000000000
>
> Thanks
>
> On Tue, Aug 21, 2012 at 9:08 PM, Mike Hale <eyeronic.design at ...11827...>
> wrote:
>>
>> Mohamad,
>>
>> You're asking a really broad question.  The rule alert is fairly self
>> explanatory.
>>
>> A better way to obtain your answer is to do the following:
>>
>> - Read the documentation governing Snort rules
>> - Understand the documentation governing Snort rules
>> - Write some rules yourself and understand what they do
>> - Look at the rules you have questions about and, using your newfound
>> knowledge, understand what they do.
>>
>> If you still don't understand what specific rules do, then feel free
>> to post a question; you'll likely get an answer.
>>
>>
>> On Tue, Aug 21, 2012 at 8:52 PM, mohamad hosein jafari
>> <smhjafari68 at ...11827...> wrote:
>> > thanks
>> >
>> > So does'nt you have more information than explanation of alerts ?
>> > Or do rule writers write more explanation than alert Msg explanation in
>> > any
>> > reference?
>> >
>> >
>> >
>> >
>> > On Tue, Aug 21, 2012 at 7:59 PM, waldo kitty <wkitty42 at ...14940...>
>> > wrote:
>> >>
>> >> On 8/21/2012 21:47, Joel Esler wrote:
>> >> > I'm not going to do that. You need to read the manual for how the
>> >> > rules
>> >> > work and
>> >> > then you need to read the references found in the rules themselves.
>> >> > We're not
>> >> > going to explain 22,000+ rules. :)
>> >> >
>> >> > Thanks, but you need to read some documentation.
>> >>
>> >> the key factor is that there is no reference other than the one conf
>> >> file...
>> >> other than that, any rule writer is free to use any classification the
>> >> desire
>> >> for their rule... there are times that the MSG of a rule gives more
>> >> information
>> >> than the classification... especially considering that there are only
>> >> really 3
>> >> classification numericals used...
>> >>
>> >> >
>> >> > --
>> >> > Joel Esler
>> >> > Sent from my iPad
>> >> >
>> >> > On Aug 21, 2012, at 9:01 PM, mohamad hosein jafari
>> >> > <smhjafari68 at ...11827...
>> >> > <mailto:smhjafari68 at ...11827...>> wrote:
>> >> >
>> >> >> Yes . But
>> >> >> I want reference for my need. Because I think that is too much .
>> >> >> Thanks
>> >> >>
>> >> >> On Aug 22, 2012 2:54 AM, "Joel Esler" <jesler at ...1935...
>> >> >> <mailto:jesler at ...1935...>> wrote:
>> >> >>
>> >> >>     So, to be clear, you want me to explain all the rules to you?
>> >> >>
>> >> >>
>> >> >>     On Aug 21, 2012, at 3:16 PM, mohamad hosein jafari
>> >> >> <smhjafari68 at ...11827...
>> >> >>     <mailto:smhjafari68 at ...11827...>> wrote:
>> >> >>
>> >> >>>
>> >> >>>         You'd have to look in the rules themselves for what rules
>> >> >>> use
>> >> >>> this
>> >> >>>         classification. For instance, non-standard-protocol,
>> >> >>> actually
>> >> >>> only
>> >> >>>         has one rule that uses it.
>> >> >>>
>> >> >>>         The classifications are assigned by the VRT member who
>> >> >>> writes
>> >> >>> the
>> >> >>>         rule, and then when it's published it's reviewed to see if
>> >> >>> that makes
>> >> >>>         sense.
>> >> >>>
>> >> >>>     yes I want the things that you said . But where can I find
>> >> >>> this?
>> >> >>> In other
>> >> >>>     words where rule writers put their classification's explain on?
>> >> >>>     Also I want some explain about ALL snort alerts consist : Type
>> >> >>> ,
>> >> >>>     mechanism , effect And its resource .
>> >> >>>
>> >> >>>     I have these two question . And I want reference for these. Can
>> >> >>> you help me?
>> >> >>>
>> >> >>>     Thanks
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > ------------------------------------------------------------------------------
>> >> > Live Security Virtual Conference
>> >> > Exclusive live event will cover all the ways today's security and
>> >> > threat landscape has changed and how IT managers can respond.
>> >> > Discussions
>> >> > will include endpoint security, mobile security and the latest in
>> >> > malware
>> >> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> >> >
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Snort-users mailing list
>> >> > Snort-users at lists.sourceforge.net
>> >> > Go to this URL to change user options or unsubscribe:
>> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> > Snort-users list archive:
>> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >
>> >> > Please visit http://blog.snort.org to stay current on all the latest
>> >> > Snort news!
>> >>
>> >>
>> >>
>> >>
>> >> ------------------------------------------------------------------------------
>> >> Live Security Virtual Conference
>> >> Exclusive live event will cover all the ways today's security and
>> >> threat landscape has changed and how IT managers can respond.
>> >> Discussions
>> >> will include endpoint security, mobile security and the latest in
>> >> malware
>> >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> >> _______________________________________________
>> >> Snort-users mailing list
>> >> Snort-users at lists.sourceforge.net
>> >> Go to this URL to change user options or unsubscribe:
>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> Snort-users list archive:
>> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >>
>> >> Please visit http://blog.snort.org to stay current on all the latest
>> >> Snort
>> >> news!
>> >
>> >
>> >
>> >
>> > ------------------------------------------------------------------------------
>> > Live Security Virtual Conference
>> > Exclusive live event will cover all the ways today's security and
>> > threat landscape has changed and how IT managers can respond.
>> > Discussions
>> > will include endpoint security, mobile security and the latest in
>> > malware
>> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >
>> > Please visit http://blog.snort.org to stay current on all the latest
>> > Snort
>> > news!
>>
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
>



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0




More information about the Snort-users mailing list