[Snort-users] snort classification Question

beenph beenph at ...11827...
Wed Aug 22 00:29:44 EDT 2012


And if you read a little further down the manual you will find the
following, which should answer part of your question.


<SNIP>
3.4.7 priority
The priority tag assigns a severity level to rules. A classtype rule
assigns a default priority (defined by the config classification
option) that may be overridden with a priority rule. Examples of each
case are given below.


3.4.7.1 Format

    priority:<priority integer>;


3.4.7.2 Examples

    alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; \
        content:"/cgi-bin/phf"; priority:10;)

    alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx overflow"; \
        dsize:>128; classtype:attempted-admin; priority:10;)


</SNIP>
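The resolution the manual excerpt describes (a classtype supplies a default priority from the `config classification` lines, and an explicit `priority` option overrides it) written out as an added example; this is not code from the original post or from Snort, and the classification values and the two extra rules are constructed for illustration.

```python
import re
# Constructed "config classification: name,description,priority" lines in the form
# the manual refers to; the numbers are illustrative, not Snort's shipped file.
CLASSIFICATION_CONFIG = """
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: web-application-activity,Access to a potentially vulnerable web application,2
"""

# The two rules from the manual excerpt plus two constructed ones.
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; content:"/cgi-bin/phf"; priority:10;)',
    'alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx overflow"; dsize:>128; classtype:attempted-admin; priority:10;)',
    'alert tcp any any -> any 80 (msg:"constructed; classtype only"; classtype:web-application-activity;)',
    'alert tcp any any -> any 80 (msg:"constructed; neither"; content:"/x";)',
]

def parse_classifications(text):
    """Map classtype name -> default priority; the description may itself contain commas."""
    table = {}
    for line in text.splitlines():
        m = re.match(r'\s*config\s+classification:\s*(.*)$', line)
        if m:
            name, rest = m.group(1).split(',', 1)
            table[name.strip()] = int(rest.rsplit(',', 1)[1])
    return table

def parse_options(rule):
    """Split the (...) option body on ';' while honoring double-quoted values."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, in_quote = {}, '', False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote  # backslash-escaped quotes are not handled here
        if ch == ';' and not in_quote:
            key, _, val = cur.strip().partition(':')
            if key:
                opts[key] = val.strip()
            cur = ''
        else:
            cur += ch
    return opts

def effective_priority(rule, classifications):
    """Explicit priority wins; otherwise the classtype's configured default; else None."""
    opts = parse_options(rule)
    if 'priority' in opts:
        return int(opts['priority'])
    if 'classtype' in opts:
        if opts['classtype'] not in classifications:
            raise ValueError('undeclared classtype: ' + opts['classtype'])
        return classifications[opts['classtype']]
    return None  # the excerpt does not say what Snort assigns when neither is given
CLASSES = parse_classifications(CLASSIFICATION_CONFIG)
```

Run `effective_priority(r, CLASSES)` over `RULES` to see the override in action: the ntpdx rule resolves to 10 even though its classtype defaults to 1.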

On Wed, Aug 22, 2012 at 12:19 AM, mohamad hosein jafari
<smhjafari68 at ...11827...> wrote:
> thanks
>
> But I read and did the work that you said, and at last I found links like
> these:
> http://www.aldeid.com/wiki/Snort-alerts
> http://www.genome.ist.i.kyoto-u.ac.jp/snsn/130/54/21/dest130.54.21.199-all.html
> http://www.snort.org/search/results?limit=25&page=1&q=TCP
>
> And also, first I want to write some rules and classify alerts, but they had
> overlap and I think that was not complete.
> So I read the snort rules to know why the snort team created these classtypes. That
> was the reason that I want to know the snort classtypes. Also the alert's name and
> explanation is not enough for my request, so I need more explanation for each
> classtype that is in this link:
> http://manual.snort.org/node31.html#SECTION00444000000000000000
>
> Thanks
>
> On Tue, Aug 21, 2012 at 9:08 PM, Mike Hale <eyeronic.design at ...11827...>
> wrote:
>>
>> Mohamad,
>>
>> You're asking a really broad question.  The rule alert is fairly self
>> explanatory.
>>
>> A better way to obtain your answer is to do the following:
>>
>> - Read the documentation governing Snort rules
>> - Understand the documentation governing Snort rules
>> - Write some rules yourself and understand what they do
>> - Look at the rules you have questions about and, using your newfound
>> knowledge, understand what they do.
>>
>> If you still don't understand what specific rules do, then feel free
>> to post a question; you'll likely get an answer.
>>
>>
>> On Tue, Aug 21, 2012 at 8:52 PM, mohamad hosein jafari
>> <smhjafari68 at ...11827...> wrote:
>> > thanks
>> >
>> > So don't you have more information than the explanation of alerts?
>> > Or do rule writers write more explanation than the alert Msg explanation in
>> > any reference?
>> >
>> >
>> >
>> >
>> > On Tue, Aug 21, 2012 at 7:59 PM, waldo kitty <wkitty42 at ...14940...>
>> > wrote:
>> >>
>> >> On 8/21/2012 21:47, Joel Esler wrote:
>> >> > I'm not going to do that. You need to read the manual for how the
>> >> > rules work and then you need to read the references found in the
>> >> > rules themselves. We're not going to explain 22,000+ rules. :)
>> >> >
>> >> > Thanks, but you need to read some documentation.
>> >>
>> >> the key factor is that there is no reference other than the one conf
>> >> file... other than that, any rule writer is free to use any
>> >> classification they desire for their rule... there are times that the
>> >> MSG of a rule gives more information than the classification...
>> >> especially considering that there are only really 3 classification
>> >> numericals used...
>> >>
>> >> >
>> >> > --
>> >> > Joel Esler
>> >> > Sent from my iPad
>> >> >
>> >> > On Aug 21, 2012, at 9:01 PM, mohamad hosein jafari
>> >> > <smhjafari68 at ...11827...
>> >> > <mailto:smhjafari68 at ...11827...>> wrote:
>> >> >
>> >> >> Yes. But I want a reference for my need, because I think that is too much.
>> >> >> Thanks
>> >> >>
>> >> >> On Aug 22, 2012 2:54 AM, "Joel Esler" <jesler at ...1935...
>> >> >> <mailto:jesler at ...1935...>> wrote:
>> >> >>
>> >> >>     So, to be clear, you want me to explain all the rules to you?
>> >> >>
>> >> >>
>> >> >>     On Aug 21, 2012, at 3:16 PM, mohamad hosein jafari
>> >> >> <smhjafari68 at ...11827...
>> >> >>     <mailto:smhjafari68 at ...11827...>> wrote:
>> >> >>
>> >> >>>
>> >> >>>         You'd have to look in the rules themselves for what rules use
>> >> >>>         this classification. For instance, non-standard-protocol,
>> >> >>>         actually only has one rule that uses it.
>> >> >>>
>> >> >>>         The classifications are assigned by the VRT member who writes
>> >> >>>         the rule, and then when it's published it's reviewed to see if
>> >> >>>         that makes sense.
>> >> >>>
>> >> >>>     Yes, I want the things that you said. But where can I find this?
>> >> >>>     In other words, where do rule writers put their classification's
>> >> >>>     explanation?
>> >> >>>     Also I want some explanation about ALL snort alerts, consisting of:
>> >> >>>     type, mechanism, effect and its resource.
>> >> >>>
>> >> >>>     I have these two questions. And I want references for these. Can
>> >> >>>     you help me?
>> >> >>>
>> >> >>>     Thanks
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > ------------------------------------------------------------------------------
>> >> > Live Security Virtual Conference
>> >> > Exclusive live event will cover all the ways today's security and
>> >> > threat landscape has changed and how IT managers can respond.
>> >> > Discussions
>> >> > will include endpoint security, mobile security and the latest in
>> >> > malware
>> >> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> >> >
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Snort-users mailing list
>> >> > Snort-users at lists.sourceforge.net
>> >> > Go to this URL to change user options or unsubscribe:
>> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> > Snort-users list archive:
>> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >
>> >> > Please visit http://blog.snort.org to stay current on all the latest
>> >> > Snort news!
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
>
>
