[Snort-users] snort classification Question

mohamad hosein jafari smhjafari68 at ...11827...
Wed Aug 22 04:23:31 EDT 2012


Who can help me with my needs?

On Tue, Aug 21, 2012 at 9:32 PM, mohamad hosein jafari <
smhjafari68 at ...11827...> wrote:

> I need more information about these classtypes :
> """
> tcp-connection
> unknown
> protocol-command-decode
> icmp-event
> web-application-activity
> non-standard-protocol
> policy-violation
> """
> I need your help with these classtypes, and I need more information about them
> and some alerts that were in these categories.
>
> Thanks
>
>
>
> On Tue, Aug 21, 2012 at 9:25 PM, Mike Hale <eyeronic.design at ...11827...>wrote:
>
>> "but it had overlap and I think that was not complete"
>> That's okay.  This is how you learn.  :)
>>
>> Find a specific rule that you have a question about.  I'm sorry to say
>> that I don't have the requisite skill to explain them to you, but if
>> you have a specific part of the rule (or a specific attribute) that
>> you have a question on, I think you'll get a good response.
>>
>> Joel is an amazing resource to the Snort community, but his time is
>> limited, which is why you need to get the specifics.
>>
>> On Tue, Aug 21, 2012 at 9:19 PM, mohamad hosein jafari
>> <smhjafari68 at ...11827...> wrote:
>> > Thanks
>> >
>> > But I read and did the work that you said, and at last I found links
>> > like these:
>> > http://www.aldeid.com/wiki/Snort-alerts
>> > http://www.genome.ist.i.kyoto-u.ac.jp/snsn/130/54/21/dest130.54.21.199-all.html
>> > http://www.snort.org/search/results?limit=25&page=1&q=TCP
>> >
>> > And also, first I wanted to write some rules and classify alerts, but it
>> > had overlap and I think that was not complete.
>> > So I read the Snort rules to know why the Snort team created these classtypes.
>> > That was the reason that I want to know the Snort classtypes. Also, the alert's
>> > name and explanation are not enough for my request, so I need more
>> > explanation for each classtype that is in this link:
>> > http://manual.snort.org/node31.html#SECTION00444000000000000000
>> >
>> > Thanks
>> >
>> > On Tue, Aug 21, 2012 at 9:08 PM, Mike Hale <eyeronic.design at ...11827...>
>> > wrote:
>> >>
>> >> Mohamad,
>> >>
>> >> You're asking a really broad question.  The rule alert is fairly self
>> >> explanatory.
>> >>
>> >> A better way to obtain your answer is to do the following:
>> >>
>> >> - Read the documentation governing Snort rules
>> >> - Understand the documentation governing Snort rules
>> >> - Write some rules yourself and understand what they do
>> >> - Look at the rules you have questions about and, using your newfound
>> >> knowledge, understand what they do.
>> >>
>> >> If you still don't understand what specific rules do, then feel free
>> >> to post a question; you'll likely get an answer.
>> >>
>> >>
>> >> On Tue, Aug 21, 2012 at 8:52 PM, mohamad hosein jafari
>> >> <smhjafari68 at ...11827...> wrote:
>> >> > Thanks
>> >> >
>> >> > So don't you have more information than the explanation of the alerts?
>> >> > Or do rule writers write more explanation than the alert msg explanation
>> >> > in any reference?
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On Tue, Aug 21, 2012 at 7:59 PM, waldo kitty <wkitty42 at ...14940...>
>> >> > wrote:
>> >> >>
>> >> >> On 8/21/2012 21:47, Joel Esler wrote:
>> >> >> > I'm not going to do that. You need to read the manual for how the
>> >> >> > rules work and then you need to read the references found in the
>> >> >> > rules themselves. We're not going to explain 22,000+ rules. :)
>> >> >> >
>> >> >> > Thanks, but you need to read some documentation.
>> >> >>
>> >> >> the key factor is that there is no reference other than the one conf
>> >> >> file... other than that, any rule writer is free to use any
>> >> >> classification they desire for their rule... there are times that the
>> >> >> MSG of a rule gives more information than the classification...
>> >> >> especially considering that there are only really 3 classification
>> >> >> numericals used...
>> >> >>
>> >> >> >
>> >> >> > --
>> >> >> > Joel Esler
>> >> >> > Sent from my iPad
>> >> >> >
>> >> >> > On Aug 21, 2012, at 9:01 PM, mohamad hosein jafari
>> >> >> > <smhjafari68 at ...11827...
>> >> >> > <mailto:smhjafari68 at ...11827...>> wrote:
>> >> >> >
>> >> >> >> Yes. But
>> >> >> >> I want a reference for my need. Because I think that is too much.
>> >> >> >> Thanks
>> >> >> >>
>> >> >> >> On Aug 22, 2012 2:54 AM, "Joel Esler" <jesler at ...1935...
>> >> >> >> <mailto:jesler at ...1935...>> wrote:
>> >> >> >>
>> >> >> >>     So, to be clear, you want me to explain all the rules to you?
>> >> >> >>
>> >> >> >>
>> >> >> >>     On Aug 21, 2012, at 3:16 PM, mohamad hosein jafari
>> >> >> >>     <smhjafari68 at ...11827...
>> >> >> >>     <mailto:smhjafari68 at ...11827...>> wrote:
>> >> >> >>
>> >> >> >>>
>> >> >> >>>         You'd have to look in the rules themselves for what rules
>> >> >> >>>         use this classification. For instance, non-standard-protocol
>> >> >> >>>         actually only has one rule that uses it.
>> >> >> >>>
>> >> >> >>>         The classifications are assigned by the VRT member who writes
>> >> >> >>>         the rule, and then when it's published it's reviewed to see
>> >> >> >>>         if that makes sense.
>> >> >> >>>
>> >> >> >>>     Yes, I want the things that you said. But where can I find this?
>> >> >> >>>     In other words, where do rule writers put their classification's
>> >> >> >>>     explanation?
>> >> >> >>>     Also I want some explanation about ALL Snort alerts, consisting of:
>> >> >> >>>     type, mechanism, effect and its resource.
>> >> >> >>>
>> >> >> >>>     I have these two questions. And I want a reference for these. Can
>> >> >> >>>     you help me?
>> >> >> >>>
>> >> >> >>>     Thanks
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> ------------------------------------------------------------------------------
>> >> >> > Live Security Virtual Conference
>> >> >> > Exclusive live event will cover all the ways today's security and
>> >> >> > threat landscape has changed and how IT managers can respond.
>> >> >> > Discussions
>> >> >> > will include endpoint security, mobile security and the latest in
>> >> >> > malware
>> >> >> > threats.
>> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > _______________________________________________
>> >> >> > Snort-users mailing list
>> >> >> > Snort-users at lists.sourceforge.net
>> >> >> > Go to this URL to change user options or unsubscribe:
>> >> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> >> > Snort-users list archive:
>> >> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >> >
>> >> >> > Please visit http://blog.snort.org to stay current on all the
>> latest
>> >> >> > Snort news!
>> >> >>
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>> >
>> >
>>
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>
>
>
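Two points in the thread above are easy to check for yourself instead of asking for an explanation of every rule: the only authoritative source for a classtype is classification.config (each line is `config classification: shortname,description,priority`), the priority a rule actually alerts with is the classtype's priority unless the rule carries its own `priority:` option, and some classtypes (non-standard-protocol, per Joel) are used by very few rules. The script below is an added example, not code from the thread or from the Snort project: it parses a constructed classification.config and a constructed set of local rules (sids in the 1000000+ range, all made up here), counts rules per classtype, reports classtypes that are defined but unused or used but undefined, and lists the distinct effective priorities in use. The descriptions and priorities in the sample config mirror the stock file's shape but are sample values, and the `sample-typo` classtype is deliberately undefined to show what the cross-check catches.

```python
import re
from collections import Counter

# Constructed sample in the classification.config format:
#   config classification: shortname,short description,priority
# Names mirror stock classtypes; descriptions/priorities are sample values here.
SAMPLE_CLASSIFICATION_CONFIG = """\
# comment lines and blank lines are ignored
config classification: unknown,Unknown Traffic,3
config classification: tcp-connection,A TCP connection was detected,4
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: icmp-event,Generic ICMP event,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""

# Constructed sample rules (local sid range), not VRT rules. sid 1000003 overrides
# its classtype's priority; sid 1000005 has no classtype; sid 1000007 uses an
# undefined classtype, which Snort rejects at load time.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample admin path"; flow:to_server,established; content:"/admin"; http_uri; classtype:web-application-activity; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP sample echo request"; itype:8; classtype:icmp-event; sid:1000002; rev:1;)
alert tcp any any -> any 6667 (msg:"POLICY sample IRC nick; explicit priority"; flow:established; content:"NICK "; classtype:policy-violation; priority:3; sid:1000003; rev:2;)
alert tcp any any -> any 25 (msg:"SMTP sample command decode"; classtype:protocol-command-decode; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"sample rule with no classtype"; content:"foo"; sid:1000005; rev:1;)
alert tcp any any -> any 23 (msg:"TELNET sample command decode"; classtype:protocol-command-decode; sid:1000006; rev:1;)
alert tcp any any -> any 8080 (msg:"sample rule with undefined classtype"; classtype:sample-typo; sid:1000007; rev:1;)
"""

CLASS_RE = re.compile(r'^config\s+classification:\s*([^,]+?)\s*,\s*(.*?)\s*,\s*(\d+)\s*$')
# key:value; pairs inside the rule body; a quoted value may itself contain ';'
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_classification_config(text):
    """Return {shortname: (description, priority)} from classification.config text."""
    classes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = CLASS_RE.match(line)
        if m:
            name, desc, prio = m.groups()
            classes[name] = (desc, int(prio))
    return classes


def parse_rule_options(rule):
    """Return {option: value} for the key:value options in one rule's body."""
    start, end = rule.find('('), rule.rfind(')')
    if start < 0 or end <= start:
        return None
    opts = {}
    for m in OPT_RE.finditer(rule[start + 1:end]):
        opts.setdefault(m.group(1), m.group(2).strip().strip('"'))
    return opts


def effective_priority(opts, classes):
    """Rule-level priority: overrides the classtype's priority; None if neither applies."""
    if 'priority' in opts:
        return int(opts['priority'])
    cls = classes.get(opts.get('classtype'))
    return cls[1] if cls else None


def summarize(rules_text, classes):
    """Cross-reference a rule set against the parsed classification.config."""
    per_sid, counts = {}, Counter()
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        opts = parse_rule_options(line)
        if not opts or 'sid' not in opts:
            continue
        ctype = opts.get('classtype')
        if ctype:
            counts[ctype] += 1
        per_sid[int(opts['sid'])] = (ctype, effective_priority(opts, classes))
    return {
        'counts': counts,
        'per_sid': per_sid,
        'unused_classtypes': sorted(set(classes) - set(counts)),
        'undefined_classtypes': sorted(set(counts) - set(classes)),
        'priorities_in_use': sorted({p for _, p in per_sid.values() if p is not None}),
    }


if __name__ == '__main__':
    classes = parse_classification_config(SAMPLE_CLASSIFICATION_CONFIG)
    report = summarize(SAMPLE_RULES, classes)
    for ctype, n in report['counts'].most_common():
        desc, prio = classes.get(ctype, ('(not in classification.config)', '-'))
        print(f"{ctype:28s} {n:3d} rule(s)  priority {prio}  {desc}")
    print("defined but unused:", report['unused_classtypes'])
    print("used but undefined:", report['undefined_classtypes'])
    print("distinct effective priorities:", report['priorities_in_use'])
```

Point `parse_classification_config` at your real classification.config and `summarize` at the concatenated contents of your rules directory to get the same report for a deployed rule set; the per-sid table is what to look at when an alert's priority in the log does not match what you expected from its classtype, since a rule-level `priority:` silently wins.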