[Snort-users] snort classification Question
jlay at ...13475...
Wed Aug 22 09:01:32 EDT 2012
I think in this case, you are the person who can help yourself :) This is the link that discusses class types found in snort:
That being shown, some class types are a bit subjective. Let's take "policy-violation" as an example. Let's say I see an alert for hotmail access:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; sid:2000036; rev:13;)
Now….does my organization have a policy against using hotmail? If so, then this is a valid alert, and I need to go talk to someone. If not, then this isn't relevant, and I should disable this rule.
At my work I use sguil and I've lumped a lot of these class types into a single category, "non-malicious". Read the link above, play around, and look at the actual packet content of the alert to see how it fits into a class-type. Hope that helps.
On Aug 22, 2012, at 2:23 AM, mohamad hosein jafari <smhjafari68 at ...11827...> wrote:
> who can help me in my needs?
> On Tue, Aug 21, 2012 at 9:32 PM, mohamad hosein jafari <smhjafari68 at ...5119...827...> wrote:
> I need more information about these classtypes:
> I need your help in these classtypes and I have more information about and some alert that was in these categories
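As an added example (not from the thread or from the Snort project), here is a small Python script that pulls msg, classtype and sid out of a rule like the one quoted above and applies the triage the reply describes: map the classtype to a local category (as with the "non-malicious" lumping in sguil) and treat a policy-violation alert as actionable only if the organisation actually has such a policy. The sample rule string, the LOCAL_CATEGORY table and the has_policy flag are constructed assumptions for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample: the ET POLICY Hotmail rule quoted in the thread.
HOTMAIL_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail '
    'Message Access"; flow: to_server,established; content:"hotmail.msn.com"; '
    'http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; '
    'reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; '
    'sid:2000036; rev:13;)'
)

def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the text inside a rule's parentheses into (keyword, value) pairs.
    A ';' inside a double-quoted value (e.g. content:"a;b") must not end an option."""
    opts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            item = ''.join(buf).strip()
            if item:                       # skip empty segments after the last ';'
                key, _, val = item.partition(':')
                opts.append((key.strip(), val.strip().strip('"')))
            buf = []
        else:
            buf.append(ch)
    return opts

def parse_rule(rule: str) -> Dict[str, object]:
    """Return the header plus the fields needed for triage (last value wins if repeated)."""
    header, _, rest = rule.partition('(')
    opts = split_options(rest.rsplit(')', 1)[0])
    fields = dict(opts)
    return {"header": header.strip(), "msg": fields.get("msg"),
            "classtype": fields.get("classtype"),
            "sid": int(fields["sid"]) if "sid" in fields else None, "options": opts}

# Constructed local mapping of Snort classtypes to the categories this site cares about.
LOCAL_CATEGORY = {"policy-violation": "non-malicious",
                  "trojan-activity": "malicious",
                  "attempted-admin": "malicious"}

def triage(rule: str, has_policy: bool) -> str:
    """Decide what to do with an alert from this rule, following the thread's advice:
    a policy-violation alert without a matching organisational policy is noise."""
    classtype = parse_rule(rule)["classtype"]
    if classtype == "policy-violation" and not has_policy:
        return "disable-rule"
    if classtype not in LOCAL_CATEGORY:
        return "review-classtype"          # unknown classtype: read the docs, inspect packets
    return "investigate"
```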