[Snort-users] snort classification Question

James Lay jlay at ...13475...
Wed Aug 22 09:01:32 EDT 2012


I think in this case, you are the person who can help yourself :)  This is the link that discusses class types found in snort:


That being shown, some class types are a bit subjective.  Let's take "policy-violation" as an example.  Let's say I see an alert for hotmail access:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; sid:2000036; rev:13;)

Now….does my organization have a policy against using hotmail?  If so, then this is a valid alert, and I need to go talk to someone.  If not, then this isn't relevant, and I should disable this rule.

At my work I use sguil and I've lumped a lot of these class types into a single category, "non-malicious".  Read the link above, play around, and look at the actual packet content of the alert to see how it fits into a class-type.  Hope that helps.


On Aug 22, 2012, at 2:23 AM, mohamad hosein jafari <smhjafari68 at ...11827...> wrote:

> who can help me in my needs?
> On Tue, Aug 21, 2012 at 9:32 PM, mohamad hosein jafari <smhjafari68 at ...5119...827...> wrote:
> I need more information about these classtypes :
> """
> tcp-connection
> unknown
> protocol-command-decode
> icmp-event
> web-application-activity
> non-standard-protocol
> policy-violation
> """
> I need your help in these classtypes and I have more information about and some alert that was in these categories
> Thanks
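The triage step the reply describes (read the rule's classtype and msg, then decide whether the alert is actionable under your own policy) can be scripted. The block below is an added example written for this thread; it is not code from the thread, from Snort or from Emerging Threats. It parses the option block of a Snort rule, extracts msg, classtype, sid and rev, and applies a small decision table. The POLICY_DEPENDENT set and the ORG_POLICY mapping are assumptions standing in for whatever your organisation's policy actually says; the sample rule is the one quoted above.

```python
"""Parse Snort rule options and triage an alert by classtype.

Added example for the snort-users thread; not Snort's own code.
"""
import re

# Constructed sample: the ET POLICY Hotmail rule quoted in the thread.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; '
    'content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; '
    'http_uri; reference:url,doc.emergingthreats.net/2000036; '
    'classtype:policy-violation; sid:2000036; rev:13;)'
)

# Split the option list on ';' only when the ';' is outside double quotes.
_OPTION_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

# Assumption: classtypes from the thread that only matter if a local policy
# says so (the reply's point about policy-violation generalised to its list).
POLICY_DEPENDENT = {
    "policy-violation", "web-application-activity",
    "non-standard-protocol", "tcp-connection", "unknown",
}

# Assumption (constructed): keyword in msg -> does our org forbid it?
# False means the activity is permitted here, so the alert is noise.
ORG_POLICY = {"hotmail": False}


def parse_rule(rule: str) -> dict:
    """Return {'header': str, 'options': {name: [values...]}} for one rule.

    Repeated options (e.g. two content: matches) are kept in order; bare
    modifiers such as http_uri get the value True.
    """
    header, _, rest = rule.partition("(")
    body = rest.rsplit(")", 1)[0]
    options: dict = {}
    for raw in _OPTION_SPLIT.split(body):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition(":")
        name = name.strip()
        value = value.strip().strip('"') if sep else True
        options.setdefault(name, []).append(value)
    return {"header": header.strip(), "options": options}


def triage(rule: str, org_policy: dict = ORG_POLICY) -> dict:
    """Decide what to do with an alert from this rule.

    investigate : classtype is not policy-dependent, or policy forbids it
    disable     : policy-dependent and our policy explicitly permits it
    review      : policy-dependent but no policy entry matches the msg
    """
    opts = parse_rule(rule)["options"]
    classtype = opts.get("classtype", ["unknown"])[0]
    msg = opts.get("msg", [""])[0].lower()
    sid = opts.get("sid", ["?"])[0]
    if classtype not in POLICY_DEPENDENT:
        action = "investigate"
    else:
        hits = [k for k in org_policy if k in msg]
        if not hits:
            action = "review"
        elif any(org_policy[k] for k in hits):
            action = "investigate"
        else:
            action = "disable"
    return {"sid": sid, "classtype": classtype, "msg": msg, "action": action}


if __name__ == "__main__":
    print(triage(SAMPLE_RULE))
```

With the constructed policy (webmail permitted) the sample rule is flagged "disable", which is the outcome the reply describes for an organisation with no hotmail policy; flipping the entry to True yields "investigate".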
