[Snort-users] snort classification Question

mohamad hosein jafari smhjafari68 at ...11827...
Sat Aug 25 02:23:39 EDT 2012


thanks

But as I said before, first I decided to create categories for alerts and I wrote
some, but I saw I had some overlap in my rules and one alert could go to several
of my categories. So I decided to use the Snort rules, and I checked these rules
to understand why the Snort team created these categories.
I can check the alerts one by one, but that is too hard, and I know it depends on
each alert.

But as I said, for example, I don't know what a "non standard protocol" is.
I also want to know Snort's classification logic.

Thanks for your help

On Sat, Aug 25, 2012 at 10:33 AM, Mike Hale <eyeronic.design at ...11827...>wrote:

> The answer is:  It Depends.
>
> You have to look at the specific rules to see what the alert was for.
>
> You see this, right?
>
> http://manual.snort.org/node31.html#SECTION00446000000000000000
>
> You see how in the rule it says "classtype"?  The rule author puts that
> there.
>
> You *have* to look at the rule to see why the classtype applies to the
> rule.  In fact...sometimes the classtype may be wrong.  You don't know
> until and unless you see the rule itself.
>
> Once again, you have to narrow down your question.
>
> On Fri, Aug 24, 2012 at 10:52 PM, mohamad hosein jafari
> <smhjafari68 at ...11827...> wrote:
> > yes waldo, I said before. The Snort alert classification descriptions are good,
> > but I need more information.
> > for example:
> > one classification is "icmp-event" and its description is "Generic ICMP
> > event". but I want to know more information about this, for example what
> > kind of ICMP event is in this classification? Or why is this one classification?
> > Or for example "non standard protocol" and so on.
> >
> > Thanks
> >
> > On Fri, Aug 24, 2012 at 6:48 AM, waldo kitty <wkitty42 at ...14940...>
> > wrote:
> >>
> >> On 8/23/2012 01:18, mohamad hosein jafari wrote:
> >>>
> >>> thanks james
> >>>
> >>>
> >>> yes joel but I said before that I need more information than that
> >>> description
> >>
> >>
> >> what, in those descriptions, is not clear? they are it... really... they
> >> are what all implementers and rule creators have to go by... there is and
> >> has never been anything else ;)
> >>
> >> what am i missing? possibly a language barrier?
> >
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
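The replies above make the point that a classtype is just a label the rule author writes into the rule, and that its meaning and priority come from the `classtype`/`priority` entries in classification.config. Checking every rule by hand is tedious, so the following added example (not part of this thread, nor Snort's own code) parses a classification.config and a rule file, groups rule messages under their classtype, computes the effective priority each rule inherits, and flags rules whose classtype is not defined in the config. The config lines and rules below are constructed samples using the real `config classification:` syntax and sids in the local 1000000+ range; the messages and the misspelled classtype in the last rule are invented to exercise the undefined-classtype check.

```python
import re
from collections import defaultdict

# Constructed sample in the format of Snort's classification.config:
#   config classification: shortname,short description,priority
CLASSIFICATION_CONFIG = """
# shortname, description, priority
config classification: icmp-event,Generic ICMP event,3
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: attempted-recon,Attempted Information Leak,2
"""

# Constructed sample rules (local sids, invented msg text). The last rule
# deliberately carries a misspelled classtype so the check below has something to flag.
SAMPLE_RULES = """
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request seen"; itype:8; classtype:icmp-event; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP timestamp request"; itype:13; classtype:attempted-recon; priority:1; sid:1000002; rev:1;)
alert ip any any -> $HOME_NET any (msg:"LOCAL unusual IP protocol"; ip_proto:>100; classtype:non-standard-protocol; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL rule with misspelled classtype"; classtype:icmp-events; sid:1000004; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$", re.M)

# Rule options we care about; each regex captures the option's value.
OPT_RE = {
    "msg": re.compile(r'msg:\s*"([^"]*)"'),
    "classtype": re.compile(r"classtype:\s*([^;\s]+)\s*;"),
    "sid": re.compile(r"sid:\s*(\d+)\s*;"),
    "priority": re.compile(r"priority:\s*(\d+)\s*;"),
}


def parse_classifications(text):
    """Map classtype shortname -> {description, priority} from classification.config text."""
    return {
        name.strip(): {"description": desc.strip(), "priority": int(prio)}
        for name, desc, prio in CLASS_RE.findall(text)
    }


def parse_rules(text):
    """Extract msg, classtype, sid and priority from each rule line (comments/blank lines skipped)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line or not line.endswith(")"):
            continue
        opts = line[line.index("(") + 1:-1]  # text between the option parentheses
        rule = {}
        for key, rx in OPT_RE.items():
            m = rx.search(opts)
            rule[key] = m.group(1) if m else None
        rule["sid"] = int(rule["sid"]) if rule["sid"] else None
        rule["priority"] = int(rule["priority"]) if rule["priority"] else None
        rules.append(rule)
    return rules


def effective_priority(rule, classes):
    """A rule's own priority option overrides the classtype priority; None if neither is known."""
    if rule["priority"] is not None:
        return rule["priority"]
    entry = classes.get(rule["classtype"])
    return entry["priority"] if entry else None


def group_by_classtype(rules, classes):
    """Return ({classtype: [(sid, msg), ...]}, [sids whose classtype is not in classes])."""
    groups = defaultdict(list)
    undefined = []
    for r in rules:
        if r["classtype"] not in classes:
            undefined.append(r["sid"])
        groups[r["classtype"]].append((r["sid"], r["msg"]))
    return dict(groups), undefined


def report(config_text=CLASSIFICATION_CONFIG, rules_text=SAMPLE_RULES):
    classes = parse_classifications(config_text)
    rules = parse_rules(rules_text)
    groups, undefined = group_by_classtype(rules, classes)
    for ct, members in sorted(groups.items()):
        meta = classes.get(ct)
        label = f'{meta["description"]} (priority {meta["priority"]})' if meta else "UNDEFINED in classification.config"
        print(f"{ct}: {label}")
        for sid, msg in members:
            print(f"  sid {sid}: {msg}")
    if undefined:
        print("Rules with undefined classtype:", undefined)
    return groups, undefined


if __name__ == "__main__":
    report()
```

Point the two text arguments at your real classification.config and a rules file, and the output shows, per classtype, which rule messages the author placed under it; that listing is the quickest way to see what the rule writers meant by a label such as non-standard-protocol, and the undefined list catches classtypes that will not resolve to any description or priority.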