[Snort-users] snort classification Question

waldo kitty wkitty42 at ...14940...
Sun Aug 26 00:31:31 EDT 2012


On 8/25/2012 17:01, Mike Hale wrote:
> I'm sure those categories were created because, at the time of
> creating, they were the best method of classifying alerts on a macro
> level.  It's up to you, the rule author, to find one that best suits
> your rule.

one must also understand that these were created "on the fly" in the past and 
only recently have they been expanded BUT they still use a level 1, 2 or 3 
rating where level 1 is the worst and level 3 is the least... in the past, there 
was also a level zero which was, AFAICR, what the built-in processors emitted... 
i know that this is one of the reasons why i undertook to rewrite the Guardian 
Active Response mod that many have used in conjunction with snort so as to have 
an automated response system that reacted to snort's alerts...

i'll let the rest of the message alone for now... i don't know that i have 
anything really to add to it... the main thing is that one must learn what the 
*rules* are triggering on and one */must/* tune their snort installation to 
their network and its activities... a perfect example is protecting a network of 
users where there is no servers in place at all... generally speaking, and 
looking at it from many folks' POV, you would not run server rules in that case...

but if you are like myself, you would because you would want to catch any 
unknown servers emitting traffic... there are two sides to the coin and many in 
the security industry only look at that traffic which affects their known 
services... so they don't catch the incessant attempts to connect to port 3306 
(as an example) when there is no port 3306 available on their networks... but my 
thinking is that anyone trying to connect to port 3306 is exhibiting nefarious 
and unwanted activity... if they lead off with attempts to connect to port 3306, 
what other ports are they going to be probing/attacking? why not catch them 
testing your home doorknob to see if it is unlocked and block them there before 
they get a chance to probe some other port and find it open to their attacks??




More information about the Snort-users mailing list