[Snort-users] snort classification Question
wkitty42 at ...14940...
Sun Aug 26 00:31:31 EDT 2012
On 8/25/2012 17:01, Mike Hale wrote:
> I'm sure those categories were created because, at the time of
> creating, they were the best method of classifying alerts on a macro
> level. It's up to you, the rule author, to find one that best suits
> your rule.
one must also understand that these were created "on the fly" in the past and
only recently have they been expanded BUT they still use a level 1, 2 or 3
rating where level 1 is the worst and level 3 is the least... in the past, there
was also a level zero which was, AFAICR, what the built-in processors emitted...
i know that this is one of the reasons why i undertook to rewrite the Guardian
Active Response mod that many have used in conjunction with snort so as to have
an automated response system that reacted to snort's alerts...
i'll let the rest of the message alone for now... i don't know that i have
anything really to add to it... the main thing is that one must learn what the
*rules* are triggering on and one */must/* tune their snort installation to
their network and its activities... a perfect example is protecting a network of
users where there is no servers in place at all... generally speaking, and
looking at it from many folks' POV, you would not run server rules in that case...
but if you are like myself, you would because you would want to catch any
unknown servers emitting traffic... there are two sides to the coin and many in
the security industry only look at that traffic which affects their known
services... so they don't catch the incessant attempts to connect to port 3306
(as an example) when there is no port 3306 available on their networks... but my
thinking is that anyone trying to connect to port 3306 is exhibiting nefarious
and unwanted activity... if they lead off with attempts to connect to port 3306,
what other ports are they going to be probing/attacking? why not catch them
testing your home doorknob to see if it is unlocked and block them there before
they get a chance to probe some other port and find it open to their attacks??
More information about the Snort-users