[Snort-users] snort classification Question

mohamad hosein jafari smhjafari68 at ...11827...
Sun Aug 26 02:19:46 EDT 2012


Thanks for your help, Mike & Waldo.

And I have another question about classification:
On the Snort site, in the search page ( http://www.snort.org/search ), we can
search for alerts that are in one classification that we search for.
I did search on all Snort classifications, but I did not find any result. WHY?
inappropriate-content
successful-dos
successful-recon-largescale
icmp-event
not-suspicious


thanks

On Sun, Aug 26, 2012 at 9:01 AM, waldo kitty <wkitty42 at ...14940...>wrote:

> On 8/25/2012 17:01, Mike Hale wrote:
> > I'm sure those categories were created because, at the time of
> > creating, they were the best method of classifying alerts on a macro
> > level.  It's up to you, the rule author, to find one that best suits
> > your rule.
>
> one must also understand that these were created "on the fly" in the past
> and only recently have they been expanded BUT they still use a level 1, 2
> or 3 rating where level 1 is the worst and level 3 is the least... in the
> past, there was also a level zero which was, AFAICR, what the built-in
> processors emitted... i know that this is one of the reasons why i
> undertook to rewrite the Guardian Active Response mod that many have used
> in conjunction with snort so as to have an automated response system that
> reacted to snort's alerts...
>
> i'll let the rest of the message alone for now... i don't know that i have
> anything really to add to it... the main thing is that one must learn what
> the *rules* are triggering on and one */must/* tune their snort
> installation to their network and its activities... a perfect example is
> protecting a network of users where there are no servers in place at all...
> generally speaking, and looking at it from many folks' POV, you would not
> run server rules in that case...
>
> but if you are like myself, you would, because you would want to catch any
> unknown servers emitting traffic... there are two sides to the coin and
> many in the security industry only look at that traffic which affects their
> known services... so they don't catch the incessant attempts to connect to
> port 3306 (as an example) when there is no port 3306 available on their
> networks... but my thinking is that anyone trying to connect to port 3306
> is exhibiting nefarious and unwanted activity... if they lead off with
> attempts to connect to port 3306, what other ports are they going to be
> probing/attacking? why not catch them testing your home doorknob to see if
> it is unlocked and block them there before they get a chance to probe some
> other port and find it open to their attacks??
>
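
As an added example that is not part of this thread and not Snort's own code: the level 1/2/3 rating waldo describes is the priority column of Snort's classification.config (`config classification: name,description,priority`), and a rule's `classtype` inherits that priority unless the rule sets `priority:` itself. The Python below parses a constructed sample of such lines plus a few constructed rules (the sids are placeholders), resolves each rule's effective priority and orders them most-severe first. The sample priorities are modelled on the stock file but are an assumption here; check them against your own classification.config.

```python
"""Resolve the effective priority of Snort rules from their classtype.

Added example for the snort-users thread, not code from Snort or the
thread's authors. Input is a constructed sample in the format of Snort's
classification.config, where priority 1 is the most severe.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of classification.config lines (Snort's format; the
# values are a sample modelled on the stock file, verify against yours).
CLASSIFICATION_CONFIG = """\
# comment lines and blank lines are ignored

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: icmp-event,Generic ICMP event,3
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: successful-dos,Denial of Service,2
config classification: inappropriate-content,Inappropriate Content was Detected,1
"""

# Constructed sample rules; sids 9000001-9000005 are placeholders.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"EXAMPLE connection attempt to 3306 where no MySQL exists"; flags:S; classtype:attempted-recon; sid:9000001; rev:1;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE echo request"; itype:8; classtype:icmp-event; sid:9000002; rev:1;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE echo request, priority raised"; itype:8; classtype:icmp-event; priority:1; sid:9000003; rev:1;)',
    'alert tcp any any -> any any (msg:"EXAMPLE rule with no classtype"; sid:9000004; rev:1;)',
    'alert tcp any any -> any any (msg:"EXAMPLE undefined classtype"; classtype:bogus-class; sid:9000005; rev:1;)',
]

_CLASS_RE = re.compile(r'^config\s+classification:\s*([^,]+?)\s*,\s*(.*?)\s*,\s*(\d+)$')
_OPT_RE = re.compile(r'\b(classtype|priority)\s*:\s*([^;]+?)\s*;')
_QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def parse_classifications(text: str) -> Dict[str, Tuple[str, int]]:
    """Map classtype name -> (description, priority). Malformed lines are skipped."""
    classes: Dict[str, Tuple[str, int]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _CLASS_RE.match(line)
        if m:
            classes[m.group(1)] = (m.group(2), int(m.group(3)))
    return classes


def rule_options(rule: str) -> Dict[str, str]:
    """Pull classtype and priority out of a rule's option block.

    Quoted strings (msg, content) are blanked first so that the words
    'classtype:' or 'priority:' inside a message text cannot be misread.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return {}
    body = _QUOTED_RE.sub('""', rule[start + 1:end])
    return dict(_OPT_RE.findall(body))


def effective_priority(rule: str, classes: Dict[str, Tuple[str, int]]) -> Tuple[Optional[str], Optional[int]]:
    """Return (classtype, priority) for a rule.

    An explicit priority: option wins over the classtype's default. A rule
    whose classtype is not defined in classification.config gets None here
    (Snort itself refuses to load such a rule).
    """
    opts = rule_options(rule)
    classtype = opts.get("classtype")
    if opts.get("priority", "").isdigit():
        return classtype, int(opts["priority"])
    if classtype in classes:
        return classtype, classes[classtype][1]
    return classtype, None


def triage_order(rules: List[str], classes: Dict[str, Tuple[str, int]]) -> List[str]:
    """Order rules most-severe first (priority 1 before 3); unresolved ones last."""
    def key(rule: str):
        _, prio = effective_priority(rule, classes)
        return (prio is None, prio if prio is not None else 0)
    return sorted(rules, key=key)


if __name__ == "__main__":
    classes = parse_classifications(CLASSIFICATION_CONFIG)
    for rule in triage_order(SAMPLE_RULES, classes):
        classtype, prio = effective_priority(rule, classes)
        print(f"priority={prio!s:>4}  classtype={classtype!s:<28}  {rule[:60]}...")
```

The ordering is what matters when tuning: a rule left on a priority-3 classtype such as `icmp-event` will sit at the bottom of every priority-sorted console, so if you consider 3306 probes on a serverless network worth acting on, either pick a classtype with the right level or set `priority:` on the rule explicitly.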