[Snort-users] Identify classification ID

Gabriel Corre gabriel.corre at ...17281...
Fri Aug 14 05:19:30 EDT 2015


Hi all,

I'm reading my alerts + packets in the file "merged.log" created by :
"output unified2: filename merged.log, limit 128"  in "snort.conf"

Here is what I receive :
(Event)
        sensor id: 0    event id: 10    event second: 1439539372        event microsecond: 20723
        sig id: 4       gen id: 128     revision: 1      classification: 25
        priority: 2     ip source: *.*.*.*        ip destination: *.*.*.*
        src port: 22531 dest port: 22   protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 10    event second: 1439539372
        packet second: 1439539372       packet microsecond: 20723
        linktype: 1     packet_length: 118
[    0] 00 22 4D AD AB E0 1C E6 C7 52 07 40 08 00 45 00  ."M......R. at ...935...3...
[   16] 00 68 5C E8 40 00 78 06 03 71 3E F0 FE 39 05 C4  .h\. at ...17287...>..9..
[   32] 5F 49 58 03 00 16 08 10 8E 93 AF 81 33 0D 50 18  _IX.........3.P.
[   48] 0A 82 25 5F 00 00 F4 37 2D 61 21 B0 F5 F2 12 B6  ..%_...7-a!.....
[   64] 28 FE 7C 33 C9 43 66 B2 A9 78 1D 2E B3 86 B6 7A  (.|3.Cf..x.....z
[   80] 21 E6 A3 61 93 28 9F 5E 65 56 AA 0A AB F9 6D DC  !..a.(.^eV....m.
[   96] 4F 95 6E 38 DD A4 10 50 48 04 72 7B 44 75 AC 8C  O.n8...PH.r{Du..
[  112] 83 FF 0F 6C AE B0                                ...l..


It's quite fine since every options is described in Snort Manual P.259


However I'm not sure how to identify the classification option since it is just showing a number (e.g : classification: 25)
Thus my question is how could I identify the classification ? I had a look in « classification.config » :

********* THIS IS JUST A PART OF THE FILE ***********
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1


# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2


As you can see there isn't any ID number related with the one showed in the merged.log so how should I identify the classification?
I did count manually each classification lines manually and it seems to match but there should be a better/quicker way of doing it isn't it?

Cheers,

--

Gabriel Corré
Élève Ingénieur Réseaux, Ops - Core Infrastructure

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150814/4da10140/attachment.html>


More information about the Snort-users mailing list