Snort mailing list archives
Re: [Snort-devel] classification changes
From: Brian Caswell <bmc () mitre org>
Date: Wed, 23 May 2001 09:53:31 -0400
Chris Green wrote:
[ is there anyone on devel that isn't on users? ]
no idea. Since this affects both developers AND users, I e-mailed both.
Attached is the classification.config that will be included with snort 1.8.1 (Well, included into CVS as soon as I can clean up the rules) If you have wishes/requests for default classifications, let me know ASAP. I will start changing rules within the next 2 days.
At least keep the same order that was already defined where larger numerical magnitude means higher priority.
That's a simple change in your classification.config. Since many NIDS shops use RealSecure and snort, I've elected to make the default priorities follow sort of the same scheme. (With a bit more brain cells to classifying rules, that's for sure) If there is a generalized consent that we want priorities done in low to high instead of high to low, then I'll change it. NOTE: That means if you want it, you MUST speak up.
I don't think url-access/exploit are any different than attempted-user in the large scheme of things.
Actually, I do. One is an exploit. One is just a probe. I'm much more concerned if someone does /scripts/../../../winnt/cmd.exe than if they do /cgi-bin/phf
service-probe for like a bind.version
attempted-admin for a root exploit
attempted-user for an exploit that will give you nobody privileges
host-mapping == os identification? That sounds like a specific information
host-mapping would contain NMAP probes, and things host -> many hosts targeting a single port. Actually, I will be releasing HOMER soon, an alert correlation engine that we at MITRE have developed. (See the SANS paper on Intrusion Detection & Data Mining) This classification is used by those things.
--
Brian Caswell
The MITRE Corporation
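Added example, not part of the original message and not Snort project code: a sketch of the "simple change in your classification.config" discussed above, flipping the numeric direction of the priority scale while keeping the relative ranking. It assumes the `config classification: name,description,priority` line format; the classtype names come from the thread, and the descriptions and priority numbers are constructed.

```python
import re

# Constructed sample: classtype names are the ones discussed in the thread;
# descriptions and priority numbers are made up for illustration.
SAMPLE_CONFIG = """\
# constructed classification.config fragment
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: url-access,Access to a Sensitive URL,2
config classification: service-probe,Service Version Probe,3
config classification: host-mapping,Host Mapping Activity,3
"""

# prefix, classtype name, description, numeric priority
LINE_RE = re.compile(
    r"^(\s*config\s+classification:\s*)([^,#]+),([^,]*),\s*(\d+)\s*$"
)

def parse(text):
    """Return {classtype: (description, priority)} for each classification line."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[m.group(2).strip()] = (m.group(3).strip(), int(m.group(4)))
    return table

def invert_priorities(text):
    """Map priority p to (lowest + highest - p); other lines pass through."""
    prios = [p for _, p in parse(text).values()]
    if not prios:
        return text
    pivot = min(prios) + max(prios)
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            new_prio = pivot - int(m.group(4))
            line = f"{m.group(1)}{m.group(2)},{m.group(3)},{new_prio}"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(invert_priorities(SAMPLE_CONFIG), end="")
```

Any tooling that sorts or filters alerts by priority has to be switched to the same direction as the config it reads.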