Snort mailing list archives
Re: classification changes
From: Max Vision <vision () whitehats com>
Date: Wed, 23 May 2001 08:01:17 -0700
At 02:11 AM 5/23/2001 -0400, Brian Caswell wrote:

> We are going to change the classification for the Snort.org ruleset. Sorry IDWG guys, your classifications. The IDWG classifications are just not viable. I tried. It's really bad. Attached is the classification.config that will be included with snort 1.8.1 (Well, included into CVS as soon as I can clean up the rules). If you have wishes/requests for default classifications, let me know ASAP. I will start changing rules within the next 2 days.

I wrote some info about this before but had email problems and it seems to be gone (and not sent). Basically we came up with a good classification system last week that has so far been a good fit for all of the intrusion events. You can see this implemented at http://whitehats.com/ids/vision18.conf.gz
You can see an overview of how this breaks down at: http://whitehats.com/cgi/arachNIDS/BrowseTree?field=classtype&order=COUNT

The system we came up with is the following 20 classifications:

  not suspicious (policy foo)
  suspicious (miscellaneous such as source routing ip opts)
  info / attempt,success,failed (information gathering)
  relay / attempt,success,failed (relay vuln like socks, spam, etc)
  data / attempt,success,failed (data integrity, such as snmp write)
  system / attempt,success,failed (system integrity, such as shell access)
  client / attempt,success,failed (client software attacks)
  data-or-info-attempt
  system-or-info-attempt
  relay-or-info-attempt

This allowed us to classify each known intrusion event. It was a struggle with the IDWG system. The last three categories were required since we have a lot of events where we can't see clearly which class the event is in. For example, a signature to catch just "phf" in uricontent data would catch either an information gathering probe (is phf there?) or a system integrity attempt (let's push this linefeed through and run some commands). So it would be inappropriate to pick one or the other unless there were several very specific variations of the signature to catch each case. I can list some examples of why these classifications were chosen if anyone needs the info.
Max

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
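As an added example (not code from this thread, from Snort, or from arachNIDS), a small Python checker for the rule migration Brian describes: it parses entries in Snort's "config classification: name,description,priority" form and flags rules whose classtype is not defined in that file or is missing altogether. The hyphenated class names (e.g. info-attempt), the descriptions and the priority values are assumptions; the sample config and rules are constructed for the example.

```python
import re

# Constructed sample classification.config in Snort's
# "config classification: name,description,priority" syntax. The names are
# from the 20 classes in the thread (hyphenated form assumed); descriptions
# and priorities are assumptions, not the file shipped with snort 1.8.1.
CLASSIFICATION_CONFIG = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: suspicious,Potentially Bad Traffic,2
config classification: info-attempt,Information Gathering Attempt,2
config classification: system-success,Successful System Compromise,1
config classification: system-or-info-attempt,System or Info Gathering Attempt,2
"""

# Constructed rules: two valid, one with a classtype the config does not
# define, one with no classtype at all.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; uricontent:"/phf"; classtype:system-or-info-attempt; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe"; classtype:info-attempt; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH junk"; classtype:attempted-admin; sid:1000003;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; sid:1000004;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")
OPT_RE = re.compile(r"(\w+):([^;]*);")  # rule option "name:value;" pairs

def parse_classifications(text):
    """Map classtype name -> (description, priority) from classification.config."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes

def audit_rules(rules_text, classes):
    """Return (undefined, missing): (sid, classtype) pairs whose classtype is
    not in classes, and sids of rules that carry no classtype option."""
    undefined, missing = [], []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = {k: v.strip() for k, v in OPT_RE.findall(line)}
        sid = opts.get("sid", "?")
        ct = opts.get("classtype")
        if ct is None:
            missing.append(sid)
        elif ct not in classes:
            undefined.append((sid, ct))
    return undefined, missing
```

Running audit_rules(RULES, parse_classifications(CLASSIFICATION_CONFIG)) on the constructed input reports sid 1000003 (undefined classtype attempted-admin) and sid 1000004 (no classtype), which is the kind of check worth running over a ruleset before and after a classification change.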