Snort mailing list archives

Re: [Snort-sigs] [Emerging-Sigs] New Classification System Proposal
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 23 Dec 2010 14:39:10 -0500

On Dec 23, 2010, at 2:36 PM, Victor Julien wrote:
On 12/23/2010 08:25 PM, Joel Esler wrote:

(Apologies in advance for cross-posting)
Have some news to share from our side.

After discussion internally, we (Sourcefire) also like this format and are going to update the official shipping 
snort.conf and the VRT rule sets to it as well.  We are creating a bug internally to do this, as we speak.

Just a couple items however:
1.  We've already started writing the new classification.conf file (with new priorities and descriptions).  If you 
have started on this, we'll be glad to use it, but we'll keep writing until we are told differently.
2.  We don't use "_", so we'll translate those over to "-".
3.  We also don't use uppercase in the keywords, so we'll translate those to lower case.

For example: Exploit-SQL_Injection will become exploit-sql-injection

I don't have a particular version of when we'll move over to the new format, but I'll be sure and keep the community 
updated as we move along this course on the blog (http://blog.snort.org) and the VRT blog 

Hi Joel, how do you feel about having multiple classifications per
signature? Like sort of using classifications as "tags"?

It's an interesting idea.  I'll bring it up.  Thanks Victor.

