Home page logo
/

snort logo Snort mailing list archives

Re: New Proposed Classification.config file setup
From: <Joshua.Kinard () us-cert gov>
Date: Fri, 24 Dec 2010 00:17:19 -0500


Having a class & subclass mechanism would be really useful, IMHO.  It's
cleaner-reading than constantly linking the two together via a hyphen
and essentially repeating the class over and over again.  I can think of
some saner categorization ways w/ a setup like this.

--J 

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com] 
Sent: Thursday, December 23, 2010 10:54 PM
To: Joel Esler
Cc: snort-sigs () lists sourceforge net; Emerging Sigs;
snort-users () lists sourceforge net; snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] New Proposed Classification.config file setup

On Thu, Dec 23, 2010 at 5:27 PM, Joel Esler <jesler () sourcefire com>
wrote:
As mentioned earlier, here's the proposed Classification.config file 
setup posted and available for download here:
http://blog.snort.org/2010/12/new-proposed-classificationconfig-file.h
tml Please take a look, leave comments preferably on the blog, but 
also here would be fine.


It appears that there's two levels of information here, why not have a
class and subclass?  For example:

classification: exploit-shellcode
classification: exploit-sql-injection
classification: exploit-browser

should maybe be

category: exploit; class: shellcode;
category: exploit; class: sql-injection;
category: exploit; class: browser;

Having the different levels of granularity could be useful for things
list real-time response mechanisms that act on just the category or
whatever.  Just thinking out loud here.

Furthermore, maybe we should be thinking about really fixing the
classification system with static value assignments for categories and
classes and mappings between values and human readable strings.  I
imagine this could make machine processing easier if we had output
options that could generate either (more easily) machine readable or
human readable data.  This would also make the runtime loading more
sane, no more classification.config line order-dependent
classifications.

I mean, if we're going to fix it why not fix it right?

Any log management/SIEM people paying attention on-list?  This is a
chance to make your lives easier if you've got any input!


Marty


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

------------------------------------------------------------------------
------
Learn how Oracle Real Application Clusters (RAC) One Node allows
customers to consolidate database storage, standardize their database
environment, and, should the need arise, upgrade to a full multi-node
Oracle RAC database without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]