Home page logo
/

snort logo Snort mailing list archives

Re: [Emerging-Sigs] [Snort-sigs] New Classification System Proposal
From: Darren Spruell <phatbuckett () gmail com>
Date: Thu, 23 Dec 2010 16:05:56 -0700

+1

I like the additional granularity this will provide although at the
expense of some complexity in rule creation and handling (thinking
SIEMs, etc.).

Nice bipartisan move with the various representative communities too,
well done! (Maybe US Congress could ... never mind).

DS

On Thu, Dec 23, 2010 at 2:02 PM, Matthew Jonkman
<jonkman () emergingthreatspro com> wrote:
Reminder (sorry to spam)

Go here to see the list, and leave comments, or discuss here on the list.
http://blog.emergingthreatspro.com/2010/12/new-classification-system-proposal.html

Matt


On Dec 23, 2010, at 3:51 PM, Matthew Jonkman wrote:

Certainly glad to hear that Joel! I think it'll be a good thing for us all to have similar classifications.

I'd like to encourage everyone that's interested to put in your suggestions for additions and changes now.

How about we call a January 12 2011 end date for suggestions? That gets us through the holidays and a week or more 
of everyone back to work before we and it.

(plus I'm in no hurry to start reclassifying 14,000 signatures... :) )

Matt

On Dec 23, 2010, at 2:25 PM, Joel Esler wrote:

All,

(Apologize in advance for cross-posting)
Have some news to share from our side.

After discussion internally, we (Sourcefire) also like this format and are going to update the official shipping 
snort.conf and the VRT rule sets to it as well.  We are creating a bug internally to do this, as we speak.

Just a couple items however:
1.  We've already started writing the new classification.conf file (with new priorities and descriptions).  If you 
have started on this, we'll be glad to use it, but we'll keep writing until we are told differently.
2.  We don't use "_", so we'll translate those over to "-".
3.  We also don't use uppercase in the keywords, so we'll translate those to lower case.

For example: Exploit-SQL_Injection will become exploit-sql-injection

I don't have a particular version of when we'll move over to the new format, but I'll be sure and keep the 
community updated as we move along this course on the blog (http://blog.snort.org) and the VRT blog 
(http://vrt-sourcefire.blogspot.com).

Please feel free to email me with any questions!  Thanks!

Joel Esler
Manager, OpenSource Community

On Dec 15, 2010, at 2:42 PM, Matthew Jonkman wrote:

Alienvault and Emerging Threats Pro have some very good news to share. Alienvault has been for some time working 
on and using a much more granular and expressive classification system for Snort and Suricata alerts. Emerging 
Threats and Emerging Threats Pro intend to adopt this classification system as an option for users, and we want to 
get your input. There are about 240 categories now, and we want to get everything added or changed that might be 
necessary while we're adopting the system.

The proposed classification system is available here as well as being at the end of this message:

http://www.emergingthreats.net/new_classifications_v1.txt

We welcome your comment on what to add or change in this classification system. The goal is to make correlation 
and analysis systems able to make better decisions based on classifications, and potentially even allow blocking 
decisions to be made by classtype. The current classifications in use are vague and haven't been updated for some 
time, and many systems are making decisions based on them without much distinction between categories. So we'd 
like to make that better.

Alienvault has done a lot of work in this area already and they'd like to push that out to the community. We'd 
like to take a week or two to let everyone look these over and comment, and then we'll get a version agreed upon 
and begin using that.

For Emerging Threats and Emerging Threats Pro users it'll take us some time to reclassify the rules, but we'll get 
it done. We will publish two versions of the ruleset, one with the old classifications, and one with the new. The 
old classifications will be included in the new classifications file so we don't have any issues with backward 
compatible rules.

We welcome other comments and concerns, but we're very excited about what Alienvault is donating to the community, 
and we're eager to implement!

Please feel free to comment on the blog (http://blog/emergingthreatspro.com) or here.


Exploit-Shellcode
Exploit-SQL_Injection
Exploit-Browser
Exploit-ActiveX
Exploit-Command_Execution
Exploit-Cross_Site_Scripting
Exploit-FTP
Exploit-File_Inclusion
Exploit-Windows
Exploit-Directory_Traversal
Exploit-Attack_Response
Exploit-Denial_Of_Service
Exploit-PDF
Exploit-Buffer_Overflow
Exploit-Spoofing
Exploit-Format_String
Exploit-Misc
Exploit-DNS
Exploit-Mail
Exploit-Samba
Exploit-Linux
Authentication-Bruteforce
Authentication-Bypass
Authentication-Login
Authentication-Failed
Authentication-Cleartext
Authentication-Logout
Authentication-Disclosure
Authentication-Default_Credentials
Access-Web_Application_Access
Access-File_Access
Access-Misc
Malware-Spyware
Malware-Adware
Malware-Fake_Antivirus
Malware-KeyLogger
Malware-Trojan
Malware-Virus
Malware-Worm
Malware-Generic
Malware-Backdoor
Policy-Porn
Policy-P2P
Policy-Instant_Messaging_Chat
Policy-Anonymity
Policy-Games
Policy-Other
Denial_Of_Service-Web_Application
Denial_Of_Service-Application
Denial_Of_Service-Flood
Denial_Of_Service-DDoS
Suspicious-Blacklist_Address
Suspicious-Web_Attack_or_Scan
Suspicious-Bad_Traffic
Suspicious-Network_Activity
Suspicious-Scada_Activity
Suspicious-DNS_Activity
Suspicious-SSH_Activity
Suspicious-NFS_Activity
Suspicious-Database_Activity
Suspicious-Netbios_Activity
Suspicious-RPC_Activity
Suspicious-Mail_Activity
Network-TFTP_Activity
Network-FTP_Activity
Network-SNMP_Activity
Network-SMTP_Activity
Network-Telnet_Activity
Recon-Misc
Recon-Scanner
Info-Misc
Network-NTP_Activity
Network-SIP_Activity
Network-DHCP_Activity
Access-Firewall_Permit
Access-Firewall_Deny
Access-ACL_Permit
Access-ACL_Deny
Authentication-Policy_Added
Authentication-Policy_Changed
Authentication-Policy_Deleted
Authentication-FTP_Login_Succeeded
Authentication-FTP_Login_Failed
Authentication-Password_Change_Failed
Authentication-Password_Change_Succeeded
Authentication-User_Created
Authentication-User_Deleted
Authentication-User_Changed
Authentication-Admin_Access
Authentication-Group_Added
Authentication-Group_Deleted
Authentication-Group_Changed
Authentication-Auth_Required
Authentication-Account_Lockout
Authentication-Account_Unlocked
Malware-Virus_Detected
Antivirus-Virus_Detected
Antivirus-Virus_Quarantine
Antivirus-Virus_Quarantine_Failed
System-Configuration_Error
Antivirus-Definitions_Updated
Antivirus-Definitions_Updated_Failed
Antivirus-Unknown_Event
Antivirus-Started
Antivirus-Disabled
Antivirus-Scan_Started
Antivirus-Scan_Finished
Antivirus-Error
Application-Web_Opened
Application-Web_Closed
Application-Web_Reset
Application-Web_Terminated
Application-Web_Denied
Application-Web_Redirected
Application-Web_Proxy
Application-Web_Error
Application-Web_Misc
Application-Web_Not_Found
Access-Traffic_Inbound
Access-Traffic_Outbound
Access-Firewall_Misc_Event
Suspicious-Network_Anomaly
Suspicious-DNS_Protocol_Anomaly
Suspicious-SSH_Protocol_Anomaly
Suspicious-Telnet_Protocol_Anomaly
Suspicious-HTTP_Protocol_Anomaly
Suspicious-Mail_Protocol_Anomaly
Suspicious-FTP_Protocol_Anomaly
Suspicious-Threshold_Exceeded
Denial_Of_Service-Other
Access-File_Blocked
Access-Tunnel_Connection
Access-Tunnel_Closed
System-Warning
System-Emergency
System-Critical
System-Error
System-Notification
System-Information
System-Debug
System-Alert
Access-Connection_Opened
Access-Connection_Closed
Access-Timeout
System-Service_Started
System-Service_Stopped
System-Process_Started
System-Process_Stopped
Application-Spam_Detected
Application-Mail_Dropped
System-Restart
System-Started
System-Stopped
System-Locked
System-Unlocked
Network-IKE_Activity
Network-H.323_Activity
Network-PPP_Activity
Network-OCSP_Activity
Network-L2TP_Activity
Network-RIP_Activity
Network-PPTP_Activity
Network-SSL_Activity
Network-IGMP_Activity
Network-IPSEC_Activity
Network-PKI_Activity
Voip-Call_Started
Voip-Call_Ended
Voip-Misc
Network-BOOTP_Activity
Alert-IDS_Alert
Alert-IPS_Alert
Alert-HostIDS_Alert
Application-Mail_Sent
Application-Mail_Server_Misc
Application-Mail_Received
Availability-State_Up
Availability-State_Down
Availability-State_Critical
Availability-State_Warning
Availability-State_Unknown
Availability-State_Unreachable
Application-VPN_Opened
Application-VPN_Closed
Application-VPN_Denied
Application-VPN_Misc
System-Configuration_Changed
Network-Misc
Policy-Phishing
Wireless-New_Network
Wireless-Client_Associated
Wireless-Flood
Wireless-Disassociation
Wireless-Deauthentication
Wireless-Anomaly
Wireless-Spoofing
Wireless-Scanner_Detected
Wireless-Misc
Wireless-Probe
Inventory-Service_Detected
Inventory-Service_Change
Inventory-Service_Misc
Inventory-Operating_System_Detected
Inventory-Operating_System_Change
Inventory-Operating_System_Misc
Inventory-Mac_Detected
Inventory-Mac_Change
Inventory-Mac_Misc
Policy-Check_Failed
Policy-Check_Passed
Network-High_Load
Authentication-Error
Application-Web_Modified
Authentication-Misc
Application-DHCP_Release
Application-DHCP_Misc
Application-DHCP_Request
Application-DHCP_Lease
Application-DHCP_Pool_Exhausted
Application-DHCP_Error
System-Software_Installed
Honeypot-Connection_Opened
Honeypot-Attack_Detected
Honeypot-Connection_Closed
Honeypot-Misc
Application-DNS_Succesful_Zone_Tranfer
Application-DNS_Zone_Transfer_Failed
Application-DNS_Misc
Application-FTP_Command_Executed
Application-FTP_Error
Application-FTP_Connection_Opened
Application-FTP_Connection_Closed
Application-FTP_Misc
Database-Login
Database-Login_Failed
Database-Query
Database-Logout
Database-Stop
Database-Start
Database-Error
Database-Misc


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!




-- 
Darren Spruell
phatbuckett () gmail com

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault