Home page logo

snort logo Snort mailing list archives

classification.config regression?
From: Gregory S Thomas <greg.thomas () pnnl gov>
Date: Fri, 24 May 2013 16:20:51 -0700

The classification.config file in the snort source tarball changed in (and has the same one as  Most of the changes are simply in capitalization, but it also removes 3 classifications that were introduced 
in 2.9.1 (file-format, malware-cnc, and client-side-exploit):

shell> diff snort- snort-
< config classification: shellcode-detect,Executable code was detected,1
< config classification: string-detect,A suspicious string was detected,3
< config classification: suspicious-filename-detect,A suspicious filename was detected,2
< config classification: suspicious-login,An attempted login using a suspicious username was detected,2
< config classification: system-call-detect,A system call was detected,2
< config classification: tcp-connection,A TCP connection was detected,4
< config classification: trojan-activity,A Network Trojan was detected, 1
< config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: shellcode-detect,Executable Code was Detected,1
config classification: string-detect,A Suspicious String was Detected,3
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
config classification: system-call-detect,A System Call was Detected,2
config classification: tcp-connection,A TCP Connection was Detected,4
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
< config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
< config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
< config classification: default-login-attempt,Attempt to login by a default username and password,2
< config classification: sdf,Senstive Data,2
< config classification: file-format,Known malicious file or file based exploit,1
< config classification: malware-cnc,Known malware command and control traffic,1
< config classification: client-side-exploit,Known client side exploit attempt,1
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
config classification: sdf,Sensitive Data was Transmitted Across the Network,2

This latest classification.config causes snort to exit during startup when it encounters a (custom) rule that uses one 
of the now-missing classifications.  Will you restore the previous classification.config (from in the next 
release, or are we supposed to modify our rules?


Greg Thomas

Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]