[Snort-users] request for new Classification?
Rich Adamson 2004-09-22, 10:25 pm
What's the proper way to request new Classification strings for the
classification.config file?
Would like to see something that describes 'very serious activity'
that needs to be escalated and resolved ASAP. For example, while
sniffing traffic on a DMZ where only https should reside, I'd like
to alert on ftp, telnet, or other rather generic protocols that should
_never_ occur (could be inbound or outbound).
On the backend of the alerting process, I'd like to initiate pager
alerts based on keywords, etc. Fully understand the keywords can be
part of the Msg, but none of the Classifications suggest anything
as serious as what might be happening.
Thoughts?
Rich
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
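As an added illustration of the local approach (not code from the original thread or from the Snort distribution): a new class in classification.config plus local rules that use it. The class name dmz-escalate, the variable $DMZ_NET and the sids are assumptions chosen for this example.

```snort
# classification.config (Snort 2.x). Syntax of each entry:
#   config classification: shortname,short description,priority
# Priority 1 is the most severe, the same level as the stock attempted-admin class.
# The class below is assumed for this example; it is not in the stock file.
config classification: dmz-escalate,Protocol Forbidden on DMZ - Escalate Immediately,1

# local.rules: cleartext protocols that must never appear on an https-only DMZ,
# in either direction. $DMZ_NET is assumed; define it in snort.conf, e.g.
#   var DMZ_NET 192.0.2.0/24
# sids from 1000000 upward are reserved for locally written rules.
alert tcp any any -> $DMZ_NET 21 (msg:"DMZ POLICY inbound ftp to https-only segment"; \
    flow:to_server,established; classtype:dmz-escalate; sid:1000001; rev:1;)
alert tcp $DMZ_NET any -> any 21 (msg:"DMZ POLICY outbound ftp from https-only segment"; \
    flow:to_server,established; classtype:dmz-escalate; sid:1000002; rev:1;)
alert tcp any any -> $DMZ_NET 23 (msg:"DMZ POLICY inbound telnet to https-only segment"; \
    flow:to_server,established; classtype:dmz-escalate; sid:1000003; rev:1;)
alert tcp $DMZ_NET any -> any 23 (msg:"DMZ POLICY outbound telnet from https-only segment"; \
    flow:to_server,established; classtype:dmz-escalate; sid:1000004; rev:1;)
```

With fast alert output (-A fast) each hit carries "[Classification: Protocol Forbidden on DMZ - Escalate Immediately] [Priority: 1]", so a backend pager script can key on the class or priority instead of on words in the msg.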
Rich Adamson 2004-09-22, 10:25 pm
Yes, I know. But to further advance snort, it would seem to be
appropriate to add other classifications for the entire community.
------------------------
> Do you know you can edit the classification.config file yourself?
>
> J
>
> -----Original Message-----
> What's the proper way to request new Classification strings for the
> classification.config file?
>
> Would like to see something that describes 'very serious activity' that
> needs to be escalated and resolved ASAP. For example, while sniffing
> traffic on a DMZ where only https should reside, I'd like to alert on
> ftp, telnet, or other rather generic protocols that should _never_ occur
> (could be inbound or outbound).
>
> On the backend of the alerting process, I'd like to initiate pager
> alerts based on keywords, etc. Fully understand the keywords can be part
> of the Msg, but none of the Classifications suggest anything as serious
> as what might be happening.
>
> Thoughts?
>
> Rich