Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] bleedingmalware sigs and severity

from [Caracal GH] Network Security [Permanent Link]
Subject: [Snort-sigs] bleedingmalware sigs and severity
Date: Tue, 28 Sep 2004 17:23:10 +0200 
(msgs 5 & 6)


Burak, Matt and David,
To resume, there is a choice to be done between in-rule prioritizing and 
classification.
But, the less burden for admins and the highest flexibility would be to ADD (do 
not shout at me, pls...) a new category. Leave existing trojan-activity and 
have a new one called, for example low-impact-trojan (or whatever you see fit). 
This will allow admins to simply edit the classification.config to add this new 
class and give the priority they want.

And do you use oink to update your living classification.config ? Do not you 
use a real classification.config that you update manually and another one which 
is oinked (but not used) just to see what changes are ongoing ? IMHO, should be 
the config of choice...

Best regards,

G. Hostettler - Caracal
Personal e-mail: ghostettler@caracal.ch


It would be much

Message: 5
Date: Tue, 28 Sep 2004 09:09:32 +0300
From: Burak DAYIOGLU <dayioglu@metu.edu.tr>
To: mjonkman@infotex.com
CC: David Glosser <david_glosser@yahoo.com>,
        snort-sigs mailinglist <snort-sigs@lists.sourceforge.net>
Subject: Re: [Snort-sigs] bleedingmalware sigs and severity

Matt Jonkman wrote:

David is correct, we will be putting priorities into all of the bleeding 
sigs, starting with the malware set. David has graciously volunteered to 
do the research to get them all prioritized. (Most of the bleeding 
admins don't use an analysis tool that pays attention to priorities, so 
we hadn't required them)

So going forward, if you post a rule try to prioritize it, or give us 
some idea of what the issue is so we can set one.


Please and please do not put priority labels to rules directly. Classify 
the rules and let the admins choose priority level of each and every 
class. If trojan-activity is less important for you decrease the 
priority level of the class from the classification configuration.

Or else we will be having headaches trying to match expectations of each 
and every sysadmin.

-bd


--__--__--

Message: 6
Date: Tue, 28 Sep 2004 06:46:45 -0400
From: David Glosser <david_glosser@yahoo.com>
Subject: Re: [Snort-sigs] bleedingmalware sigs and severity
To: Burak DAYIOGLU <dayioglu@metu.edu.tr>, mjonkman@infotex.com
Cc: snort-sigs mailinglist <snort-sigs@lists.sourceforge.net>

The problem with changing the classification level for trojan-activity is
that ALL
rules which use that category (such as subseven) will then have their
priority
lowered.


----- Original Message ----- 
From: "Burak DAYIOGLU" <dayioglu@metu.edu.tr>
To: <mjonkman@infotex.com>
Cc: "David Glosser" <david_glosser@yahoo.com>; "snort-sigs mailinglist"
<snort-sigs@lists.sourceforge.net>
Sent: Tuesday, September 28, 2004 2:09 AM
Subject: Re: [Snort-sigs] bleedingmalware sigs and severity



Matt Jonkman wrote:

David is correct, we will be putting priorities into all of the bleeding
sigs, starting with the malware set. David has graciously volunteered to
do the research to get them all prioritized. (Most of the bleeding
admins don't use an analysis tool that pays attention to priorities, so
we hadn't required them)

So going forward, if you post a rule try to prioritize it, or give us
some idea of what the issue is so we can set one.


Please and please do not put priority labels to rules directly. Classify
the rules and let the admins choose priority level of each and every
class. If trojan-activity is less important for you decrease the
priority level of the class from the classification configuration.

Or else we will be having headaches trying to match expectations of each
and every sysadmin.

-bd





--__--__--

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


End of Snort-sigs Digest


-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] |3B|id, Daniel Roelker
Next by Date:  Re: [Snort-sigs] bleedingmalware sigs and severity, Matt Jonkman
Previous by Thread:  Re: [Snort-sigs] bleedingmalware sigs and severity, Alex Butcher, ISC/ISYS
Next by Thread:  Re: [Snort-sigs] bleedingmalware sigs and severity, Matt Jonkman
Indexes:  [Date] [Thread] [Top] [All Lists]