We haven't at bleeding done any alteration to priority so far, not in
rules or in the classification.config.
How about this: We add an individual priority up or down for those rules
that are out of the norm for the trojan-activity and leave the rest alone?
For one, that's less work for me. :) But it also lets us note that some
types of trojan-activity are higher risk than others.
That sit well with everyone that uses priorities?
Matt
Caracal GH wrote:
(msgs 5 & 6)
Burak, Matt and David,
To resume, there is a choice to be done between in-rule prioritizing and
classification.
But, the less burden for admins and the highest flexibility would be to ADD (do
not shout at me, pls...) a new category. Leave existing trojan-activity and
have a new one called, for example low-impact-trojan (or whatever you see fit).
This will allow admins to simply edit the classification.config to add this new
class and give the priority they want.
And do you use oink to update your living classification.config ? Do not you
use a real classification.config that you update manually and another one which
is oinked (but not used) just to see what changes are ongoing ? IMHO, should be
the config of choice...
Best regards,
G. Hostettler - Caracal
Personal e-mail: ghostettler@caracal.ch
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
