Scarily enough, I'm apt to agree with Brian here. (Mark the date, might
not happen again :) )
I recall now the discussions way back when on why priority is available
in a rule and as a class-type setting.
Thinking we shouldn't mess with the priorities locally, but make
available a good how-to for using oinkmaster to do so. It'd be
relatively simple to do so with the oink.
We should look at putting the less critical malware and spyware rules
into classifications other than trojan-activity. Maybe start calling
them policy violations.
Matt
Brian wrote:
On Tue, Sep 28, 2004 at 12:24:58PM -0500, Matt Jonkman wrote:
How about this: We add an individual priority up or down for those rules
that are out of the norm for the trojan-activity and leave the rest alone?
For one, that's less work for me. :) But it also lets us note that some
types of trojan-activity are higher risk than others.
That sit well with everyone that uses priorities?
You are missing the point of priority done via classifications. Your
priority system might be totally different than someone elses.
Snort currently ships with:
high = 1
medium = 2
low = 3
Many people set the priorities via classification to something totally
different.
high = 100
medium = 50
low = 0
If you set the priority to "1" because you think a specific rule is of
high priority, you have just fucked the priority up pretty badly for
those that use classification to assign priorities with a different
priority set.
Brian
--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
