Re: [Snort-sigs] bleedingmalware sigs and severity

Caracal GH wrote:
> Burak, Matt and David,
> To resume, there is a choice to be done between in-rule prioritizing and 
> classification.
> But, the less burden for admins and the highest flexibility would be to ADD (do 
> not shout at me, pls...) a new category. Leave existing trojan-activity and 
> have a new one called, for example low-impact-trojan (or whatever you see fit). 
> This will allow admins to simply edit the classification.config to add this new 
> class and give the priority they want.

I totally agree with your suggestion, I was so panicked that I didn't 
even think about suggesting a solution but just yelled. Trojans *may* be 
grouped in two priority classes better the SigNazi (<wink>) choose the 
best names if he acknowledges the requirement.

> And do you use oink to update your living classification.config ? Do not you use a real classification.config that you update manually and another one which is oinked (but not used) just to see what changes are ongoing ? IMHO, should be the config of choice...

yes. ;)

-bd


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs