Dave,
BTW, snort ships with policy-violations set to Priority 1.
So for people using it "as is" as a first taste, they will get *many"
alerts...
May I suggest that both "low impact" trojans (and pests) as well as some
"low damage" viruses
detection rules be put into their own category. Be it named
"low-impact-whatever" or any other
"good" name. Suggest "low-impact-malware" which is more general.
And, Caracal is just the name of my company.
Mine is Gregoire. Or Greg.
"Dave, is it you ?"
HAL9000.
(Sorry, it was too tempting, won't do it again)
----- Original Message -----
From: "David Glosser" <david_glosser@yahoo.com>
To: <mjonkman@infotex.com>; "Brian" <bmc@snort.org>
Cc: <mjonkman@infotex.com>; "Caracal GH" <ghostettler@caracal.ch>;
<snort-sigs@lists.sourceforge.net>
Sent: Wednesday, September 29, 2004 4:19 AM
Subject: Re: [Snort-sigs] bleedingmalware sigs and severity
Using a different classification for low-impact malware was one of the
options
Matt & I discussed. If it achieves the same goal, then I'm all for it. I
get paged
with high priority alerts and emailed once a day for medium and lower
priority...
As long as I don't get paged dozens of times a day for weatherbug
anymore..... ;)
1. Should a new catagory be made (low-impact-trojan, as suggested by
Caracal?
If so, should it
a) be added to the classification.config file? or
b) be added to a "local-classification.config" or
"bleeding-classification.config" file?
or
2) Use a lower-priority category, such as policy-violations?
Thanks
Dave
<--- snip --->
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
