
[Snort-sigs] I have questions to ask for advice

Subject: [Snort-sigs] I have questions to ask for advice
Date: Thu, 11 May 2006 14:48:08 +0800
 
Dear all mailing list members:

I study at Cheng Kung University, located in Taiwan. I want to research Snort
rules, specifically rule classification, and have two questions to ask for
advice.

1. I looked through the Snort rules, which have a file named
classification.config with thirty-four class-types. I have classified them
into five types that I named myself, but I am not sure that my mapping of the
thirty-four class-types to the five types is correct. The five types are
exploration, break in, escalation, DOS and error message, and those are the
types I need. Could you give me some advice on which class-types are in the
wrong position (e.g. "kickass-porn" is not exploration but another type)?

2. The other question is that there are original priorities of 1 to 4 in
classification.config, but I want to classify these class-types into, say,
1 to 6 levels. How can I classify priorities in more detail? Or which
documents can I research?

Thanks very much for your help.    Erci Chen


1. exploration:
       Someone wants to explore weaknesses or just scan the host to get some
       information.

2. break in:
       The attacker uses some tools or techniques to break into the victim host.

3. escalation:
       Once the attacker is on the victim host, whether he broke in or not, he
       can modify some contents or limits of authority, or control this victim
       host to attack another host.

4. DOS:
       All denial of service.

5. error message:
       Some unknown, bad or not-suspicious traffic.


1. exploration

   Original classtype              Original priority
   kickass-porn                    1
   web-application-attack          1
   attempted-recon                 2
   rpc-portmap-decode              2
   successful-recon-largescale     2
   successful-recon-limited        2
   network-scan                    3
   protocol-command-decode         3

2. break in

   Original classtype              Original priority
   policy-violation                1
   default-login-attempt           2
   misc-attack                     2
   suspicious-login                2

3. escalation

   Original classtype              Original priority
   attempted-admin                 1
   shellcode-detect                1
   unsuccessful-user               1
   successful-admin                1
   trojan-activity                 1
   attempted-user                  1
   successful-user                 1
   unusual-client-port-connection  2
   system-call-detect              2
   web-application-activity        2
   string-detect                   3
   misc-activity                   3

4. DOS

   Original classtype              Original priority
   attempted-dos                   2
   denial-of-service               2
   successful-dos                  2

5. error message

   Original classtype              Original priority
   non-standard-protocol           2
   bad-unknown                     2
   suspicious-filename-detect      2
   not-suspicious                  3
   unknown                         3
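Added example, not part of the original post and not Snort's own code: a Python script that reads lines in the syntax classification.config actually uses ("config classification: name,description,priority"), assigns each classtype to one of the five groups from the tables above, and emits replacement lines carrying a six-level priority. Snort takes the third field as an integer default and a rule's own priority: keyword overrides it, so a regraded file can be dropped in as-is. The group mapping is copied from the post's tables (a subset, to keep the example short); the offsets that stretch 1..4 into 1..6 (demoting the exploration, DOS and error-message groups, and putting "attempted-" classtypes one level below their "successful-" counterparts) are an illustrative assumption, and the config excerpt is constructed for the example.

```python
"""Regrade Snort classtypes from the stock 1..4 priorities into 1..6.

Added example; the grouping follows the post's tables, the six-level
formula is an assumption made for illustration.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed excerpt in classification.config syntax. The priorities are
# the stock Snort 2.x values for these classtypes.
CLASSIFICATION_CONF = """\
# comment lines and blank lines are skipped
config classification: attempted-recon,Attempted Information Leak,2
config classification: network-scan,Detection of a Network Scan,3
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: shellcode-detect,Executable code was detected,1
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
"""

# Five groups from the post (subset of its tables).
GROUP_OF: Dict[str, str] = {
    "attempted-recon": "exploration",
    "network-scan": "exploration",
    "policy-violation": "break in",
    "attempted-admin": "escalation",
    "successful-admin": "escalation",
    "shellcode-detect": "escalation",
    "attempted-dos": "DOS",
    "successful-dos": "DOS",
    "not-suspicious": "error message",
    "unknown": "error message",
}

# Assumed offsets: levels each group is demoted relative to the stock
# priority (1 is most severe). Escalation and break-in keep the stock value.
GROUP_OFFSET: Dict[str, int] = {
    "escalation": 0, "break in": 0, "DOS": 1, "exploration": 1, "error message": 2,
}

LINE_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")


class ClassType(NamedTuple):
    name: str
    description: str
    priority: int


def parse_classification(text: str) -> List[ClassType]:
    """Parse 'config classification:' lines; reject anything else loudly."""
    entries: List[ClassType] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a classification line: {line!r}")
        entries.append(ClassType(m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return entries


def refined_priority(ct: ClassType) -> int:
    """Map a stock 1..4 priority onto 1..6 using the group and attempt/success."""
    if ct.name not in GROUP_OF:
        raise ValueError(f"classtype {ct.name!r} is not mapped to a group")
    level = ct.priority + GROUP_OFFSET[GROUP_OF[ct.name]]
    if ct.name.startswith("attempted-"):
        level += 1          # an attempt ranks one level below its success
    return max(1, min(6, level))


def regrade_map(text: str) -> Dict[str, int]:
    """Classtype name -> six-level priority."""
    return {ct.name: refined_priority(ct) for ct in parse_classification(text)}


def regrade(text: str) -> List[str]:
    """Replacement classification.config lines with the six-level priority."""
    return [f"config classification: {ct.name},{ct.description},{refined_priority(ct)}"
            for ct in parse_classification(text)]


if __name__ == "__main__":
    for out in regrade(CLASSIFICATION_CONF):
        print(out)
```

Run it against a full classification.config only after extending GROUP_OF to all thirty-four classtypes; the deliberate ValueError on an unmapped name is what stops a half-finished mapping from silently inheriting the stock priority.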
