90    Chapter 3    Working with Snort Rules
The name is the label given to the classification; it is the value you supply to the
classtype keyword in Snort rules. The description is a short description of the class
type. The priority is a number giving the default priority of the classification, which can
be overridden with the priority keyword in the rule options. These lines can also be
placed in the snort.conf file. An example of this configuration parameter is as
follows:
config classification: DoS,Denial of Service Attack,2
In the above line the classification is DoS and the priority is 2. In Chapter 6, you
will see that classifications are used in ACID,² a web-based tool for analyzing
Snort alert data. Now let us use this classification in a rule. The following rule uses
the default priority of the DoS classification:
alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; \
   content: "server";  classtype:DoS;)
The following is the same rule, but here the default priority of the classification is
overridden by an explicit priority keyword (note that every option, including the last,
ends with a semicolon):
alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; \
   content: "server";  classtype:DoS; priority:1;)
Using classifications and priorities for rules and alerts, you can distinguish
between high-risk and low-risk alerts. This feature is very useful when you want to escalate
high-risk alerts or want to look at them first.
NOTE  Lower priority numbers indicate higher-priority alerts.
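As an added example (not code from the book or from Snort itself), the following Python script parses "config classification:" lines and Snort rules of the form shown above and computes each rule's effective priority exactly as the text describes: an explicit priority keyword wins, otherwise the classification's default applies, and lower numbers rank first. The classification lines and rules embedded in the script are constructed for this example (only the DoS line and the two DoS rules come from the chapter), and all function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of "config classification:" lines. The DoS line is the one
# quoted in the chapter; the other two are invented for this example.
CLASSIFICATION_TEXT = """\
# comments and blank lines are ignored
config classification: DoS,Denial of Service Attack,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# Constructed sample rules, using the chapter's backslash line continuation.
RULES_TEXT = """\
alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; \\
   content: "server"; classtype:DoS;)
alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS override"; \\
   content: "server"; classtype:DoS; priority:1;)
alert tcp any any -> any 80 (msg:"admin"; content:"cmd.exe"; classtype:attempted-admin;)
alert tcp any any -> any 22 (msg:"no classtype"; content:"SSH-1.99";)
"""


@dataclass
class Classification:
    name: str
    description: str
    priority: int  # default priority for rules of this classtype; lower = more urgent


@dataclass
class Rule:
    header: str                               # action, protocol, addresses and ports
    options: List[Tuple[str, Optional[str]]]  # (keyword, value) pairs in rule order

    def option(self, key: str) -> Optional[str]:
        """Value of the first option named key, or None if the rule lacks it."""
        return next((v for k, v in self.options if k == key), None)

    @property
    def msg(self) -> str:
        return (self.option("msg") or "").strip('"')


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    out, cur = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            cur += line[:-1] + " "
            continue
        cur = (cur + line).strip()
        if cur and not cur.startswith("#"):
            out.append(cur)
        cur = ""
    return out


CLASS_RE = re.compile(r"^config\s+classification:\s*(.+)$")


def parse_classifications(text: str) -> Dict[str, Classification]:
    """Parse 'config classification: name,description,priority' directives."""
    classes: Dict[str, Classification] = {}
    for line in logical_lines(text):
        m = CLASS_RE.match(line)
        if not m:
            continue  # some other directive; ignore it
        name, rest = m.group(1).split(",", 1)
        desc, prio = rest.rsplit(",", 1)  # the description may itself contain commas
        classes[name.strip()] = Classification(name.strip(), desc.strip(), int(prio))
    return classes


def split_options(body: str) -> List[str]:
    """Split a rule option body on ';' outside double quotes, honouring backslash escapes."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)  # tolerate a missing final ';' (the chapter's rules include it)
    return [p for p in parts if p]


def parse_rules(text: str) -> List[Rule]:
    """Parse rules into header text plus (keyword, value) option pairs."""
    rules = []
    for line in logical_lines(text):
        open_i, close_i = line.find("("), line.rfind(")")
        if open_i < 0 or close_i < open_i:
            raise ValueError(f"rule without option parentheses: {line}")
        opts = []
        for opt in split_options(line[open_i + 1:close_i]):
            key, sep, val = opt.partition(":")
            opts.append((key.strip(), val.strip() if sep else None))
        rules.append(Rule(line[:open_i].strip(), opts))
    return rules


def effective_priority(rule: Rule, classes: Dict[str, Classification]) -> Optional[int]:
    """An explicit priority keyword wins; otherwise the classtype default; None if neither."""
    explicit = rule.option("priority")
    if explicit is not None:
        return int(explicit)
    ctype = rule.option("classtype")
    if ctype is None:
        return None
    if ctype not in classes:
        raise ValueError(f"unknown classtype {ctype!r}: not defined by any config classification line")
    return classes[ctype].priority


def rank_rules(rules: List[Rule], classes: Dict[str, Classification]) -> List[Tuple[str, Optional[int]]]:
    """Order (msg, priority) pairs most urgent first; rules with no priority go last."""
    ranked = [(r.msg, effective_priority(r, classes)) for r in rules]
    return sorted(ranked, key=lambda mp: (mp[1] is None, mp[1] or 0))


if __name__ == "__main__":
    for msg, prio in rank_rules(parse_rules(RULES_TEXT), parse_classifications(CLASSIFICATION_TEXT)):
        print(f"priority {prio!s:>4}  {msg}")
```

Run as a script it prints the constructed rules in escalation order: the two priority-1 rules first, then the DoS rule that inherits priority 2 from its classification, and last the rule that sets neither classtype nor priority. A rule naming a classtype with no matching config classification line raises an error rather than silently getting no priority, which is the failure mode to watch for when you add classifications of your own.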
If you look at the ACID browser window, discussed in Chapter 6, you will see
the classification screens shown in Figure 3-3. The second column in the middle part
of the screen displays the different classifications of the captured data.
Other tools also use the classification keyword to prioritize intrusion detection
data. A typical classification.config file is shown below. This file is distributed
with Snort 1.9.0. You can add your own classifications to this file and use them
in your own rules.
2. ACID stands for Analysis Console for Intrusion Databases. It provides a web-based user interface to
analyze data generated by Snort.