
List:       oisf-announce
Subject:    [Oisf-announce] New Classification System Finalization
From:       jonkman () emergingthreatspro ! com (Matthew Jonkman)
Date:       2011-01-31 19:28:19
Message-ID: 7C2F62CF-F62D-4734-837A-B36D734E4D67 () emergingthreatspro ! com

As you may recall, Alienvault (http://www.alienvault.com), the home of OSSIM, has very generously offered to the snort and suricata communities the classification system they've developed to better categorize and react to IDS events. We're excited about this, especially in suricata, and we have already begun the changes required to allow us at Emerging Threats Pro and Emerging Threats Open to distribute the rulesets in both forms.

We had called an end to comments by Jan 12, but discussion has continued mostly privately. A few points to iron out yet:

1. Sourcefire has proposed to change all underscores to dashes.
I feel the underscores are an important differentiator. But older snorts may not handle that well. Suricata will handle them fine. But having differing systems is going to be a challenge of course.

2. Sourcefire also proposes to lower-case everything.
Shouldn't be a big deal if no one objects.

3. We also need to assign priorities to the events. Sourcefire in the link below has proposed how they might look. We need feedback there. Perhaps we put up a simple web app to let folks go through and prioritize and we can take the average over a few weeks of input?

-----------

Initial posts are here:
http://blog.emergingthreatspro.com/2010/12/new-classification-system-proposal.html

and here:
http://blog.snort.org/2011/01/classification-comments.html

The actual system is here as proposed by Alienvault:

http://www.emergingthreats.net/new_classifications_v1.txt

And a version proposed by Sourcefire. 
http://www.snort.org/assets/157/classifications.txt

-----------

I propose these steps as a way forward:

1. Let's get more feedback on the lists (the snort lists, the oisf lists, and the emerging lists).

2. We have an OISF brainstorming session at RSA in a week and a half (http://www.openinfosecfoundation.org/index.php/component/content/article/34-general-content/109-the-next-oisf-brainstorming-meeting). This is on the agenda there; let's get some more discussion and we will summarize this on the lists.

Let's call the end of February the final date, adopt an official classification.conf and move forward!

Matt



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
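The three open points above (underscores vs dashes, lower-casing, and per-class priorities) all come down to what ends up in classification.conf and whether every rule's classtype still resolves against it. The script below is an added example, not code from this post or from Emerging Threats, OISF, Sourcefire or Alienvault. It uses the real Snort/Suricata line format (`config classification: shortname,short description,priority`) and the real `classtype:` rule option; the sample config lines and rules are constructed for the example, and the two normalizations are the proposals from the post, applied to both the config and the rules so a mixed convention can be checked before it ships.

```python
"""Check a Snort/Suricata classification.conf against the rules that reference it.

Added example, not from the mailing-list post or any of the projects it names.
Real format: 'config classification: shortname,short description,priority'.
Sample config and rules below are CONSTRUCTED for this example.
"""
import re

# Constructed sample mixing case and underscores, like the two open proposals.
SAMPLE_CLASSIFICATION_CONF = """\
# comment line
config classification: trojan-activity,A Network Trojan was detected,1
config classification: Policy_Violation,Potential Corporate Privacy Violation,1
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: WEB_Application_Attack,Web Application Attack,1
"""

# Constructed rules; sids in the 9000000 range are placeholders, not real rules.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"CONSTRUCTED example 1"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED example 2"; classtype:Policy_Violation; sid:9000002; rev:1;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED example 3"; classtype:unknown-class; sid:9000003; rev:1;)
"""

CLASS_LINE = re.compile(
    r"^\s*config\s+classification:\s*(?P<name>[^,]+),(?P<desc>[^,]*),(?P<prio>\d+)\s*$"
)
CLASSTYPE_OPT = re.compile(r"classtype:\s*([^;]+);")
SID_OPT = re.compile(r"\bsid:\s*(\d+);")


def normalize_name(name, lowercase=True, dashes=True):
    """Apply the two proposed normalizations to a classtype short name."""
    name = name.strip()
    if lowercase:
        name = name.lower()
    if dashes:
        name = name.replace("_", "-")
    return name


def parse_classification_conf(text, lowercase=True, dashes=True):
    """Return {normalized_name: (description, priority)}, skipping comments and blanks.

    Raises ValueError on a malformed line or on two names that collide once
    normalized (e.g. 'Policy_Violation' and 'policy-violation').
    """
    classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLASS_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed classification line: {line!r}")
        name = normalize_name(m["name"], lowercase, dashes)
        if name in classes:
            raise ValueError(f"line {lineno}: duplicate classtype after normalization: {name}")
        classes[name] = (m["desc"].strip(), int(m["prio"]))
    return classes


def check_rules(rules_text, classes, lowercase=True, dashes=True):
    """Return [(sid, classtype)] for rules whose classtype is not defined.

    The rule side is normalized with the same settings, so the check answers
    'would this ruleset still load against this conf under this convention'.
    """
    missing = []
    for line in rules_text.splitlines():
        ct = CLASSTYPE_OPT.search(line)
        if not ct:
            continue
        sid_m = SID_OPT.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        name = normalize_name(ct.group(1), lowercase, dashes)
        if name not in classes:
            missing.append((sid, name))
    return missing


def priority_histogram(classes):
    """Count classtypes per priority, to eyeball a proposed priority assignment."""
    hist = {}
    for _, prio in classes.values():
        hist[prio] = hist.get(prio, 0) + 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    classes = parse_classification_conf(SAMPLE_CLASSIFICATION_CONF)
    for name, (desc, prio) in classes.items():
        print(f"config classification: {name},{desc},{prio}")
    print("priorities:", priority_histogram(classes))
    for sid, name in check_rules(SAMPLE_RULES, classes):
        print(f"sid {sid}: classtype {name!r} is not defined in classification.conf")
```

Run it against a real classification.conf and rules file by swapping the two constructed strings for file contents; pass `lowercase=False, dashes=False` to see how the same files behave on an engine that keeps names verbatim, and watch for the duplicate error, which is exactly the case where an underscore variant and a dash variant of one class would collapse into each other once a lower-case, dash-only convention is adopted.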


