classification.config

   1 # $Id$
   2 # classification.config taken from Snort 2.8.5.3. Snort is governed by the GPLv2
   3 #
   4 # The following includes information for prioritizing rules
   5 #
   6 # Each classification includes a shortname, a description, and a default
   7 # priority for that classification.
   8 #
   9 # This allows alerts to be classified and prioritized.  You can specify
  10 # what priority each classification has.  Any rule can override the default
  11 # priority for that rule.
  12 #
  13 # Here are a few example rules:
  14 #
  15 #   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
  16 #       dsize: > 128; classtype:attempted-admin; priority:10;
  17 #
  18 #   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
  19 #             content:"expn root"; nocase; classtype:attempted-recon;)
  20 #
  21 # The first rule will set its type to "attempted-admin" and override
  22 # the default priority for that type to 10.
  23 #
  24 # The second rule set its type to "attempted-recon" and set its
  25 # priority to the default for that type.
  26 #
  27
  28 #
  29 # config classification:shortname,short description,priority
  30 #
  31
  32 config classification: not-suspicious,Not Suspicious Traffic,3
  33 config classification: unknown,Unknown Traffic,3
  34 config classification: bad-unknown,Potentially Bad Traffic, 2
  35 config classification: attempted-recon,Attempted Information Leak,2
  36 config classification: successful-recon-limited,Information Leak,2
  37 config classification: successful-recon-largescale,Large Scale Information Leak,2
  38 config classification: attempted-dos,Attempted Denial of Service,2
  39 config classification: successful-dos,Denial of Service,2
  40 config classification: attempted-user,Attempted User Privilege Gain,1
  41 config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
  42 config classification: successful-user,Successful User Privilege Gain,1
  43 config classification: attempted-admin,Attempted Administrator Privilege Gain,1
  44 config classification: successful-admin,Successful Administrator Privilege Gain,1
  45
  46
  47 # NEW CLASSIFICATIONS
  48 config classification: rpc-portmap-decode,Decode of an RPC Query,2
  49 config classification: shellcode-detect,Executable code was detected,1
  50 config classification: string-detect,A suspicious string was detected,3
  51 config classification: suspicious-filename-detect,A suspicious filename was detected,2
  52 config classification: suspicious-login,An attempted login using a suspicious username was detected,2
  53 config classification: system-call-detect,A system call was detected,2
  54 config classification: tcp-connection,A TCP connection was detected,4
  55 config classification: trojan-activity,A Network Trojan was detected, 1
  56 config classification: unusual-client-port-connection,A client was using an unusual port,2
  57 config classification: network-scan,Detection of a Network Scan,3
  58 config classification: denial-of-service,Detection of a Denial of Service Attack,2
  59 config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
  60 config classification: protocol-command-decode,Generic Protocol Command Decode,3
  61 config classification: web-application-activity,access to a potentially vulnerable web application,2
  62 config classification: web-application-attack,Web Application Attack,1
  63 config classification: misc-activity,Misc activity,3
  64 config classification: misc-attack,Misc Attack,2
  65 config classification: icmp-event,Generic ICMP event,3
  66 config classification: kickass-porn,SCORE! Get the lotion!,1
  67 config classification: policy-violation,Potential Corporate Privacy Violation,1
  68 config classification: default-login-attempt,Attempt to login by a default username and password,2