Snort - the de facto standard for intrusion detection/prevention

Format

classtype: <class name>;
Attack classifications defined by Snort reside in the classification.config file. The file uses the following syntax:

config classification:  <class name>,<class description>,<default priority>
These attack classifications are listed in the table below. They are currently ordered with 3 default priorities. A priority of 1 (high) is the most severe and 3 (low) is the least severe.

Table: Snort Default Classifications

Classtype                       Description                                                  Priority
attempted-admin                 Attempted Administrator Privilege Gain                       high
attempted-user                  Attempted User Privilege Gain                                high
kickass-porn                    SCORE! Get the lotion!                                       high
policy-violation                Potential Corporate Privacy Violation                        high
shellcode-detect                Executable code was detected                                 high
successful-admin                Successful Administrator Privilege Gain                      high
successful-user                 Successful User Privilege Gain                               high
trojan-activity                 A Network Trojan was detected                                high
unsuccessful-user               Unsuccessful User Privilege Gain                             high
web-application-attack          Web Application Attack                                       high
attempted-dos                   Attempted Denial of Service                                  medium
attempted-recon                 Attempted Information Leak                                   medium
bad-unknown                     Potentially Bad Traffic                                      medium
default-login-attempt           Attempt to login by a default username and password          medium
denial-of-service               Detection of a Denial of Service Attack                      medium
misc-attack                     Misc Attack                                                  medium
non-standard-protocol           Detection of a non-standard protocol or event                medium
rpc-portmap-decode              Decode of an RPC Query                                       medium
successful-dos                  Denial of Service                                            medium
successful-recon-largescale     Large Scale Information Leak                                 medium
successful-recon-limited        Information Leak                                             medium
suspicious-filename-detect      A suspicious filename was detected                           medium
suspicious-login                An attempted login using a suspicious username was detected  medium
system-call-detect              A system call was detected                                   medium
unusual-client-port-connection  A client was using an unusual port                           medium
web-application-activity        Access to a potentially vulnerable web application           medium
icmp-event                      Generic ICMP event                                           low
misc-activity                   Misc activity                                                low
network-scan                    Detection of a Network Scan                                  low
not-suspicious                  Not Suspicious Traffic                                       low
protocol-command-decode         Generic Protocol Command Decode                              low
string-detect                   A suspicious string was detected                             low
unknown                         Unknown Traffic                                              low
tcp-connection                  A TCP connection was detected                                very low

Figure: Example Classtype Rules

alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx...
...nt:"expn root"; nocase; classtype:attempted-recon;)
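As an added example (not part of the Snort manual or of Snort itself), the following Python script parses classification.config lines of the syntax shown above, then checks a set of rules for classtype references that are missing or not defined in the config, and reports the priority each rule will carry: an explicit priority option overrides the classtype default. The sample config entries, rules and SIDs are constructed for illustration; the function names and the simplified rule-option splitting are assumptions of this example, not Snort APIs.

```python
"""Validate classtype references in Snort rules against classification.config.

Added example, not from the Snort manual. The sample config entries and rules
below are constructed; function names here are not Snort APIs.
"""
import re

# Constructed sample of classification.config, using the manual's syntax:
# config classification: <class name>,<class description>,<default priority>
SAMPLE_CLASSIFICATION_CONFIG = """\
# Comments and blank lines are ignored
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: tcp-connection,A TCP connection was detected,4
"""

# Constructed sample rules; the SIDs are placeholders, not real Snort rule ids
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"WEB-ATTACK sample"; content:"/etc/passwd"; classtype:web-application-attack; sid:1000001;)
alert tcp any any -> any 25 (msg:"SMTP expn root"; content:"expn root"; nocase; classtype:attempted-recon; sid:1000002;)
alert tcp any any -> any 22 (msg:"no classtype at all"; sid:1000003;)
alert tcp any any -> any 21 (msg:"typo in classtype"; classtype:attemped-recon; sid:1000004;)
alert tcp any any -> any 23 (msg:"explicit priority wins"; classtype:misc-activity; priority:1; sid:1000005;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")


def parse_classifications(text):
    """Return {class name: (description, default priority)} from config text."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if not m:
            raise ValueError("unparseable classification line: %r" % line)
        name, desc, prio = m.group(1).strip(), m.group(2).strip(), int(m.group(3))
        classes[name] = (desc, prio)
    return classes


def rule_options(rule):
    """Split the option body 'a:b; c; d:e;' into a dict (flag options map to None).

    Simplification (assumption): option values are taken not to contain ';'.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for part in body.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition(":")
        opts.setdefault(key.strip(), val.strip() or None)
    return opts


def check_rules(rules_text, classes):
    """Yield (sid, classtype, effective priority, finding) for each rule.

    An explicit 'priority' option overrides the classtype's default priority.
    Rules with no classtype, or with one absent from classification.config,
    are flagged so the analyst can fix the rule or the config.
    """
    for rule in rules_text.splitlines():
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        opts = rule_options(rule)
        sid = opts.get("sid")
        ctype = opts.get("classtype")
        explicit = int(opts["priority"]) if opts.get("priority") else None
        if ctype is None:
            yield (sid, None, explicit, "missing classtype")
        elif ctype not in classes:
            yield (sid, ctype, explicit, "unknown classtype")
        else:
            yield (sid, ctype, explicit if explicit else classes[ctype][1], "ok")


def findings(rules_text=SAMPLE_RULES, config_text=SAMPLE_CLASSIFICATION_CONFIG):
    """Run the check over the constructed samples and return the findings list."""
    return list(check_rules(rules_text, parse_classifications(config_text)))


if __name__ == "__main__":
    for sid, ctype, prio, note in findings():
        print("sid %s classtype=%s priority=%s %s" % (sid, ctype, prio, note))
```

Pointing the script at a real classification.config and rules file is a cheap sanity check before a ruleset is loaded: a misspelled classtype silently loses the priority the author intended, which skews any alert triage that sorts on priority.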


Steven Sturges 2007-10-04