Thursday, December 23, 2010

New Proposed Classification.config file setup

I know we are all in the Holiday Season, so here is one last item for you all to look over while you are roasting in front of the fire.

Recently on the Emerging-Threats mailing list, Matt Jonkman proposed a new classification system to replace the aging Snort classification system that has been in use for years. We saw this as a good idea and, after some internal discussion, decided to head in the same direction.

So we propose the following classification.config system to the community for comment, and we want to hear your feedback, especially on the descriptions and priorities. I'll assemble all the comments on January 12th (a date suggested by Matt Jonkman) and create a new classification.config file, which we will then include in the official Snort tarball and in the VRT rules tarball.

We've made two major changes to the classification system as proposed on the Emerging-Threats list:
  1. We've converted all underscores to hyphens.
  2. We've made everything lowercase.

This was done to ensure compatibility with existing output modules (barnyard2, unified, unified2, barnyard, SnortUnified.pm, etc.), GUIs (BASE, Snorby, Placid, etc.), and Snort's own internal parsers.

The proposed classification.config configuration parameters are available for download at
http://www.snort.org/assets/157/classifications.txt, and are pasted below. Please leave comments on the blog, and we'll assemble them into a final product:


config classification: exploit-shellcode, A known shellcode payload was detected,1
config classification: exploit-sql-injection, A known SQL injection attack was detected,1
config classification: exploit-browser, A known client-side browser exploit was detected,1
config classification: exploit-activex, A known client-side ActiveX exploit was detected,1
config classification: exploit-command-execution, A known command execution exploit was detected,1
config classification: exploit-cross-site-scripting, A known cross-site scripting (XSS) attack was detected,2
config classification: exploit-ftp, A known exploit targeting ftp servers or clients was detected,1
config classification: exploit-file-inclusion, A known file inclusion attack was detected,2
config classification: exploit-windows, A known attack targeting Windows systems was detected,1
config classification: exploit-directory-traversal, A directory traversal attack was detected,2
config classification: exploit-attack-response, A known string indicating a host has been compromised was detected,1
config classification: exploit-denial-of-service, A known DoS or DDoS packet payload was detected,2
config classification: exploit-pdf, A known exploit targeting PDF files was detected,1
config classification: exploit-buffer-overflow, A known exploit using a buffer overflow was detected,1
config classification: exploit-spoofing, A known spoofing attack was detected,3
config classification: exploit-format-string, A known exploit utilizing a format string overflow was detected,1
config classification: exploit-misc, A known exploit targeting an unclassified system was detected,2
config classification: exploit-dns, A known exploit targeting DNS systems was detected,1
config classification: exploit-mail, A known exploit targeting Mail servers was detected,1
config classification: exploit-samba, A known exploit targeting Samba servers or clients was detected,1
config classification: exploit-linux, A known exploit targeting Linux based systems was detected,1
config classification: authentication-bruteforce, An attempt to bruteforce usernames and passwords was detected,2
config classification: authentication-bypass, An attempt to bypass login authentication was detected,2
config classification: authentication-login, A login attempt to any service or system was detected,4
config classification: authentication-failed, A failed login attempt was detected,4
config classification: authentication-cleartext, An authentication request was detected in plain text,4
config classification: authentication-logout, A logout request was detected,4
config classification: authentication-disclosure, During an authentication request the username or password was disclosed,4
config classification: authentication-default-credentials, An attempt to login with publicly known default usernames or passwords was detected,4
config classification: access-web-application-access, A known web application was accessed,4
config classification: access-file-access, A known default file was accessed,4
config classification: access-misc, What is an Access-Misc,4
config classification: malware-spyware, A known Spyware application was detected,2
config classification: malware-adware, A known Adware application was detected,2
config classification: malware-fake-antivirus, A known Fake Anti-virus application was detected,1
config classification: malware-keylogger, A known KeyLogger application was detected,1
config classification: malware-trojan, A known Trojan was detected,1
config classification: malware-virus, A known Virus was detected,1
config classification: malware-worm, A known Worm was detected,1
config classification: malware-generic, A known unclassified malware application was detected,2
config classification: malware-backdoor, A known backdoor was detected,1
config classification: policy-adult, A known Adult website or other system was accessed,4
config classification: policy-p2p, A known P2P application was detected,4
config classification: policy-instant-messaging-chat, A known Instant Messaging application was detected,4
config classification: policy-anonymity, A known privacy application was detected,4
config classification: policy-games, A known online game was detected,4
config classification: policy-other, A generic policy violation has occurred,4
config classification: denial-of-service-web-application, A known Denial of Service attack was detected against a web application,3
config classification: denial-of-service-application, A known Denial of Service attack was detected against an application,4
config classification: denial-of-service-flood, A known traffic flooding tool was detected,4
config classification: denial-of-service-ddos, A known DDoS tool was detected,4
config classification: suspicious-blacklist-address, A known malicious host was detected,2
config classification: suspicious-web-attack-or-scan, A known scanning tool was detected,2
config classification: suspicious-bad-traffic, Malformed or incorrectly formatted network traffic was detected,4
config classification: suspicious-network-activity, Strange or suspicious network traffic was detected,4
config classification: suspicious-scada-activity, SCADA traffic was detected,4
config classification: suspicious-dns-activity, Suspicious DNS traffic was detected,4
config classification: suspicious-ssh-activity, Suspicious SSH traffic was detected,4
config classification: suspicious-nfs-activity, Suspicious NFS traffic was detected,4
config classification: suspicious-database-activity, Suspicious database activity was detected,4
config classification: suspicious-netbios-activity, Suspicious netbios activity was detected,4
config classification: suspicious-rpc-activity, Suspicious RPC activity was detected,4
config classification: suspicious-mail-activity, Suspicious Mail activity was detected,4
config classification: network-tftp-activity, TFTP traffic was detected,4
config classification: network-ftp-activity, FTP traffic was detected,4
config classification: network-snmp-activity, SNMP traffic was detected,4
config classification: network-smtp-activity, SMTP traffic was detected,4
config classification: network-telnet-activity, Telnet activity was detected,4
config classification: recon-misc, A network probe was detected,4
config classification: recon-scanner, A network scanner was detected,4
config classification: network-ntp-activity, NTP traffic was detected,4
config classification: network-sip-activity, SIP traffic was detected,4
config classification: network-dhcp-activity, DHCP traffic was detected,4
config classification: access-firewall-permit, A firewall permit rule triggered,4
config classification: access-firewall-deny, A firewall deny rule triggered,4
config classification: access-acl-permit, An ACL permit rule was triggered,4
config classification: access-acl-deny, An ACL deny rule was triggered,4
config classification: authentication-policy-added, A policy addition occurred,4
config classification: authentication-policy-changed, A policy change occurred,4
config classification: authentication-policy-deleted, A policy delete occurred,4
config classification: authentication-ftp-login-succeeded, A successful FTP login occurred,4
config classification: authentication-ftp-login-failed, A failed FTP login occurred,4
config classification: authentication-password-change-failed, A password change failure occurred,4
config classification: authentication-password-change-succeeded, A password change occurred,4
config classification: authentication-user-created, A new user was created,4
config classification: authentication-user-deleted, A user was deleted,4
config classification: authentication-user-changed, A user was changed,4
config classification: authentication-admin-access, An admin accessed the system,4
config classification: authentication-group-added, A new group was added to the system,4
config classification: authentication-group-deleted, A group was deleted from the system,4
config classification: authentication-group-changed, A group was changed on the system,4
config classification: authentication-auth-required, Authentication is required for access,4
config classification: authentication-account-lockout, An account was locked,4
config classification: authentication-account-unlocked, An account was unlocked,4
config classification: antivirus-virus-detected, An Antivirus system detected a virus,2
config classification: antivirus-virus-quarantine, An Antivirus system quarantined a virus,2
config classification: antivirus-virus-quarantine-failed, An Antivirus system failed to quarantine a virus,1
config classification: system-configuration-error, A system has indicated it has a configuration error,2
config classification: antivirus-definitions-updated, A system updated its Antivirus definition,4
config classification: antivirus-definitions-updated-failed, A system failed to update its Antivirus definitions,2
config classification: antivirus-unknown-event, An unknown event occurred,4
config classification: antivirus-started, An antivirus agent came online,4
config classification: antivirus-disabled, An Antivirus agent was disabled,2
config classification: antivirus-scan-started, An Antivirus scan was started,2
config classification: antivirus-scan-finished, An antivirus scan has completed,2
config classification: antivirus-error, An unclassified error occurred on an Antivirus system,3
config classification: application-web-opened, A web browser was opened,4
config classification: application-web-closed, A web browser was closed,4
config classification: application-web-reset, A web site sent a reset to a client,4
config classification: application-web-terminated, A web site was terminated with extreme prejudice,4
config classification: application-web-denied, Packet come in packet deny,4
config classification: application-web-redirected, A web client was redirected to a new page,4
config classification: application-web-proxy, A web proxy was detected,4
config classification: application-web-error, A misc error was detected,4
config classification: application-web-misc, A Web misc was detected,4
config classification: application-web-not-found, A web application generated a not found error,4
config classification: access-traffic-inbound, Inbound traffic was detected,4
config classification: access-traffic-outbound, Outbound traffic was detected,4
config classification: access-firewall-misc-event, An unclassified event occurred on the firewall,4
config classification: suspicious-network-anomaly, Something strange happened I don't know what,4
config classification: suspicious-dns-protocol-anomaly, A suspicious DNS session or packet was detected,3
config classification: suspicious-ssh-protocol-anomaly, A suspicious ssh session or packet was detected,3
config classification: suspicious-telnet-protocol-anomaly, A suspicious telnet session or packet was detected,3
config classification: suspicious-http-protocol-anomaly, A suspicious HTTP session or packet was detected,3
config classification: suspicious-mail-protocol-anomaly, A suspicious Mail session or packet was detected,3
config classification: suspicious-ftp-protocol-anomaly, A suspicious FTP session or packet was detected,4
config classification: suspicious-threshold-exceeded, A suspicious threshold was triggered,4
config classification: denial-of-service-other, A new type of Denial of Service was detected,4
config classification: access-file-blocked, Access to a file was blocked,4
config classification: access-tunnel-connection, Access to a tunnel was identified,4
config classification: access-tunnel-closed, Access to a tunnel was closed,4
config classification: system-warning, A system Warning message was detected,4
config classification: system-emergency, A system Emergency message was detected,4
config classification: system-critical, A system Critical message was detected,4
config classification: system-error, A system Error message was detected,4
config classification: system-notification, A system Notification message was detected,4
config classification: system-information, A system Information message was detected,4
config classification: system-debug, A system Debug message was detected,4
config classification: system-alert, A system Alert message was detected,4
config classification: access-connection-opened, A connection was opened,4
config classification: access-connection-closed, A connection was closed,4
config classification: access-timeout, A timeout occurred,4
config classification: system-service-started, A service started,4
config classification: system-service-stopped, A service stopped,4
config classification: system-process-started, A process started,4
config classification: system-process-stopped, A process stopped,4
config classification: application-spam-detected, Some dirty spammer was detected,4
config classification: application-mail-dropped, The mail system dropped or refused mail,4
config classification: system-restart, A system restart was detected,4
config classification: system-started, A system startup was detected,4
config classification: system-stopped, A system stop was detected,4
config classification: system-locked, A system being locked was detected,4
config classification: system-unlocked, A system being unlocked was detected,4
config classification: network-ike-activity, IKE traffic was identified,4
config classification: network-h.323-activity, H.323 traffic was identified,4
config classification: network-ppp-activity, PPP traffic was identified,4
config classification: network-ocsp-activity, OCSP traffic was identified,4
config classification: network-l2tp-activity, L2TP traffic was identified,4
config classification: network-rip-activity, RIP traffic was identified,4
config classification: network-pptp-activity, PPTP traffic was identified,4
config classification: network-ssl-activity, SSL traffic was identified,4
config classification: network-igmp-activity, IGMP traffic was identified,4
config classification: network-ipsec-activity, IPSEC traffic was identified,4
config classification: network-pki-activity, PKI traffic was identified,4
config classification: voip-call-started, A VOIP call was started,4
config classification: voip-call-ended, A VOIP call was completed,4
config classification: voip-misc, A VOIP event occurred,4
config classification: network-bootp-activity, BOOTP traffic was identified,4
config classification: alert-ids-alert, The IDS did something,4
config classification: alert-ips-alert, The IPS did something,4
config classification: alert-hids-alert, The HIDS did something,4
config classification: application-mail-sent, An email was sent,4
config classification: application-mail-server-misc, A Mail server did something,4
config classification: application-mail-received, An email was received,4
config classification: availability-state-up, A system or service is now up,4
config classification: availability-state-down, A system or service is now down,4
config classification: availability-state-critical, A system or service is now in a critical state,1
config classification: availability-state-warning, A system or service has issued a warning,3
config classification: availability-state-unknown, A system or service is in an unknown state,3
config classification: availability-state-unreachable, A system or service is unreachable,1
config classification: application-vpn-opened, A VPN session was opened,4
config classification: application-vpn-closed, A VPN session was closed,4
config classification: application-vpn-denied, A VPN session was denied,2
config classification: application-vpn-misc, Something happened on a VPN session,2
config classification: system-configuration-changed, A system changed its configuration,4
config classification: network-misc, Something happened on the network,4
config classification: policy-phishing, A phishing attempt was detected,4
config classification: wireless-new-network, A new wireless network has been detected,4
config classification: wireless-client-associated, A new client has connected to the wireless network,4
config classification: wireless-flood, The wireless network is currently being flooded,2
config classification: wireless-disassociation, A wireless client has been disassociated from the network,4
config classification: wireless-deauthentication, A wireless client has been deauthenticated,4
config classification: wireless-anomaly, Something strange occurred on the wireless network,4
config classification: wireless-spoofing, Spoofing has been detected on the wireless network,2
config classification: wireless-scanner-detected, A scanner was detected on the wireless network,2
config classification: wireless-misc, Something happened on the wireless network,2
config classification: wireless-probe, A probe attempt was identified on the wireless network,4
config classification: inventory-service-detected, A new service has been identified,4
config classification: inventory-service-change, A service has changed,4
config classification: inventory-service-misc, A Misc service was detected,4
config classification: inventory-operating-system-detected, A new operating system was detected,4
config classification: inventory-operating-system-change, A system changed,4
config classification: inventory-operating-system-misc, A system met a Misc,4
config classification: inventory-mac-detected, An unhackable computer was detected,1
config classification: inventory-mac-change, A MAC address changed,4
config classification: policy-check-failed, A Policy check has failed,1
config classification: policy-check-passed, A Policy check has passed,1
config classification: network-high-load, The network currently has a high load,1
config classification: authentication-error, An authentication error was detected,4
config classification: application-web-modified, A content modified proxy request was identified,4
config classification: application-dhcp-release, A DHCP lease was released,4
config classification: application-dhcp-request, A DHCP request was detected,4
config classification: application-dhcp-lease, A DHCP lease was allocated,4
config classification: application-dhcp-pool-exhausted, All DHCP addresses have been allocated,4
config classification: application-dhcp-error, A DHCP error was detected,4
config classification: system-software-installed, A software package was installed,4
config classification: honeypot-connection-opened, Something connected to the honeypot sweet new warez,4
config classification: honeypot-attack-detected, A known attack was detected on the honeypot,4
config classification: honeypot-connection-closed, A connection to the honeypot was closed,4
config classification: application-dns-successful-zone-transfer, A successful DNS zone transfer was detected,4
config classification: application-dns-zone-transfer-failed, A failed DNS zone transfer was detected,4
config classification: application-ftp-command-executed, An FTP command was executed,4
config classification: application-ftp-error, An FTP error was detected,4
config classification: application-ftp-connection-opened, An ftp connection was opened,4
config classification: application-ftp-connection-closed, An ftp connection was closed,4
config classification: database-login, A database login was detected,4
config classification: database-login-failed, A failed database login was detected,4
config classification: database-query, A database query was executed,4
config classification: database-logout, A database logout was detected,4
config classification: database-stop, A database was stopped,4
config classification: database-start, A database was started,4
config classification: database-error, A database error occurred,4
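A quick way to check a candidate classification.config against the two conventions adopted above (hyphens instead of underscores, everything lowercase) and against what the output modules and GUIs actually need from each line (three comma-separated fields, an integer priority, no duplicate names) is a small linter. The following Python is an added example written for this post; it is not Snort's own parser and not part of the VRT or Emerging Threats tarballs. The sample lines are constructed for the demo (two are copied from the list above, the rest are deliberately broken), the 1 to 4 priority range is an assumption taken from the values used in the proposal rather than a limit Snort enforces, and the whitespace trimming around fields is likewise an assumption about how the parser treats entries such as "..., 4".

```python
"""Lint checker for proposed Snort classification.config lines.

Added example for this post, not Snort's parser. Each line has the form

    config classification: <name>,<description>,<priority>

and the checker reports entries that break the post's naming conventions
or that a downstream output module could not parse.
"""
import re
from typing import Dict, List, NamedTuple

PREFIX = "config classification:"

# Name alphabet assumed here: lowercase letters, digits, hyphen and dot
# (the proposal itself uses "network-h.323-activity").
NAME_OK = re.compile(r"^[a-z0-9][a-z0-9.-]*$")


class Classification(NamedTuple):
    name: str
    description: str
    priority: int


def parse_line(line: str) -> Classification:
    """Split one 'config classification:' line into its three fields."""
    body = line.strip()
    if not body.startswith(PREFIX):
        raise ValueError(f"not a classification line: {line!r}")
    body = body[len(PREFIX):]
    # The description carries no commas in this format, so at most two
    # splits are needed; surrounding whitespace is stripped (assumption).
    parts = [p.strip() for p in body.split(",", 2)]
    if len(parts) != 3:
        raise ValueError(f"expected name,description,priority: {line!r}")
    name, desc, prio = parts
    if not prio.isdigit():
        raise ValueError(f"priority is not an integer: {line!r}")
    return Classification(name, desc, int(prio))


def normalize(name: str) -> str:
    """Apply the two changes the post describes: hyphens and lowercase."""
    return name.replace("_", "-").lower()


def lint(lines: List[str]) -> Dict[str, List[str]]:
    """Return {problem: [offending names or lines]} for a list of config lines."""
    problems: Dict[str, List[str]] = {
        "uppercase": [], "underscore": [], "bad-priority": [],
        "duplicate": [], "malformed": [],
    }
    seen = set()
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are fine
        try:
            entry = parse_line(line)
        except ValueError:
            problems["malformed"].append(line.strip())
            continue
        if entry.name != entry.name.lower():
            problems["uppercase"].append(entry.name)
        if "_" in entry.name:
            problems["underscore"].append(entry.name)
        if not 1 <= entry.priority <= 4:  # range assumed from the proposal
            problems["bad-priority"].append(entry.name)
        # Duplicates are compared case-insensitively so that a stray capital
        # letter does not hide a second copy of the same classtype.
        key = normalize(entry.name)
        if key in seen:
            problems["duplicate"].append(entry.name)
        seen.add(key)
    return problems


# Constructed sample: the first two lines are copied from the proposal
# (the second still carries a capital letter), the third is in the
# Emerging Threats underscore style, and the rest are deliberately broken.
SAMPLE = [
    "config classification: exploit-shellcode, A known shellcode payload was detected,1",
    "config classification: suspicious-rpc-Activity, Suspicious RPC activity was detected,4",
    "config classification: exploit_sql_injection, A known SQL injection attack was detected,1",
    "config classification: exploit-shellcode, duplicate of the first entry,1",
    "config classification: network-misc, Something happened on the network,9",
    "config classification: broken-line no commas here",
]

if __name__ == "__main__":
    for problem, names in lint(SAMPLE).items():
        print(f"{problem:13s} {names}")
```

Run it over the pasted list with `lint(open("classification.config").read().splitlines())`; anything under "uppercase" or "underscore" is a line the two stated changes have not yet reached, and `normalize()` gives the name those lines should carry.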

5 comments:

  1. Why change underscores for hyphens? The difference was intentional: hyphens were concatenations for the parent category, underscores were concatenations for the subcategories. Changing them all to hyphens creates confusion in the event of a multi-word parent category.

  2. So that all existing output modules and parsers don't have to recode themselves to maintain compatibility. That's the only reason.

  3. I just clocked the below in the list:
    "application-spam-detected, Some dirty spammer was detected,4"

    Let's keep the classtypes all corporate report friendly. I had enough problems explaining "Score! get the lotion" back in the early 2000s :)

  4. Have you considered aligning the category names with CWE or another open standard?

  5. This comment has been removed by the author.
