Recently on the Emerging-Threats mailing list, Matt Jonkman proposed a new classification system to replace the aging Snort classification system that's been in use for years. We saw this as a good idea and, after some internal discussions, decided to head down the same route.
So we propose the following classification.config system to the community for comment, and we want to hear the feedback, especially on descriptions and priorities. I'll assemble all the comments on January 12th (a date suggested by Matt Jonkman) and create a new classification.config file, which we will then include in the official Snort tarball and in the VRT rules tarball.
We've made two major changes to the classification system as proposed by the Emerging-Threats list:
- We've converted all underscores to hyphens.
- We've made everything lowercase.
This was done to ensure compatibility with existing output modules (barnyard2, unified, unified2, barnyard, SnortUnified.pm, etc.), GUIs (BASE, Snorby, Placid, etc.), and Snort's internal parsers.
The proposed classification.config configuration parameters are available for download at http://www.snort.org/assets/157/classifications.txt and are pasted below. Please leave comments on the blog, and we'll assemble them into a final product:
config classification: exploit-shellcode, A known shellcode payload was detected,1
config classification: exploit-sql-injection, A known SQL injection attack was detected,1
config classification: exploit-browser, A known client-side browser exploit was detected,1
config classification: exploit-activex, A known client-side ActiveX exploit was detected,1
config classification: exploit-command-execution, A known command execution exploit was detected,1
config classification: exploit-cross-site-scripting, A known cross-site scripting (XSS) attack was detected,2
config classification: exploit-ftp, A known exploit targeting FTP servers or clients was detected,1
config classification: exploit-file-inclusion, A known file inclusion attack was detected,2
config classification: exploit-windows, A known attack targeting Windows systems was detected,1
config classification: exploit-directory-traversal, A directory traversal attack was detected,2
config classification: exploit-attack-response, A known string indicating a host has been compromised was detected,1
config classification: exploit-denial-of-service, A known DoS or DDoS packet payload was detected,2
config classification: exploit-pdf, A known exploit targeting PDF files was detected,1
config classification: exploit-buffer-overflow, A known exploit using a buffer overflow was detected,1
config classification: exploit-spoofing, A known spoofing attack was detected,3
config classification: exploit-format-string, A known exploit utilizing a format string overflow was detected,1
config classification: exploit-misc, A known exploit targeting an unclassified system was detected,2
config classification: exploit-dns, A known exploit targeting DNS systems was detected,1
config classification: exploit-mail, A known exploit targeting mail servers was detected,1
config classification: exploit-samba, A known exploit targeting Samba servers or clients was detected,1
config classification: exploit-linux, A known exploit targeting Linux based systems was detected,1
config classification: authentication-bruteforce, An attempt to bruteforce usernames and passwords was detected,2
config classification: authentication-bypass, An attempt to bypass login authentication was detected,2
config classification: authentication-login, A login attempt to any service or system was detected,4
config classification: authentication-failed, A failed login attempt was detected,4
config classification: authentication-cleartext, An authentication request was detected in plain text,4
config classification: authentication-logout, A logout request was detected,4
config classification: authentication-disclosure, During an authentication request the username or password was disclosed,4
config classification: authentication-default-credentials, An attempt to login with publicly known default usernames or passwords was detected,4
config classification: access-web-application-access, A known web application was accessed,4
config classification: access-file-access, A known default file was accessed,4
config classification: access-misc, What is an Access-Misc,4
config classification: malware-spyware, A known Spyware application was detected,2
config classification: malware-adware, A known Adware application was detected,2
config classification: malware-fake-antivirus, A known Fake Anti-virus application was detected,1
config classification: malware-keylogger, A known KeyLogger application was detected,1
config classification: malware-trojan, A known Trojan was detected,1
config classification: malware-virus, A known Virus was detected,1
config classification: malware-worm, A known Worm was detected,1
config classification: malware-generic, A known unclassified malware application was detected,2
config classification: malware-backdoor, A known backdoor was detected,1
config classification: policy-adult, A known Adult website or other system was accessed,4
config classification: policy-p2p, A known P2P application was detected,4
config classification: policy-instant-messaging-chat, A known Instant Messaging application was detected,4
config classification: policy-anonymity, A known privacy application was detected,4
config classification: policy-games, A known online game was detected,4
config classification: policy-other, A generic policy violation has occurred,4
config classification: denial-of-service-web-application, A known Denial of Service attack was detected against a web application,3
config classification: denial-of-service-application, A known Denial of Service attack was detected against an application,4
config classification: denial-of-service-flood, A known traffic flooding tool was detected,4
config classification: denial-of-service-ddos, A known DDoS tool was detected,4
config classification: suspicious-blacklist-address, A known malicious host was detected,2
config classification: suspicious-web-attack-or-scan, A known scanning tool was detected,2
config classification: suspicious-bad-traffic, Malformed or incorrectly formatted network traffic was detected,4
config classification: suspicious-network-activity, Strange or suspicious network traffic was detected,4
config classification: suspicious-scada-activity, SCADA traffic was detected,4
config classification: suspicious-dns-activity, Suspicious DNS traffic was detected,4
config classification: suspicious-ssh-activity, Suspicious SSH traffic was detected,4
config classification: suspicious-nfs-activity, Suspicious NFS traffic was detected,4
config classification: suspicious-database-activity, Suspicious database activity was detected,4
config classification: suspicious-netbios-activity, Suspicious NetBIOS activity was detected,4
config classification: suspicious-rpc-activity, Suspicious RPC activity was detected,4
config classification: suspicious-mail-activity, Suspicious Mail activity was detected,4
config classification: network-tftp-activity, TFTP traffic was detected,4
config classification: network-ftp-activity, FTP traffic was detected,4
config classification: network-snmp-activity, SNMP traffic was detected,4
config classification: network-smtp-activity, SMTP traffic was detected,4
config classification: network-telnet-activity, Telnet activity was detected,4
config classification: recon-misc, A network probe was detected,4
config classification: recon-scanner, A network scanner was detected,4
config classification: network-ntp-activity, NTP traffic was detected,4
config classification: network-sip-activity, SIP traffic was detected,4
config classification: network-dhcp-activity, DHCP traffic was detected,4
config classification: access-firewall-permit, A firewall permit rule triggered,4
config classification: access-firewall-deny, A firewall deny rule triggered,4
config classification: access-acl-permit, An ACL permit rule was triggered,4
config classification: access-acl-deny, An ACL deny rule was triggered,4
config classification: authentication-policy-added, A policy addition occurred,4
config classification: authentication-policy-changed, A policy change occurred,4
config classification: authentication-policy-deleted, A policy delete occurred,4
config classification: authentication-ftp-login-succeeded, A successful FTP login occurred,4
config classification: authentication-ftp-login-failed, A failed FTP login occurred,4
config classification: authentication-password-change-failed, A password change failure occurred,4
config classification: authentication-password-change-succeeded, A password change occurred,4
config classification: authentication-user-created, A new user was created,4
config classification: authentication-user-deleted, A user was deleted,4
config classification: authentication-user-changed, A user was changed,4
config classification: authentication-admin-access, An admin accessed the system,4
config classification: authentication-group-added, A new group was added to the system,4
config classification: authentication-group-deleted, A group was deleted from the system,4
config classification: authentication-group-changed, A group was changed on the system,4
config classification: authentication-auth-required, Authentication is required for access,4
config classification: authentication-account-lockout, An account was locked,4
config classification: authentication-account-unlocked, An account was unlocked,4
config classification: antivirus-virus-detected, An Antivirus system detected a virus,2
config classification: antivirus-virus-quarantine, An Antivirus system quarantined a virus,2
config classification: antivirus-virus-quarantine-failed, An Antivirus system failed to quarantine a virus,1
config classification: system-configuration-error, A system has indicated it has a configuration error,2
config classification: antivirus-definitions-updated, A system updated its Antivirus definitions,4
config classification: antivirus-definitions-updated-failed, A system failed to update its Antivirus definitions,2
config classification: antivirus-unknown-event, An unknown event occurred,4
config classification: antivirus-started, An Antivirus agent came online,4
config classification: antivirus-disabled, An Antivirus agent was disabled,2
config classification: antivirus-scan-started, An Antivirus scan was started,2
config classification: antivirus-scan-finished, An Antivirus scan has completed,2
config classification: antivirus-error, An unclassified error occurred on an Antivirus system,3
config classification: application-web-opened, A web browser was opened,4
config classification: application-web-closed, A web browser was closed,4
config classification: application-web-reset, A web site sent a reset to a client,4
config classification: application-web-terminated, A web site was terminated with extreme prejudice,4
config classification: application-web-denied, Packet come in packet deny,4
config classification: application-web-redirected, A web client was redirected to a new page,4
config classification: application-web-proxy, A web proxy was detected,4
config classification: application-web-error, A misc error was detected,4
config classification: application-web-misc, A Web misc was detected,4
config classification: application-web-not-found, A web application generated a not found error,4
config classification: access-traffic-inbound, Inbound traffic was detected,4
config classification: access-traffic-outbound, Outbound traffic was detected,4
config classification: access-firewall-misc-event, An unclassified event occurred on the firewall,4
config classification: suspicious-network-anomaly, Something strange happened I don't know what,4
config classification: suspicious-dns-protocol-anomaly, A suspicious DNS session or packet was detected,3
config classification: suspicious-ssh-protocol-anomaly, A suspicious SSH session or packet was detected,3
config classification: suspicious-telnet-protocol-anomaly, A suspicious Telnet session or packet was detected,3
config classification: suspicious-http-protocol-anomaly, A suspicious HTTP session or packet was detected,3
config classification: suspicious-mail-protocol-anomaly, A suspicious Mail session or packet was detected,3
config classification: suspicious-ftp-protocol-anomaly, A suspicious FTP session or packet was detected,4
config classification: suspicious-threshold-exceeded, A suspicious threshold was triggered,4
config classification: denial-of-service-other, A new type of Denial of Service was detected,4
config classification: access-file-blocked, Access to a file was blocked,4
config classification: access-tunnel-connection, Access to a tunnel was identified,4
config classification: access-tunnel-closed, Access to a tunnel was closed,4
config classification: system-warning, A system Warning message was detected,4
config classification: system-emergency, A system Emergency message was detected,4
config classification: system-critical, A system Critical message was detected,4
config classification: system-error, A system Error message was detected,4
config classification: system-notification, A system Notification message was detected,4
config classification: system-information, A system Information message was detected,4
config classification: system-debug, A system Debug message was detected,4
config classification: system-alert, A system Alert message was detected,4
config classification: access-connection-opened, A connection was opened,4
config classification: access-connection-closed, A connection was closed,4
config classification: access-timeout, A timeout occurred,4
config classification: system-service-started, A service started,4
config classification: system-service-stopped, A service stopped,4
config classification: system-process-started, A process started,4
config classification: system-process-stopped, A process stopped,4
config classification: application-spam-detected, Some dirty spammer was detected,4
config classification: application-mail-dropped, The mail system dropped or refused mail,4
config classification: system-restart, A system restart was detected,4
config classification: system-started, A system startup was detected,4
config classification: system-stopped, A system stop was detected,4
config classification: system-locked, A system being locked was detected,4
config classification: system-unlocked, A system being unlocked was detected,4
config classification: network-ike-activity, IKE traffic was identified,4
config classification: network-h.323-activity, H.323 traffic was identified,4
config classification: network-ppp-activity, PPP traffic was identified,4
config classification: network-ocsp-activity, OCSP traffic was identified,4
config classification: network-l2tp-activity, L2TP traffic was identified,4
config classification: network-rip-activity, RIP traffic was identified,4
config classification: network-pptp-activity, PPTP traffic was identified,4
config classification: network-ssl-activity, SSL traffic was identified,4
config classification: network-igmp-activity, IGMP traffic was identified,4
config classification: network-ipsec-activity, IPSEC traffic was identified,4
config classification: network-pki-activity, PKI traffic was identified,4
config classification: voip-call-started, A VOIP call was started,4
config classification: voip-call-ended, A VOIP call was completed,4
config classification: voip-misc, A VOIP event occurred,4
config classification: network-bootp-activity, BOOTP traffic was identified,4
config classification: alert-ids-alert, The IDS did something,4
config classification: alert-ips-alert, The IPS did something,4
config classification: alert-hids-alert, The HIDS did something,4
config classification: application-mail-sent, An email was sent,4
config classification: application-mail-server-misc, A Mail server did something,4
config classification: application-mail-received, An email was received,4
config classification: availability-state-up, A system or service is now up,4
config classification: availability-state-down, A system or service is now down,4
config classification: availability-state-critical, A system or service is now in a critical state,1
config classification: availability-state-warning, A system or service has issued a warning,3
config classification: availability-state-unknown, A system or service is in an unknown state,3
config classification: availability-state-unreachable, A system or service is unreachable,1
config classification: application-vpn-opened, A VPN session was opened,4
config classification: application-vpn-closed, A VPN session was closed,4
config classification: application-vpn-denied, A VPN session was denied,2
config classification: application-vpn-misc, Something happened on a VPN session,2
config classification: system-configuration-changed, A system changed its configuration,4
config classification: network-misc, Something happened on the network,4
config classification: policy-phishing, A phishing attempt was detected,4
config classification: wireless-new-network, A new wireless network has been detected,4
config classification: wireless-client-associated, A new client has connected to the wireless network,4
config classification: wireless-flood, The wireless network is currently being flooded,2
config classification: wireless-disassociation, A wireless client has been disassociated from the network,4
config classification: wireless-deauthentication, A wireless client has been deauthenticated,4
config classification: wireless-anomaly, Something strange occurred on the wireless network,4
config classification: wireless-spoofing, Spoofing has been detected on the wireless network,2
config classification: wireless-scanner-detected, A scanner was detected on the wireless network,2
config classification: wireless-misc, Something happened on the wireless network,2
config classification: wireless-probe, A probe attempt was identified on the wireless network,4
config classification: inventory-service-detected, A new service has been identified,4
config classification: inventory-service-change, A service has changed,4
config classification: inventory-service-misc, A Misc service was detected,4
config classification: inventory-operating-system-detected, A new operating system was detected,4
config classification: inventory-operating-system-change, A system changed,4
config classification: inventory-operating-system-misc, A system met a Misc,4
config classification: inventory-mac-detected, An unhackable computer was detected,1
config classification: inventory-mac-change, A MAC address changed,4
config classification: policy-check-failed, A Policy check has failed,1
config classification: policy-check-passed, A Policy check has passed,1
config classification: network-high-load, The network currently has a high load,1
config classification: authentication-error, An authentication error was detected,4
config classification: application-web-modified, A content modified proxy request was identified,4
config classification: application-dhcp-release, A DHCP lease was released,4
config classification: application-dhcp-request, A DHCP request was detected,4
config classification: application-dhcp-lease, A DHCP lease was allocated,4
config classification: application-dhcp-pool-exhausted, All DHCP addresses have been allocated,4
config classification: application-dhcp-error, A DHCP error was detected,4
config classification: system-software-installed, A software package was installed,4
config classification: honeypot-connection-opened, Something connected to the honeypot sweet new warez,4
config classification: honeypot-attack-detected, A known attack was detected on the honeypot,4
config classification: honeypot-connection-closed, A connection to the honeypot was closed,4
config classification: application-dns-successful-zone-transfer, A successful DNS zone transfer was detected,4
config classification: application-dns-zone-transfer-failed, A failed DNS zone transfer was detected,4
config classification: application-ftp-command-executed, An FTP command was executed,4
config classification: application-ftp-error, An FTP error was detected,4
config classification: application-ftp-connection-opened, An FTP connection was opened,4
config classification: application-ftp-connection-closed, An FTP connection was closed,4
config classification: database-login, A database login was detected,4
config classification: database-login-failed, A failed database login was detected,4
config classification: database-query, A database query was executed,4
config classification: database-logout, A database logout was detected,4
config classification: database-stop, A database was stopped,4
config classification: database-start, A database was started,4
config classification: database-error, A database error occurred,4
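As an added example (not part of the original post or of the Snort distribution), a small Python checker for the file format above: it parses `config classification:` lines, flags shortnames that break the lowercase/hyphen convention the proposal adopts, out-of-range priorities and duplicates, and lists which `classtype:` values in a rules file the config does not define. The sample config lines and the rule fragment using `web-application-attack` are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Snort's syntax: "config classification: <shortname>,<description>,<priority>"
LINE_RE = re.compile(r"^config\s+classification:\s*(?P<name>[^,]+),(?P<desc>[^,]+),\s*(?P<prio>\d+)$")
# Lowercase, hyphen-separated shortnames (a dot is allowed, e.g. network-h.323-activity):
# the convention the proposal adopts to keep output modules and GUIs compatible.
SHORTNAME_RE = re.compile(r"^[a-z0-9]+(?:[-.][a-z0-9]+)*$")

# Constructed sample, not the full proposal: one clean entry, a mixed-case name,
# an underscore name, a bad priority, a duplicate, and a malformed line.
SAMPLE_CONFIG = """\
# classification.config excerpt (constructed sample)
config classification: exploit-shellcode, A known shellcode payload was detected,1
config classification: access-file-Access, A known default file was accessed,4
config classification: exploit_sql_injection, A known SQL injection attack was detected,1
config classification: network-ntp-activity, NTP traffic was detected,9
config classification: exploit-shellcode, Duplicate shortname,1

config classification: malformed line without a priority
"""

@dataclass
class Classification:
    name: str
    description: str
    priority: int

def normalize_shortname(name: str) -> str:
    """The proposal's two rules: underscores become hyphens, then everything lowercase."""
    return name.replace("_", "-").lower()

def parse_classification_config(text: str) -> Tuple[List[Classification], List[str]]:
    """Parse classification.config text; return the entries and a list of problems
    (unparsable lines, non-conforming shortnames, priorities outside the 1..4 range
    the proposal uses, and duplicate shortnames compared case-insensitively)."""
    entries: List[Classification] = []
    problems: List[str] = []
    seen: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: expected 'config classification: name,description,priority'")
            continue
        name, desc, prio = m["name"].strip(), m["desc"].strip(), int(m["prio"])
        if not SHORTNAME_RE.match(name):
            problems.append(f"line {lineno}: shortname {name!r} is not lowercase/hyphenated, suggest {normalize_shortname(name)!r}")
        if not 1 <= prio <= 4:
            problems.append(f"line {lineno}: priority {prio} is outside 1..4")
        if normalize_shortname(name) in seen:
            problems.append(f"line {lineno}: duplicate shortname {name!r}")
        seen.add(normalize_shortname(name))
        entries.append(Classification(name, desc, prio))
    return entries, problems

CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([^;]+);")

def undefined_classtypes(rules_text: str, entries: List[Classification]) -> Set[str]:
    """classtype values used by rules that the parsed config does not define; each
    one has to be renamed when the rules move to the new shortnames."""
    defined = {e.name for e in entries}
    return {c.strip() for c in CLASSTYPE_RE.findall(rules_text)} - defined
```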