Chapter 3 Working with Snort Rules
#
# This allows alerts to be classified and prioritized. You can specify
# what priority each classification has. Any rule can override the
# default priority for that rule.
#
# Here are a few example rules:
#
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; \
#   dsize: > 128; classtype:attempted-admin; priority:10;)
#
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
#   content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule sets its type to "attempted-recon" and sets its
# priority to the default for that type.
#
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
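
The following Python sketch is an added example, not part of the book's listing or of Snort itself. It parses entries in the shortname,short description,priority format shown above and resolves the priority a rule ends up with, using the two example rules from the file's comments; the function names and the sample subset of entries are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the classification entries listed above.
SAMPLE_CONFIG = """\
# config classification:shortname,short description,priority
config classification: attempted-recon,Attempted Information Leak,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: shellcode-detect,Executable code was detected,1
"""

# The two example rules quoted in the file's comments, joined onto one line.
RULE_OVERRIDE = ('alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; '
                 'dsize: > 128; classtype:attempted-admin; priority:10;)')
RULE_DEFAULT = ('alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; '
                'content:"expn root"; nocase; classtype:attempted-recon;)')


def parse_classifications(text):
    """Return {shortname: (description, default_priority)} (hypothetical helper)."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+classification:\s*(.+)$", line)
        if not m:
            # A wrapped entry leaves a stray continuation line; flag it.
            raise ValueError(f"line {lineno}: not a classification entry: {raw!r}")
        fields = [f.strip() for f in m.group(1).split(",")]
        if len(fields) != 3 or not fields[2].isdigit():
            raise ValueError(f"line {lineno}: expected shortname,description,priority")
        name, desc, prio = fields
        table[name] = (desc, int(prio))
    return table


def effective_priority(rule, table):
    """Return (classtype, priority); an explicit priority option wins (hypothetical helper)."""
    ct = re.search(r"classtype\s*:\s*([^;]+);", rule)
    if not ct:
        raise ValueError("rule has no classtype option")
    name = ct.group(1).strip()
    if name not in table:
        raise KeyError(f"classtype {name!r} is not defined in the classification file")
    override = re.search(r"priority\s*:\s*(\d+)\s*;", rule)
    return name, int(override.group(1)) if override else table[name][1]
```

Running the parser over a rule set before deployment catches a classtype that is misspelled or missing from the classification file, and a classification entry that has been broken across two lines.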