●Using classtype

The priority can be set directly with the "priority" rule option, but to use "classtype" you first look at "classification.config" under "/etc/snort" and choose one of the types defined there. Each entry in classification.config is written in the following form:

config classification: type-name,description,priority

The file looks like this.

# vi classification.config

config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1

For example, to classify a rule as web-application-attack, write it as follows. The priority in the log (1) is taken from the classification.config entry for that type.

※Rule example
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"test access"; flags:A+; content:"test"; classtype:web-application-attack;)
※Log
07/15-07:12:54.716533 [**] [1:0:0] test access [**] [Classification: web-application-attack] [Priority: 1] {TCP} 192.168.1.3:49965 -> 192.168.1.4:80
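The following is an added example, not code from the original page or from the Snort project. It parses classification.config lines like those above (the stray space before "1" in the trojan-activity entry is kept on purpose so the parser has to tolerate it), pulls classtype and priority out of a rule's option block, and resolves the priority the way Snort does: an explicit priority option overrides the default that comes with the classtype. The function names, the sample config subset and the rule strings are this example's own; the alert line it renders follows the layout of the log shown above.

```python
import re

# Constructed subset of /etc/snort/classification.config (not the full stock file).
CLASSIFICATION_CONFIG = """\
# comment lines and blank lines are ignored by the parser
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
"""

CLASSLINE = re.compile(r"^\s*config\s+classification:\s*(.+)$")


def parse_classification_config(text):
    """Return {type-name: (description, priority)} from classification.config text."""
    table = {}
    for line in text.splitlines():
        m = CLASSLINE.match(line)
        if not m:
            continue  # comments, blank lines, other config directives
        fields = [f.strip() for f in m.group(1).split(",")]
        if len(fields) != 3:
            raise ValueError(f"malformed classification line: {line!r}")
        name, description, priority = fields
        table[name] = (description, int(priority))
    return table


# key:value; pairs inside the rule's parentheses; quoted values may contain ';'
OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule_options(rule):
    """Extract the key:value options from the parenthesised part of a Snort rule."""
    start, end = rule.index("("), rule.rindex(")")
    opts = {}
    for key, value in OPTION.findall(rule[start + 1:end]):
        opts[key] = value.strip().strip('"')
    return opts


def resolve_priority(opts, table):
    """Explicit 'priority' wins; otherwise use the classtype's default from the table."""
    if "priority" in opts:
        return int(opts["priority"])
    ctype = opts.get("classtype")
    if ctype is None:
        return None  # neither option given: nothing to resolve in this example
    if ctype not in table:
        raise KeyError(f"classtype {ctype!r} is not defined in classification.config")
    return table[ctype][1]


def format_fast_alert(timestamp, gid, sid, rev, opts, table, proto, src, dst):
    """Render an alert line in the [**] [gid:sid:rev] msg [**] layout of the page's log."""
    prio = resolve_priority(opts, table)
    parts = [f"{timestamp} [**] [{gid}:{sid}:{rev}] {opts.get('msg', '')} [**]"]
    if "classtype" in opts:
        parts.append(f"[Classification: {opts['classtype']}]")
    if prio is not None:
        parts.append(f"[Priority: {prio}]")
    parts.append(f"{{{proto}}} {src} -> {dst}")
    return " ".join(parts)


TABLE = parse_classification_config(CLASSIFICATION_CONFIG)

# The page's rule (sid/rev unset, hence [1:0:0] in the log).
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"test access"; flags:A+; content:"test"; classtype:web-application-attack;)')
# Constructed variant: same classtype, but an explicit priority option overrides it.
RULE_OVERRIDE = 'alert tcp any any -> any 80 (msg:"test access"; classtype:web-application-attack; priority:4;)'

if __name__ == "__main__":
    for r in (RULE, RULE_OVERRIDE):
        print(format_fast_alert("07/15-07:12:54.716533", 1, 0, 0, parse_rule_options(r),
                                TABLE, "TCP", "192.168.1.3:49965", "192.168.1.4:80"))
```

Running the block prints the page's log line for RULE, and the same line with [Priority: 4] for RULE_OVERRIDE, which is the practical point: a classtype gives every rule of that kind a shared default, while priority lets one rule deviate from it.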
