[Oisf-devel] Unified2 - Classification ID Handling

Victor Julien victor at inliniac.net
Tue Jun 1 14:06:09 UTC 2010


Applied, thanks Firnsy!

firnsy wrote:
> G'day devs,
> 
> A new Suricata user identified an issue with the classification
> correlation between barnyard2 and suricata. Suspecting my code was at
> fault I did some digging in both code bases. 
> 
> It appears that the classification.config handling is a little different
> to that of Snort and thus not completely conforming to the unified2
> standard.
> 
> The unified2 alert record has a field for the classification_id which is
> an index to the classification configuration line inside the
> classification.config file (I believe counting starts at 1).
> 
> Attached for your reference and adaptation is the required patch to add
> this index (ie. "id") into the suricata base.
> 
> There may be some quirks in the priority assignment of the classification
> directives but that's for another day.
> 
> Regards,
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
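To make the off-by-one concrete, here is an added example (not code from Suricata, barnyard2, or the attached patch) that assigns the 1-based index to each `config classification:` line, packs and unpacks a unified2 IDS event record, and resolves the `classification_id` back to its shortname. The classification.config excerpt is constructed, and the record layout (type 7, the legacy IPv4 event; 52-byte body after an 8-byte type/length header, all fields big-endian) is written from memory of Snort's unified2 header and should be checked against it before being relied on.

```python
"""
Correlate a unified2 classification_id with classification.config.
Added example; not code from Suricata, Snort or barnyard2.
"""
import struct

# Constructed excerpt in the syntax Snort and Suricata both read.
CLASSIFICATION_CONFIG = """\
# comment lines and blank lines do not consume an id
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3

config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
"""

UNIFIED2_IDS_EVENT = 7                # assumed: legacy IPv4 event record type
_HDR_FMT = ">II"                      # record type, record length (big-endian)
_EVENT_FMT = ">IIIIIIIIIIIHHBBBB"     # assumed: 52-byte Unified2IDSEvent_legacy body
_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def parse_classification_config(text):
    """Return {shortname: (id, description, priority)}; ids count from 1 in file order."""
    table = {}
    next_id = 1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("config classification:"):
            continue                      # other config directives do not count
        parts = [p.strip() for p in line[len("config classification:"):].split(",")]
        if len(parts) != 3:
            raise ValueError("malformed classification line: %r" % raw)
        name, description, priority = parts
        if name in table:
            raise ValueError("duplicate classification %r" % name)
        table[name] = (next_id, description, int(priority))
        next_id += 1
    return table


def pack_event(sig_id, gen_id, sig_rev, class_id, priority,
               sensor_id=1, event_id=1, sec=0, usec=0):
    """Build one type-7 record; addresses, ports and impact fields are left zero."""
    body = struct.pack(_EVENT_FMT, sensor_id, event_id, sec, usec,
                       sig_id, gen_id, sig_rev, class_id, priority,
                       0, 0, 0, 0, 0, 0, 0, 0)
    return struct.pack(_HDR_FMT, UNIFIED2_IDS_EVENT, len(body)) + body


def unpack_event(record):
    """Parse a type-7 record into a dict; rejects other types and bad lengths."""
    rtype, rlen = struct.unpack_from(_HDR_FMT, record, 0)
    if rtype != UNIFIED2_IDS_EVENT or rlen != struct.calcsize(_EVENT_FMT):
        raise ValueError("not a legacy IDS event record")
    fields = struct.unpack_from(_EVENT_FMT, record, struct.calcsize(_HDR_FMT))
    return dict(zip(_EVENT_FIELDS, fields))


def resolve_classification(table, class_id):
    """Map a classification_id back to its shortname; None when it is outside 1..N."""
    if class_id < 1:
        return None
    for name, (cid, _description, _priority) in table.items():
        if cid == class_id:
            return name
    return None


if __name__ == "__main__":
    table = parse_classification_config(CLASSIFICATION_CONFIG)
    cid, _, prio = table["bad-unknown"]
    event = unpack_event(pack_event(1000001, 1, 1, cid, prio))
    print(resolve_classification(table, event["classification_id"]))
    # A writer that counted from 0 would emit cid - 1, and a 1-based reader
    # would attribute the alert to the previous line of the file.
    print(resolve_classification(table, cid - 1))
```

The last two lines show the symptom the user reported: a sensor counting from 0 and a reader counting from 1 silently disagree by exactly one line, so every alert lands on the classification defined just above the intended one.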