[Oisf-devel] Unified2 - Classification ID Handling
firnsy
firnsy at securixlive.com
Wed May 26 07:25:14 EDT 2010
G'day devs,
A new Suricata user identified an issue with the classification
correlation between barnyard2 and suricata. Suspecting my code was at
fault I did some digging in both code bases.
It appears that the classification.config handling is a little different
to that of Snort and thus not completely conforming to the unified2
standard.
The unified2 alert record has a field for the classification_id which is
an index to the classification configuration line inside the
classification.config file (I believe counting starts at 1).
Attached for your reference and adaptation is the required patch to add
this index (i.e. "id") into the suricata base.
There may be some quirks in the priority assignment of the classification
directives but that's for another day.
Regards,
--
firnsy
www.securixlive.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unified2-add-classification-id.patch
Type: text/x-patch
Size: 6438 bytes
Desc: not available
Url : http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100526/28256bd7/unified2-add-classification-id-0001.bin
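As an added illustration of the numbering the mail describes (this is example code, not firnsy's patch or Suricata's own code), the snippet below loads a constructed classification.config fragment in the `config classification: name,description,priority` syntax, assigns each directive its 1-based position, and looks up the id that a unified2 record would carry for a rule's classtype. Comment and blank lines are skipped and do not consume an index.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 64

/* One "config classification:" directive, numbered in file order. */
struct classification {
    int  id;          /* 1-based position in classification.config */
    char name[64];    /* short name matched by a rule's classtype: keyword */
    char desc[128];
    int  priority;
};

static struct classification classes[MAX_CLASSES];
static int class_count;

/* Constructed sample (hypothetical, not a real classification.config). */
static const char *sample_config =
    "# comment line\n"
    "config classification: not-suspicious,Not Suspicious Traffic,3\n"
    "\n"
    "config classification: unknown,Unknown Traffic,3\n"
    "config classification: bad-unknown,Potentially Bad Traffic,2\n"
    "config classification: attempted-recon,Attempted Information Leak,2\n";

/* Parse config text line by line; returns the number of directives loaded. */
int load_classifications(const char *text)
{
    const char *p = text;
    class_count = 0;
    while (*p && class_count < MAX_CLASSES) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        size_t copy = linelen < sizeof line ? linelen : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        p = nl ? nl + 1 : p + linelen;

        struct classification *c = &classes[class_count];
        if (sscanf(line, "config classification: %63[^,],%127[^,],%d",
                   c->name, c->desc, &c->priority) == 3)
            c->id = ++class_count;   /* unified2 classification_id starts at 1 */
    }
    return class_count;
}

/* Return the 1-based id for a classtype name, or 0 if it is not configured. */
int classification_id(const char *name)
{
    for (int i = 0; i < class_count; i++)
        if (strcmp(classes[i].name, name) == 0)
            return classes[i].id;
    return 0;
}
```

A classtype that is missing from the file yields 0, which is the case a reader such as barnyard2 must treat as "unknown classification" rather than as a valid index.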