[Oisf-devel] Unified2 - Classification ID Handling

firnsy firnsy at securixlive.com
Wed May 26 11:25:14 UTC 2010


G'day devs,

A new Suricata user identified an issue with the classification
correlation between barnyard2 and suricata. Suspecting my code was at
fault I did some digging in both code bases. 

It appears that the classification.config handling is a little different
to that of Snort and thus not completely conforming to the unified2
standard.

The unified2 alert record has a field for the classification_id which is
an index to the classification configuration line inside the
classification.config file (I believe counting starts at 1).

Attached for your reference and adaptation is the required patch to add
this index (i.e. "id") into the suricata base.

There may be some quirks in the priority assignment of the classification
directives but that's for another day.

Regards,

-- 
firnsy
www.securixlive.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unified2-add-classification-id.patch
Type: text/x-patch
Size: 6438 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100526/28256bd7/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100526/28256bd7/attachment.sig>
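The correlation problem described in the message, as an added example that is not the attached patch or any Suricata or barnyard2 code: a small parser that assigns each `config classification:` directive in a classification.config file its 1-based index in file order (the message's description of the unified2 `classification_id`), resolves an id back to its line, and compares the sensor's and the consumer's config files to show how the ids drift apart when the two files differ. The sample config text is constructed for the example, and the choice to count only directive lines (skipping comments and blanks) is an assumption, not something the message states.

```python
"""Assign unified2-style classification ids to classification.config lines.

Added example, not the patch from the e-mail. It assumes the message's
description: classification_id is a 1-based index into the
classification.config file. Counting only 'config classification:'
directives (not comments or blank lines) is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in Snort/Suricata classification.config syntax.
SENSOR_CONFIG = """\
# comments and blank lines carry no id in this example
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3

config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,2
"""

# Constructed consumer-side file with one directive missing: every id
# after the gap now points at a different classification.
CONSUMER_CONFIG = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,2
"""

LINE_RE = re.compile(r"^\s*config\s+classification\s*:\s*(.+?)\s*$")


@dataclass(frozen=True)
class Classification:
    id: int            # 1-based position among classification directives
    shortname: str
    description: str
    priority: int


def parse_classification_config(text: str) -> List[Classification]:
    """Return the directives in file order, numbered from 1."""
    entries: List[Classification] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # comment, blank, or unrelated line: no id consumed
        fields = [f.strip() for f in m.group(1).split(",")]
        if len(fields) != 3:
            raise ValueError(f"malformed classification line: {raw!r}")
        shortname, description, priority = fields
        entries.append(Classification(len(entries) + 1, shortname,
                                      description, int(priority)))
    return entries


def build_index(entries: List[Classification]) -> Dict[int, Classification]:
    """Lookup table keyed by the 1-based classification id."""
    return {e.id: e for e in entries}


def resolve(index: Dict[int, Classification],
            classification_id: int) -> Optional[Classification]:
    """Map a unified2 classification_id to its config line.

    0 is treated as 'no classification' and unknown ids yield None rather
    than raising, since a consumer should log and continue on a bad id.
    """
    if classification_id == 0:
        return None
    return index.get(classification_id)


def check_correlation(sensor_cfg: str, consumer_cfg: str) -> List[str]:
    """Report every id whose meaning differs between the two config files.

    This is the check a deployment would run to confirm that the sensor
    (writer of unified2) and the consumer (reader) agree on the id space.
    """
    sensor = build_index(parse_classification_config(sensor_cfg))
    consumer = build_index(parse_classification_config(consumer_cfg))
    problems: List[str] = []
    for cid, entry in sorted(sensor.items()):
        other = consumer.get(cid)
        if other is None:
            problems.append(f"id {cid}: '{entry.shortname}' missing on consumer side")
        elif other.shortname != entry.shortname:
            problems.append(f"id {cid}: sensor '{entry.shortname}' "
                            f"vs consumer '{other.shortname}'")
    return problems


if __name__ == "__main__":
    idx = build_index(parse_classification_config(SENSOR_CONFIG))
    print("id 3 on the sensor side ->", resolve(idx, 3))
    for line in check_correlation(SENSOR_CONFIG, CONSUMER_CONFIG):
        print("MISMATCH:", line)
```

Run it as a script to see the sensor-side lookup followed by the three drifted ids; the same `check_correlation` call, pointed at the real files on both hosts, is the quickest way to confirm that the two sides were generated from the same classification.config before trusting the names in the consumer's output.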