[Oisf-devel] Classifications and Tags

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Mar 23 16:15:34 UTC 2011

So we've had discussions about the new classification scheme proposed and donated by Alienvault, that's been well received I think and we've added a few new categories to it. The most current version with a few things added is here:


The subsequent discussion about using tags in the metadata: directive is also an excellent idea. The fact that rules could then belong to more than one tag/category is a spectacular end result. To implement that though it'll require all of the end products to adapt. So that'll take some time. I think we should go down that road, but in the interim we should most definitely still use the new classifications.

We'll implement these in the ET Open and Pro rulesets for Snort rules and Suricata rules within the next two months, but will still publish the rulesets with the old classifications as well. This will make things a bit more complex, as you'll have to choose the ruleset that works for you, but this way we don't have to end of life anything that's out there and has the existing classifications hard coded, nor do we force any SIEM installations to freak out if they're not updated. They can continue to use the old classifications. 

If that works for everyone we'll go forward that way. Please keep suggesting new categories for the system, but I'm sure we'll have them added as we implement as well. 


Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Oisf-devel mailing list