[Oisf-devel] Classifications and Tags

Victor Julien victor at inliniac.net
Wed Mar 23 16:45:38 UTC 2011


On 03/23/2011 05:15 PM, Matthew Jonkman wrote:
> So we've had discussions about the new classification scheme proposed and donated by Alienvault, that's been well received I think and we've added a few new categories to it. The most current version with a few things added is here:
> 
> http://www.emergingthreats.net/new_classifications_v2.txt
> 
> The subsequent discussion about using tags in the metadata: directive is also an excellent idea. The fact that rules could then belong to more than one tag/category is a spectacular end result. To implement that though it'll require all of the end products to adapt. So that'll take some time. I think we should go down that road, but in the interim we should most definitely still use the new classifications.

Can't seem to find what rule language extension was proposed. Can you
detail that some more?

Cheers,
Victor

> We'll implement these in the ET Open and Pro rulesets for Snort rules and Suricata rules within the next two months, but will still publish the rulesets with the old classifications as well. This will make things a bit more complex, as you'll have to choose the ruleset that works for you, but this way we don't have to end of life anything that's out there and has the existing classifications hard coded, nor do we force any SIEM installations to freak out if they're not updated. They can continue to use the old classifications. 
> 
> If that works for everyone we'll go forward that way. Please keep suggesting new categories for the system, but I'm sure we'll have them added as we implement as well. 
> 
> Matt
> 
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630 x110
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
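As an added illustration of the tags-in-metadata idea discussed above (not code from the thread or from Suricata), the following parser pulls the single classtype and any metadata tags out of rule text and indexes SIDs by each. The sample rules are constructed, and the use of a "tag" key inside the metadata: keyword is an assumption about how multi-category membership might be expressed; the thread does not specify the key name.

```python
from collections import defaultdict
# Constructed sample rules (not from the thread). A "tag" key inside metadata:
# is an assumption about how multi-category membership might be expressed.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Checkin; test"; flow:established,to_server; content:"/gate.php"; http_uri; classtype:trojan-activity; metadata:tag trojan, tag checkin, created_at 2011_03_23; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH Scan"; flags:S; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-recon; metadata:tag scan, tag ssh; sid:9000002; rev:1;)
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH Brute"; classtype:attempted-admin; metadata:tag brute_force, tag ssh; sid:9000003; rev:2;)
"""

def split_options(body):
    """Split a rule body on ';' while ignoring ';' inside double quotes (msg, content)."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        in_quote ^= (ch == '"')
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    return [o for o in opts + [''.join(cur).strip()] if o]

def parse_rule(line):
    """Pull sid, the single classtype, and metadata key/values; 'tag' entries become a set."""
    rule = {'sid': None, 'classtype': None, 'tags': set(), 'metadata': {}}
    for opt in split_options(line[line.index('(') + 1:line.rindex(')')]):
        key, _, val = (s.strip() for s in opt.partition(':'))
        if key == 'sid':
            rule['sid'] = int(val)
        elif key == 'classtype':
            rule['classtype'] = val
        elif key == 'metadata':
            for entry in val.split(','):
                k, _, v = entry.strip().partition(' ')
                if k == 'tag':
                    rule['tags'].add(v.strip())
                else:
                    rule['metadata'][k] = v.strip()
    return rule

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]

def index_by(rules, field):
    """Map each classtype (one per rule) or tag (many per rule) to the SIDs carrying it."""
    idx = defaultdict(set)
    for r in rules:
        for v in (r['tags'] if field == 'tags' else [r['classtype']]):
            idx[v].add(r['sid'])
    return dict(idx)
```

Running index_by over the samples shows the contrast Matt describes: each SID lands under exactly one classtype, while the two SSH rules both appear under the "ssh" tag alongside their other tags.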
