classification.config

Revision 1540, 3.4 kB (checked in by mbr, 3 years ago)
added classification.config in anticipation of being able to elevate psad danger levels based on specific logging prefixes

Line
1	# $Id: classification.config,v 1.11 2003/10/20 15:03:03 chrisgreen Exp $
2	# The following includes information for prioritizing rules
3	#
4	# Each classification includes a shortname, a description, and a default
5	# priority for that classification.
6	#
7	# This allows alerts to be classified and prioritized. You can specify
8	# what priority each classification has. Any rule can override the default
9	# priority for that rule.
10	#
11	# Here are a few example rules:
12	#
13	# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
14	# dsize: > 128; classtype:attempted-admin; priority:10;
15	#
16	# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
17	# content:"expn root"; nocase; classtype:attempted-recon;)
18	#
19	# The first rule will set its type to "attempted-admin" and override
20	# the default priority for that type to 10.
21	#
22	# The second rule set its type to "attempted-recon" and set its
23	# priority to the default for that type.
24	#
25
26	#
27	# config classification:shortname,short description,priority
28	#
29
30	config classification: not-suspicious,Not Suspicious Traffic,3
31	config classification: unknown,Unknown Traffic,3
32	config classification: bad-unknown,Potentially Bad Traffic, 2
33	config classification: attempted-recon,Attempted Information Leak,2
34	config classification: successful-recon-limited,Information Leak,2
35	config classification: successful-recon-largescale,Large Scale Information Leak,2
36	config classification: attempted-dos,Attempted Denial of Service,2
37	config classification: successful-dos,Denial of Service,2
38	config classification: attempted-user,Attempted User Privilege Gain,1
39	config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
40	config classification: successful-user,Successful User Privilege Gain,1
41	config classification: attempted-admin,Attempted Administrator Privilege Gain,1
42	config classification: successful-admin,Successful Administrator Privilege Gain,1
43
44
45	# NEW CLASSIFICATIONS
46	config classification: rpc-portmap-decode,Decode of an RPC Query,2
47	config classification: shellcode-detect,Executable code was detected,1
48	config classification: string-detect,A suspicious string was detected,3
49	config classification: suspicious-filename-detect,A suspicious filename was detected,2
50	config classification: suspicious-login,An attempted login using a suspicious username was detected,2
51	config classification: system-call-detect,A system call was detected,2
52	config classification: tcp-connection,A TCP connection was detected,4
53	config classification: trojan-activity,A Network Trojan was detected, 1
54	config classification: unusual-client-port-connection,A client was using an unusual port,2
55	config classification: network-scan,Detection of a Network Scan,3
56	config classification: denial-of-service,Detection of a Denial of Service Attack,2
57	config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
58	config classification: protocol-command-decode,Generic Protocol Command Decode,3
59	config classification: web-application-activity,access to a potentially vulnerable web application,2
60	config classification: web-application-attack,Web Application Attack,1
61	config classification: misc-activity,Misc activity,3
62	config classification: misc-attack,Misc Attack,2
63	config classification: icmp-event,Generic ICMP event,3
64	config classification: kickass-porn,SCORE! Get the lotion!,1
65	config classification: policy-violation,Potential Corporate Privacy Violation,1
66	config classification: default-login-attempt,Attempt to login by a default username and password,2

Note: See TracBrowser for help on using the browser.

Download in other formats:

Original Format