snort2-docker/docker/etc/classification.config

# $Id$
# The following includes information for prioritizing rules
# 
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized.  You can specify
# what priority each classification has.  Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
# 
#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; 
#	dsize: > 128; classtype:attempted-admin; priority:10;
#
#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
#	      content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override 
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
# 

#
# config classification:shortname,short description,priority
#

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1


# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable Code was Detected,1
config classification: string-detect,A Suspicious String was Detected,3
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
config classification: system-call-detect,A System Call was Detected,2
config classification: tcp-connection,A TCP Connection was Detected,4
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
config classification: file-format,Known malicious file or file based exploit,1
config classification: malware-cnc,Known malware command and control traffic,1
config classification: client-side-exploit,Known client side exploit attempt,1
Adding Docker Container 2020-02-24 13:56:30 +00:00			`# $Id$`
			`# The following includes information for prioritizing rules`
			`#`
			`# Each classification includes a shortname, a description, and a default`
			`# priority for that classification.`
			`#`
			`# This allows alerts to be classified and prioritized. You can specify`
			`# what priority each classification has. Any rule can override the default`
			`# priority for that rule.`
			`#`
			`# Here are a few example rules:`
			`#`
			`# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";`
			`# dsize: > 128; classtype:attempted-admin; priority:10;`
			`#`
			`# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \`
			`# content:"expn root"; nocase; classtype:attempted-recon;)`
			`#`
			`# The first rule will set its type to "attempted-admin" and override`
			`# the default priority for that type to 10.`
			`#`
			`# The second rule set its type to "attempted-recon" and set its`
			`# priority to the default for that type.`
			`#`

			`#`
			`# config classification:shortname,short description,priority`
			`#`

			`config classification: not-suspicious,Not Suspicious Traffic,3`
			`config classification: unknown,Unknown Traffic,3`
			`config classification: bad-unknown,Potentially Bad Traffic, 2`
			`config classification: attempted-recon,Attempted Information Leak,2`
			`config classification: successful-recon-limited,Information Leak,2`
			`config classification: successful-recon-largescale,Large Scale Information Leak,2`
			`config classification: attempted-dos,Attempted Denial of Service,2`
			`config classification: successful-dos,Denial of Service,2`
			`config classification: attempted-user,Attempted User Privilege Gain,1`
			`config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1`
			`config classification: successful-user,Successful User Privilege Gain,1`
			`config classification: attempted-admin,Attempted Administrator Privilege Gain,1`
			`config classification: successful-admin,Successful Administrator Privilege Gain,1`


			`# NEW CLASSIFICATIONS`
			`config classification: rpc-portmap-decode,Decode of an RPC Query,2`
			`config classification: shellcode-detect,Executable Code was Detected,1`
			`config classification: string-detect,A Suspicious String was Detected,3`
			`config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2`
			`config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2`
			`config classification: system-call-detect,A System Call was Detected,2`
			`config classification: tcp-connection,A TCP Connection was Detected,4`
			`config classification: trojan-activity,A Network Trojan was Detected, 1`
			`config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2`
			`config classification: network-scan,Detection of a Network Scan,3`
			`config classification: denial-of-service,Detection of a Denial of Service Attack,2`
			`config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2`
			`config classification: protocol-command-decode,Generic Protocol Command Decode,3`
			`config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2`
			`config classification: web-application-attack,Web Application Attack,1`
			`config classification: misc-activity,Misc activity,3`
			`config classification: misc-attack,Misc Attack,2`
			`config classification: icmp-event,Generic ICMP event,3`
			`config classification: inappropriate-content,Inappropriate Content was Detected,1`
			`config classification: policy-violation,Potential Corporate Privacy Violation,1`
			`config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2`
			`config classification: sdf,Sensitive Data was Transmitted Across the Network,2`
			`config classification: file-format,Known malicious file or file based exploit,1`
			`config classification: malware-cnc,Known malware command and control traffic,1`
			`config classification: client-side-exploit,Known client side exploit attempt,1`