classification.config

入侵检测系统.linux下与MySql连用的例子

# $Id: classification.config,v 1.4 2001/04/20 12:11:17 fygrave Exp $
# The following includes information for prioritizing rules
# 
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be cassified and prioritized.  You can specify
# what priority each classification has.  Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
# 
#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; 
#	dsize: > 128; classtype:attempted-admin; priority:10;
#
#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
#	      content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override 
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
# 

#
# config classification:shortname,short description,priority
#

config classification: not-suspicious,Not Suspicious Traffic,0
config classification: unknown,Unknown Traffic,1
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,3
config classification: successful-recon-limited,Information Leak,4
config classification: successful-recon-largescale,Large Scale Information Leak,5
config classification: attempted-dos,Attempted Denial of Service,6
config classification: successful-dos,Denial of Service,7
config classification: attempted-user,Attempted User Privilege Gain,8
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
config classification: successful-user,Successful User Privilege Gain,9
config classification: attempted-admin,Attempted Administrator Privilege Gain,10
config classification: successful-admin,Successful Administrator Privilege Gain,11