    Custom Attack Definition via Snort Rule

      Hi all,

      I'm trying to create a snort rule by "Edit Snort Attack" but when I click on validate the message says that I have to specify a classtype option.

      Which classtype can I use?

      The documentation says that I could import my classtype under the manager but I have not found the place where I can do this.


        • 1. Re: Custom Attack Definition via Snort Rule

          Rockin, you can import a classification.config file from the "Custom Attack Editor" by selecting the "File" | "Import" | "Snort Rules" menu.  You will then be prompted for the file name; .conf and .config files are among the file types that you can choose from.  You can import your classifications that way.  Hope this helps.



          • 2. Re: Custom Attack Definition via Snort Rule



            Classtypes are essentially used to translate to a priority (severity), and as far as I know you need one or the other so the manager knows if you want to treat this attack as high, medium or low severity.  I have certainly been on sites that don't import any config files and just specify the required priority in the snort rule body.

            Saying that, however - config files are the way to go as LavonF suggests :-)
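
The classtype-to-priority relationship discussed in this thread, as an added example that is not part of the original posts and not the manager's own validation logic: it parses Snort's `classification.config` syntax and reports the priority each rule resolves to, or why it would lack one. The sample config entries, rules, SIDs and the `my-custom-class` name are constructed; the option parsing is simplified and assumes no `;` inside quoted strings.

```python
import re

# Constructed sample in Snort's classification.config syntax:
#   config classification: <shortname>,<short description>,<priority>
SAMPLE_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
"""

# Constructed sample rules (SIDs chosen from the local range, >= 1000000).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"Constructed admin probe"; content:"/admin"; classtype:web-application-attack; sid:1000001; rev:1;)',
    'alert tcp any any -> any 23 (msg:"Constructed telnet use"; priority:2; sid:1000002; rev:1;)',
    'alert tcp any any -> any 21 (msg:"Constructed ftp use"; sid:1000003; rev:1;)',
    'alert tcp any any -> any 25 (msg:"Constructed smtp use"; classtype:my-custom-class; sid:1000004; rev:1;)',
]

def parse_classifications(text):
    """Map each classtype short name to its priority (1 is the highest)."""
    classes = {}
    for line in text.splitlines():
        m = re.match(r"config\s+classification:\s*([^,]+),[^,]*,\s*(\d+)\s*$", line.strip())
        if m:  # comments and blank lines simply do not match
            classes[m.group(1).strip()] = int(m.group(2))
    return classes

def rule_option(rule, name):
    """Return the value of a `name:value;` option in the rule body, or None."""
    body = rule[rule.find("(") + 1 : rule.rfind(")")]
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*:\s*([^;]+);", body)
    return m.group(1).strip() if m else None

def check_rule(rule, classes):
    """Return ("ok", priority) or ("error", reason) for one rule."""
    classtype = rule_option(rule, "classtype")
    priority = rule_option(rule, "priority")
    if classtype is not None and classtype not in classes:
        return ("error", f"unknown classtype '{classtype}'")
    if priority is not None and priority.isdigit():
        return ("ok", int(priority))  # an explicit priority overrides the classtype's
    if classtype is not None:
        return ("ok", classes[classtype])
    return ("error", "no classtype or priority option")

if __name__ == "__main__":
    known = parse_classifications(SAMPLE_CONFIG)
    for r in SAMPLE_RULES:
        print(check_rule(r, known), rule_option(r, "sid"))
```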