Classification.config


Joshua Calandra

May 14, 2012, 4:44:59 AM5/14/12
to security-onion
Hi everyone, while searching for this file I noticed that there was more
than one:
/etc/nsm/classification.config
/etc/nsm/test497-eth1/classification.config
/etc/snort/classification.config
/etc/snort-2.9.0.1/classification.config
/etc/snort.orig/classification.config
Which of them does Security Onion use?

Doug Burks

May 14, 2012, 6:11:37 AM5/14/12
to securit...@googlegroups.com
Hi Joshua,

This is defined in the configuration file for whatever IDS Engine you
chose during Setup (Snort or Suricata):

grep classification /etc/nsm/*/snort.conf /etc/nsm/*/suricata.yaml
/etc/nsm/qa-eth0/snort.conf:include classification.config
/etc/nsm/qa-eth0/suricata.yaml:classification-file:
/etc/suricata/classification.config

As you can see, snort.conf defaults to using the classification.config
in the sensor directory (/etc/nsm/HOSTNAME-INTERFACE) and
suricata.yaml defaults to using the classification.config in
/etc/suricata/.

We have an open issue to make this more consistent in the future:
http://code.google.com/p/security-onion/issues/detail?id=209

Hope that helps!

Thanks,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
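As an added example (not from this thread and not part of Security Onion's own scripts), the following Python script does what Doug's grep does by hand: it reads a sensor's snort.conf and suricata.yaml and works out which classification.config each engine would load. It assumes that a relative path in a Snort `include` line is resolved against the directory of that snort.conf (the sensor directory, which matches the grep output above), and that Suricata's `classification-file:` key names the file directly. The sensor directory name and both config fragments are constructed samples.

```python
"""Resolve which classification.config a Security Onion sensor actually loads.

Assumption: a relative `include` in snort.conf is resolved against the
directory holding that snort.conf (the sensor directory), while Suricata's
`classification-file:` key normally carries an absolute path. All inputs
below are constructed samples, not copied from a real sensor.
"""
import os
import re

# Constructed sample: a sensor directory name in Security Onion's layout.
SENSOR_DIR = "/etc/nsm/HOSTNAME-INTERFACE"

SNORT_CONF = """\
# constructed snort.conf fragment
var RULE_PATH /etc/nsm/rules
include classification.config
include reference.config
"""

SURICATA_YAML = """\
# constructed suricata.yaml fragment
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
"""

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
CLASSFILE_RE = re.compile(r"^\s*classification-file:\s*(\S+)")


def _resolve(path, conf_dir):
    """Absolute paths stay as-is; relative ones are taken from conf_dir."""
    if os.path.isabs(path):
        return os.path.normpath(path)
    return os.path.normpath(os.path.join(conf_dir, path))


def snort_classification_file(snort_conf_text, conf_dir):
    """Return every classification.config path a snort.conf would include."""
    found = []
    for line in snort_conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and os.path.basename(m.group(1)) == "classification.config":
            found.append(_resolve(m.group(1), conf_dir))
    return found


def suricata_classification_file(yaml_text, conf_dir):
    """Return the path named by classification-file: in a suricata.yaml."""
    for line in yaml_text.splitlines():
        m = CLASSFILE_RE.match(line)
        if m:
            return _resolve(m.group(1), conf_dir)
    return None


def classification_files_for_sensor(sensor_dir, snort_conf_text, yaml_text):
    """Map each engine to the classification.config it would load."""
    return {
        "snort": snort_classification_file(snort_conf_text, sensor_dir),
        "suricata": suricata_classification_file(yaml_text, sensor_dir),
    }


if __name__ == "__main__":
    result = classification_files_for_sensor(SENSOR_DIR, SNORT_CONF, SURICATA_YAML)
    for engine, path in result.items():
        print(f"{engine}: {path}")
```

To use it on a live sensor, read the two files from the sensor directory and pass their contents together with that directory; the script returns a list for Snort because snort.conf may include more than one classification file, and the first entry is the one Doug's grep points at.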

Joshua Calandra

May 14, 2012, 6:36:31 AM5/14/12
to security-onion
Thanks for your quick response, that helps!

On 14 Mag, 12:11, Doug Burks <doug.bu...@gmail.com> wrote:
> Hi Joshua,
>
> This is defined in the configuration file for whatever IDS Engine you
> chose during Setup (Snort or Suricata):
>
> grep classification /etc/nsm/*/snort.conf /etc/nsm/*/suricata.yaml
> /etc/nsm/qa-eth0/snort.conf:include classification.config
> /etc/nsm/qa-eth0/suricata.yaml:classification-file:
> /etc/suricata/classification.config
>
> As you can see, snort.conf defaults to using the classification.config
> in the sensor directory (/etc/nsm/HOSTNAME-INTERFACE) and
> suricata.yaml defaults to using the classification.config in
> /etc/suricata/.
>
> We have an open issue to make this more consistent in the future:
> http://code.google.com/p/security-onion/issues/detail?id=209
>
> Hope that helps!
>
> Thanks,
> Doug
>
> On Mon, May 14, 2012 at 4:44 AM, Joshua Calandra
>

Joshua Calandra

May 15, 2012, 9:53:22 AM5/15/12
to securit...@googlegroups.com
Hi Doug, I tried to edit my classification.config (path: /etc/nsm/test497-eth1/classification.config) but nothing changes in the Snorby visualization. Is it possible that the right file that Snort reads is in another directory?

Doug Burks

May 15, 2012, 9:59:45 AM5/15/12
to securit...@googlegroups.com
Did you restart Snort after making the changes?

Are you talking about events that were already in the Snorby database
or new events coming in after the Snort restart?

Thanks,
Doug

On Tue, May 15, 2012 at 9:53 AM, Joshua Calandra

Joshua Calandra

May 15, 2012, 10:04:25 AM5/15/12
to securit...@googlegroups.com
No, I didn't restart Snort; how do I do this?
I'm talking about new incoming events...
Thanks for your quick response.

Doug Burks

May 15, 2012, 10:05:48 AM5/15/12
to securit...@googlegroups.com
sudo nsm_sensor_ps-restart --only-snort-alert

On Tue, May 15, 2012 at 10:04 AM, Joshua Calandra

Joshua Calandra

May 15, 2012, 10:18:11 AM5/15/12
to securit...@googlegroups.com
No, it still doesn't work. I'll explain what I've done for better understanding:
I changed, in /etc/nsm/test497-eth1/classification.config, the line
config classification: misc-activity,Misc activity,3
to
config classification: misc-activity,Misc activity,1
so I expect that events related to it, classified as 3 (green) before, now have to be classified as 1 (red)...
But nothing happens.
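As an added example (not from this thread and not Security Onion or Snort code), the Python below parses `config classification:` lines of the form shown above, diffs a "before" and "after" copy of the file to list which classtypes changed priority, and computes the priority an event from a given rule would get. It encodes two facts that explain the kind of result Joshua describes: a rule that carries its own `priority:` keyword overrides the classtype default, so editing classification.config does not move those events, and Snort only reads the file at start-up, so nothing changes until the restart Doug asked about. The priority labels follow Snort's own convention (1 high, 2 medium, 3 low, 4 very low); the two config versions and the rules are constructed samples.

```python
"""Parse classification.config and show the effect of changing a priority.

Each line has the form
    config classification: <classtype>,<description>,<priority>
A rule's classtype looks up its default priority here; a rule with its own
`priority:` keyword overrides that default. Snort only reads the file at
start-up. All inputs below are constructed samples.
"""
import re

CLASS_RE = re.compile(
    r"^\s*config\s+classification:\s*([^,]+?)\s*,\s*(.*?)\s*,\s*(\d+)\s*$"
)
CLASSTYPE_RE = re.compile(r"classtype\s*:\s*([^;]+);")
PRIORITY_RE = re.compile(r"priority\s*:\s*(\d+)\s*;")

# Snort's own priority convention from the stock classification.config header.
SEVERITY = {1: "high", 2: "medium", 3: "low", 4: "very low"}

# Constructed "before" and "after" versions of the edit described in the thread.
BEFORE = """\
# constructed classification.config fragment
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: misc-activity,Misc activity,3
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""
AFTER = BEFORE.replace(
    "misc-activity,Misc activity,3", "misc-activity,Misc activity,1"
)

# Constructed rules: the first inherits its classtype priority, the second
# pins its own priority and so ignores any classification.config change.
RULES = [
    'alert tcp any any -> any 21 (msg:"constructed ftp login"; '
    'classtype:misc-activity; sid:9000001; rev:1;)',
    'alert tcp any any -> any 21 (msg:"constructed ftp login pinned"; '
    'classtype:misc-activity; priority:2; sid:9000002; rev:1;)',
]


def parse_classification(text):
    """Return {classtype: (description, priority)}; malformed lines raise."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a classification line: {line!r}")
        name, desc, prio = m.group(1), m.group(2), int(m.group(3))
        table[name] = (desc, prio)
    return table


def effective_priority(rule, table):
    """Priority a rule's events get: an explicit priority: wins, else classtype."""
    p = PRIORITY_RE.search(rule)
    if p:
        return int(p.group(1))
    c = CLASSTYPE_RE.search(rule)
    if not c:
        return None
    name = c.group(1).strip()
    return table[name][1] if name in table else None


def priority_changes(before_text, after_text):
    """List (classtype, old, new) for every classtype whose priority differs."""
    before = parse_classification(before_text)
    after = parse_classification(after_text)
    return [
        (name, before[name][1], after[name][1])
        for name in before
        if name in after and before[name][1] != after[name][1]
    ]


if __name__ == "__main__":
    print("changed:", priority_changes(BEFORE, AFTER))
    for rule in RULES:
        for label, text in (("before", BEFORE), ("after", AFTER)):
            prio = effective_priority(rule, parse_classification(text))
            print(f"{label}: priority {prio} ({SEVERITY.get(prio)}) <- {rule[:60]}...")
```

Running `priority_changes` against the real before/after copies of a sensor's classification.config is a quick way to confirm that the edit landed in the file the engine actually includes; if the diff is empty, the wrong copy was edited.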

Doug Burks

May 15, 2012, 10:29:04 AM5/15/12
to securit...@googlegroups.com
Please see:
http://groups.google.com/group/security-onion/browse_thread/thread/d8e9e8b5f1aa202a

Hope that helps!

Thanks,
Doug

On Tue, May 15, 2012 at 10:18 AM, Joshua Calandra

Joshua Calandra

May 15, 2012, 10:43:31 AM5/15/12
to securit...@googlegroups.com
Awesome... it helps!
Thanks a lot!