None/all of the above. If you're going to do this, you could get the broadest reach with a regular expression match of the alert. I could imagine an organization other than mine blacklisting clients based on / ET (P2P|POLICY) .+Priority: 1/, for example.
VRT is 90% done changing the classification of most rules. ET went through a similar mass reclassification a couple years ago. This doesn't mean that classifications are not useful -- it just means that you'd have to pay attention when they change.

I don't think I would ever use such a feature. False positives are too high with new rules. Consider reviewing your snort alerts in something like Snorby, Placid, or Aanval instead, and archive everything to ELSA. If you see something interesting, create a generic malware violation manually.

High-confidence proprietary VRT rules have this sort of thing in the rule file:

    metadata:policy balanced-ips drop, policy security-ips drop;

SourceFire appliances use that for default policy, based on VRT's estimation of the risk/reward. Most rules are alert only. The suggested action appears only in the rule, not in the alert message.

-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin

_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
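The two ideas in the reply above, matching alerts with a regular expression instead of trusting classifications, and reading the suggested action out of a rule's metadata rather than the alert, as an added Python example that is not part of the original thread or of PacketFence or Snort. The alert lines and the rule are constructed samples in Snort alert_fast format; the only change to the regex from the post is a trailing `\]` so that "Priority: 1" cannot also match a two-digit priority.

```python
import re

# Pattern from the post, with "\]" appended (my addition) so that
# "Priority: 1" does not also match "Priority: 10".
ALERT_PATTERN = re.compile(r" ET (P2P|POLICY) .+Priority: 1\]")

# Field layout of a Snort alert_fast line: timestamp, [gid:sid:rev], msg,
# optional classification, priority, protocol, src:port -> dst:port.
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts (RFC 5737 documentation addresses), not real traffic.
SAMPLE_ALERTS = [
    "05/01-12:00:01.000001  [**] [1:2008581:3] ET P2P BitTorrent DHT ping request [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} "
    "10.0.0.5:6881 -> 198.51.100.7:6881",
    "05/01-12:00:02.000002  [**] [1:2003410:5] ET POLICY FTP Login Successful [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.9:21 -> 10.0.0.5:50012",
    "05/01-12:00:03.000003  [**] [1:2010937:4] ET POLICY Suspicious inbound to mySQL port 3306 [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.4:40001 -> 10.0.0.8:3306",
    "05/01-12:00:04.000004  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.8:80 -> 198.51.100.7:33920",
]

# Constructed rule carrying the metadata shape quoted in the post; sid is a local-range placeholder.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE high-confidence rule"; '
    'flow:to_server,established; content:"|00|"; '
    'metadata:policy balanced-ips drop, policy security-ips drop; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)


def parse_fast_alert(line):
    """Return the named fields of one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None


def select_violations(lines, pattern=ALERT_PATTERN):
    """Pick the alerts whose raw text matches the pattern; return src IP, sid and msg
    for each, which is what a NAC (PacketFence-style) violation would need."""
    hits = []
    for line in lines:
        if not pattern.search(line):
            continue
        fields = parse_fast_alert(line)
        if fields is None:  # matched the regex but not the expected layout: skip, do not guess
            continue
        hits.append({"src": fields["src"], "sid": fields["sid"], "msg": fields["msg"]})
    return hits


def rule_policy_actions(rule_text):
    """Map each 'policy <name> <action>' entry in a rule's metadata option to its action.
    Returns {} when the rule carries no policy metadata (the common, alert-only case)."""
    m = re.search(r"metadata:([^;]+);", rule_text)
    if not m:
        return {}
    actions = {}
    for item in m.group(1).split(","):
        parts = item.split()
        if len(parts) == 3 and parts[0] == "policy":
            actions[parts[1]] = parts[2]
    return actions


if __name__ == "__main__":
    for hit in select_violations(SAMPLE_ALERTS):
        print(f"violation candidate: host {hit['src']} sid {hit['sid']} ({hit['msg']})")
    print("rule policy actions:", rule_policy_actions(SAMPLE_RULE))
```

Only the BitTorrent alert is selected: the FTP and mySQL POLICY alerts fail the priority test, and the GPL alert is not an ET rule. The policy lookup works on the rule file, not on the alert, which is the point the reply makes: the alert message never tells you what VRT thought the action should be.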
