[Emerging-Sigs] Case sensitivity on rules classification

Tiago Faria tiago.faria.backups at gmail.com
Thu Jun 4 09:52:11 HDT 2020


Hi list,

I have a question regarding the classification.config that is used by the
rulesets and its use of case sensitivity.

As a user of Elasticsearch (and there are quite a few debates about the
dangers, from a detection engineering perspective, of what I'll mention), I
can't help but be concerned about a possible change to the classification
file and what that would mean for anyone who has developed anything with
the existing classification names.

While most categories have a capital letter at the beginning of each word,
many do not. Example:

"Detection of a Denial of Service Attack"

and

"Attempt to login by a default username and password"

Others, for example, don't hold any capital letters, such as "access to a
potentially vulnerable web application" and a few others.

There are many benefits of using the "full name" of a category when
developing detections or processes around alerts (namely they are more
telling of the event than the short name) but I guess the question I want
to ask is:

Is there a commitment to utilizing these names in the long run? I don't
worry so much about possible new categories as I'm more concerned about
changing existing ones.

In case anyone would like to read more about the Elasticsearch challenges
with stuff like this: https://github.com/elastic/elasticsearch/issues/53603

Thank you.
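An added example, not part of the post or of the Emerging Threats ruleset: a small Python parser for classification.config lines that resolves full category names case-insensitively, which is the safeguard a detection pipeline keyed on those long names would want if their capitalisation ever changed. The constructed sample uses the three full names quoted above; the short names and priorities are assumed to follow the stock classification.config line format and are not taken from the post.

```python
"""Case-insensitive handling of Snort/Suricata classification.config names."""
import re

# Constructed sample in the "config classification: short,Full Name,priority"
# line format. The full names are the three quoted in the post; the short
# names and priorities are assumed, not taken from the post.
SAMPLE_CONFIG = """\
# comment and blank lines are ignored

config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: default-login-attempt,Attempt to login by a default username and password,2
config classification: web-application-activity,access to a potentially vulnerable web application,2
"""

LINE_RE = re.compile(r"^config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$")


def parse_classification_config(text):
    """Return a list of (shortname, fullname, priority) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable classification line: {raw!r}")
        entries.append((m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return entries


def build_lookup(entries):
    """Map casefolded full names to short names so that a detection keyed on
    the long name keeps matching after a capitalisation change. Two entries
    that differ only in case but map to different short names are an error:
    silently merging them would hide a real change."""
    lookup = {}
    for short, full, _prio in entries:
        key = full.casefold()
        if key in lookup and lookup[key] != short:
            raise ValueError(f"case-only collision on {full!r}")
        lookup[key] = short
    return lookup


def lookup_shortname(lookup, fullname):
    """Resolve a full classification name regardless of case, or None."""
    return lookup.get(fullname.casefold())


def lowercase_only_names(entries):
    """Full names holding no capital letter at all, the inconsistency noted."""
    return [full for _s, full, _p in entries if full == full.lower()]
```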