[Emerging-Sigs] Case sensitivity on rules classification

Jason Williams jwilliams at emergingthreats.net
Thu Jun 4 12:34:16 HDT 2020


That's a good question; I encounter the case issue as well when using Elastic.

We have no plans to change existing categories; there are a few new ones we
have tossed around adding, but no plans to change the existing ones.

For our Suricata 5 ruleset we made new category suggestions to the official
Suricata classification.config
(https://github.com/OISF/suricata/blob/master/etc/classification.config).

As we are intertwined with OISF/Suricata there, we wanted to make sure to
maintain the same classification.config so there wouldn't be issues. You may
want to pose this question there as well.

On Thu, Jun 4, 2020 at 12:52 PM Tiago Faria <tiago.faria.backups at gmail.com>
wrote:

> Hi list,
>
> I have a question regarding the classification.config that is used by the
> rulesets and its use of case sensitivity.
>
> As a user of Elasticsearch, and there are quite a few debates about the
> dangers (from a detection engineering perspective) of what I'll mention, I
> can't help but be concerned about a possible change to the classification
> file and what that would mean for anyone who has developed anything with
> the existing classification names.
>
> While most categories have a capital letter at the beginning of each word,
> many do not. Example:
>
> "Detection of a Denial of Service Attack"
>
> and
>
> "Attempt to login by a default username and password"
>
> Others, for example, don't hold any capital letters, such as "access to a
> potentially vulnerable web application" and a few others.
>
> There are many benefits of using the "full name" of a category when
> developing detections or processes around alerts (namely they are more
> telling of the event than the short name) but I guess the question I want
> to ask is:
>
> Is there a commitment to utilizing these names in the long run? I don't
> worry so much about possible new categories as I'm more concerned about
> changing existing ones.
>
> In case anyone would like to read more about the Elasticsearch challenges
> with stuff like this:
> https://github.com/elastic/elasticsearch/issues/53603
>
> Thank you.
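A small parser for the classification.config format discussed in this thread, added here as an example (not code from Emerging Threats or OISF): it reads `config classification: shortname,Full Description,priority` lines, builds a case-folded index of the full names so that an EVE `alert.category` value can be resolved regardless of how it is capitalised, and refuses to index two descriptions that differ only by case, since those would become ambiguous in a case-insensitive Elasticsearch field. The sample config is constructed; the full names are the three quoted in the question, and the short names and priorities are assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Suricata classification.config format.
# Full names are the ones quoted in the thread; short names and
# priorities are assumptions for this example, not the upstream file.
SAMPLE_CONFIG = """\
# comment lines and blank lines are ignored
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: default-login-attempt,Attempt to login by a default username and password,2
config classification: web-application-activity,access to a potentially vulnerable web application,2
"""

LINE_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$")


@dataclass(frozen=True)
class Classification:
    shortname: str
    description: str
    priority: int


def parse_classification_config(text):
    """Return the Classification entries in text, skipping comments and blanks."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised classification line: {line!r}")
        entries.append(Classification(m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return entries


def build_index(entries):
    """Map case-folded full descriptions to entries.

    Two descriptions that differ only in case would collide once the alert
    category is matched case-insensitively (e.g. a keyword field with a
    lowercase normalizer), so such a pair is rejected rather than silently
    overwritten."""
    index = {}
    for e in entries:
        key = e.description.casefold()
        if key in index and index[key].shortname != e.shortname:
            raise ValueError(f"case-folded collision: {e.description!r} vs {index[key].description!r}")
        index[key] = e
    return index


def resolve_category(index, alert_category):
    """Resolve an EVE alert.category string to its entry, ignoring case; None if unknown."""
    return index.get(alert_category.strip().casefold())
```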