[Emerging-Sigs] Case sensitivity on rules classification

Tiago Faria tiago.faria.backups at gmail.com
Thu Jun 4 13:37:14 HDT 2020


Hey Jason,

Thanks! My concern was that something like "access to a potentially
vulnerable web application" could be changed to "Access to a potentially
vulnerable web application", which, even though a small change, has the
capability of seriously breaking things. If those types of changes are not
in the roadmap then it shouldn't be a problem.

As for the classification file itself I always assumed OISF was relying on
https://rules.emergingthreats.net/open/suricata-5.0/classification.config
for 5.0. That's a good call and I'll reference this thread on their mailing
list as well.

Thank you!
Tiago

On Thu, Jun 4, 2020 at 10:34 PM Jason Williams <
jwilliams at emergingthreats.net> wrote:

> That's a good question, I encounter the case issue as well in using
> elastic.
>
> We have no plans to change existing categories, there are a few new ones
> we have tossed around about adding, but no plans to change the existing.
>
> For our Suricata 5 ruleset we made new category suggestions to the
> official Suricata classifications.config (
> https://github.com/OISF/suricata/blob/master/etc/classification.config)
>
> As we are intertwined with OISF/Suricata there, we wanted to make sure to
> maintain the same classifications.config so there wouldn't be issues. May
> want to pose this question there as well.
>
> On Thu, Jun 4, 2020 at 12:52 PM Tiago Faria <tiago.faria.backups at gmail.com>
> wrote:
>
>> Hi list,
>>
>> I have a question regarding the classification.config that is used by the
>> rulesets and its use of case sensitivity.
>>
>> As a user of Elasticsearch, and there are quite a few debates about the
>> dangers (from a detection engineering perspective) of what I'll mention, I
>> can't help but be concerned about a possible change to the classification
>> file and what that would mean for anyone who has developed anything with
>> the existing classification names.
>>
>> While most categories have a capital letter at the beginning of each
>> word, many do not. Example:
>>
>> "Detection of a Denial of Service Attack"
>>
>> and
>>
>> "Attempt to login by a default username and password"
>>
>> Others, for example, don't hold any capital letters, such as "access to a
>> potentially vulnerable web application" and a few others.
>>
>> There are many benefits of using the "full name" of a category when
>> developing detections or processes around alerts (namely they are more
>> telling of the event than the short name) but I guess the question I want
>> to ask is:
>>
>> Is there a commitment to utilizing these names in the long run? I don't
>> worry so much about possible new categories as I'm more concerned about
>> changing existing ones.
>>
>> In case anyone would like to read more about the Elasticsearch challenges
>> with stuff like this:
>> https://github.com/elastic/elasticsearch/issues/53603
>>
>> Thank you.
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
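The concern raised in the thread, that a detection keyed on the full category description breaks when only the capitalisation of a classification.config entry changes, can be demonstrated directly. The script below is an added example, not code from the thread or from Emerging Threats/OISF. It parses Suricata/Snort-style "config classification:" lines, diffs two versions of the file to separate case-only changes from real changes, and compares an exact-match detection against a case-folded one. The sample config lines are constructed for the example: the descriptions are the ones quoted in the thread, while the short names and priorities are assumed and should be checked against the ruleset's own classification.config. The alert dictionaries are likewise constructed, loosely modelled on the category string a Suricata EVE alert carries.

```python
"""Added example: how a capitalisation-only edit to classification.config
breaks a detection that matches the full category description exactly.

Sample data in this file is constructed; short names and priorities are
assumptions, only the description strings come from the thread.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Classification(NamedTuple):
    shortname: str
    description: str
    priority: int


# Suricata/Snort line format: "config classification: <short>,<description>,<priority>"
_LINE = re.compile(r"^\s*config\s+classification:\s*([^,]+),(.+),(\d+)\s*$")


def parse_classification(text: str) -> Dict[str, Classification]:
    """Return {shortname: Classification}; blank and '#' comment lines are skipped."""
    result: Dict[str, Classification] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable classification line: {raw!r}")
        short = m.group(1).strip()
        result[short] = Classification(short, m.group(2).strip(), int(m.group(3)))
    return result


# Constructed sample; descriptions as quoted in the thread, short names assumed.
CONFIG_V1 = """\
# constructed sample classification.config
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: default-login-attempt,Attempt to login by a default username and password,2
config classification: web-application-activity,access to a potentially vulnerable web application,2
"""

# The same file after a hypothetical capitalisation-only edit to one category.
CONFIG_V2 = CONFIG_V1.replace(
    "access to a potentially vulnerable web application",
    "Access to a potentially vulnerable web application",
)


def changed_descriptions(old: Dict[str, Classification],
                         new: Dict[str, Classification]) -> Tuple[List[str], List[str]]:
    """Short names whose description changed, split into case-only and real changes."""
    case_only: List[str] = []
    real: List[str] = []
    for short, entry in old.items():
        if short not in new:
            continue
        new_desc = new[short].description
        if new_desc == entry.description:
            continue
        if new_desc.casefold() == entry.description.casefold():
            case_only.append(short)
        else:
            real.append(short)
    return case_only, real


# A downstream detection (e.g. a SIEM rule) keyed on the full description string.
WATCHED_CATEGORY = "access to a potentially vulnerable web application"


def match_exact(alert_category: str) -> bool:
    """Byte-for-byte match, as a keyword field without a normaliser behaves."""
    return alert_category == WATCHED_CATEGORY


def match_normalised(alert_category: str) -> bool:
    """Case-folded match, the effect of indexing the field with a lowercase normaliser."""
    return alert_category.casefold() == WATCHED_CATEGORY.casefold()


def build_alerts(cfg: Dict[str, Classification]) -> List[dict]:
    """Constructed alerts, one per category, carrying the description as 'category'."""
    return [{"classtype": c.shortname, "category": c.description} for c in cfg.values()]


def count_hits(cfg: Dict[str, Classification], matcher) -> int:
    """Number of constructed alerts the given matcher would fire on."""
    return sum(1 for a in build_alerts(cfg) if matcher(a["category"]))


if __name__ == "__main__":
    v1, v2 = parse_classification(CONFIG_V1), parse_classification(CONFIG_V2)
    print("case-only / real changes:", changed_descriptions(v1, v2))
    print("exact match, v1:", count_hits(v1, match_exact))
    print("exact match, v2:", count_hits(v2, match_exact))
    print("normalised match, v2:", count_hits(v2, match_normalised))
```

Running `changed_descriptions` over the old and new file before deploying a ruleset update is a cheap pre-flight check: a non-empty case-only list means exact-match detections on that category will go silent without any rule error. Matching on the short name (`classtype`) rather than the description, or case-folding the field at index time, removes the dependency on capitalisation entirely.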