classtype

The classtype assigns a classification to the rule to indicate the type of attack associated with an event. Snort provides a list of default classifications that rule-writers can use to better organize rule event data.

Note that a rule should only have one classtype declaration.

Attack classifications provided by Snort reside in the snort_defaults.lua configuration file. Each classification is a Lua table entry with three fields (name, priority, and text), like so:

{ name = 'attempted-user', priority = 1,
  text = 'Attempted User Privilege Gain' }

Snort's current default classifications use priority values 1-4, with 1 being the most severe and 4 being the least severe. The following is a table of all default classifications provided by Snort:

Classtype                        Description                                                   Priority
-------------------------------  ------------------------------------------------------------  --------
not-suspicious                   Not Suspicious Traffic                                        3
unknown                          Unknown Traffic                                               3
bad-unknown                      Potentially Bad Traffic                                       2
attempted-recon                  Attempted Information Leak                                    2
successful-recon-limited         Information Leak                                              2
successful-recon-largescale      Large Scale Information Leak                                  2
attempted-dos                    Attempted Denial of Service                                   2
successful-dos                   Denial of Service                                             2
attempted-user                   Attempted User Privilege Gain                                 1
unsuccessful-user                Unsuccessful User Privilege Gain                              1
successful-user                  Successful User Privilege Gain                                1
attempted-admin                  Attempted Administrator Privilege Gain                        1
successful-admin                 Successful Administrator Privilege Gain                       1
rpc-portmap-decode               Decode of an RPC Query                                        2
shellcode-detect                 Executable code was detected                                  1
string-detect                    A suspicious string was detected                              3
suspicious-filename-detect       A suspicious filename was detected                            2
suspicious-login                 An attempted login using a suspicious username was detected   2
system-call-detect               A system call was detected                                    2
tcp-connection                   A TCP connection was detected                                 4
trojan-activity                  A Network Trojan was detected                                 1
unusual-client-port-connection   A client was using an unusual port                            2
network-scan                     Detection of a Network Scan                                   3
denial-of-service                Detection of a Denial of Service Attack                       2
non-standard-protocol            Detection of a non-standard protocol or event                 2
protocol-command-decode          Generic Protocol Command Decode                               3
web-application-activity         Access to a potentially vulnerable web application            2
web-application-attack           Web Application Attack                                        1
misc-activity                    Misc Activity                                                 3
misc-attack                      Misc Attack                                                   2
icmp-event                       Generic ICMP event                                            3
inappropriate-content            Inappropriate Content was Detected                            1
policy-violation                 Potential Corporate Privacy Violation                         1
default-login-attempt            Attempt to login by a default username and password           2
sdf                              Sensitive Data                                                2
file-format                      Known malicious file or file based exploit                    1
malware-cnc                      Known malware command and control traffic                     1
client-side-exploit              Known client side exploit attempt                             1

Format

classtype:classification;

Examples:

classtype:web-application-attack;
classtype:attempted-user;
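The classtype format and the one-declaration rule above, worked through as an added example that is not part of the Snort documentation or code base: a small Python checker that reads classification entries written in the snort_defaults.lua table syntax from a constructed excerpt, then lints a handful of constructed rules for a missing classtype, more than one classtype, or a name that is not in the classification table, and looks up each valid rule's priority so rules can be triaged by severity. The Lua excerpt, the rules and their sids are all constructed for this example; the regular expressions are the example's own, not Snort's parser.

```python
import re

# Constructed excerpt in the snort_defaults.lua table syntax shown above.
# Sample data for the example, not the real file: it carries only four of
# Snort's default classifications.
DEFAULTS_LUA = """
classifications =
{
    { name = 'not-suspicious', priority = 3, text = 'Not Suspicious Traffic' },
    { name = 'attempted-user', priority = 1,
      text = 'Attempted User Privilege Gain' },
    { name = 'web-application-attack', priority = 1, text = 'Web Application Attack' },
    { name = 'tcp-connection', priority = 4, text = 'A TCP connection was detected' },
}
"""

# One classification entry: { name = '...', priority = N, text = '...' }.
# Whitespace, including a line break before 'text', is allowed anywhere.
ENTRY_RE = re.compile(
    r"\{\s*name\s*=\s*'([^']+)'\s*,"
    r"\s*priority\s*=\s*(\d+)\s*,"
    r"\s*text\s*=\s*'([^']*)'\s*\}"
)

# The classtype option inside a rule body: classtype:<classification>;
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([A-Za-z0-9_-]+)\s*;")


def load_classifications(lua_text):
    """Map classification name -> (priority, text) from the Lua table entries."""
    return {m.group(1): (int(m.group(2)), m.group(3))
            for m in ENTRY_RE.finditer(lua_text)}


def _classtypes(rule):
    """classtype values in a rule, ignoring quoted strings such as the msg text."""
    return CLASSTYPE_RE.findall(re.sub(r'"[^"]*"', '""', rule))


def lint_rule(rule, classifications):
    """Return a list of problems with the rule's classtype usage (empty = ok)."""
    names = _classtypes(rule)
    problems = []
    if not names:
        problems.append("no classtype declared")
    elif len(names) > 1:
        # A rule should carry exactly one classtype declaration.
        problems.append("multiple classtype declarations: " + ", ".join(names))
    for name in names:
        if name not in classifications:
            problems.append("unknown classtype '%s'" % name)
    return problems


def rule_priority(rule, classifications):
    """Priority (1 = most severe, 4 = least) of a rule with exactly one known classtype, else None."""
    names = _classtypes(rule)
    if len(names) != 1 or names[0] not in classifications:
        return None
    return classifications[names[0]][0]


def lint_rules(rules, classifications):
    """Return {rule index: problems} for every rule that has at least one problem."""
    report = {}
    for i, rule in enumerate(rules):
        problems = lint_rule(rule, classifications)
        if problems:
            report[i] = problems
    return report


# Constructed rules for the demonstration (sids in the local 1000000+ range).
RULES = [
    'alert tcp any any -> any 80 ( msg:"constructed: traversal string"; content:"../"; classtype:web-application-attack; sid:1000001; )',
    'alert tcp any any -> any 22 ( msg:"constructed: ssh syn"; flags:S; classtype:tcp-connection; sid:1000002; )',
    'alert tcp any any -> any 25 ( msg:"constructed: no classtype"; content:"EHLO"; sid:1000003; )',
    'alert tcp any any -> any 21 ( msg:"constructed: two classtypes"; classtype:attempted-user; classtype:not-suspicious; sid:1000004; )',
    'alert tcp any any -> any 443 ( msg:"constructed: misspelled"; classtype:web-app-attack; sid:1000005; )',
]


if __name__ == "__main__":
    cls = load_classifications(DEFAULTS_LUA)
    for i, problems in lint_rules(RULES, cls).items():
        print("rule %d: %s" % (i, "; ".join(problems)))
    for i, rule in enumerate(RULES):
        print("rule %d priority: %s" % (i, rule_priority(rule, cls)))
```

Running the script reports rules 2, 3 and 4 as problems (missing, duplicated and unknown classtype respectively) and prints priority 1 for the web-application-attack rule and 4 for the tcp-connection rule, which is the ordering a triage queue would use. Quoted strings are blanked before matching so that the word "classtype" inside a msg text cannot be mistaken for the option.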