classtype
The classtype rule option assigns a classification to the rule to indicate the type of attack associated with an event. Snort provides a list of default classifications that rule-writers can use to better organize rule event data.

Note that a rule should have only one classtype declaration.
Attack classifications provided by Snort reside in the snort_defaults.lua configuration file. Each one is a Lua table with three entries (name, priority, and text), like so:

```lua
{ name = 'attempted-user', priority = 1, text = 'Attempted User Privilege Gain' }
```
Snort's current default classifications use priority values 1-4, with 1 being the most severe and 4 being the least severe. The following is a table of all default classifications provided by Snort:
Classtype | Description | Priority |
---|---|---|
not-suspicious | Not Suspicious Traffic | 3 |
unknown | Unknown Traffic | 3 |
bad-unknown | Potentially Bad Traffic | 2 |
attempted-recon | Attempted Information Leak | 2 |
successful-recon-limited | Information Leak | 2 |
successful-recon-largescale | Large Scale Information Leak | 2 |
attempted-dos | Attempted Denial of Service | 2 |
successful-dos | Denial of Service | 2 |
attempted-user | Attempted User Privilege Gain | 1 |
unsuccessful-user | Unsuccessful User Privilege Gain | 1 |
succesful-user | Successful User Privilege Gain | 1 |
attempted-admin | Attempted Administrator Privilege Gain | 1 |
successful-admin | Successful Administrator Privilege Gain | 1 |
rpc-portmap-decode | Decode of an RPC Query | 2 |
shellcode-detect | Executable code was detected | 1 |
string-detect | A suspicious string was detected | 3 |
suspicious-filename-detect | A suspicious filename was detected | 2 |
suspicious-login | An attempted login using a suspicious username was detected | 2 |
system-call-detect | A system call was detected | 2 |
tcp-connection | A TCP connection was detected | 4 |
trojan-activity | A Network Trojan was detected | 1 |
unusual-client-port-connection | A client was using an unusual port | 2 |
network-scan | Detection of a Network Scan | 3 |
denial-of-service | Detection of a Denial of Service Attack | 2 |
non-standard-protocol | Detection of a non-standard protocol or event | 2 |
protocol-command-decode | Generic Protocol Command Decode | 3 |
web-application-activity | Access to a potentially vulnerable web application | 2 |
web-application-attack | Web Application Attack | 1 |
misc-activity | Misc Activity | 3 |
misc-attack | Misc Attack | 2 |
icmp-event | Generic ICMP event | 3 |
inappropriate-content | Inappropriate Content was Detected | 1 |
policy-violation | Potential Corporate Privacy Violation | 1 |
default-login-attempt | Attempt to login by a default username and password | 2 |
sdf | Sensitive Data | 2 |
file-format | Known malicious file or file based exploit | 1 |
malware-cnc | Known malware command and control traffic | 1 |
client-side-exploit | Known client side exploit attempt | 1 |
Format

```
classtype:classification;
```

Examples:

```
classtype:web-application-attack;
classtype:attempted-user;
```
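As an added example (not code from the Snort manual or project), a small Python helper that parses the three-entry table syntax above from a constructed snort_defaults.lua excerpt, checks that a rule carries exactly one known classtype, and resolves its priority so alerts can be ranked most-severe first. The regexes, function names and sample rules are assumptions made here, not Snort APIs.

```python
import re

# Constructed excerpt (not the real file) in the three-entry table syntax that
# snort_defaults.lua uses; names and priorities are taken from the table above.
CLASSIFICATIONS_LUA = """
classifications =
{
    { name = 'not-suspicious', priority = 3, text = 'Not Suspicious Traffic' },
    { name = 'attempted-user', priority = 1, text = 'Attempted User Privilege Gain' },
    { name = 'web-application-attack', priority = 1, text = 'Web Application Attack' },
    { name = 'tcp-connection', priority = 4, text = 'A TCP connection was detected' },
}
"""

# One Lua table entry: { name = '...', priority = N, text = '...' }
ENTRY_RE = re.compile(
    r"\{\s*name\s*=\s*'([^']+)'\s*,\s*priority\s*=\s*(\d+)\s*,\s*text\s*=\s*'([^']*)'\s*\}")
# The classtype rule option: classtype:<classification>;
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([\w-]+)\s*;")


def parse_classifications(lua_text):
    """Return {classtype: (priority, text)} from the Lua table entries."""
    return {name: (int(prio), text) for name, prio, text in ENTRY_RE.findall(lua_text)}


def check_rule_classtype(rule, classifications):
    """Return (classtype, priority) for one rule, or raise ValueError if the rule
    has no classtype, more than one, or one missing from the classifications table."""
    found = CLASSTYPE_RE.findall(rule)
    if not found:
        raise ValueError("rule has no classtype declaration")
    if len(found) > 1:
        raise ValueError("rule has %d classtype declarations; only one is allowed" % len(found))
    name = found[0]
    if name not in classifications:
        raise ValueError("unknown classtype %r" % name)
    return name, classifications[name][0]


def rank_by_priority(rules, classifications):
    """Order rules most severe first (priority 1) by their classtype's priority."""
    keyed = [(check_rule_classtype(r, classifications)[1], r) for r in rules]
    return [r for _, r in sorted(keyed, key=lambda kv: kv[0])]


# Constructed rules (hypothetical sids) to exercise the checks.
RULES = [
    'alert tcp any any -> any any ( msg:"constructed"; classtype:tcp-connection; sid:1000001; )',
    'alert tcp any any -> any 80 ( msg:"constructed"; classtype:web-application-attack; sid:1000002; )',
]
```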