Snort mailing list archives

Re: alarm levels assigned to Snort rules


From: Chris Green <cmg () uab edu>
Date: 26 Jun 2001 15:23:39 -0500

tim.gray1 () firstunion com writes:

> Is there a utility or resource out there which somehow, (maybe by creating
> custom ruletypes), generates alarm levels for different attacks?
>
> Let me explain more: Say I want password-crack attack signatures to be
> considered a level 5 alarm, and if this signature is detected, it will
> execute a paging program and log the alarm to a database.
> If the attack signature is just an ftp attempt, I consider it a level 2 and
> I want to only log the attempt to a file.


These are what definable ruletypes are for.  The priorities (a
solution in another reply) in the output are designed for
postprocessing tools rather than the internals of snort.

Ruletypes allow you to create your own rules rather than 'alert':

See http://www.snort.org/writing_snort_rules.htm#rule_header
-- 
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
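A worked snort.conf fragment for the two cases in the question, added here as an illustration; it is not part of Chris's reply or of the Snort distribution. It uses the ruletype syntax documented at the link above (a `type` line plus one or more `output` plugin lines, then rules that use the new type in place of `alert`). The network variables, the two signatures and the idea of a paging daemon reading alerts from the `alert_unixsock` socket are constructed assumptions for this example; the output plugin names (`alert_unixsock`, `database`, `alert_fast`) are real Snort 1.x plugins.

```snort
# --- constructed example: two alarm levels via custom ruletypes ---
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any

# Level 5: the alert goes to the Unix socket (assumption: an external
# paging daemon connects to the socket and pages on every alert) and
# is also written to the database.
ruletype level5
{
    type alert
    output alert_unixsock
    output database: alert, mysql, user=snort dbname=snort host=localhost
}

# Level 2: only a one-line record in a file, nothing else.
ruletype level2
{
    type alert
    output alert_fast: level2.alerts
}

# Rules now use the ruletype name where 'alert' would normally appear.
# Constructed signature: a server repeatedly rejecting logins is treated
# as a password-guessing attempt (server -> client direction).
level5 tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login failure - possible password guessing"; content:"Login incorrect"; nocase;)

# Constructed signature: a bare SYN to the FTP port is only a connection attempt.
level2 tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP connection attempt"; flags:S;)
```

Each ruletype is self-contained, so a rule of type `level2` never touches the database or the socket, and a `level5` rule never writes to `level2.alerts`; the "level" lives entirely in which output plugins the type carries. Anything that needs to rank or correlate alarms after the fact (the priority field mentioned in the other reply) is better done by whatever reads the database, not inside snort itself.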

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

