Snort mailing list archives
Re: alarm levels assigned to Snort rules
From: Chris Green <cmg () uab edu>
Date: 26 Jun 2001 15:23:39 -0500
tim.gray1 () firstunion com writes:
Is there a utility or resource out there which somehow, (maybe by creating custom ruletypes), generates alarm levels for different attacks? Let me explain more: Say I want password-crack attack signatures to be considered a level 5 alarm, and if this signature is detected, it will execute a paging program and log the alarm to a database. If the attack signature is just an ftp attempt, I consider it a level 2 and I want to only log the attempt to a file.
These are what definable ruletypes are for. The priorities (a solution in another reply) in the output are designed for postprocessing tools rather than the internals of snort. Ruletypes allow you to create your own rules rather than 'alert': See http://www.snort.org/writing_snort_rules.htm#rule_header

--
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx