Snort mailing list archives

Classification snort/barnyard


From: Phil Wood <cpw () lanl gov>
Date: Wed, 11 Dec 2002 10:07:27 -0700


Folks,

There is a little known field in the SetEvent routine called classification.
Many of the preprocessors that generate alerts for some reason set the
classification to 0.  This causes barnyard to get chatty.  So,
what is the value of classification anyway?  My answer would be it makes
sense to have classifications.  And, it appears that there are 
currently 1-4.  Where 1 is most serious and 4 would be more or less 
informational.  Maybe they should have a name associated with them.

     color        severity
  1. red          emergency!, successful hack, get cracking
  2. yellow       on guard., attempted hack
  3. orange       what are these folks up to?, information gathering
  4. blue         normal usage

For now, I've fixed SetEvent to set any 0 classifications to 4.  But, 
that's not right.  Each preprocessor should be investigated with an 
eye on how important the "alert/event" is and the classification changed
from zero to one of the above.

Later,

Phil
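The interim fix and the follow-up audit Phil describes can be expressed as a small defender-side script. The example below is added here and is not code from Snort, barnyard or the post's author; it assumes events arrive as dicts with hypothetical `generator`, `sid` and `classification` keys (a real consumer would read these from the unified log record), maps classification 0 to 4 the way the modified SetEvent does, attaches the proposed names to 1-4, and reports which generators are still relying on the default so they can be reviewed one at a time.

```python
"""Normalize Snort-style event classifications and report which generators
still emit classification 0 (the interim fix discussed in the post)."""

from collections import Counter, defaultdict

# Severity names for classifications 1-4 as proposed in the post.
SEVERITY_NAMES = {
    1: ("red", "emergency: successful compromise"),
    2: ("yellow", "on guard: attempted compromise"),
    3: ("orange", "information gathering"),
    4: ("blue", "normal usage / informational"),
}

# Interim fix: a preprocessor that leaves classification at 0 is treated as
# informational until someone assigns a real value.
DEFAULT_CLASSIFICATION = 4


def normalize_classification(value):
    """Map 0 to the default; pass 1-4 through; reject anything else."""
    if value == 0:
        return DEFAULT_CLASSIFICATION
    if value in SEVERITY_NAMES:
        return value
    raise ValueError(f"classification {value!r} is outside 1-4")


def severity_label(classification):
    """Human-readable color and meaning for a (possibly zero) classification."""
    color, meaning = SEVERITY_NAMES[normalize_classification(classification)]
    return f"{color}: {meaning}"


def triage_report(events):
    """Return per-severity counts plus the generators still relying on the default.

    events: iterable of dicts with 'generator', 'sid', 'classification' keys
    (hypothetical field names, not Snort's own structures).
    """
    counts = Counter()
    unclassified = defaultdict(set)   # generator -> sids that emitted 0
    invalid = []                      # (generator, sid, raw value) outside 0-4
    for ev in events:
        try:
            cls = normalize_classification(ev["classification"])
        except ValueError:
            invalid.append((ev["generator"], ev["sid"], ev["classification"]))
            continue
        counts[cls] += 1
        if ev["classification"] == 0:
            unclassified[ev["generator"]].add(ev["sid"])
    return {
        "counts": dict(counts),
        "unclassified": {g: sorted(s) for g, s in unclassified.items()},
        "invalid": invalid,
    }


# Constructed sample events; generator names and sids are made up, not real Snort output.
SAMPLE_EVENTS = [
    {"generator": "portscan", "sid": 1, "classification": 0},
    {"generator": "http_decode", "sid": 2, "classification": 0},
    {"generator": "rules", "sid": 1000, "classification": 1},
    {"generator": "rules", "sid": 1001, "classification": 3},
    {"generator": "portscan", "sid": 3, "classification": 0},
    {"generator": "rules", "sid": 1002, "classification": 9},
]

if __name__ == "__main__":
    report = triage_report(SAMPLE_EVENTS)
    for cls, n in sorted(report["counts"].items()):
        print(f"{n:3d} event(s) at classification {cls} ({severity_label(cls)})")
    for gen, sids in report["unclassified"].items():
        print(f"generator {gen!r} still emits classification 0 for sids {sids}")
    for gen, sid, raw in report["invalid"]:
        print(f"generator {gen!r} sid {sid} has invalid classification {raw!r}")
```

The `unclassified` section of the report is the to-do list the post asks for: every generator listed there is one whose alerts are being labelled "normal usage" only because of the fallback, not because anyone decided they belong there.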

