Snort mailing list archives
Relation between events and rules set.
From: Julio Jaime <jjaime () ticket-accor com ar>
Date: Wed, 23 Apr 2003 16:47:30 -0300
Hi all,

We are working on a threat management system using snort + logsnorter + syslog servers, but the core is snort. We need to make an event severity evaluation; at the moment we are working with this formula:

  Severity = Sensor + Criticality( Type of rule / ip destination )

Sensor: Each sensor has a specific value (an event detected by the router is not the same as one detected by the internal IDS).

Criticality: Each pair of Type of rule (IIS, Shellcode, Trojan) and its destination has a specific value (one attack with Nimda against one webserver that runs Apache is not the same).

Each event has its severity:
  if the severity is < 3 the event is shown in white on the console.
  if severity is >= 3 and <= 6 the event is shown yellow
  if severity is >= 7 and <= 8 the event is shown orange
  if severity is >= 9 the event is shown red

I need to know how to find the relation between the event and the set of rules that triggered it. Could you help me, please?

Thanks a lot.

=======================================
Julio Jaime
Americas Zone Security Administrator
Accor Services - Servicios Ticket S.A.
Av. Díaz Vélez 4367 (C1200 AAK) Bs. As. - Argentina
Tel.: (54-11) 4909-1375
Fax.: (54-11) 4909-1394
jjaime () accorservices com ar
=======================================

This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error please send it back to the person that sent it to you. Unauthorized publication, use, dissemination, forwarding, printing or copying of this email and its associated attachments is strictly prohibited.
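A worked implementation of the scoring scheme described in the post above, added here as an example; it is not code from the original message or from the Snort project. The link from an event back to the rule that fired is the generator/signature/revision triple (`[gid:sid:rev]`) that Snort writes at the front of every alert, which matches the `sid:` option of exactly one rule; the rule's `classtype:` supplies the "type of rule". The rules, alert lines, sensor weights and criticality table below are constructed sample values, and scores are assumed to be integers so the four colour bands in the post have no gaps.

```python
import re

# Constructed sample rules in Snort rule syntax. sid is the join key between
# an alert and its rule; classtype is used here as the "type of rule".
RULES = """
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90|"; classtype:shellcode-detect; sid:648; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"BACKDOOR subseven 22"; flow:to_server,established; classtype:trojan-activity; sid:103; rev:7;)
"""

# Constructed sample alerts in the format Snort writes to syslog / alert_fast,
# each tagged with the (hypothetical) sensor that produced it.
ALERTS = [
    ("router-ids",   "[1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 2]: {TCP} 203.0.113.7:3456 -> 10.0.0.10:80"),
    ("dmz-ids",      "[1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 2]: {TCP} 203.0.113.7:3457 -> 10.0.0.20:80"),
    ("internal-ids", "[1:103:7] BACKDOOR subseven 22 [Classification: A Network Trojan was Detected] [Priority: 1]: {TCP} 10.0.0.55:1033 -> 203.0.113.99:27374"),
    ("dmz-ids",      "[1:648:7] SHELLCODE x86 NOOP [Classification: Executable Code was Detected] [Priority: 1]: {TCP} 203.0.113.7:4000 -> 10.0.0.10:80"),
    ("router-ids",   "[1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 2]: {TCP} 203.0.113.8:2000 -> 10.0.0.20:80"),
]

# Assumed per-sensor weights: the internal IDS seeing something is worse than
# the router sensor seeing it.
SENSOR_WEIGHT = {"router-ids": 1, "dmz-ids": 2, "internal-ids": 4}

# Assumed criticality per (type of rule, destination). 10.0.0.10 is treated as
# an IIS host and 10.0.0.20 as an Apache host, so the same IIS rule scores
# very differently depending on where the attack lands.
CRITICALITY = {
    ("web-application-attack", "10.0.0.10"): 6,
    ("web-application-attack", "10.0.0.20"): 1,
    ("shellcode-detect", "10.0.0.10"): 7,
    ("trojan-activity", "203.0.113.99"): 5,
}
DEFAULT_CRITICALITY = 2   # pairs not in the table fall back to this

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")
ALERT_RE = re.compile(
    r"^\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[Classification:.*?"
    r"\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$"
)


def load_rules(text):
    """Map sid -> classtype so an alert can be tied back to the rule that fired."""
    sid_to_type = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        ctype = CLASSTYPE_RE.search(line)
        if sid:
            sid_to_type[int(sid.group(1))] = ctype.group(1) if ctype else "unclassified"
    return sid_to_type


def parse_alert(line):
    """Pull gid/sid/rev, message, protocol and endpoints out of one alert line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    gid, sid, rev, msg, proto, src, sport, dst, dport = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def colour(severity):
    """Colour bands exactly as stated in the post, for integer severities."""
    if severity < 3:
        return "white"
    if severity <= 6:
        return "yellow"
    if severity <= 8:
        return "orange"
    return "red"


def score(sensor, alert, sid_to_type):
    """Severity = Sensor + Criticality(type of rule, destination IP)."""
    rule_type = sid_to_type.get(alert["sid"], "unknown")
    crit = CRITICALITY.get((rule_type, alert["dst"]), DEFAULT_CRITICALITY)
    sev = SENSOR_WEIGHT[sensor] + crit
    return rule_type, sev, colour(sev)


def evaluate(alerts=ALERTS, rules=RULES):
    """Return (sensor, sid, rule type, destination, severity, colour) per alert."""
    sid_to_type = load_rules(rules)
    rows = []
    for sensor, line in alerts:
        alert = parse_alert(line)
        if alert is None:
            continue   # unparseable line: skip rather than mis-score it
        rule_type, sev, col = score(sensor, alert, sid_to_type)
        rows.append((sensor, alert["sid"], rule_type, alert["dst"], sev, col))
    return rows


if __name__ == "__main__":
    for row in evaluate():
        print("%-12s sid=%-5d %-24s -> %-14s severity=%d %s" % row)
```

Running the block scores the same IIS rule as orange against the assumed IIS host but white or yellow against the Apache host, which is the distinction the post's formula is designed to make. Note that the alert only identifies the rule by sid; the rule file (or a sid-msg map built from it) has to be read to recover the rule text, classtype or priority, so the lookup table should be rebuilt whenever the rule set changes.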
Current thread:
- Relation between events and rules set. Julio Jaime (Apr 23)
- Re: Relation between events and rules set. John Sage (Apr 23)
- <Possible follow-ups>
- RE: Relation between events and rules set. Julio Jaime (Apr 24)
- Re: Relation between events and rules set. David Alonso De La Vega Tapage (Apr 24)
- RE: Relation between events and rules set. bmcdowell (Apr 24)
- RE: Relation between events and rules set. Julio Jaime (Apr 24)
- Re: Relation between events and rules set. David Alonso De La Vega Tapage (Apr 24)
- RE: Relation between events and rules set. Julio Jaime (Apr 24)
- RE: Relation between events and rules set. Julio Jaime (Apr 25)
- Re: Relation between events and rules set. David Alonso De La Vega Tapage (Apr 25)