Snort mailing list archives
Alert classification and priority
From: Gary_Portnoy () itginc com
Date: Wed, 2 Jun 2004 15:34:10 -0400
Is there any way to decouple alert classification from priority on a rule-by-rule basis in a local type file? For example, I don't consider "ICMP Large ICMP Packet" important enough to have a priority of 2. To me it's more of a low priority. However, "DNS zone transfer TCP" is important enough to have a medium priority (2) to me. Unfortunately they are both of classtype "attempted-recon" and therefore are assigned a priority of 2. I understand that I could rewrite the rules and switch the ICMP classtype to something that has a lower priority setting, like "not-suspicious" for example, but I would have to do this every time I update my rules. Is this a feature that could be implemented in future versions of Snort, or is something already in place and I am just missing it?

Gary Portnoy
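An added example, not part of Gary's post or of the Snort project: a small Python script that models how Snort resolves a rule's effective priority from classification.config and the rule's own options, run over sample rules and classification lines constructed here (placeholder sids in the local range). It also covers Snort's per-rule `priority` option, which the rule language accepts to override the classtype's default, so the two attempted-recon rules above can be ranked differently without changing their classtype.

```python
import re

# Constructed sample in the format of Snort's classification.config:
#   config classification: shortname,short description,priority
CLASSIFICATION_CONFIG = """
config classification: attempted-recon,Attempted Information Leak,2
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# Constructed sample rules (placeholder sids in the local range). The first two
# share classtype attempted-recon; the third adds the per-rule priority option.
RULES = """
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; classtype:attempted-recon; sid:1000002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; classtype:attempted-recon; priority:3; sid:1000003; rev:1;)
"""

def parse_classifications(text):
    """Map each classtype shortname to the priority configured for it."""
    prio = {}
    for line in text.splitlines():
        m = re.match(r"\s*config classification:\s*([^,]+),[^,]*,(\d+)\s*$", line)
        if m:
            prio[m.group(1).strip()] = int(m.group(2))
    return prio

def parse_options(rule):
    """Return the rule's 'name:value;' options as a dict (quotes stripped)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = re.findall(r'([a-z_]+)\s*:\s*((?:"[^"]*"|[^;"])*);', body)
    return {name: value.strip().strip('"') for name, value in pairs}

def effective_priority(rule, class_prio):
    """Snort's order: an explicit priority option wins, otherwise the classtype's
    configured priority; a rule with neither yields None (not modelled further)."""
    opts = parse_options(rule)
    if "priority" in opts:
        return int(opts["priority"])
    return class_prio.get(opts.get("classtype"))

def triage(rules_text=RULES, config_text=CLASSIFICATION_CONFIG):
    """Return (sid, msg, classtype, effective priority) for every rule."""
    class_prio = parse_classifications(config_text)
    rows = []
    for line in filter(str.strip, rules_text.splitlines()):
        opts = parse_options(line)
        rows.append((int(opts["sid"]), opts["msg"], opts.get("classtype"),
                     effective_priority(line, class_prio)))
    return rows
```

Running `triage()` on the constructed input ranks the first two rules at priority 2 from their shared classtype and the third at 3 from its explicit option, which is the rule-by-rule split the question asks about.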
Current thread:
- Alert classification and priority Gary_Portnoy (Jun 02)
- Re: Alert classification and priority Dirk Geschke (Jun 03)
- <Possible follow-ups>
- Re: Alert classification and priority Gary_Portnoy (Jun 03)
- Re: Alert classification and priority Dirk Geschke (Jun 03)
- Re: Alert classification and priority SN ORT (Jun 03)