Snort mailing list archives
Re: Alert classification and priority
From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Thu, 03 Jun 2004 09:20:12 +0200
Hi Gary,
> Is there any way to de-couple alert classification from priority on a rule-by-rule basis in a local type file?
yes of course: snort/docs/snort_manual.pdf, chapter 2.4.6 Priority

priority: <value>;

You can add it to each rule to set the priority. If no priority is set (as with nearly all default rules) the priority is taken via the classtype key which relates to the classification.config file.

But be aware, if you use the database output plugin then it may still show the old priority since this value is not checked. Of course, you can use FLoP (http://www.geschke-online.de/FLoP) with the DBTrust option enabled. This will take care of the changed priority. (Even barnyard does not check for a changed priority of a rule and will still use the old priority.)

BTW: With FLoP-1.2.3 there is a perl script called rules.pl which will insert all signatures with references to the database. This script is also able to add signatures with a range of priorities set. (I think it is not uncommon to have different priorities for the same rule depending on the place where snort sniffs.)

Best regards

Dirk
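The precedence Dirk describes (an explicit priority keyword wins, otherwise the rule inherits the priority that classification.config assigns to its classtype) is easy to check offline. The following is an added example written for this archive page; it is not code from Dirk, from FLoP or from the Snort project. Both the classification.config excerpt and the three rules are constructed test data, and the rule without any classtype or priority is reported as None rather than guessing what Snort's own fallback value is.

```python
import re

# Constructed excerpt in the classification.config format
# ("config classification: shortname,description,priority").
CLASSIFICATION_CONFIG = """\
# comment lines and blank lines are ignored
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-recon,Attempted Information Leak,2
config classification: web-application-attack,Web Application Attack,1
"""

# Constructed rules covering the three cases from the thread:
# explicit priority, classtype-derived priority, and neither.
RULES = """\
alert tcp any any -> any 80 (msg:"ADDED EXAMPLE recon with explicit priority"; classtype:attempted-recon; priority:1; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"ADDED EXAMPLE web attack via classtype"; classtype:web-application-attack; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"ADDED EXAMPLE no classtype no priority"; sid:1000003; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")
# key:value; pairs inside the rule body; quoted values may contain ';'
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_classification(text):
    """Return {classtype: priority} from classification.config text."""
    table = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            table[m.group(1).strip()] = int(m.group(3))
    return table


def parse_rule(line):
    """Split a single-line Snort rule into its header and an option dict."""
    header, _, body = line.partition("(")
    opts = {}
    for key, val in OPTION_RE.findall(body):
        opts[key] = val.strip().strip('"')
    return header.strip(), opts


def effective_priority(rule_opts, classes):
    """Explicit priority beats classtype; None when neither determines it."""
    if "priority" in rule_opts:
        return int(rule_opts["priority"])
    ctype = rule_opts.get("classtype")
    if ctype in classes:
        return classes[ctype]
    return None  # left to Snort's own default, which this script does not assume


def audit(rules_text, classes):
    """Return {sid: effective priority} for every non-comment rule line."""
    report = {}
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _, opts = parse_rule(line)
        report[int(opts["sid"])] = effective_priority(opts, classes)
    return report


if __name__ == "__main__":
    table = parse_classification(CLASSIFICATION_CONFIG)
    for sid, prio in sorted(audit(RULES, table).items()):
        print(f"sid {sid}: effective priority {prio}")
```

Running the audit over the live rule set and comparing it with the priority column of the signature table is one way to spot the stale-priority problem Dirk mentions: where the database output plugin or barnyard still carries the old value, the two will disagree for exactly the rules whose priority was changed.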
Current thread:
- Alert classification and priority Gary_Portnoy (Jun 02)
- Re: Alert classification and priority Dirk Geschke (Jun 03)
- <Possible follow-ups>
- Re: Alert classification and priority Gary_Portnoy (Jun 03)
- Re: Alert classification and priority Dirk Geschke (Jun 03)
- Re: Alert classification and priority SN ORT (Jun 03)