Snort mailing list archives

Re: Alert classification and priority


From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 3 Jun 2004 08:43:15 -0700 (PDT)

Gary is saying that setting priorities and such on individual rules is a waste of time since the rules get updated and hence, overwritten. It makes perfect sense to make the priority work just like threshold.conf: You set it up in a conf file and the setting stays there, doesn't get overwritten by updating your rules. The only thing that could throw that off would be if they changed the SID. Heh!

Cheese!

Marc

--__--__--

Message: 7
To: Gary_Portnoy () itginc com
cc: Dirk Geschke <Dirk_Geschke () genua de>,
snort-users () lists sourceforge net,
   Dirk_Geschke () genua de
Subject: Re: [Snort-users] Alert classification and priority
Date: Thu, 03 Jun 2004 14:29:14 +0200
From: Dirk Geschke <Dirk_Geschke () genua de>

Hi Gary,

I was looking for something more in the way of threshold.conf where I could change the priorities without changing the rule files, so that upgrading to new rules doesn't reset them back to default priority values. The way I see it, the rule files should not be changed, any local customizations should be done via instance-specific files, like snort.conf, threshold.conf, local.rules, etc.

but the rules files are part of snort.conf, they are simply included...

Even barnyard does not check for a changed priority of a rule and will still use the old priority.

As far as I understand, unified plugin just writes out the event with all the relevant info and barnyard looks at classification.config and determines the priority. So one way to achieve what I am trying to do with barnyard (I am focusing on it because that's what I am using) would be to create a different classification type with a different priority and then use that classification type in my rules. Barnyard then should (should being the keyword, I haven't tried this) log the correct classtype/priority to the database. But again, this requires me to change the rules files. What I want is a priority.config file where I can override the default priority by saying something along the lines of:

gen_id 1, sig_id 555, priority 3

Ok, it is a little bit confusing. You want to first check the rules file to find the sig_id and then change this via a different config rule? Won't it be much easier to change it directly with the rule? <snip>





