Snort mailing list archives

Relation between events and rules set.


From: Julio Jaime <jjaime () ticket-accor com ar>
Date: Wed, 23 Apr 2003 16:47:30 -0300

Hi all,

     We are working on a threat management system using snort + logsnorter +
syslog servers, but the core is snort.

      We need to make an event severity evaluation; at the moment we are working
with this formula:
      Severity = Sensor + Criticality( Type of rule / ip destination )
      Sensor : Each sensor has a specific value ( an event detected by the router
is not the same as one detected by the internal IDS )
      Criticality : Each pair of Type of rule ( IIS , Shellcode, Trojan )
and its destination has a specific value ( an attack with Nimda against a
webserver that runs Apache is not the same as one against IIS )
      Each event has its severity; if the severity is < 3 the event is
shown in white on the console.
      if severity is >=3 and <=6 the event is shown yellow
      if severity is >= 7 and <=8 the event is shown orange
      if severity is >=9 the event is shown red

        I need to know how to find the relation between the event and the set of
rules that triggered that event.

       Could you help me, please ?

Thanks a lot.

=======================================
Julio Jaime
Americas Zone Security Administrator
Accor Services - Servicios Ticket S.A.
Av. Díaz Vélez 4367
(C1200 AAK) Bs. As. - Argentina
Tel.:  (54-11) 4909-1375
Fax.: (54-11) 4909-1394
jjaime () accorservices com ar
=======================================
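As an added example (not part of the original post or of Snort itself), the scoring scheme described above applied to constructed Snort 2.x alert_fast lines: the [gid:sid:rev] field in each alert is what ties an event back to the rule that fired (sid identifies the rule, rev its revision), and the sensor weights, host roles and criticality table are assumptions chosen for illustration.

```python
import re
from typing import Optional

# Snort 2.x "alert_fast" line: [gid:sid:rev] is the rule reference that ties the
# event back to the rule that fired (sid is unique per rule, rev its revision).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

# Constructed weights (assumptions, not from the post): the border sensor sees
# a lot of background noise, so its events start lower than the internal IDS.
SENSOR_WEIGHT = {"router-ids": 1, "internal-ids": 3}

# Criticality of (rule type, destination): an IIS rule hitting an Apache host is
# near-irrelevant, the same rule hitting a real IIS server is serious.
CRITICALITY = {
    ("WEB-IIS", "192.168.1.10"): 1,   # 192.168.1.10 runs Apache (constructed)
    ("WEB-IIS", "192.168.1.20"): 6,   # 192.168.1.20 runs IIS (constructed)
    ("SHELLCODE", "192.168.1.20"): 5,
    ("BACKDOOR", "192.168.1.20"): 6,
}

def rule_type(msg: str) -> str:
    """Rule family from the message prefix: 'WEB-IIS cmd.exe access' -> 'WEB-IIS'."""
    return msg.split(" ", 1)[0]

def color(severity: int) -> str:
    """Console colour thresholds exactly as the post defines them."""
    if severity < 3:
        return "white"
    if severity <= 6:
        return "yellow"
    if severity <= 8:
        return "orange"
    return "red"

def score(sensor: str, line: str) -> Optional[dict]:
    """Parse one alert line and compute Severity = Sensor + Criticality(type, dst)."""
    m = ALERT_RE.search(line)
    if not m:
        return None  # not an alert line; skip it
    rtype = rule_type(m["msg"])
    sev = SENSOR_WEIGHT.get(sensor, 0) + CRITICALITY.get((rtype, m["dst"]), 0)
    return {"sid": int(m["sid"]), "rev": int(m["rev"]), "type": rtype,
            "dst": m["dst"], "severity": sev, "color": color(sev)}

# Constructed sample alerts (not real traffic), one per sensor.
SAMPLE = [
    ("router-ids", "04/23-16:47:30.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
                   "[Classification: Web Application Attack] [Priority: 1] {TCP} "
                   "10.1.2.3:3456 -> 192.168.1.10:80"),
    ("internal-ids", "04/23-16:47:31.000002  [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
                     "[Classification: Web Application Attack] [Priority: 1] {TCP} "
                     "10.1.2.3:3457 -> 192.168.1.20:80"),
]
```

The same sid on both lines shows why the destination matters: one event scores white, the other red, while the rule that fired is identical.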