Re: Alert classification and priority

[Dirk Geschke <Dirk_Geschke () genua de>]

Hi Gary,

> Is there any way to de-couple alert classification from priority on a 
> rule-by-rule basis in a local type file?

yes of course: snort/docs/snort_manual.pdf, chapter 2.4.6 Priority

   priority: <value>;

You can add it to each rule to set the priority. If no priority is
set (as with nearly all default rules) the priority is taken via
the classtype key which relates to the classification.config file.

But be aware, if you use the database output plugin then the it
may still show the old priority since this value is not checked.

Of course, you can use FLoP (http://www.geschke-online.de/FLoP)
with the DBTrust option enabled. This will take care of the
changed priority. (Even barnyard does not check for a changed
priority of a rule and will still use the old prioity.)

BTW: With FLoP-1.2.3 there is a perl script called rules.pl
which will insert all signatures with references to the database.
This script is also able to add signatures with a range of priorities
set. (I think it is not uncommon to have different priorities for
the same rule depending on the place where snort sniffs.)

Best regards

Dirk



-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
> From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users