Snort mailing list archives

Signatures, priorities and database


From: Dirk Geschke <dirk () geschke-online de>
Date: Thu, 8 Apr 2004 21:44:31 +0200 (CEST)

Hi all,

as I was thinking about the differences in the database between
FLoP and mudpit an old issue came back to my mind.

If a rule is not in the database then the output-plugin
(or mudpit) will insert the signature in the database.

Normally the priority of the alert is not mentioned in the
rule but it is possible to do so...

The priority is taken from the classification.config file.
This priority is entered in database with all the other
values.

But if the signature is already part of the database then
the priority is ignored for all further alerts regardless
of the change in the priority or not.

So it is neither possible to change the priority of the
rule nor to have different priorities for the same rule.
(Yes, sometimes you want to set different priorities for the
same rule on different sensors, e.g. WWW rules related
to a web server should get a higher priority than related
to maybe a file server.)

In principle you can correct this with a minor modification
of the select statement to fetch the sig_id. If the priority
does not match then insert a new (cloned) signature. (If you
set DBtrust to 1 in the FLoP servsock.conf file then FLoP
would show this behaviour.)

Ok, long introduction but here are the real questions:

  Should the priority really be part of the signature 
  table or wouldn't it make more sense to add it to 
  maybe the event table?

A not really related question is: 

  What is the range and order of priorities?

In principle everyone can choose his own range, but wouldn't
one global definition be useful?

So what is the range of priorities? From the snort docs
it seems to be from 1 to 4 with 1 the highest alert. But
in older documentations it was vice versa, the highest
number meant the most important alert.

Does anyone have some good ideas how this should be handled?

Best regards

Dirk
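As an added illustration (not code from the original post, nor from FLoP or mudpit), this Python/sqlite3 sketch contrasts the two lookup behaviours described above: matching a signature on the rule alone, so a changed priority is never stored, versus matching on rule plus priority, which inserts a cloned signature row when the priority differs. The simplified table layout and the sample rule/SID are assumptions.

```python
import sqlite3

# Constructed, simplified stand-in for the Snort "signature" table
# (assumption: column names follow the Snort database schema of the time).
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT    NOT NULL,
    sig_class_id INTEGER NOT NULL,
    sig_priority INTEGER NOT NULL,
    sig_rev      INTEGER NOT NULL,
    sig_sid      INTEGER NOT NULL
);
"""

def open_db():
    """Fresh in-memory database with the constructed signature table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _insert(conn, name, class_id, priority, rev, sid):
    cur = conn.execute(
        "INSERT INTO signature (sig_name, sig_class_id, sig_priority, sig_rev, sig_sid)"
        " VALUES (?, ?, ?, ?, ?)", (name, class_id, priority, rev, sid))
    conn.commit()
    return cur.lastrowid

def sig_id_by_rule(conn, name, class_id, priority, rev, sid):
    """Behaviour the post complains about: the match ignores the priority,
    so once the row exists a new priority from classification.config is lost."""
    row = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_name=? AND sig_rev=? AND sig_sid=?",
        (name, rev, sid)).fetchone()
    return row[0] if row else _insert(conn, name, class_id, priority, rev, sid)

def sig_id_by_rule_and_priority(conn, name, class_id, priority, rev, sid):
    """DBtrust-style match: priority is part of the key, so a different
    priority for the same rule yields a cloned signature row."""
    row = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_name=? AND sig_rev=? AND sig_sid=?"
        " AND sig_priority=?", (name, rev, sid, priority)).fetchone()
    return row[0] if row else _insert(conn, name, class_id, priority, rev, sid)

def stored_priority(conn, sig_id):
    """Priority actually persisted for a given sig_id."""
    return conn.execute("SELECT sig_priority FROM signature WHERE sig_id=?",
                        (sig_id,)).fetchone()[0]
```

With the priority in the match key, the same rule seen at priority 1 on a web-server sensor and at priority 3 on a file-server sensor ends up as two signature rows instead of one whose priority is frozen at whatever was inserted first.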


Snort-users mailing list
Snort-users () lists sourceforge net