Snort mailing list archives
Signatures, priorities and database
From: Dirk Geschke <dirk () geschke-online de>
Date: Thu, 8 Apr 2004 21:44:31 +0200 (CEST)
Hi all,

as I was thinking about the differences in the database between FLoP and mudpit, an old issue came back to my mind.

If a rule is not in the database then the output plugin (or mudpit) will insert the signature in the database. Normally the priority of the alert is not mentioned in the rule, but it is possible to do so... The priority is taken from the classification.config file. This priority is entered in the database with all the other values. But if the signature is already part of the database, then the priority is ignored for all further alerts, regardless of whether the priority changed or not. So it is neither possible to change the priority of the rule nor to have different priorities for the same rule.

(Yes, sometimes you want to set different priorities for the same rule on different sensors, e.g. WWW rules related to a web server should get a higher priority than those related to maybe a file server.)

In principle you can correct this with a minor modification of the select statement that fetches the sig_id: if the priority does not match, then insert a new (cloned) signature. (If you set DBtrust to 1 in the FLoP servsock.conf file, then FLoP will show this behaviour.)

Ok, long introduction, but here are the real questions:

Should the priority really be part of the signature table, or wouldn't it make more sense to add it to maybe the event table?

A not really related question is: what is the range and order of priorities? In principle everyone can choose his own range, but one global definition would be useful? So what is the range of priorities? From the snort docs it seems to be from 1 to 4, with 1 the highest alert. But in older documentation it was vice versa: the highest number meant the most important alert.

Does anyone have some good ideas how this should be handled?
Best regards,

Dirk

Snort-users mailing list: https://lists.sourceforge.net/lists/listinfo/snort-users
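To make the behaviour described in the mail concrete, here is an added example (not code from the mail, FLoP or mudpit) that contrasts a name-only signature lookup with one that also matches the priority and clones the row on a mismatch. It assumes a constructed, simplified subset of the Snort `signature` table in SQLite; column names follow the mail, and the rule name and sid 1000001 are constructed sample values.

```python
import sqlite3

# Constructed, simplified subset of the Snort "signature" table used by the
# database output plugin (column names as described in the mail, not a verbatim copy).
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _insert(conn, name, class_id, priority, rev, sid):
    cur = conn.execute(
        "INSERT INTO signature (sig_name, sig_class_id, sig_priority, sig_rev, sig_sid)"
        " VALUES (?, ?, ?, ?, ?)", (name, class_id, priority, rev, sid))
    return cur.lastrowid

def sig_id_name_only(conn, name, class_id, priority, rev, sid):
    """Behaviour the mail complains about: the lookup ignores the priority,
    so a later alert with another priority silently reuses the stored row."""
    row = conn.execute("SELECT sig_id FROM signature WHERE sig_name = ?",
                       (name,)).fetchone()
    return row[0] if row else _insert(conn, name, class_id, priority, rev, sid)

def sig_id_with_priority(conn, name, class_id, priority, rev, sid):
    """Proposed fix: match on the priority too; a mismatch inserts a cloned
    signature row that carries the new priority (like FLoP with DBtrust=1)."""
    row = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_name = ? AND sig_priority = ?",
        (name, priority)).fetchone()
    return row[0] if row else _insert(conn, name, class_id, priority, rev, sid)

def stored_priority(conn, sig_id):
    return conn.execute("SELECT sig_priority FROM signature WHERE sig_id = ?",
                        (sig_id,)).fetchone()[0]

def compare():
    """Same constructed rule (sid 1000001) reported at priority 1 by a web
    server sensor and at priority 3 by a file server sensor."""
    db1, db2 = open_db(), open_db()
    a1 = sig_id_name_only(db1, "CONSTRUCTED web rule", 1, 1, 1, 1000001)
    b1 = sig_id_name_only(db1, "CONSTRUCTED web rule", 1, 3, 1, 1000001)
    a2 = sig_id_with_priority(db2, "CONSTRUCTED web rule", 1, 1, 1, 1000001)
    b2 = sig_id_with_priority(db2, "CONSTRUCTED web rule", 1, 3, 1, 1000001)
    return {"name_only": (a1, b1, stored_priority(db1, b1)),
            "with_priority": (a2, b2, stored_priority(db2, b2))}
```

With the name-only lookup both alerts map to sig_id 1 and the second alert's priority 3 is lost; with the priority in the lookup the second alert gets its own cloned row, and a third alert at priority 3 reuses that clone instead of adding another.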