Snort mailing list archives

Re: Only monitor high severity alerts


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 02 Nov 2012 19:04:42 -0400


let me prefix my response with this...

severity levels are subjective at best... what i consider severe, others may not 
and vice versa... with that said, the basic method of rules writing uses 
priority level 1 for the most severe... level 2 is medium and level 3 is the 
lower... BUT you can write rules with even more priority levels and you can 
change the priority levels of existing rules... you might want to have 6 levels 
of priority in which you divide each of the base ones in half according to your 
networks' needs...

On 11/2/2012 11:47, Tom Voussure wrote:
It would be nice that i could filter at the source, meaning only having rules
for high severity alerts or let snort only process these types of alerts.

i don't run security onion so i can't help there but you might be able to filter 
the raw logs so that you are shown only priority 1 alerts...

*:CLARIFICATION:* what i call priorities are what snort calls classifications... 
these are found in your classification.config file... for example, these are 
some of the level 1 classifications/priorities i have in my config...

config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: shellcode-detect,Executable code was detected,1
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: web-application-attack,Web Application Attack,1
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1

these may or may not be what you consider to be level1 priorities... 
attempted-user, for instance, might be considered only a level 2 or even level 3 
depending on the rules that use it and how they are written to look for what 
they are actually looking at... on the surface, attempted-user would seem to be 
a normal activity... however, if it is followed by unsuccessful-user, it might 
indicate something amiss... if you get both of them together and in "large 
numbers", that would be more indicative of someone/something trying various 
usernames and passwords and that would be important...

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
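The "filter the raw logs so that you are shown only priority 1 alerts" idea above, plus the attempted-user/unsuccessful-user "large numbers" heuristic, as an added example; this is not the poster's code and not part of Snort or Security Onion. It assumes Snort's alert_fast output format (one alert per line with [Classification: ...] and [Priority: N] fields), IPv4 addresses only, and a classification.config in the same "config classification: name,description,priority" form the poster quotes. The log lines, SIDs and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed classification.config fragment in the format the post quotes.
# (Hypothetical selection; your file will have many more lines.)
CLASSIFICATION_CONFIG = """\
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: misc-activity,Misc activity,3
"""

# Constructed alert_fast-style lines. SIDs 9000001-9000005 and all addresses are made up.
ALERT_LOG = """\
11/02-19:01:10.000001  [**] [1:9000001:1] TEST ssh login attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51000 -> 192.0.2.10:22
11/02-19:01:11.000002  [**] [1:9000002:1] TEST ssh login failed [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51000 -> 192.0.2.10:22
11/02-19:01:12.000003  [**] [1:9000001:1] TEST ssh login attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51001 -> 192.0.2.10:22
11/02-19:01:13.000004  [**] [1:9000002:1] TEST ssh login failed [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51001 -> 192.0.2.10:22
11/02-19:02:00.000005  [**] [1:9000003:1] TEST odd flags [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.4:4444 -> 192.0.2.10:80
11/02-19:02:30.000006  [**] [1:9000004:1] TEST ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.5 -> 192.0.2.10
11/02-19:03:00.000007  [**] [1:9000005:1] TEST ssh login success after failures [**] [Classification: Successful User Privilege Gain] [Priority: 1] {TCP} 198.51.100.6:40000 -> 192.0.2.10:22
"""

# "config classification: short-name,Description,priority" (whitespace before the priority tolerated)
CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),\s*(\d+)\s*$")

# One alert_fast line; the [Classification: ...] block is optional because rules without
# a classtype emit none.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_classifications(text):
    """Map classification description -> (short name, priority) from classification.config text."""
    by_desc = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            by_desc[m.group(2).strip()] = (m.group(1).strip(), int(m.group(3)))
    return by_desc


def split_endpoint(ep):
    """Split 'host:port' into (host, port); ICMP lines carry no port. IPv4 only (assumption)."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return ep, None


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it is not an alert line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["prio"] = int(a["prio"])
    a["src_host"], a["src_port"] = split_endpoint(a["src"])
    a["dst_host"], a["dst_port"] = split_endpoint(a["dst"])
    return a


def parse_alerts(text):
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def filter_by_priority(lines, max_priority=1):
    """Keep only alerts whose Snort priority is <= max_priority (1 = highest)."""
    return [a for a in (parse_alert(l) for l in lines) if a and a["prio"] <= max_priority]


def brute_force_candidates(alerts, classmap, threshold=4):
    """Sources with >= threshold attempted-user + unsuccessful-user alerts (the post's heuristic)."""
    counts = Counter()
    for a in alerts:
        name, _ = classmap.get(a["cls"], (None, None))
        if name in ("attempted-user", "unsuccessful-user"):
            counts[a["src_host"]] += 1
    return {src for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    classmap = parse_classifications(CLASSIFICATION_CONFIG)
    high = filter_by_priority(ALERT_LOG.splitlines(), 1)
    for a in high:
        print(a["ts"], a["prio"], a["cls"], a["src_host"], "->", a["dst_host"], a["msg"])
    print("possible credential guessing from:", brute_force_candidates(high, classmap))
```

Feeding the real /var/log/snort/alert (alert_fast) through filter_by_priority gives the "only priority 1" view without touching the ruleset; because the map is built from your own classification.config, re-prioritising a classification there (or adding the extra levels the post mentions) changes what the filter keeps with no code change.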