Snort mailing list archives
Re: Only monitor high severity alerts
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 02 Nov 2012 19:04:42 -0400
let me prefix my response with this... severity levels are subjective at best... what i consider severe, others may not and vice versa... with that said, the basic method of rules writing uses priority level 1 for the most severe... level 2 is medium and level 3 is the lower... BUT you can write rules with even more priority levels and you can change the priority levels of existing rules... you might want to have 6 levels of priority in which you divide each of the base ones in half according to your networks' needs...

On 11/2/2012 11:47, Tom Voussure wrote:
> It would be nice that i could filter at the source, meaning only having rules for high severity alerts or let snort only process these types of alerts.
i don't run security onion so i can't help there but you might be able to filter the raw logs so that you are shown only priority 1 alerts...

*:CLARIFICATION:* what i call priorities are what snort calls classifications... these are found in your classification.config file... for example, these are some of the level 1 classifications/priorities i have in my config...

    config classification: attempted-user,Attempted User Privilege Gain,1
    config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
    config classification: successful-user,Successful User Privilege Gain,1
    config classification: attempted-admin,Attempted Administrator Privilege Gain,1
    config classification: successful-admin,Successful Administrator Privilege Gain,1
    config classification: shellcode-detect,Executable code was detected,1
    config classification: trojan-activity,A Network Trojan was detected,1
    config classification: web-application-attack,Web Application Attack,1
    config classification: inappropriate-content,Inappropriate Content was Detected,1
    config classification: policy-violation,Potential Corporate Privacy Violation,1

these may or may not be what you consider to be level 1 priorities... attempted-user, for instance, might be considered only a level 2 or even level 3 depending on the rules that use it and how they are written to look for what they are actually looking at... on the surface, attempted-user would seem to be a normal activity... however, if it is followed by unsuccessful-user, it might indicate something amiss... if you get both of them together and in "large numbers", that would be more indicative of someone/something trying various usernames and passwords and that would be important...
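As an added example (not from the original post or from the Snort project), this is the "filter the raw logs so you only see priority 1" approach in Python: it reads each classification's priority from `classification.config` lines in the format quoted above and keeps `alert_fast`-style log lines at or above a chosen severity, falling back to the classification table when a line carries no explicit `[Priority: N]` tag. The config excerpt and the alert lines are constructed samples.

```python
import re

# Constructed excerpt in the classification.config format quoted in the thread.
CLASSIFICATION_CONFIG = """
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# Constructed sample lines in Snort's alert_fast output format; the last one
# deliberately lacks the [Priority: N] tag to exercise the fallback path.
ALERT_LOG = """
11/02-19:04:42.100000  [**] [1:9000001:1] EXAMPLE admin login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:43122 -> 10.0.0.9:22
11/02-19:04:43.200000  [**] [1:9000002:1] EXAMPLE port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43123 -> 10.0.0.9:80
11/02-19:04:44.300000  [**] [1:9000003:1] EXAMPLE failed user login [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:43124 -> 10.0.0.9:22
11/02-19:04:45.400000  [**] [1:9000004:1] EXAMPLE benign lookup [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 10.0.0.5:5353 -> 10.0.0.9:53
11/02-19:04:46.500000  [**] [1:9000005:1] EXAMPLE admin login attempt [**] [Classification: Attempted Administrator Privilege Gain] {TCP} 10.0.0.5:43125 -> 10.0.0.9:22
"""

# "config classification: <shortname>,<description>,<priority>"
CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),\s*(\d+)\s*$")
# The classification text is followed by an optional priority tag in alert_fast lines.
ALERT_RE = re.compile(r"\[Classification: ([^\]]+)\](?: \[Priority: (\d+)\])?")


def parse_classifications(text):
    """Map classification description -> default priority (1 = most severe)."""
    priorities = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            priorities[m.group(2).strip()] = int(m.group(3))
    return priorities


def filter_alerts(log_text, class_priorities, max_priority=1):
    """Return alert lines whose priority is <= max_priority.

    An explicit [Priority: N] tag wins (a rule's own priority keyword overrides
    the classification default); otherwise the classification table decides.
    Lines with an unknown classification are kept rather than silently dropped.
    """
    kept = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        description, tagged = m.group(1), m.group(2)
        priority = int(tagged) if tagged else class_priorities.get(description)
        if priority is None or priority <= max_priority:
            kept.append(line)
    return kept
```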