Snort mailing list archives
Re: Alert classification and priority
From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 3 Jun 2004 08:43:15 -0700 (PDT)
Gary is saying that setting priorities and such on individual rules is a waste of time since the rules get updated and hence, overwritten. It makes perfect sense to make the priority work just like threshold.conf: You set it up in a conf file and the setting stays there, doesn't get overwritten by updating your rules. The only thing that could throw that off would be if they changed the SID. Heh! Cheese!

Marc

--__--__--

Message: 7
To: Gary_Portnoy () itginc com
cc: Dirk Geschke <Dirk_Geschke () genua de>, snort-users () lists sourceforge net, Dirk_Geschke () genua de
Subject: Re: [Snort-users] Alert classification and priority
Date: Thu, 03 Jun 2004 14:29:14 +0200
From: Dirk Geschke <Dirk_Geschke () genua de>

Hi Gary,
> I was looking for something more in the way of threshold.conf where I
> could change the priorities without changing the rule files, so that
> upgrading to new rules doesn't reset them back to default priority values.
>
> The way I see it, the rule files should not be changed, any local
> customizations should be done via instance-specific files, like
> snort.conf, threshold.conf, local.rules, etc.
But the rules files are part of snort.conf, they are simply included...
> Even barnyard does not check for a changed priority of a rule and
> will still use the old priority. As far as I understand, unified plugin
> just writes out the event with all the relevant info and barnyard looks
> at classification.config and determines the priority. So one way to
> achieve what I am trying to do with barnyard (I am focusing on it
> because that's what I am using) would be to create a different
> classification type with a different priority and then use that
> classification type in my rules. Barnyard then should (should being the
> keyword, I haven't tried this) log the correct classtype/priority to the
> database. But again, this requires me to change the rules files. What I
> want is a priority.config file where I can override the default priority
> by saying something along the lines of:
>
> gen_id 1, sig_id 555, priority 3
Ok, it is a little bit confusing. You want to first check the rules file to find the sig_id and then change this via a different config rule? Won't it be much easier to change it directly with the rule?

<snip>
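The thread turns on how a rule's priority is derived (the classtype's default from classification.config, overridden by an explicit priority: option in the rule) and on keeping local overrides out of the upstream .rules files so a rule update does not reset them. The script below is an added example, not code from the thread or from Snort: it resolves the upstream priority of each rule, applies overrides from a file in the gen_id/sig_id/priority syntax Gary proposes (a hypothetical format that this script alone consumes; Snort has no such file), and lists overrides whose SID no longer exists, which is the failure case Marc points out. The classification lines, rules, SIDs and override entries are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in classification.config syntax: name,description,priority.
CLASSIFICATION_CONFIG = """\
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
"""

# Constructed rules; SIDs and messages are made up for this example.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; classtype:web-application-attack; sid:555; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"EXAMPLE ftp noise"; classtype:misc-activity; priority:2; sid:556; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE icmp"; gid:1; classtype:misc-activity; sid:557; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE no classtype"; sid:558; rev:1;)
"""

# Constructed local override file in the syntax proposed in the thread. This is a
# hypothetical format: Snort does not read such a file, only this script does.
PRIORITY_CONFIG = """\
# gen_id <gid>, sig_id <sid>, priority <n>
gen_id 1, sig_id 555, priority 3
gen_id 1, sig_id 557, priority 1
"""

_CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),[^,]*,(\d+)\s*$")
_OVERRIDE_RE = re.compile(r"^\s*gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*priority\s+(\d+)\s*$")

def _option(body: str, name: str) -> Optional[str]:
    """Value of 'name:value;' inside a rule's option body, or None if absent."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*:\s*([^;]+);", body)
    return m.group(1).strip() if m else None

def parse_classification(text: str) -> Dict[str, int]:
    """Map classtype name -> default priority from classification.config lines."""
    classes: Dict[str, int] = {}
    for line in text.splitlines():
        m = _CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = int(m.group(2))
    return classes

def parse_rules(text: str) -> List[dict]:
    """Extract gid, sid, classtype and explicit priority from each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue
        body = line[line.index("(") + 1:line.rindex(")")]
        sid, gid, prio = (_option(body, k) for k in ("sid", "gid", "priority"))
        if sid is None:
            continue  # without a sid the rule cannot be addressed by gen_id/sig_id
        rules.append({"gid": int(gid) if gid else 1,  # Snort's default generator id
                      "sid": int(sid),
                      "classtype": _option(body, "classtype"),
                      "priority": int(prio) if prio else None})
    return rules

def parse_priority_overrides(text: str) -> Dict[Tuple[int, int], int]:
    """Parse 'gen_id N, sig_id N, priority N' lines into a (gid, sid) -> priority table."""
    overrides: Dict[Tuple[int, int], int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _OVERRIDE_RE.match(line)
        if not m:
            raise ValueError(f"priority.config line {lineno}: cannot parse {line!r}")
        overrides[(int(m.group(1)), int(m.group(2)))] = int(m.group(3))
    return overrides

def upstream_priority(rule: dict, classes: Dict[str, int]) -> Optional[int]:
    """Rule-file priority: explicit 'priority:' beats the classtype default; None if neither is set."""
    if rule["priority"] is not None:
        return rule["priority"]
    return classes.get(rule["classtype"]) if rule["classtype"] else None

def resolve(rules_text: str, classes_text: str, overrides_text: str) -> dict:
    """{(gid, sid): (upstream, effective)} per rule; a local override, if any, wins."""
    classes = parse_classification(classes_text)
    overrides = parse_priority_overrides(overrides_text)
    out = {}
    for r in parse_rules(rules_text):
        key, up = (r["gid"], r["sid"]), upstream_priority(r, classes)
        out[key] = (up, overrides.get(key, up))
    return out

def stale_overrides(rules_text: str, overrides_text: str) -> List[Tuple[int, int]]:
    """Override entries whose gid/sid is no longer in the rule set (the SID-change case from the thread)."""
    present = {(r["gid"], r["sid"]) for r in parse_rules(rules_text)}
    return sorted(k for k in parse_priority_overrides(overrides_text) if k not in present)

if __name__ == "__main__":
    for (gid, sid), (up, eff) in sorted(resolve(RULES, CLASSIFICATION_CONFIG, PRIORITY_CONFIG).items()):
        print(f"{gid}:{sid} upstream={up} effective={eff}{' (local override)' if up != eff else ''}")
    print("stale overrides:", stale_overrides(RULES, PRIORITY_CONFIG))
```

Run against a real rule set, the (upstream, effective) pairs give an audit trail of every local priority decision after a rule update, and a non-empty stale_overrides result flags entries to re-check before assuming an override is still in force.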