[Snort-devel] more food for thought - priorities

Brian Caswell bmc at ...227...
Mon Feb 26 16:54:23 EST 2001

I've done some long and hard thinking on how we should handle priorities. I've taken Marty's suggestion of extremely customizable granularity for
I've started work on an implementation that should fit this bill.

Here are the implementation ideas. We set it up to handle any amount of
and values. All metrics will be percentage configurable on a configurable scale. (current_value / max_value = percentage; then compute the value based on the specified

This allows the user control over how much granularity they want, as well as variable metrics.

    sp_priority_settings:"metricname | percentage scalevalue, \
        metricname | percentage scalevalue";
    sp_priority_scale:"lowvalue highvalue";
    alert tcp any any -> any any ( msg:"message"; priority:value,value;)

By default we should have these settings: Type, Accuracy, Risk. We will need to set default "metric values" for each of the different metrics, as well as a max scalevalue (from 1 to howmany). So we rank "from 1 to 4 on the risk scale, this is a 3. We set this to be 50% of our priority value."

The following example should be approximately on the same scale as

sp_priority_settings:"type | 30 10, accuracy | 10 10, risk | 50 4, cvelove | 10 1";
sp_priority_scale:"3 1";

alert tcp any any -> any 80 (msg:"CVE loves you"; content:"GET http://cve.mitre.org/"; \
    reference:cve,CVE-1978-0209; priority:2,10,1,10;)

This alert would give us a priority of 3 (which in the real secure world is very low).
Does this make sense? I've tried to incorporate all of the features I could think of
(personalized metrics, values, percentages, and scale).

Brian Caswell
The MITRE Corporation

Type could be:
  1 - Single port connection
  9 - Multiple NOOP signature
  10 - Full Attack Signature
Risk could be:
  1 - Information Leak
  2 - limited user privileges
  3 - full user privileges
  4 - full administrator privileges
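The scheme proposed above, as an added example that is not part of the original mail and not Snort code: a stand-alone C model of the sp_priority_settings / sp_priority_scale / priority options. The option names, the example settings and the example rule are taken from the mail. Everything else is this example's own assumption, since the mail does not spell it out: the parsing of the option strings, the requirement that the metric weights add up to 100, the clamping of a value that exceeds its metric's scale (the mail's rule gives cvelove a 10 on a 1-point scale), and the mapping of the final percentage onto the low..high scale with equal-width bins. Under those assumptions the mail's rule scores 6 + 10 + 12.5 + 10 = 38.5% and lands in rank 2 of the 3..1 scale; a bin layout that treats everything below 50% as the lowest rank gives the 3 the mail quotes, which is exactly why the mapping should be pinned down in the spec.

```c
/* Added example (not Snort code): a model of the proposed sp_priority_settings /
 * sp_priority_scale / priority rule options. Option names follow the mail; the
 * parsing, clamping, weight-sum check and rank mapping are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_METRICS 8

typedef struct {
    char   name[32];
    double weight;  /* share of the total priority, in percent */
    double max;     /* top of the metric's own scale, values run 1..max */
} Metric;

typedef struct {
    Metric m[MAX_METRICS];
    int    count;
    int    low;     /* rank meaning "least important" (3 in the mail) */
    int    high;    /* rank meaning "most important"  (1 in the mail) */
} PriorityConfig;

/* sp_priority_settings:"name | weight max, ...". Returns the metric count,
 * or -1 if the spec is malformed or the weights do not add up to 100. */
int parse_priority_settings(PriorityConfig *cfg, const char *spec)
{
    char buf[256], *tok;
    double total = 0.0;

    strncpy(buf, spec, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    cfg->count = 0;
    for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        Metric *mt;
        if (cfg->count >= MAX_METRICS) return -1;
        mt = &cfg->m[cfg->count];
        if (sscanf(tok, " %31[^ |] | %lf %lf", mt->name, &mt->weight, &mt->max) != 3)
            return -1;
        if (mt->weight <= 0.0 || mt->max < 1.0) return -1;
        total += mt->weight;
        cfg->count++;
    }
    if (cfg->count == 0 || total < 100.0 - 1e-6 || total > 100.0 + 1e-6) return -1;
    return cfg->count;
}

/* sp_priority_scale:"low high", e.g. "3 1": 3 is least, 1 is most urgent. */
int parse_priority_scale(PriorityConfig *cfg, const char *spec)
{
    if (sscanf(spec, " %d %d", &cfg->low, &cfg->high) != 2) return -1;
    return cfg->low == cfg->high ? -1 : 0;
}

/* priority:v1,v2,... (one value per metric, in settings order). Computes
 * sum(value / max * weight) as the mail describes. A value above its metric's
 * max is clamped and *clamped set, so a typo in one rule cannot push it past
 * 100%. Returns -1 if the number of values does not match the metrics. */
double priority_percent(const PriorityConfig *cfg, const char *values, int *clamped)
{
    char buf[128], *tok;
    double pct = 0.0, v;
    int i = 0;

    strncpy(buf, values, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    *clamped = 0;
    for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","), i++) {
        if (i >= cfg->count || sscanf(tok, " %lf", &v) != 1) return -1.0;
        if (v < 0.0) v = 0.0;
        if (v > cfg->m[i].max) { v = cfg->m[i].max; *clamped = 1; }
        pct += v / cfg->m[i].max * cfg->m[i].weight;
    }
    return i == cfg->count ? pct : -1.0;
}

/* Map the percentage onto low..high with equal-width bins (assumption):
 * for "3 1" that is [0,33.3) -> 3, [33.3,66.7) -> 2, [66.7,100] -> 1. */
int priority_rank(const PriorityConfig *cfg, double pct)
{
    int steps = abs(cfg->high - cfg->low) + 1;
    int bin = (int)(pct / 100.0 * steps);
    if (bin >= steps) bin = steps - 1;  /* pct == 100 */
    if (bin < 0) bin = 0;
    return cfg->high > cfg->low ? cfg->low + bin : cfg->low - bin;
}

/* Evaluate one rule's priority option. Returns the rank, or -1 on bad input. */
int score_rule(const char *settings, const char *scale, const char *values,
               double *pct_out, int *clamped_out)
{
    PriorityConfig cfg;
    if (parse_priority_settings(&cfg, settings) < 0) return -1;
    if (parse_priority_scale(&cfg, scale) < 0) return -1;
    *pct_out = priority_percent(&cfg, values, clamped_out);
    return *pct_out < 0.0 ? -1 : priority_rank(&cfg, *pct_out);
}

int main(void)
{
    double pct = 0.0;
    int clamped = 0;
    /* The settings, scale and rule from the mail, used as this example's input. */
    int rank = score_rule("type | 30 10, accuracy | 10 10, risk | 50 4, cvelove | 10 1",
                          "3 1", "2,10,1,10", &pct, &clamped);
    printf("%.1f%% -> priority %d%s\n", pct, rank,
           clamped ? " (a value exceeded its scale and was clamped)" : "");
    return rank < 0;
}
```

The two checks worth keeping whatever the final design looks like are the ones the mail's own example trips over: a rule that supplies more or fewer values than there are configured metrics is rejected outright rather than silently misaligned, and a value larger than its metric's scale is clamped and reported instead of letting one rule score above 100%.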

