[Snort-devel] Snort priorities in classification.config ; GIAC severity algorithm.

Imran William Smith iwsmith at ...1111...
Sun Mar 3 22:57:04 EST 2002

I don't understand the priorities in classification.config.
Are they meant to be 1=worst, 4=unimportant?  What
about not-suspicious being 3?

I am trying to develop an automated system to prioritize
snort rules based on the GIAC algorithm 

severity = criticality + lethality - 
                (system + network countermeasures)

(See Network Intrusion Detection 2nd edition, page 152).

Criticality and network countermeasures can be stored
in a database , keyed on IP address.  But lethality depends

1) what we know about how bad the attack is
2) the target architecture of the attack, and the target
destination of the packet.

I heard someone else a while back propose that the
signature database encodes the target architecture of the
attack.  But the new 'signature database' still doesn't
have 'architecture' as a field.

A good solution to this would contain many database
tables, and is (probably?) outside the scope of snort.
The problems include things like Architecture being
a hierarchy - Solaris is a subset of Unix, a Unix targetted
attack would possibly hit Solaris, but not vice versa.

Any thoughts anyone?  My current design is going
to require 5 database tables, and some reasonably
complex SQL / Perl.

(should this have gone to snort-users?)

Imran William Smith

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

More information about the Snort-devel mailing list