[Snort-users] One for the Wishlist
alambert at ...387...
Fri Aug 25 15:33:17 EDT 2000
> > I know this has been mentioned before, but I would like to see the ability
> > to assign a severity level to a rule. For example a PING-ICMP_TIME_EXCEEDED
> > may be a severity=1 while an FTP-badlogin may be a 3 and a DDoS-shaft handler
> > to agent may be a 5.
> Not only would a severity level be useful, but also a confidence
> There are many rules which are known to false trigger often, so it
> would be useful to assign those a low confidence level. Rules which
> almost never falsely trip should be given a high confidence level.
How about we collectively start just adding a simple, consistent
text string to messages which are known to generate false positives?
Something like 'msg: "$CURRENTMSG Confidence:3"'. That would make life
easy on parsers, and not cause any additional work for snort itself.
Anyone else like the idea? Hate it? Comments welcome.
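As an added example (not code from the thread or from Snort itself), a small Python parser for the proposed convention: it pulls a trailing "Confidence:N" token out of each rule's msg string, filters rules by a minimum confidence, and can add the token to an untagged rule. The sample rules are constructed, and the parser assumes the token is always the last thing in the msg.

```python
from __future__ import annotations
import re
from typing import Optional

# Constructed sample rules (not from any Snort ruleset); two carry the proposed
# trailing "Confidence:N" token in their msg string, the third is untagged.
SAMPLE_RULES = """\
alert icmp any any -> any any (msg:"PING-ICMP_TIME_EXCEEDED Confidence:1"; itype:11;)
alert tcp any 21 -> any any (msg:"FTP-badlogin Confidence:4"; content:"530 ";)
alert udp any any -> any 18753 (msg:"DDoS-shaft handler to agent"; content:"alive";)
"""

# msg:"..." option, allowing escaped quotes; the confidence token must end the msg
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
CONF_RE = re.compile(r'\s*Confidence:(\d+)\s*$')

def split_confidence(msg: str) -> tuple[str, Optional[int]]:
    """Split 'FTP-badlogin Confidence:4' into ('FTP-badlogin', 4)."""
    m = CONF_RE.search(msg)
    return (msg, None) if not m else (msg[:m.start()], int(m.group(1)))

def parse_rules(text: str) -> list[dict]:
    """Return one dict per rule with the base msg and its confidence (or None)."""
    out = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m or line.lstrip().startswith("#"):
            continue
        base, conf = split_confidence(m.group(1))
        out.append({"msg": base, "confidence": conf, "rule": line})
    return out

def filter_by_confidence(rules: list[dict], minimum: int,
                         untagged_default: Optional[int] = None) -> list[dict]:
    """Keep rules with confidence >= minimum. Untagged rules are kept unless
    untagged_default is supplied and falls below the minimum (the proposal tags
    only rules known to false-trigger, so no tag implies no known FP problem)."""
    kept = []
    for r in rules:
        conf = r["confidence"] if r["confidence"] is not None else untagged_default
        if conf is None or conf >= minimum:
            kept.append(r)
    return kept

def tag_rule(rule: str, confidence: int) -> str:
    """Append (or replace) the Confidence token inside a rule's msg option."""
    m = MSG_RE.search(rule)
    if not m:
        raise ValueError("rule has no msg option")
    base, _ = split_confidence(m.group(1))
    return f'{rule[:m.start()]}msg:"{base} Confidence:{confidence}"{rule[m.end():]}'
```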