[Snort-users] One for the Wishlist

A.L.Lambert alambert at ...387...
Fri Aug 25 15:33:17 EDT 2000


> > I know this has been mentioned before, but I would like to see the ability
> > to assign a severity level to a rule.  For example a PING-ICMP_TIME_EXCEEDED
> > may be a severity=1 while an FTP-badlogin may be a 3 and a DDoS-shaft handler
> > to agent may be a 5.
> 
> Not only would a severity level be useful, but also a confidence
> level.
> 
> There are many rules which are known to false trigger often, so it
> would be useful to assign those a low confidence level. Rules which
> almost never falsely trip should be given a high confidence level.
> 
> -Dan

	How about we collectively start just adding a simple, consistent
text string to messages which are known to generate false positives?  
Something like 'msg: "$CURENTMSG Confidence:3"'.  That would make life
easy on parsers, and not cause any additional work for snort itself.  
Anyone else like the idea?  Hate it?  Comments welcome.

-- A.L.Lambert
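What the proposal above looks like in practice, as an added example that is not part of the original post or of the Snort project: a small Python script that appends a "Confidence:N" tag to the msg option of a Snort rule, reads it back out of rules and of fast-style alert lines, and filters alerts by a minimum confidence. The rule and alert lines are constructed samples (the tag values mirror the severities suggested earlier in the thread), and the function names are my own.

```python
import re
from typing import List, Optional

# Constructed sample rules in Snort 1.x syntax (not taken from the post).
# The "Confidence:N" tag is appended to the msg string as proposed; the
# last rule is left untagged to show how unknown confidence is handled.
SAMPLE_RULES = [
    'alert icmp any any -> $HOME_NET any (msg:"PING-ICMP_TIME_EXCEEDED Confidence:1"; itype:11;)',
    'alert tcp any any -> $HOME_NET 21 (msg:"FTP-badlogin Confidence:3"; content:"530 "; flags:PA;)',
    'alert tcp any any -> $HOME_NET 20432 (msg:"DDoS-shaft handler to agent Confidence:5"; content:"alive";)',
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; content:"/phf"; nocase;)',
]

# Constructed alert lines in Snort's "fast" output style; the msg text,
# and therefore the tag, is carried through verbatim between the [**] markers.
SAMPLE_ALERTS = [
    '08/25-15:33:17.000001 [**] PING-ICMP_TIME_EXCEEDED Confidence:1 [**] 10.0.0.1 -> 10.0.0.2',
    '08/25-15:33:18.000001 [**] FTP-badlogin Confidence:3 [**] 10.0.0.3:4242 -> 10.0.0.2:21',
    '08/25-15:33:19.000001 [**] WEB-CGI phf access [**] 10.0.0.4:5151 -> 10.0.0.2:80',
]

MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')        # msg option inside a rule
CONF_RE = re.compile(r'\bConfidence:(\d+)\b')       # the proposed tag
FAST_RE = re.compile(r'\[\*\*\]\s*(.*?)\s*\[\*\*\]')  # msg text in a fast-style alert


def parse_confidence(msg: str) -> Optional[int]:
    """Return the Confidence:N value embedded in a msg string, or None if untagged."""
    m = CONF_RE.search(msg)
    return int(m.group(1)) if m else None


def rule_msg(rule: str) -> Optional[str]:
    """Extract the msg string from a rule line, or None if the rule has no msg option."""
    m = MSG_RE.search(rule)
    return m.group(1) if m else None


def alert_msg(line: str) -> Optional[str]:
    """Extract the msg text from a fast-style alert line."""
    m = FAST_RE.search(line)
    return m.group(1) if m else None


def tag_rule(rule: str, confidence: int) -> str:
    """Append (or replace) the Confidence tag in a rule's msg option.

    This is the '$CURENTMSG Confidence:N' rewrite from the post, applied to
    an existing rule so a rules file can be tagged without editing by hand.
    """
    def repl(m: "re.Match") -> str:
        msg = m.group(1)
        if CONF_RE.search(msg):
            msg = CONF_RE.sub(f"Confidence:{confidence}", msg)
        else:
            msg = f"{msg} Confidence:{confidence}"
        return f'msg:"{msg}"'
    return MSG_RE.sub(repl, rule, count=1)


def rule_confidences(rules: List[str]) -> List[Optional[int]]:
    """Confidence value per rule; None for rules that carry no tag."""
    return [parse_confidence(rule_msg(r) or "") for r in rules]


def filter_alerts(lines: List[str], min_confidence: int,
                  keep_untagged: bool = True) -> List[str]:
    """Keep alerts whose confidence is at least min_confidence.

    Untagged alerts have unknown confidence; by default they are kept rather
    than silently dropped, so a missing tag never hides an alert.
    """
    kept = []
    for line in lines:
        conf = parse_confidence(alert_msg(line) or "")
        if conf is None:
            if keep_untagged:
                kept.append(line)
        elif conf >= min_confidence:
            kept.append(line)
    return kept


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(parse_confidence(rule_msg(r) or ""), rule_msg(r))
    print(tag_rule(SAMPLE_RULES[3], 2))
    for line in filter_alerts(SAMPLE_ALERTS, 3):
        print(line)
```

The point of keeping untagged alerts by default is that a confidence scheme bolted onto the msg string only covers rules someone has tagged; treating "no tag" as "low confidence" would quietly drop everything that has not been reviewed yet. Snort also does not interpret the tag, so it costs nothing in the detection engine, which is exactly what the post was aiming for.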
