[Snort-users] alarm levels assigned to Snort rules

Chris Green cmg at ...671...
Tue Jun 26 16:23:39 EDT 2001


tim.gray1 at ...2387... writes:

> Is there a utility or resource out there which somehow, (maybe by creating
> custom ruletypes), generates alarm levels for different attacks?
> 
> Let me explain more: Say I want password-crack attack signatures to be
> considered a level 5 alarm, and if this signature is detected, it will
> execute a paging program and log the alarm to a database.
> If the attack signature is just an ftp attempt, I consider it a level 2 and
> I want to only log the attempt to a file.
> 

These are what definable ruletypes are for.  The priorities (a
solution in another reply) in the output are designed for
postprocessing tools rather than the internals of snort.

Ruletypes allow you to create your own rules rather than 'alert':

See http://www.snort.org/writing_snort_rules.htm#rule_header
-- 
Chris Green <cmg at ...671...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
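
An added example, not part of the original post: a snort.conf sketch of the two alarm levels from the question, built with the ruletype declarations the reply points to. The names level5 and level2, the network ranges, the database credentials and both rules are constructed for illustration, and the syslog output is an assumed hook for an external paging tool that watches the log.

```conf
# Constructed sample networks; adjust to the monitored site.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any

# "Level 5": raise an alert, send it to syslog (where an external
# watcher could trigger the pager) and record it in a database.
# Database name, user and host are placeholders.
ruletype level5
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=snort host=localhost
}

# "Level 2": no alert, only log the packet to a tcpdump-format file.
ruletype level2
{
    type log
    output log_tcpdump: level2.log
}

# Rules use the ruletype name in place of 'alert' or 'log'.
# Both signatures below are constructed samples, not from a shipped ruleset.
level5 tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"Level 5: FTP login failure"; content:"530 ";)
level2 tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Level 2: FTP connection attempt"; flags:S;)
```

Each ruletype carries its own output plugins, so the routing happens inside Snort when the rule fires instead of in a postprocessing step.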



