[Snort-users] Classification snort/barnyard
cpw at ...440...
Wed Dec 11 09:08:05 EST 2002
There is a little known field in the SetEvent routine called classification.
Many of the preprocessors that generate alerts for some reason set the
classification to 0. This causes barnyard to get chatty. So,
what is the value of classification anyway? My answer would be it makes
sense to have classifications. And, it appears that there are
currently 1-4. Where 1 is most serious and 4 would be more or less
informational. Maybe they should have a name associated with them.
1. red emergency!, successful hack, get cracking
2. yellow on guard, attempted hack
3. orange what are these folks up to?, information gathering
4. blue normal usage
For now, I've fixed SetEvent to set any 0 classifications to 4. But,
that's not right. Each preprocessor should be investigated with an
eye on how important the "alert/event" is and the classification changed
from zero to one of the above.