[Snort-users] Classification snort/barnyard

Phil Wood cpw at ...440...
Wed Dec 11 09:08:05 EST 2002


Folks,

There is a little known field in the SetEvent routine called classification.
Many of the preprocessors that generate alerts for some reason set the
classification to 0.  This causes barnyard to get chatty.  So,
what is the value of classification anyway?  My answer would be it makes
sense to have classifications.  And, it appears that there are 
currently 1-4.  Where 1 is most serious and 4 would be more or less 
informational.  Maybe they should have a name associated with them.

     color        severity
  1. red          emergency!, successful hack, get cracking
  2. yellow       on guard., attempted hack
  3. orange       what are these folks are up to?, information gathering
  4. blue         normal usage

For now, I've fixed SetEvent to set any 0 classifications to 4.  But, 
that's not right.  Each preprocessor should be investigated with a 
eye on how important the "alert/event" is and the classification changed
from zero to one of the above.

Later,

Phil




More information about the Snort-users mailing list