[Snort-users] Signatures, priorities and database

Dirk Geschke dirk at ...10648...
Thu Apr 8 12:45:01 EDT 2004


Hi all,

as I was thinking about the differences in the database between
FLoP and mudpit an old issue came back to my mind.

If a rule is not in the database then the output-plugin
(or mudpit) will insert the signature in the database.

Normally the priority of the alert is not mentioned in the
rule but it is possible to do so...

The priority is taken from the classification.config file.
This priority is entered in database with all the other
values.

But if the signature is already part of the database then
the priority is ignored for all further alerts, regardless
of whether the priority has changed or not.

So it is neither possible to change the priority of the
rule nor to have different priorities for the same rule.
(Yes, sometimes you want to set different priorities for the
same rule on different sensors, e.g. WWW rules related
to a web server should get a higher priority than those related
to maybe a file server.)

In principle you can correct this with a minor modification
of the select statement to fetch the sig_id. If the priority
does not match then insert a new (cloned) signature. (If you
set DBtrust to 1 in the FLoP servsock.conf file then FLoP
would show this behaviour.)

Ok, long introduction but here are the real questions:

  Should the priority really be part of the signature 
  table or wouldn't it make more sense to add it to 
  maybe the event table?

A not really related question is: 

  What is the range and order of priorities?

In principle everyone can choose his own range, but wouldn't one
global definition be useful?

So what is the range of priorities? From the snort docs
it seems to be from 1 to 4 with 1 the highest alert. But
in older documentations it was vice versa, the highest
number meant the most important alert.

Has anyone some good ideas on how this should be handled?

Best regards

Dirk
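The sig_id lookup modification described in the post, as an added example that is not part of the original mail and not code from FLoP, mudpit or the Snort database output plugin. The schema is a constructed, minimal version of a signature table (column names are assumptions loosely modelled on the classic Snort database schema), the rule name and SID 1000001 are constructed sample values, and the `trust_priority` flag is a hypothetical stand-in for the behaviour switch the post mentions, not FLoP's actual DBtrust option. It contrasts the two behaviours: reuse the stored row and silently keep its old priority, or include the priority in the select and insert a cloned signature when it differs.

```python
import sqlite3

# Constructed minimal schema; column names are assumptions modelled on the
# signature table of the classic Snort database output schema.
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT    NOT NULL,
    sig_class_id INTEGER NOT NULL,
    sig_priority INTEGER NOT NULL,
    sig_rev      INTEGER NOT NULL,
    sig_sid      INTEGER NOT NULL,
    sig_gid      INTEGER NOT NULL
);
"""


def open_db():
    """Open an in-memory database with the constructed signature table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_or_insert(conn, name, class_id, priority, rev, sid, gid,
                     trust_priority=False):
    """Return the sig_id to use for an alert of this rule.

    trust_priority=False: the select matches on name/rev/sid/gid only, so an
    existing row is reused and the priority stored at first insert wins
    (the behaviour the post describes).
    trust_priority=True: the select also compares sig_priority; if no row has
    the same priority, a cloned signature row with the new priority is added.
    """
    # The WHERE clause is assembled only from fixed column names; all values
    # go through bound parameters.
    where = "sig_name = ? AND sig_rev = ? AND sig_sid = ? AND sig_gid = ?"
    params = [name, rev, sid, gid]
    if trust_priority:
        where += " AND sig_priority = ?"
        params.append(priority)
    row = conn.execute(
        f"SELECT sig_id FROM signature WHERE {where}", params).fetchone()
    if row:
        return row[0]
    cur = conn.execute(
        "INSERT INTO signature (sig_name, sig_class_id, sig_priority, "
        "sig_rev, sig_sid, sig_gid) VALUES (?, ?, ?, ?, ?, ?)",
        (name, class_id, priority, rev, sid, gid))
    return cur.lastrowid


def stored_priority(conn, sig_id):
    """Priority the database currently holds for a given sig_id."""
    return conn.execute(
        "SELECT sig_priority FROM signature WHERE sig_id = ?",
        (sig_id,)).fetchone()[0]


def demo(trust_priority):
    """Two sensors raise the same (constructed) rule with priorities 2 and 1.

    Returns (sig_id seen by sensor A, sig_id seen by sensor B,
             priority stored for sensor B's sig_id).
    """
    conn = open_db()
    sid_a = lookup_or_insert(conn, "WEB-MISC example", 1, 2, 3, 1000001, 1,
                             trust_priority)
    sid_b = lookup_or_insert(conn, "WEB-MISC example", 1, 1, 3, 1000001, 1,
                             trust_priority)
    return sid_a, sid_b, stored_priority(conn, sid_b)


if __name__ == "__main__":
    print("priority ignored on lookup:", demo(False))   # (1, 1, 2)
    print("priority part of lookup:  ", demo(True))     # (1, 2, 1)
```

With the priority left out of the select, sensor B's alerts are tied to sig_id 1 and reported with priority 2, the value sensor A happened to insert first. With the priority included, sensor B gets its own cloned row (sig_id 2) carrying priority 1, at the cost of one signature row per distinct priority. Moving the priority to the event table, as the post asks, would avoid both the silent overwrite and the cloned rows.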
