[Snort-users] Difference between rule classification and rule priority?

Jeff Murphy jeff.murphy at ...11827...
Fri Apr 29 11:43:20 EDT 2011


+1 to tags. Currently I'm overloading the msg field and using it to tag rules and letting the SIEM figure things out based on that.
 
I'd like to see a 'confidence' score that rule repositories can adjust based on reports of FPs or confirmations. A definition of the score and algorithm should be included as well, of course, to avoid ambiguities between rule repositories.


jeff
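As an added illustration of the msg-tagging approach described above (example code written for this page, not from the thread, the SIEM, or Snort itself): a small parser for Snort "fast" alert lines that pulls out the classification, the priority and any tags embedded in msg, using a constructed `[TAG:a,b]` convention. Snort's classification.config assigns each classtype a default priority from 1 (highest) to 4, and a rule's own `priority:` keyword overrides that default, so the parser labels values outside 1-4 rather than guessing what they mean.

```python
import re
from collections import Counter

# Constructed sample "fast" alert lines (not from the original thread).
# The msg field carries tags as "[TAG:a,b]", one way of overloading msg.
SAMPLE_ALERTS = """\
04/28-11:30:01.000001  [**] [1:1000001:2] [TAG:c2,malware] EXAMPLE beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.9:443
04/28-11:30:02.000002  [**] [1:1000002:1] EXAMPLE noisy scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:1234 -> 10.0.0.5:22
04/28-11:30:03.000003  [**] [1:1000003:1] [TAG:policy] EXAMPLE no classtype [**] [Priority: 10] {UDP} 10.0.0.5:5353 -> 224.0.0.251:5353
"""

# [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n]
# Classification and Priority are optional: a rule need not set a classtype.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<classification>[^\]]*)\])?"
    r"(?: \[Priority: (?P<priority>\d+)\])?"
)
TAG_RE = re.compile(r"\[TAG:([^\]]+)\]")

# Default classification.config priorities: 1 is highest, 4 is lowest.
PRIORITY_LABELS = {1: "high", 2: "medium", 3: "low", 4: "very low"}


def parse_alert(line):
    """Return a dict for one fast-alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    d["priority"] = int(d["priority"]) if d["priority"] is not None else None
    # Pull tags out of msg, then strip the tag markers from the text itself.
    d["tags"] = [t.strip() for grp in TAG_RE.findall(d["msg"]) for t in grp.split(",")]
    d["msg"] = TAG_RE.sub("", d["msg"]).strip()
    # An explicit priority: keyword may be any integer; only 1-4 have a defined meaning.
    d["priority_label"] = PRIORITY_LABELS.get(d["priority"], "outside 1-4 range")
    return d


def parse_alerts(text):
    """Parse every matching line in a block of fast-alert output."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def tag_counts(alerts):
    """Count alerts per tag, the kind of roll-up a SIEM would do on the tags."""
    return Counter(t for a in alerts for t in a["tags"])
```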

On Apr 28, 2011, at 11:30 AM, Martin Holste wrote:

> I find both classification and priority to be all but useless in their
> current forms.  Classification is going to get an overhaul shortly,
> which will definitely improve its usefulness.  Priority is so
> subjective and context-dependent that it is tactically unhelpful.
> There may be rare cases in which it is a helpful indicator, but I have
> yet to see one.
> 
> I have yet to be told why message tags (essentially an array of
> classifications) have not been implemented as it would solve many
> issues and provide much more inherent context for analysts.
> 
> In short, I would pay far more attention to the references in the rule
> than the priority or classification.  You need to understand why the
> rule fired and make your own decision regarding what the consequences
> are for your org.  You will need tools to do that.  At a minimum, run
> daemonlogger to collect network traffic and get netflow from routers
> for sessions.  Alternatively, run sancp to do both.  It will be more
> than worth the initial setup time.
> 
> On Thu, Apr 28, 2011 at 9:38 AM, Andy Berryman <aberryman at ...14758...> wrote:
>> I asked on the google groups with no answer, so I’m asking here. But I
>> thought the two were combined.
>> 
>> If the rule classifications are 1-4, with 1 being the highest (omg omg
>> omg) and 4 being the lowest (eh, who cares)
>> 
>> But the priority that you can set in the rules can be a priority 10
>> for instance. What level would that be?
>> 
>> Would the higher the "priority" be like the lower the classtype?
>> 
>> Thanks,
>> 
>> Andy
>> 
>> ------------------------------------------------------------------------------
>> WhatsUp Gold - Download Free Network Management Software
>> The most intuitive, comprehensive, and cost-effective network
>> management toolset available today.  Delivers lowest initial
>> acquisition cost and overall TCO of any competing solution.
>> http://p.sf.net/sfu/whatsupgold-sd
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users