Thu Nov 23 16:36:19 EST 2017
# Each classification includes a shortname, a description, and a default
# priority for that classification.
# This allows alerts to be cassified and prioritized. You can specify
# what priority each classification has. Any rule can override the default
# priority for that rule.
# Here are a few example rules:
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
# dsize: > 128; classtype:attempted-admin; priority:10;
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
# content:"expn root"; nocase; classtype:attempted-recon;)
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
# config classification:shortname,short description,priority
You simply define a shortname, a description to go along with it, and then a
priority to go along with it. You then use that classification in your
As for the email alerts, two answers:
And: There has been a patch submited that adds email alerts. I've not
implemented this yet, so I can't speak well on it. Check the snort-dev list
archives for a thread on it. It was within the last few days... You would
also have to define a custom rule that would use the email and normal alerts
(see snort.conf for the 'redalert' example).
More information about the Snort-users