LinuxQuestions.org

-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Snort rules> priority (http://www.linuxquestions.org/questions/linux-security-4/snort-rules-priority-229264/)

linuxtommy 09-11-2004 07:38 AM

Snort rules> priority
 
Hello!

My snort is reporting alerts to my mysql database.

in the log i find this:

09/06-00:05:29.472645 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 220.228.58.66:1356 -> 193.217.161.220:1434
09/06-00:21:16.286990 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.231.235 -> 193.217.161.220
09/06-00:23:50.707484 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.133.46 -> 193.217.161.220
09/06-00:54:57.420219 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.133.172 -> 193.217.161.220
09/06-01:11:52.430900 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.231.235 -> 193.217.161.220
09/06-01:40:44.600574 [**] [1:474:1] ICMP superscan echo [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 217.82.97.126 -> 193.217.161.220
09/06-02:03:19.613909 [**] [1:528:3] BAD TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 193.217.161.220:1406
09/06-02:51:05.731231 [**] [1:528:3] BAD TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 193.217.161.220:1868

Where does it say that a given rule should have priority 2? It does not say so in the rule definition (i.e. icmp.rules)...?

Capt_Caveman 09-12-2004 10:35 PM

I believe the priorities are set in the classification.config file. Priority should be the last field for each classification entry.
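
To see how the [Priority: 2] in the quoted alerts is derived, here is an added example (not code from the thread or from Snort itself) that parses entries in the classification.config format, shows the two places a rule's priority can come from, and checks the posted alert lines against the table. The classification.config excerpt and rule lines are constructed; the first three classification entries use the stock Snort 2.x values, the rule with sid 1000001 is hypothetical, and the two alert lines are taken from the original post.

```python
import re

# Constructed excerpt of a Snort classification.config (added example, not from
# the thread).  Each entry has the form
#   config classification: shortname,short description,priority
# and the priority is the last field.  The first three entries are the stock
# Snort 2.x values behind the alerts quoted above; the fourth is also stock.
CLASSIFICATION_CONFIG = """\
# comments and blank lines are ignored, as Snort ignores them

config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-attack,Misc Attack,2
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""

# Constructed, simplified rule lines.  The second one (hypothetical sid
# 1000001) carries an explicit priority: option, which overrides the priority
# of its classtype.
RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; classtype:attempted-recon; sid:469; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE local ssh probe"; classtype:attempted-recon; priority:1; sid:1000001; rev:1;)',
]

# Two of the alert lines quoted in the original post (fast alert format).
ALERTS = [
    "09/06-00:21:16.286990 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.231.235 -> 193.217.161.220",
    "09/06-02:03:19.613909 [**] [1:528:3] BAD TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 193.217.161.220:1406",
]

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\]"
)


def parse_classification_config(text):
    """Return {shortname: (description, priority)} from classification.config text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.startswith("config classification:"):
            continue
        body = line[len("config classification:"):].strip()
        shortname, rest = body.split(",", 1)          # shortname has no commas
        description, priority = rest.rsplit(",", 1)   # priority is the last field
        table[shortname.strip()] = (description.strip(), int(priority))
    return table


def rule_priority(rule_line, class_table):
    """Priority Snort assigns to a rule: an explicit priority: option wins,
    otherwise the priority of the rule's classtype from classification.config."""
    opts = rule_line[rule_line.index("(") + 1:rule_line.rindex(")")]
    fields = {}
    for opt in opts.split(";"):           # naive split; fine for these sample rules
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            fields[key.strip()] = value.strip().strip('"')
    if "priority" in fields:
        return int(fields["priority"])
    return class_table[fields["classtype"]][1]


def check_alert(alert_line, class_table):
    """Parse a fast-format alert and confirm its [Priority: N] matches the
    priority that classification.config gives its [Classification: ...] text.
    Returns (sid, classtype shortname, logged priority, consistent)."""
    m = ALERT_RE.search(alert_line)
    if not m:
        raise ValueError("not a Snort fast alert line: %r" % alert_line)
    by_description = {desc: (short, prio) for short, (desc, prio) in class_table.items()}
    short, expected = by_description[m.group("classification")]
    logged = int(m.group("priority"))
    return int(m.group("sid")), short, logged, logged == expected


if __name__ == "__main__":
    table = parse_classification_config(CLASSIFICATION_CONFIG)
    for rule in RULES:
        print(rule_priority(rule, table), rule[:60])
    for alert in ALERTS:
        print(check_alert(alert, table))
```

Snort loads the file through the `include classification.config` line in snort.conf, so editing a priority there changes it for every rule with that classtype; to change one rule only, add a `priority:` option to that rule, as the second sample rule does.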

