LinuxQuestions.org
Old 09-11-2004, 06:38 AM   #1
linuxtommy
LQ Newbie
 
Registered: Apr 2004
Posts: 9

Rep: Reputation: 0
Snort rules> priority


Hello!

My Snort is reporting alerts to my MySQL database.

In the log I find this:

09/06-00:05:29.472645 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 220.228.58.66:1356 -> 193.217.161.220:1434
09/06-00:21:16.286990 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.231.235 -> 193.217.161.220
09/06-00:23:50.707484 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.133.46 -> 193.217.161.220
09/06-00:54:57.420219 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.133.172 -> 193.217.161.220
09/06-01:11:52.430900 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.231.235 -> 193.217.161.220
09/06-01:40:44.600574 [**] [1:474:1] ICMP superscan echo [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 217.82.97.126 -> 193.217.161.220
09/06-02:03:19.613909 [**] [1:528:3] BAD TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 193.217.161.220:1406
09/06-02:51:05.731231 [**] [1:528:3] BAD TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 193.217.161.220:1868

Where does it say that a given rule should have priority 2? It does not say in the rule definition (i.e. icmp.rules)...?
 
Old 09-12-2004, 09:35 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I believe the priorities are set in the classification.config file. Priority should be the last field for each classification entry.
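
To illustrate the lookup the reply points to, here is an added example (not part of the original thread, and not Snort's own code) that resolves a rule's priority from its classtype via classification.config, and shows that a priority option in the rule itself overrides that default. The config lines and rules are constructed samples in Snort's syntax, and the function names are hypothetical.

```python
import re

# Constructed excerpt in classification.config syntax:
#   config classification: <shortname>,<description>,<default priority>
CLASSIFICATION_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: misc-attack,Misc Attack,2
"""

# Constructed rules modelled on the "ICMP PING NMAP" alert in the log above.
RULE_DEFAULT = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; '
                'dsize:0; itype:8; classtype:attempted-recon; sid:469; rev:1;)')
# Same rule with an explicit priority option, which overrides the classtype default.
RULE_OVERRIDE = RULE_DEFAULT.replace("sid:469;", "priority:1; sid:469;")


def load_classifications(text):
    """Map classtype short name -> (description, default priority)."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*config\s+classification:\s*(.+)$", line)
        if m:  # comments and blank lines simply do not match
            name, rest = m.group(1).split(",", 1)
            desc, prio = rest.rsplit(",", 1)  # priority is the last field
            table[name.strip()] = (desc.strip(), int(prio))
    return table


def rule_option(rule, key):
    """Return the value of a 'key:value;' rule option, or None if absent."""
    m = re.search(r"[(;]\s*" + re.escape(key) + r"\s*:\s*([^;]+);", rule)
    return m.group(1).strip() if m else None


def effective_priority(rule, table):
    """Return (priority, where it came from) for one rule."""
    explicit = rule_option(rule, "priority")
    if explicit is not None:
        return int(explicit), "priority option in the rule"
    classtype = rule_option(rule, "classtype")
    if classtype in table:
        return table[classtype][1], "classification.config entry " + classtype
    return None, "rule has no priority option or known classtype"


if __name__ == "__main__":
    table = load_classifications(CLASSIFICATION_CONFIG)
    for rule in (RULE_DEFAULT, RULE_OVERRIDE):
        print(rule_option(rule, "sid"), effective_priority(rule, table))
```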
 
  


All times are GMT -5.
