Snort rules> priority
Hello!
My Snort is reporting alerts to my MySQL database. In the log I find this:

09/06-00:05:29.472645 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 220.228.58.66:1356 -> 193.217.161.220:1434
09/06-00:21:16.286990 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.231.235 -> 193.217.161.220
09/06-00:23:50.707484 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.133.46 -> 193.217.161.220
09/06-00:54:57.420219 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.133.172 -> 193.217.161.220
09/06-01:11:52.430900 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 193.217.231.235 -> 193.217.161.220
09/06-01:40:44.600574 [**] [1:474:1] ICMP superscan echo [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 217.82.97.126 -> 193.217.161.220
09/06-02:03:19.613909 [**] [1:528:3] BAD TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 193.217.161.220:1406
09/06-02:51:05.731231 [**] [1:528:3] BAD TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 193.217.161.220:1868

Where does it say that a given rule should have priority 2? It does not say in the rule definition (i.e. icmp.rules)...?
I believe the priorities are set in the classification.config file. Priority should be the last field for each classification entry.
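One way to see where an alert's priority comes from, as an added example that is not part of the original thread: a small Python script that parses Snort's classification.config lines (format "config classification: shortname,description,priority") and resolves a rule's effective priority, where an explicit priority: option in the rule overrides the classtype's configured value. The config snippet and the rules are constructed for this example; sid 469 mirrors the NMAP ping rule in the alerts above, the other two rules are hypothetical.

```python
import re

# Constructed classification.config excerpt; the first three entries are the
# classifications seen in the quoted alerts, the fourth shows a priority-1 class.
CLASSIFICATION_CONFIG = """
# comment lines and blank lines are ignored
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-attack,Misc Attack,2
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""

# Constructed rules in Snort rule syntax (not copied from icmp.rules).
RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; '
    'dsize:0; itype:8; classtype:attempted-recon; sid:469; rev:1;)',
    # hypothetical rule: classtype says 2, but an explicit priority: option wins
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"HYPOTHETICAL override"; '
    'classtype:attempted-recon; priority:1; sid:9000001; rev:1;)',
    # hypothetical rule with neither classtype nor priority
    'alert tcp any any -> any any (msg:"no classtype at all"; sid:9000002; rev:1;)',
]

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$")


def parse_classifications(text):
    """Map classtype short name -> (description, priority) from classification.config."""
    table = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            table[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return table


def rule_option(rule, name):
    """Return the value of a 'name:value;' option inside a rule body, or None."""
    m = re.search(r"(?:^|[\s(;])" + re.escape(name) + r":\s*([^;]+);", rule)
    return m.group(1).strip() if m else None


def effective_priority(rule, classes):
    """Explicit priority: option first, then the classtype's configured priority.
    Returns None when the rule carries neither (no Snort default is assumed here)."""
    explicit = rule_option(rule, "priority")
    if explicit is not None:
        return int(explicit)
    ctype = rule_option(rule, "classtype")
    return classes[ctype][1] if ctype in classes else None
```

Running effective_priority over the three rules gives 2, 1 and None respectively, which is why the alert log shows Priority: 2 for sid 469 even though icmp.rules never spells it out.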