Prioritizing Alerts
Problem
You need to assign a priority to your alerts so that port scans aren't getting you out of bed.
Solution
Assign a custom priority level to an alert using the priority keyword:
priority: n;
Discussion
The priority keyword sets the priority of the rule it appears in and nothing else; it has no effect on any other rule. Lower numbers are more severe: in the stock classification.config the classes run from 1 (high) down to 4 (very low). A rule normally inherits its priority from its classtype, and an explicit priority overrides that default for this one rule, so you can demote a noisy signature (a port scan, say) without touching its class.
For example, the following rule assigns a priority of 10, well below anything in the default classification file, to every packet sent to TCP port 23, the Telnet port:
alert tcp any any -> any 23 (msg: "Telnet attempt"; priority: 10;)
Within Snort itself the value does nothing beyond being written into the alert record (it is also the sort key if you configure the event queue with order_events priority). The rule above carries no sid, which is why the generator:sid:rev triple in the record reads 1:0:0; production rules should always have one. This is one of the packets caught by the rule, as written to the alert file in Snort's full alert format:
[**] [1:0:0] Telnet attempt [**]
[Priority: 10]
11/02-13:42:39.806893 192.168.0.8:33175 -> 192.168.0.25:23
TCP TTL:64 TOS:0x10 ID:53754 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x1A3A5F77  Ack: 0x28166C84  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1872654 15987586
You can see that the priority has been set to 10. The number is meant for whatever consumes the alert file (a log parser, a SIEM, a paging script) to decide whether an alert is worth escalating; when you write that logic, remember that 1 is the most urgent value, not the least. Note also that the packet shown has the ACK and FIN flags set, so it is the close of a Telnet session rather than an attempt to open one: a rule that matches any packet to port 23 fires on every packet of every session, and adding flags:S; would restrict it to connection attempts.
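The following is an added example of the "other monitoring program" side, not code from the Snort Cookbook or the Snort project: a small Python script that splits a full-format alert file into records, pulls out the gid:sid:rev, message, [Priority: n] and endpoints, and returns the alerts whose priority is at or below a threshold (1 being most severe). The alert file is constructed for the example: the first record is the Telnet alert above, the next two are invented alerts whose priorities come from classtype defaults (the classification names and numbers are the stock classification.config values for shellcode-detect and attempted-recon), and the last is a header cut off mid-write, as log rotation can leave it, to show how a record with no priority field is handled.

```python
"""Pick out the Snort alerts worth escalating, based on the [Priority: n] field.

Assumed input: Snort's "full" alert format, one record per blank-line-separated
block. Snort's scale runs 1 = most severe upward, so "escalate" means
priority <= threshold.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample alert file (not captured from a real sensor). Record 1 is the
# Telnet alert from the recipe; records 2 and 3 are invented and carry
# classtype-derived priorities; record 4 is a header truncated mid-write.
SAMPLE_ALERT_FILE = """\
[**] [1:0:0] Telnet attempt [**]
[Priority: 10]
11/02-13:42:39.806893 192.168.0.8:33175 -> 192.168.0.25:23
TCP TTL:64 TOS:0x10 ID:53754 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x1A3A5F77  Ack: 0x28166C84  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1872654 15987586

[**] [1:1000001:1] EXAMPLE shellcode-like payload [**]
[Classification: Executable code was detected] [Priority: 1]
11/02-13:43:02.118802 10.0.0.5:4123 -> 192.168.0.25:80
TCP TTL:128 TOS:0x0 ID:2311 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x5A1B2C3D  Ack: 0x11223344  Win: 0xFFFF  TcpLen: 20

[**] [1:1000002:1] EXAMPLE SSH version probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/02-13:44:10.000001 192.168.0.9:51000 -> 192.168.0.25:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x00000001  Ack: 0x00000002  Win: 0x7210  TcpLen: 32

[**] [1:1000003:1] EXAMPLE record truncated by log rotation [**]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]\s*$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s*->\s*(\S+)\s*$")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: Optional[int]   # None when the record carries no [Priority: n]
    timestamp: Optional[str]
    src: Optional[str]
    dst: Optional[str]


def parse_alert_file(text: str) -> List[Alert]:
    """Split the file into records and pull out the fields we route on."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue   # not a record header (stray output); skip it
        priority = timestamp = src = dst = None
        for line in lines[1:]:
            pm = PRIORITY_RE.search(line)
            if pm:
                priority = int(pm.group(1))
            fm = FLOW_RE.match(line)
            if fm:
                timestamp, src, dst = fm.groups()
        alerts.append(Alert(int(head.group(1)), int(head.group(2)), int(head.group(3)),
                            head.group(4), priority, timestamp, src, dst))
    return alerts


def needs_escalation(alerts, max_priority=2, unknown_escalates=True):
    """Return the alerts to page on: priority <= max_priority (1 is most severe).

    A record with no parseable priority is escalated by default: failing open
    on a truncated record is cheaper than silently dropping a real event.
    """
    out = []
    for a in alerts:
        if a.priority is None:
            if unknown_escalates:
                out.append(a)
        elif a.priority <= max_priority:
            out.append(a)
    return out


if __name__ == "__main__":
    for a in needs_escalation(parse_alert_file(SAMPLE_ALERT_FILE)):
        print(f"ESCALATE p={a.priority} {a.gid}:{a.sid}:{a.rev} {a.msg} {a.src} -> {a.dst}")
```

Run against the sample, the Telnet alert at priority 10 is ignored while the priority 1 and 2 records (and the truncated one) are escalated; pass unknown_escalates=False if you would rather have malformed records land in a separate queue than on a pager.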
See Also
Snort Users Manual
Capturing Traffic from a Specific TCP Session