Snort Question


Joe Fontes

Jan 4, 2007, 3:14:28 PM1/4/07
to ossec...@ossec.net
Within the FAQ, there is the following quote: "Thirdly, it gives you the option to alert only on specific thresholds or combined events"
I am trying to set the threshold for emails to be only snort priority 1 events...although I have not seen how to do this anywhere.
I went through the wiki and searched for snort and haven't found where to look for priority settings...ideas?

Thanks!

Daniel Cid

Jan 7, 2007, 11:21:32 PM1/7/07
to ossec...@googlegroups.com, Joe Fontes
Hi Joe,

Basically you just want to receive alerts of priority 1 snort events and
not from the others, right? To do that, you will need two new local
rules:

<rule id="100015" level="8">
<if_sid>20100, 20101</if_sid>
<decoded_as>snort</decoded_as>
<match>[Priority: 1]</match>
<description>Priority 1 snort events.</description>
</rule>

<rule id="100016" level="4">
<if_sid>20100, 20101</if_sid>
<decoded_as>snort</decoded_as>
<description>Other snort events.</description>
</rule>

Note that the first one has the severity of 8, which will generate
e-mail alerts. It will also only be called if an event is decoded
as snort ... The second one will fire if it is not a priority 1.

The following blog entry can be of help too:
http://www.ossec.net/dcid/?p=23

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net
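To check the effect of the two local rules above before loading them into OSSEC, here is a small simulation over a few constructed Snort syslog lines. This is an added example, not code from the thread or from the OSSEC project: it mimics the ordering of the two rules (a line decoded as snort that contains the literal substring `[Priority: 1]` gets level 8, any other snort line gets level 4) and assumes an e-mail threshold of 7, which is taken here to be the default `<email_alert_level>`; the `snort[pid]: [gid:sid:rev]` pattern standing in for the snort decoder, the signature IDs and the log lines are all constructed.

```python
import re
from collections import Counter

# Constructed stand-in for OSSEC's snort decoder: a syslog line from the
# snort process followed by a "[gid:sid:rev]" signature reference.
SNORT_DECODER = re.compile(r"snort\[\d+\]:\s*\[\d+:\d+:\d+\]")

# The two local rules from the reply, in the order OSSEC evaluates them:
# (rule id, level, literal <match> substring or None for "no match clause").
# <match> in OSSEC is a plain substring test, so the closing "]" matters:
# "[Priority: 1]" does not match a line that says "[Priority: 10]".
RULES = [
    (100015, 8, "[Priority: 1]"),   # priority 1 snort events
    (100016, 4, None),              # every other snort event
]

EMAIL_ALERT_LEVEL = 7  # assumed default <email_alert_level> in ossec.conf


def classify(line):
    """Return (rule_id, level) for a line the snort decoder accepts, else None."""
    if not SNORT_DECODER.search(line):
        return None  # not decoded as snort: neither local rule applies
    for rule_id, level, needle in RULES:
        if needle is None or needle in line:
            return rule_id, level
    return None


def would_email(line):
    """True if the matched rule's level reaches the e-mail threshold."""
    hit = classify(line)
    return hit is not None and hit[1] >= EMAIL_ALERT_LEVEL


def summarize(lines):
    """Count how many lines each local rule would fire for."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is not None:
            counts[hit[0]] += 1
    return dict(counts)


# Constructed sample log: three snort alerts of different priority and one
# unrelated sshd line. Signature IDs and addresses are made up.
SAMPLE_LOG = [
    "Jan  4 15:14:28 sensor snort[2231]: [1:1000001:1] EXAMPLE priority-one signature "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
    "10.0.0.5:51234 -> 10.0.0.9:22",
    "Jan  4 15:14:29 sensor snort[2231]: [1:1000002:1] EXAMPLE priority-two signature "
    "[Classification: Misc activity] [Priority: 2] {UDP} 10.0.0.5:514 -> 10.0.0.9:514",
    "Jan  4 15:14:30 sensor snort[2231]: [1:1000003:1] EXAMPLE priority-three signature "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40000 -> 10.0.0.9:80",
    "Jan  4 15:14:31 sensor sshd[4321]: Failed password for root from 10.0.0.5 port 51235 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "email" if would_email(line) else "no email", "|", line[:60])
    print(summarize(SAMPLE_LOG))
```

Running it shows only the first line reaching level 8 and the e-mail threshold; the priority 2 and 3 lines fall through to rule 100016 at level 4, and the sshd line is ignored by both rules because it is not decoded as snort.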
