Topic for small fixes/questions


Stefan Kleindl

May 24, 2011, 8:28:04 AM
to sagan-dev
classification.config
[**] [5000075] [OPENSSH] Authentication success [**]
[Classification: successful-user] [Priority: 1]

Success should be 3, no?

Da Beave

May 26, 2011, 9:22:02 AM
to sagan-dev
Hmm.. Yeah, I'd think it should be a lower level alert. 3 sounds
good. Will change ASAP.

Da Beave

May 26, 2011, 9:25:22 AM
to sagan-dev
Actually, let me look into this. This might have been on par with how
Snort classified it. I can't recall if "successful-user" is a Snort
classification or one only for Sagan. Anyways, I'll check and let
you know.

Da Beave

May 26, 2011, 9:32:20 AM
to sagan-dev, sagan...@googlegroups.com

I've been out of the loop a bit for the last couple of weeks due to some
major changes where I work. Basically, I've been moving a data center
which has taken a lot of my time over the last few weeks. Fortunately,
that's coming to a close. Yesterday, I just got my new development box
online, which I intend to use for Sagan/Sagan-rules.

First off, I need to look into some reported liblognorm issues.
I also need to update some rules.


--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.

Da Beave

May 26, 2011, 3:29:44 PM
to sagan-dev
config classification: successful-user,Successful User Privilege Gain,1

That's from Snort's configuration, which I attempt to stay in line with. However, you can change it from 1 to 3.
Or just disable those rules.
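
Added example, not part of the thread and not Sagan's own code: a small Python helper that applies the priority change discussed above to a classification.config in the `config classification: shortname,description,priority` format quoted in the last message. The function names and the second sample entry are assumptions made for illustration.

```python
import re

# Line format quoted in the thread:
#   config classification: <shortname>,<description>,<priority>
LINE_RE = re.compile(
    r"^(?P<prefix>\s*config\s+classification:\s*)"
    r"(?P<name>[^,]+),(?P<desc>.*),\s*(?P<prio>\d+)\s*$"
)

def parse_classifications(text):
    """Return {shortname: (description, priority)}, skipping comments and blanks."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m["name"].strip()] = (m["desc"].strip(), int(m["prio"]))
    return result

def set_priority(text, shortname, priority):
    """Return the config text with one classification's priority changed.

    Every other line (comments, other classifications) is left untouched.
    Raises KeyError if the shortname is absent, so a typo does not pass silently.
    """
    if priority < 1:
        raise ValueError("priority must be a positive integer")
    out, found = [], False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["name"].strip() == shortname:
            line = f"{m['prefix']}{m['name']},{m['desc']},{priority}"
            found = True
        out.append(line)
    if not found:
        raise KeyError(shortname)
    return "\n".join(out) + "\n"

# Constructed sample: the first entry is the line quoted in the thread,
# the second is a made-up entry for contrast.
SAMPLE = """\
# classification.config (constructed sample)
config classification: successful-user,Successful User Privilege Gain,1
config classification: example-class,Constructed Example Entry,2
"""

if __name__ == "__main__":
    print(set_priority(SAMPLE, "successful-user", 3), end="")
```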