Info wanted on finetuning these IDS rules

DanielC · #1 (**permalink**) 12-09-2004, 07:31 AM

Hi,

Were can I find more info on how to finetune some of these rules. There are some rules who generate an email alers (lots of them). I do want the rule active but I do not want an email for every intrusion. Can somebody point me to docs?
Thanks

Daniel

bagira · #2 (**permalink**) 12-13-2004, 06:50 AM

Daniel,
in the Webadmin > Intrusion Prevention > Settings you can set the notification level for detected and blocked packets. There are three levels the IPS rules are assigned: high, medium and low. By logging in via console or ssh, change to the directory /var/chroot-snort/etc/snort/rules and have a look in the classification.config file. You will find all groups of IPS with a certain digit: 1,2,3. That reflects the severity level of the rulle. 1 is high and 3 is low. WIth this information, you are able to tune your Intrusion Protection on Astaro.
/bagira

SecApp · #3 (**permalink**) 12-13-2004, 10:30 AM

That's one for the Knowledgebase!

BarryG · #4 (**permalink**) 01-22-2005, 10:21 PM

Would be really nice if the severities would show up in the IPS rules pages.

Barry

streetfox · #5 (**permalink**) 01-31-2005, 02:32 PM

My words, hope this will be implemented

streetfox

weasel · #6 (**permalink**) 04-12-2005, 07:31 PM

Would be even nicer if when it showed up in the Rules list if it was editable.

Another nicety would be a per rule notification setting. There are lots of level 1 rules I want to see every notification for, while many others I don't really care to see, but I still want them dropped.

BTW, Astaro is a god send. Its already saved me 2 time from what could have easily turned into 20+ hours of clean up and recovery. Which means it has basically paid for itself already in 2 weeks. RIO doesn't get any better than that...