[Oisf-devel] Rule usage issues

Francis Trudeau trudeauf at gmail.com
Thu Jan 30 19:14:50 UTC 2020


The 'signature_severity' stuff is part of the metadata, which is free
form, but most of the time it's a key value pair:

https://suricata.readthedocs.io/en/latest/rules/meta.html#metadata

So signature_severity isn't an official keyword but rather extra
information that Emerging Threats (who made the rules you are looking
at) added to help classify the rule.  The reason other rules might not
have that is because they were made before the metadata was added by
default by them.

On Wed, Jan 29, 2020 at 11:17 PM Star <huzhenming36 at gmail.com> wrote:
>
> Happy new year, thanks for reply
> I have another question
> How many severity levels does this rule define?
> Some rules have severity and some do not. Is this not a uniform standard?
>
> Thank You
>
> On Tue, Jan 21, 2020 at 3:50 AM, Andreas Herz <aherz at oisf.net> wrote:
>>
>> On 19/01/20 at 17:36, Star wrote:
>> >       What does the signature_severity Major in the suricata default rule
>> > mean?
>>
>> That is just a classification of the severity by the rule writer.
>> This is on a lot of rules so depends mainly on the context.
>>
>> --
>> Andreas Herz
>> _______________________________________________
>> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>> Redmine: https://redmine.openinfosecfoundation.org/
>>
>
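To see concretely what "part of the metadata, which is free form" means for the rule text, here is an added example (not code from the thread, from OISF or from Emerging Threats) that tokenises a rule's option body and pulls out the metadata key/value pairs. The two rules are constructed for the example and use sids in the local 1000000+ range; the metadata keys (created_at, attack_target, signature_severity, tag) mirror the ET style discussed above but the values are made up. A rule that simply has no metadata keyword yields no severity, which is exactly the "some rules have it, some don't" situation in the question.

```python
"""Pull Suricata 'metadata' key/value pairs (e.g. Emerging Threats'
signature_severity) out of rule text.

Added example with constructed rules; not rules from any real ruleset.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample rules (sids in the local 1000000+ range).  The first
# carries ET-style metadata; the second has no metadata keyword at all.
ET_STYLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE Suspicious User-Agent"; flow:established,to_server; '
    'http.user_agent; content:"evil;agent"; '
    'metadata: created_at 2020_01_29, attack_target Client_Endpoint, '
    'signature_severity Major, tag Malware, tag C2; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)
PLAIN_RULE = (
    'alert tcp any any -> any 22 '
    '(msg:"EXAMPLE SSH connection"; flow:to_server; sid:1000002; rev:1;)'
)


def _split_option(text: str) -> Tuple[str, Optional[str]]:
    """'name:value' -> (name, value); a bare keyword -> (name, None)."""
    text = text.strip()
    if ":" not in text:  # e.g. nocase or http.user_agent carry no value
        return text, None
    name, value = text.split(":", 1)
    return name.strip(), value.strip()


def parse_rule_options(rule: str) -> List[Tuple[str, Optional[str]]]:
    """Split the parenthesised option body into (keyword, value) pairs.

    Options are ';'-separated, but a ';' inside a double-quoted value (as in
    content:"evil;agent") is data, so quotes and backslash escapes are
    tracked instead of doing a naive split on ';'.
    """
    start, end = rule.index("("), rule.rindex(")")
    body = rule[start + 1:end]
    options: List[Tuple[str, Optional[str]]] = []
    buf: List[str] = []
    in_quote = False
    escaped = False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append(_split_option("".join(buf)))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        options.append(_split_option("".join(buf)))
    return options


def parse_metadata(rule: str) -> Dict[str, List[str]]:
    """Return every metadata key with all of its values.

    Keys may repeat (e.g. 'tag Malware, tag C2'), so each key maps to a
    list.  A rule without a metadata keyword yields an empty dict.
    """
    meta: Dict[str, List[str]] = {}
    for name, value in parse_rule_options(rule):
        if name != "metadata" or value is None:
            continue
        for entry in value.split(","):
            parts = entry.strip().split(None, 1)
            if not parts:
                continue
            key = parts[0]
            val = parts[1].strip() if len(parts) > 1 else ""
            meta.setdefault(key, []).append(val)
    return meta


def signature_severity(rule: str) -> Optional[str]:
    """The rule writer's severity label, or None when none was added."""
    values = parse_metadata(rule).get("signature_severity")
    return values[0] if values else None


if __name__ == "__main__":
    for rule in (ET_STYLE_RULE, PLAIN_RULE):
        print(parse_metadata(rule), signature_severity(rule))
```

Because the keys are free form, anything beyond splitting on commas and whitespace (deciding which severity labels exist, or how to map them to alert priority) is a policy of the rule author, not of Suricata, so this code reports the label verbatim rather than interpreting it.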

