How is the severity level of "alert" calculated in EVE logs?

The alert message is as follows, and the value of the “severity” field is 2.

"alert":{
    "action":"allowed",
    "gid":1,
    "signature_id":2029340,
    "rev":2,
    "signature":"ET INFO TLS Handshake Failure",
    "category":"Potentially Bad Traffic",
    "severity":2,
    "metadata":{
        "attack_target":[
            "Client_Endpoint"
        ],
        "created_at":[
            "2020_01_30"
        ],
        "deployment":[
            "Perimeter"
        ],
        "former_category":[
            "INFO"
        ],
        "signature_severity":[
            "Informational"
        ],
        "updated_at":[
            "2020_01_30"
        ]
    }
}

I checked the rules, and I didn’t find any configuration for the “severity” field. Moreover, the documentation does not provide an explanation for the “severity” field. Therefore, I don’t know how the values for the “severity” field are calculated.

AFAIK, the JSON EVE output is generated in output-json-alert.c

jb_set_uint(js, "severity", pa->s->prio);

There, the priority value is logged as “severity”.
So it might be simply a mistake. Or?

Hi @sniper!
Welcome to our forum.
It seems to me that this field might be coming from the rule itself. See Rules Severities - Wiki - Emerging Threats
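The two replies together describe the mechanism: EVE writes the rule's priority into `severity`, and that priority comes from the rule, either the default attached to its `classtype` in classification.config (whose description is also what EVE logs as `category`) or an explicit `priority:` keyword that overrides it. The script below is an added example, not code from the forum or from Suricata: it parses a classification.config excerpt and a few rules, computes the effective priority per sid, and checks EVE alert lines against it. The classification.config lines, the rule bodies (the sid/msg/classtype for 2029340 match the posted alert, but the real ET rule body is longer), the EVE lines and the fallback `DEFAULT_PRIORITY` of 3 are constructed or assumed here.

```python
import json
import re

# Constructed sample in the format of Suricata's classification.config
# ("config classification: <shortname>,<description>,<priority>").
# The description is what EVE logs as alert.category; the number is the
# default priority for rules that use that classtype.
CLASSIFICATION_CONFIG = """\
# comments and blank lines are ignored
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: trojan-activity,A Network Trojan was detected,1
"""

# Constructed rules. The first reuses the sid/msg/classtype of the forum
# alert (real rule body is longer); the other two are hypothetical.
RULES = """\
alert tls any any -> any any (msg:"ET INFO TLS Handshake Failure"; classtype:bad-unknown; sid:2029340; rev:2;)
alert tcp any any -> any any (msg:"HYPOTHETICAL explicit priority wins"; classtype:not-suspicious; priority:1; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"HYPOTHETICAL no classtype"; sid:9000002; rev:1;)
"""

# Constructed EVE lines: the forum alert (trimmed), a second alert, and a
# non-alert event that must be ignored.
EVE_LINES = [
    '{"event_type":"alert","alert":{"action":"allowed","gid":1,"signature_id":2029340,"rev":2,'
    '"signature":"ET INFO TLS Handshake Failure","category":"Potentially Bad Traffic","severity":2}}',
    '{"event_type":"alert","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"HYPOTHETICAL explicit priority wins","category":"Not Suspicious Traffic","severity":1}}',
    '{"event_type":"flow","flow":{"pkts_toserver":3}}',
]

# Assumption: priority used when a rule has neither classtype nor priority.
DEFAULT_PRIORITY = 3

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),(\d+)\s*$")
OPT_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")


def parse_classification_config(text):
    """Map classtype shortname -> (category description, default priority)."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes


def parse_rules(text, classes):
    """Map sid -> {msg, category, priority}. An explicit priority keyword
    overrides the classtype default, which overrides DEFAULT_PRIORITY."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        body = line[line.index("(") + 1 : line.rindex(")")]
        opts = {k: v.strip() for k, v in OPT_RE.findall(body)}
        category, priority = "", DEFAULT_PRIORITY
        if opts.get("classtype") in classes:
            category, priority = classes[opts["classtype"]]
        if "priority" in opts:
            priority = int(opts["priority"])
        rules[int(opts["sid"])] = {
            "msg": opts.get("msg", "").strip('"'),
            "category": category,
            "priority": priority,
        }
    return rules


def check_eve_severity(lines, rules):
    """For each alert event return (sid, logged severity, expected priority,
    match), so a disagreement between EVE and the loaded ruleset stands out."""
    results = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        alert = event["alert"]
        rule = rules.get(alert["signature_id"])
        expected = rule["priority"] if rule else None
        results.append((alert["signature_id"], alert["severity"], expected,
                        alert["severity"] == expected))
    return results


if __name__ == "__main__":
    classes = parse_classification_config(CLASSIFICATION_CONFIG)
    rules = parse_rules(RULES, classes)
    for sid, logged, expected, ok in check_eve_severity(EVE_LINES, rules):
        print(f"sid {sid}: severity={logged} rule priority={expected} "
              f"{'OK' if ok else 'MISMATCH'}")
```

Note that `metadata.signature_severity` ("Informational" in the posted alert) is rule metadata echoed verbatim from the `metadata:` keyword; it is a separate, vendor-defined label and does not feed into the numeric `severity`, which is why the two can disagree for the same rule.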