How is the severity level of "alert" calculated in EVE logs?

The alert message is as follows, and the value of the “severity” field is 2.

        "signature":"ET INFO TLS Handshake Failure",
        "category":"Potentially Bad Traffic",

I checked the rules, and I didn’t find any configuration for the “severity” field. Moreover, the documentation does not provide an explanation for the “severity” field. Therefore, I don’t know how the values for the “severity” field are calculated.

AFAIK, the JSON EVE output is generated in output-json-alert.c

jb_set_uint(js, "severity", pa->s->prio);

There, the priority value is logged as “severity”.
So it might be simply a mistake. Or?

Hi @sniper !
Welcome to our forum.
It seems to me that this field might be coming from the rule itself. See Rules Severities - Wiki - Emerging Threats
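To put the two posts above together (severity is the rule's priority, and that priority comes from the rule's `classtype` via classification.config unless the rule sets `priority:` explicitly), here is an added worked example that is not part of this thread and not Suricata's own code. It resolves the priority a rule would carry from a constructed classification.config and constructed rules; the rule bodies, sids and the assumed default priority of 3 for rules with neither keyword are assumptions, not copied from the ET ruleset.

```python
import re

# Constructed sample classification.config (the real file uses the same
# "config classification: shortname,description,priority" line format).
CLASSIFICATION_CONFIG = """\
# shortname, human readable description, priority
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: trojan-activity,A Network Trojan was detected,1
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# Constructed sample rules. The first reuses the msg from the question, but
# its body, classtype and sid are assumed here, not copied from the ET ruleset.
RULES = """\
alert tls any any -> any any (msg:"ET INFO TLS Handshake Failure"; classtype:bad-unknown; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"Classtype overridden by priority keyword"; classtype:trojan-activity; priority:4; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"No classtype and no priority"; sid:1000003; rev:1;)
"""

# Assumed default for rules that carry neither classtype nor priority.
DEFAULT_PRIORITY = 3


def parse_classification_config(text):
    """Return {shortname: {"description": ..., "priority": int}}."""
    classes = {}
    pattern = re.compile(r"^config classification:\s*([^,]+),([^,]+),(\d+)\s*$")
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            classes[m.group(1).strip()] = {
                "description": m.group(2).strip(),
                "priority": int(m.group(3)),
            }
    return classes


def parse_rule_options(rule):
    """Split the parenthesised option block into {keyword: value}.

    Naive splitting on ';' is enough for the constructed rules above; a real
    parser must also handle escaped and quoted semicolons inside msg/content.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"') if value else None
    return options


def rule_severity(rule, classes, default=DEFAULT_PRIORITY):
    """Resolve the priority a rule would carry, i.e. what EVE logs as severity."""
    opts = parse_rule_options(rule)
    classtype = opts.get("classtype")
    cls = classes.get(classtype) if classtype else None
    if "priority" in opts:
        severity = int(opts["priority"])  # explicit keyword wins over classtype
    elif cls:
        severity = cls["priority"]        # inherited from classification.config
    else:
        severity = default                # assumed default, see DEFAULT_PRIORITY
    return {
        "sid": int(opts["sid"]),
        "signature": opts.get("msg"),
        "category": cls["description"] if cls else None,
        "severity": severity,
    }


def severities_for(rules_text, config_text):
    """Resolve severity/category for every 'alert' rule in rules_text."""
    classes = parse_classification_config(config_text)
    return [
        rule_severity(line, classes)
        for line in rules_text.splitlines()
        if line.strip() and line.lstrip().startswith("alert")
    ]


if __name__ == "__main__":
    for entry in severities_for(RULES, CLASSIFICATION_CONFIG):
        print(entry)
```

The first constructed rule resolves to severity 2 and category "Potentially Bad Traffic", matching the fields quoted in the question; the second shows that a `priority:` keyword overrides the classtype's configured priority, and the third falls back to the assumed default. To check a real rule, look at its `classtype:` and `priority:` keywords and the matching line in the classification.config that Suricata loads.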