How is the severity level of "alert" calculated in EVE logs?

sniper · September 25, 2023, 6:14am

The alert message is as follows, and the value of the “severity” field is 2.

"alert":{
        "action":"allowed",
        "gid":1,
        "signature_id":2029340,
        "rev":2,
        "signature":"ET INFO TLS Handshake Failure",
        "category":"Potentially Bad Traffic",
        "severity":2,
        "metadata":{
            "attack_target":[
                "Client_Endpoint"
            ],
            "created_at":[
                "2020_01_30"
            ],
            "deployment":[
                "Perimeter"
            ],
            "former_category":[
                "INFO"
            ],
            "signature_severity":[
                "Informational"
            ],
            "updated_at":[
                "2020_01_30"
            ]
        }
    }

I checked the rules, and I didn’t find any configuration for the “severity” field. Moreover, the documentation does not provide an explanation for the “severity” field. Therefore, I don’t know how the values for the “severity” field are calculated.

maja · September 25, 2023, 6:33am

AFAIK, the JSON EVE output is generated in output-json-alert.c

jb_set_uint(js, "severity", pa->s->prio);

There, the priority value is logged as “severity”.
So it might be simply a mistake. Or?

sbhardwaj · September 29, 2023, 3:50am

Hi @sniper !
Welcome to our forum.
It seems to me that this field might be coming from the rule itself. See Rules Severities - Wiki - Emerging Threats

Topic		Replies	Views
Eve.json severity:1 Help	4	242	February 5, 2024
Severity levels in eve.json Rules rules , suricata	3	420	April 13, 2024
Extensible Event Format logs issue	4	77	March 27, 2024
Eve-log level settings? Help	1	1109	February 2, 2022
Eve.json how to display only rules alert Rules	2	2506	May 4, 2021

How is the severity level of "alert" calculated in EVE logs?

Related topics