How does Suricata define the severity level of an alert? 1, 2, 3, 4… What are the most relevant combined features that can be considered to have greater weight for this? Would the signature IDs have a different weight of importance for this? The variables of the bidirectional traffic flow data? I would like to map the specifications of the severity levels recorded in the alerts, combining them with interpretations of labeling patterns used in datasets such as: Probe, DoS, R2L, U2R.
Severity comes from the rules, which can set it in 2 ways:
- explicitly using the `priority` keyword
- implicitly by setting a `classtype`. In your `classification.config` you see the priority as the last value on each line.
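The two resolution paths described in that answer, worked through as an added example (this is not code from the thread or from Suricata itself): it parses a constructed `classification.config` excerpt into a classtype-to-priority table, then resolves each rule's severity, letting an explicit `priority:` keyword override the classtype. The rules and sids are constructed, and the fallback of 3 for a rule with neither keyword is an assumption.

```python
import re

# Constructed classification.config excerpt. Real lines have the same shape:
#   config classification: shortname,description,priority
CLASSIFICATION_CONFIG = """\
# comments and blank lines are ignored
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-recon,Attempted Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""

# Constructed rules (sids in the local 1000000+ range, not real ruleset entries)
RULES = [
    'alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; classtype:attempted-recon; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE http flood"; classtype:attempted-dos; priority:1; sid:1000002; rev:1;)',
    'alert ip any any -> any any (msg:"EXAMPLE no classtype at all"; sid:1000003; rev:1;)',
]

DEFAULT_PRIORITY = 3  # assumption: used when a rule sets neither priority nor a known classtype


def parse_classification_config(text):
    """Map classtype short name -> (description, priority) from classification.config text."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("config classification:"):
            continue  # skips comments, blank lines and anything else
        body = line[len("config classification:"):].strip()
        name, rest = body.split(",", 1)      # the short name never contains a comma
        desc, prio = rest.rsplit(",", 1)     # the priority is always the last field
        table[name.strip()] = (desc.strip(), int(prio))
    return table


def rule_sid(rule):
    """Extract the sid from a rule, or None if it has none."""
    m = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
    return int(m.group(1)) if m else None


def rule_severity(rule, classtable, default=DEFAULT_PRIORITY):
    """Explicit priority keyword wins; otherwise the classtype's priority; otherwise the default."""
    m = re.search(r"\bpriority\s*:\s*(\d+)\s*;", rule)
    if m:
        return int(m.group(1))
    m = re.search(r"\bclasstype\s*:\s*([\w-]+)\s*;", rule)
    if m and m.group(1) in classtable:
        return classtable[m.group(1)][1]
    return default


def severity_table(rules, classtable):
    """sid -> resolved priority for every rule that carries a sid."""
    return {rule_sid(r): rule_severity(r, classtable)
            for r in rules if rule_sid(r) is not None}


if __name__ == "__main__":
    table = parse_classification_config(CLASSIFICATION_CONFIG)
    for sid, prio in severity_table(RULES, table).items():
        print(sid, prio)
```

Run against a real ruleset by replacing the constructed strings with the contents of `classification.config` and the `.rules` files; the resolved value is what ends up as `alert.severity` in the EVE output.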
Would it be possible to adjust this information using a dataset already collected in the pcap standard? Is there any way to obtain this related knowledge?
Do you want to use Suricata to read a set of pcaps (from this data set that you’ve mentioned), and use some heuristics to (re)evaluate rules’ severity based on that, and re-calculate the severity?
From my understanding, you should be able to, but Suricata's part in this would be reading the pcaps, generating output, and, as Victor pointed out, allowing you to set your classtypes via classification.config. For the heuristics etc., more would be needed – if I understood the idea correctly.
The question of my research is to take the already processed pcap file (traffic already captured and available in public pcap), transform it into the Suricata format, and then process it in some way to relate it to classifications of malicious traffic groupings (such as: Probe, DoS, R2L, U2R), and understand, within this grouping language, these types of malicious traffic, separating them from normal traffic, associating information about severity, category, signatures, and Suricata_ID. The first step would be to transform the pcap files and collect the tabulated data in the Suricata standard: severity, categories, signatures, Suricata_ID. Following this process, the goal is to understand this classification relationship with other available datasets.
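The first step described above, collecting severity, category, signature and signature ID per alert, as an added example (not code from the thread or from Suricata): it reads constructed `eve.json` lines, keeps only `alert` events, tabulates the alert and flow fields, and attaches a coarse dataset label. "Suricata_ID" is taken here to mean the rule's sid (`alert.signature_id`), and the category-to-group table is a hypothetical mapping for illustration, not something Suricata defines; the field names themselves are the ones Suricata's EVE alert output uses.

```python
import csv
import io
import json
from collections import Counter

# Constructed eve.json records: one JSON object per line, as Suricata writes them.
# The first is a flow event and is skipped; the rest are alert events.
EVE_JSON = """\
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","src_port":40001,"dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE ssh probe","category":"Attempted Information Leak","severity":2},"flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":180,"bytes_toclient":60}}
{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","src_port":40002,"dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"EXAMPLE http flood","category":"Attempted Denial of Service","severity":1},"flow":{"pkts_toserver":500,"pkts_toclient":2,"bytes_toserver":30000,"bytes_toclient":120}}
{"timestamp":"2024-01-01T00:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","src_port":40003,"dest_port":23,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE ssh probe","category":"Attempted Information Leak","severity":2},"flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":120,"bytes_toclient":60}}
"""

# Hypothetical mapping from Suricata classtype descriptions to the coarse dataset labels.
# This is an assumption made for the example; Suricata itself defines no such table.
CATEGORY_TO_GROUP = {
    "Attempted Information Leak": "Probe",
    "Attempted Denial of Service": "DoS",
    "Attempted User Privilege Gain": "R2L",
    "Attempted Administrator Privilege Gain": "U2R",
}

COLUMNS = ["timestamp", "src_ip", "dest_ip", "proto", "severity", "category",
           "signature", "signature_id", "gid", "rev",
           "pkts_toserver", "pkts_toclient", "bytes_toserver", "bytes_toclient", "group"]


def tabulate_alerts(eve_text):
    """One flat row per alert event; non-alert events and blank lines are skipped."""
    rows = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        f = ev.get("flow", {})  # bidirectional flow counters, when Suricata attached them
        rows.append({
            "timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"], "proto": ev["proto"],
            "severity": a["severity"], "category": a["category"],
            "signature": a["signature"], "signature_id": a["signature_id"],
            "gid": a["gid"], "rev": a["rev"],
            "pkts_toserver": f.get("pkts_toserver", 0), "pkts_toclient": f.get("pkts_toclient", 0),
            "bytes_toserver": f.get("bytes_toserver", 0), "bytes_toclient": f.get("bytes_toclient", 0),
            "group": CATEGORY_TO_GROUP.get(a["category"], "unmapped"),
        })
    return rows


def count_by(rows, key):
    """Distribution of one column, e.g. how many alerts per severity or per group."""
    return Counter(r[key] for r in rows)


def to_csv_text(rows):
    """Render the rows as CSV text with a fixed header, ready for a dataset join."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = tabulate_alerts(EVE_JSON)
    print(to_csv_text(rows))
    print(count_by(rows, "severity"), count_by(rows, "group"))
```

For a real run, produce the EVE file with `suricata -r capture.pcap -l outdir` and feed `outdir/eve.json` to `tabulate_alerts`; rows whose group comes out as `unmapped` show which categories the hypothetical table still needs a decision for.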