Severity levels in eve.json

Hi all,
I’m just starting to use Suricata.
My English is not good.
I see the field “Severity” in eve.json file on OPNsense.
I have the information that “Suricata has three severity levels, 1, 2 and 3. Three being the lowest”.
Please let me know if it’s right or wrong.
Thanks a lot!

Hi @Akai,

I am also a new user of Suricata, but this post may help you (please see in the thread the message from a Suricata team member).

When using Evebox to view events and alerts, it is also visible that severity level 2 is higher than severity level 3, hence we can guess about severity level 1 :slight_smile:

1 Like

Hi @alex_49100 ,
I got it, thank you for your answer.

You’re welcome @Akai ! Actually, my prudent answer was linked to the fact that I hadn’t yet seen a level 1 alert by the time I responded :slight_smile:

While testing rules further, some events (e.g. a website where you can upload a file) caused a level 1 alert, such as “ET POLICY Offsite File Backup in Use”, and in Evebox it’s easy to see clearly the different levels of events / alerts.

1 Like
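The thread's conclusion (severity 1 is the most urgent, 3 the least) is easy to put to work when reading eve.json directly rather than through Evebox. The script below is an added example written for this thread, not code from the original posts or from the Suricata project: it reads EVE JSON lines, keeps only `event_type: alert` records, and orders them so the lowest severity number comes first. The `alert.severity` and `event_type` fields are the standard Suricata EVE field names; the log lines themselves are constructed for the demo (the `signature_id` values are placeholders, not real ET rule SIDs, and only the first signature name is taken from the thread).

```python
"""Triage Suricata EVE JSON alerts by severity (1 = highest, 3 = lowest)."""
import json
from collections import Counter

# Suricata's convention, as confirmed in the thread: lower number = more severe.
SEVERITY_LABEL = {1: "high", 2: "medium", 3: "low"}

# Constructed eve.json sample for demonstration only. The first signature name
# is the one mentioned in the thread; signature_id values are placeholders.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"ET POLICY Offsite File Backup in Use","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.3","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE INFO Plain HTTP request (constructed)","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.0.2.44","proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"EXAMPLE SCAN Suspicious probe (constructed)","category":"Attempted Information Leak","severity":2}}
not json at all
"""


def parse_alerts(text):
    """Return alert records from EVE JSON lines, skipping non-alert and malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # eve.json is one JSON object per line; a truncated line (e.g. a file
            # being written while it is read) should not abort the whole pass.
            continue
        if event.get("event_type") != "alert":
            continue  # flow, dns, http, ... records carry no severity
        severity = event.get("alert", {}).get("severity")
        if severity not in SEVERITY_LABEL:
            continue  # defensive: ignore records with an unexpected severity value
        alerts.append(event)
    return alerts


def sort_by_severity(alerts):
    """Most urgent first: severity 1 before 2 before 3, then by timestamp."""
    return sorted(alerts, key=lambda ev: (ev["alert"]["severity"], ev["timestamp"]))


def severity_counts(alerts):
    """Count alerts per human-readable severity label."""
    return Counter(SEVERITY_LABEL[ev["alert"]["severity"]] for ev in alerts)


def alerts_at_or_above(alerts, max_severity_number):
    """Keep alerts whose numeric severity is <= the threshold (2 keeps high and medium)."""
    return [ev for ev in alerts if ev["alert"]["severity"] <= max_severity_number]


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE)
    print(dict(severity_counts(found)))
    for ev in sort_by_severity(found):
        a = ev["alert"]
        print(f"[{SEVERITY_LABEL[a['severity']]:<6}] {a['signature']} "
              f"({ev['src_ip']} -> {ev['dest_ip']})")
```

To run it against a real log, replace `SAMPLE_EVE` with the contents of `/var/log/suricata/eve.json` (on OPNsense the path may differ; check the IDS settings). The threshold helper is the piece worth keeping: alerting on `alerts_at_or_above(alerts, 2)` surfaces the high and medium events while leaving the informational severity 3 noise in the log.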