Severity levels in eve.json

Akai · April 8, 2024, 4:40am

Hi all,
I’m just start using Suricata.
My English is not good.
I see the field “Severity” in eve.json file on OPNsense.
I have the information that “Suricata has three severity levels, 1, 2 and 3. Three being the lowest”.
Please let me know if it’s right or wrong.
Thanks a lot!

alex_49100 · April 8, 2024, 10:30am

Hi @Akai,

I am also a new user of Suricata, but this post may help you (please see in the thread the message from a Suricata team member).

When using Evebox to view events and alerts, it is also visible that the severity level 2 is higher than severity level 3, hence we can guess what about severity level 1

Akai · April 13, 2024, 10:12am

Hi @alex_49100 ,
I got it, thank you for your answer

alex_49100 · April 13, 2024, 1:37pm

You’re welcome @Akai ! Actually, my prudent answer was linked to the fact that I hadn’t seen yet a level 1 alert by the time when I responded

Further testing rules, some events (eg. website where you can upload a file) caused a level 1, such as “ET POLICY Dropbox.com Offsite File Backup in Use” and in Evebox, it’s easy to see clearly the different levels of events / alerts.

Topic		Replies	Views
Eve.json severity:1 Help	4	144	February 5, 2024
Eve-log level settings? Help	1	925	February 2, 2022
Eve.json with 'weird' output and no ALERTS Help	1	425	December 8, 2021
Is there a standard way to test all Suricata rules? Are there any sample EVE files I should use for testing? Developers rules , suricata	1	1631	October 26, 2022
Suricata 4.0.6, /data/suricata/eve.json files too large Help suricata	1	80	April 5, 2024

Severity levels in eve.json

Related Topics