Hi!
In the suricata.rules file I can see signature_severity set, and in eve.json I see both that and also one other called just severity. How do they relate?
Sometimes I get alerts where sev=1/sig_sev=Critical, and sometimes sev=1/sig_sev=Informational.
And by what is severity set? (since it's not present in suricata.rules)
$ grep 2009099 suricata.rules
alert udp $HOME_NET 1024:65535 -> [$EXTERNAL_NET,!224.0.0.0/4] 1024:65535 (msg:"ET P2P ThunderNetwork UDP Traffic"; dsize:<38; content:"|32 00 00 00|"; depth:4; content:"|00 00 00 00|"; distance:1; threshold:type limit, track by_src, count 1, seconds 300; reference:url,xunlei.com; reference:url,en.wikipedia.org/wiki/Xunlei; classtype:policy-violation; sid:2009099; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Informational, updated_at 2019_07_26;)
And in eve.json...
{
  "timestamp": "2025-01-21T08:08:07.218624+0100",
  "event_type": "alert",
  ...
  "dest_port": 10050,
  "proto": "UDP",
  "community_id": "1:k8ntxFqa6QPNmM5nvC7v3IYfdgs=",
  "alert": {
    "signature_id": 2009099,
    "signature": "ET P2P ThunderNetwork UDP Traffic",
    "category": "Potential Corporate Privacy Violation",
    "severity": 1,
    ...
      "signature_severity": [
        "Informational"
      ],
    }
  },
  "app_proto": "failed",
  "flow": {
    ...
  }
}
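Added illustration, not part of the original post: in Suricata the eve.json `alert.severity` is the priority number that classification.config assigns to the rule's `classtype` (overridable by an explicit `priority:` keyword in the rule), while `signature_severity` is free text that the ruleset author placed in the rule's `metadata:` keyword, so a `policy-violation` rule (priority 1) can legitimately carry `signature_severity Informational`. The script below derives both values from the rule quoted above and checks them against the eve.json fields; the classification.config excerpt and the eve alert dict are constructed for this example (the policy-violation entry is assumed to match the default file shipped with Suricata).

```python
import re

# Constructed from the post: the ET rule for sid 2009099, split across string literals
RULE = (
    'alert udp $HOME_NET 1024:65535 -> [$EXTERNAL_NET,!224.0.0.0/4] 1024:65535 '
    '(msg:"ET P2P ThunderNetwork UDP Traffic"; dsize:<38; content:"|32 00 00 00|"; '
    'depth:4; content:"|00 00 00 00|"; distance:1; threshold:type limit, track by_src, '
    'count 1, seconds 300; reference:url,xunlei.com; '
    'reference:url,en.wikipedia.org/wiki/Xunlei; classtype:policy-violation; '
    'sid:2009099; rev:4; metadata:created_at 2010_07_30, confidence High, '
    'signature_severity Informational, updated_at 2019_07_26;)'
)

# Constructed excerpt in classification.config format (assumed to match the default
# file shipped with Suricata; priority 1 is the most severe)
CLASSIFICATION_CONFIG = """\
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# Constructed from the post: the eve.json alert fields being compared
EVE_ALERT = {"signature_id": 2009099, "category": "Potential Corporate Privacy Violation",
             "severity": 1, "signature_severity": ["Informational"]}

def parse_classification(text):
    """Map classtype short name -> (description, priority)."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*config classification:\s*([^,]+),([^,]+),(\d+)", line)
        if m:
            table[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return table

def parse_rule(rule):
    """Split the rule's option section into a dict, plus the metadata key/value pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {k.strip(): v.strip() for k, v in
            (o.split(":", 1) for o in re.split(r";\s*", body) if ":" in o)}
    meta = dict(m.strip().split(None, 1)
                for m in opts.get("metadata", "").split(",") if " " in m.strip())
    return opts, meta

def expected_alert_fields(rule, classification):
    """Derive severity/category/signature_severity the way Suricata fills eve.json."""
    opts, meta = parse_rule(rule)
    category, prio = classification.get(opts.get("classtype"), ("", 3))
    severity = int(opts.get("priority", prio))  # an explicit priority: keyword wins
    return {"signature_id": int(opts["sid"]), "category": category,
            "severity": severity, "signature_severity": [meta.get("signature_severity")]}
```

Running `expected_alert_fields(RULE, parse_classification(CLASSIFICATION_CONFIG))` reproduces the eve.json values from the post, which shows severity 1 comes from the classtype's priority and not from the Informational label.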