Suricata alert severity levels and how to verify the maximum level that can be triggered by a test custom rule

Hi all,

could you please tell me the minimum and maximum alert severity levels available for suricata?
At this moment, I noticed that alerts with severity levels 2 or 3 are correctly triggered.
So, I would like to know the maximum available alert level and how I can test it using/creating a custom rule.

I’m a newbie, so, please, sorry for this stupid question.
Mauro

Hi, the rule priority keyword is discussed here.

Hi Jeff,

thank you for your reply.
So, the highest alert level is 1 and the lowest is 4, right?

Now, if it is possible, I would like to ask you if there is a way to reduce the log lines in the eve and fast log files.

I know that I can disable some rules or groups of rules, but I would like to have only one alert line per event and not a great number of identical lines in a few seconds.
In this way, I could send the log information to Wazuh and use the Wazuh mail notification feature without flooding the mail server and my mail client :slight_smile:

Thank you,
Mauro

Have a look at 10.2. Global-Thresholds — Suricata 6.0.2 documentation
Though you might miss out on some contextual information from the subsequent alerts that would be squashed. You will also have no way of knowing if 10000 alerts would have followed your initial alert.

I would check if Wazuh has some option or custom search you can use to summarize alerts.

Yes, 1 is the highest priority.

Global thresholds can help reduce the amount of logging. There are also rule threshold keywords

One other thing to consider is reducing/disabling certain rules that are of low value to your deployment.

Suricata-update can help you build a rules file and disable those rules that are not of high value in your environment.
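As an added example (not from the original posts, and not part of the Suricata project itself), here is a test rule set that ties together the priority answer above and the threshold answers: a custom rule that forces priority 1 so you can confirm the highest severity in eve.json, a second rule that limits itself with the rule threshold keyword, and a threshold.config fragment that applies the same limit globally without editing the rule. The sids (9000001, 9000002) and the suppressed host address 192.0.2.10 are constructed values for this example.

```suricata
# --- test.rules (constructed for this example) ---
# The explicit priority keyword overrides the default priority of the classtype.
# priority:1 is the highest level, so the matching eve.json record carries "severity": 1.
# Matching on ICMP echo requests (itype 8) lets you trigger it with a simple ping from a test host.
alert icmp any any -> $HOME_NET any (msg:"TEST priority 1 - ICMP echo request"; itype:8; classtype:misc-activity; priority:1; sid:9000001; rev:1;)

# Same match, but the per-rule threshold keyword collapses a burst into at most
# one alert per source address every 60 seconds (type limit), which is the
# "one line per event" behaviour asked for above.
alert icmp any any -> $HOME_NET any (msg:"TEST priority 1 - ICMP echo request (limited)"; itype:8; classtype:misc-activity; priority:1; threshold:type limit, track by_src, count 1, seconds 60; sid:9000002; rev:1;)

# --- threshold.config fragment (file referenced by threshold-file: in suricata.yaml) ---
# Equivalent global limit for sid 9000001, useful for rules managed by suricata-update
# that you do not want to edit by hand.
threshold gen_id 1, sig_id 9000001, type limit, track by_src, count 1, seconds 60

# Suppress alerts for sid 9000001 from one known-noisy source (a monitoring box, for
# instance). The rule still matches; the alert is simply not logged, so the caveat
# above about losing context applies here too.
suppress gen_id 1, sig_id 9000001, track by_src, ip 192.0.2.10
```

Validate the files before deploying them with `suricata -T -c /etc/suricata/suricata.yaml -S test.rules` (the `-S` option loads only this rule file, so you test it in isolation). After a ping from the test host you should see one eve.json alert per rule with `"severity": 1`, and only one line for sid 9000002 per source per minute even if the host keeps pinging; lowering `priority` to 2 or 3 in the rule and re-running is a quick way to confirm that the `severity` field follows the priority keyword.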

Thank you, Jeff.
I really appreciated your help.

Mauro