Suricata alert severity levels and how to verify that the maximum level that can be triggered by a test custom rule

Hi all,

could you please tell me the minimum and maximum alert severity levels available for suricata?
At this moment, I noticed that alerts with severity levels 2 or 3 are correctly triggered.
So, I would like to know the maximum available alert level and how I can test it using/creating a custom rule.

I’m a newbie, so, please, sorry for this stupid question.

Hi, the rule priority keyword is discussed here.

Hi Jeff,

thank you for your reply.
So, the highest alert level is 1 and the lower is 4, right?

Now, if it is possible, I would like to ask you if there is a way to reduce the logs lines in eve and fast log files.

I know that I csan disable some rules or gorup fo rules, but I would like to have only one alert line per event and not a great number of identical lines in a few seconds.
In tthis way, I could send the log information to Wazuh and use Wazuh mail notification feature without flooding the mail server and my mail client :slight_smile:

Thank you,

Have a look at 10.2. Global-Thresholds — Suricata 6.0.2 documentation
Though you might miss out on some contextual information from the subsequent alerts that would be squashed. You will also have no way of knowing if 10000 alerts would have followed your initial alert.

I would check if Wazuh has some option or custom search you can use to summarize alerts.

Yes, 1 is the highest priority.

Global thresholds can help reduce the amount of logging. There are also rule threshold keywords

One other thing to consider is reducing/disabling certain rules that are of low value to your deployment.

Suricata-update can help you build a rules file and disable those rules that are not of high value in your environment.

Thank you, Jeff.
I really appreciated your help.