[Emerging-Sigs] priority level

David Glosser david.glosser at gmail.com
Fri Jan 23 14:47:30 EST 2009


I'm thinking, via oinkmaster, of setting some rules to a high priority. I would
get paged on those alerts so I would have the pleasure of getting up at 4:00
am on a Sunday.  Other alerts I would get emails or summary reports on.

- so maybe I would get paged if a downadup/conficker rule gets tripped on a
server network
- but not get a page on a World of Warcraft rule from an end user

While I know each network is different, I'm just wondering if there is any
kind of consensus or ideas on which rules one would consider a "SHTF"
event and would like to get 24x7 alerts on....
On Fri, Jan 23, 2009 at 2:16 PM, Joel Esler <eslerj at gmail.com> wrote:

> Priorities are different for everyone for every network.  I think setting
> of a priority though a rule is not feasible.
> J
>
> On Jan 23, 2009, at 1:57 PM, David Glosser allegedly wrote:
>
> I know you don't, and I'm just wondering if anyone has... if there are any
> "best practices" on this, and which rules one would set to a higher
> priority (i.e. paged in the middle of the night vs. reading a report during the
> day)... Thanks...
>
>
> On Fri, Jan 23, 2009 at 1:33 PM, Matt Jonkman <jonkman at jonkmans.com>wrote:
>
>> Hey David. Generally we don't have priorities in our rules, that's
>> something you can set locally if your event manager works on them.
>>
>> I'll get those two removed, thanks!
>>
>> Matt
>>
>> David Glosser wrote:
>> > Looks like only one or two ET rules have priority levels associated with
>> > them....
>> >
>> > Is there a list of suggested priorities for the ET rules to be changed
>> > via oinkmaster or something?
>> >
>> > For example, a higher priority for new C&C or "0day" rules.....
>> >
>> > Thanks
>> >
>> >
>> > ------------------------------------------------------------------------
>> >
>> > _______________________________________________
>> > Emerging-sigs mailing list
>> > Emerging-sigs at emergingthreats.net
>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>
>
>
> --
> Joel Esler
>http://www.joelesler.net
>http://www.twitter.com/joelesler
> [m]
>
>
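An added example of the local priority rewrite Matt refers to, not from this thread or from the Emerging Threats rule set. It does in plain sh what an oinkmaster "modifysid" line would do to a downloaded rule file (the modifysid syntax in the comments is my recollection of oinkmaster.conf, so treat it as an assumption and check it against your own copy), and then works out the priority Snort would attach to each rule. The rule lines, sids and msg strings are constructed placeholders. The one caveat worth seeing in code: a rule with no priority keyword inherits its priority from the classtype, and in the classification.config that ships with Snort (as I recall it) policy-violation and trojan-activity both map to priority 1, so a WoW rule and a Conficker rule look identical to a pager keyed on Snort's priority alone until you override one of them.

```sh
#!/bin/sh
# Added example (not from the thread): rewrite rule priorities the way an
# oinkmaster "modifysid" line would, then compute the priority Snort would
# attach to each rule. Sids, msgs and rule lines are constructed; the
# classtype->priority values are Snort's classification.config defaults
# (assumption, quoted from memory for the classtypes used here).

# Constructed sample rules; 9000001-9000003 are placeholder sids, not ET sids.
SAMPLE_RULES='alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"SAMPLE Downadup/Conficker style rule"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3724 (msg:"SAMPLE World of Warcraft style rule"; classtype:policy-violation; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE rule with explicit priority"; classtype:web-application-attack; priority:2; sid:9000003; rev:1;)'

# Priority a classtype carries when the rule has no priority keyword of its own.
classtype_priority() {
    case "$1" in
        trojan-activity|policy-violation|web-application-attack) echo 1 ;;
        bad-unknown|misc-attack|web-application-activity) echo 2 ;;
        *) echo 3 ;;
    esac
}

# Effective priority of one rule line: an explicit "priority:N;" wins,
# otherwise the classtype decides.
rule_priority() {
    rule=$1
    explicit=$(printf '%s\n' "$rule" | sed -n 's/.*priority:[[:space:]]*\([0-9]*\);.*/\1/p')
    if [ -n "$explicit" ]; then
        echo "$explicit"
        return 0
    fi
    ct=$(printf '%s\n' "$rule" | sed -n 's/.*classtype:[[:space:]]*\([^;]*\);.*/\1/p')
    classtype_priority "$ct"
}

# Filter: set priority $2 on the rule with sid $1, replacing an existing
# priority keyword or inserting one in front of "sid:". The equivalent
# oinkmaster.conf line (assumed syntax: modifysid <sid> "<regexp>" | "<replacement>"):
#   modifysid 9000001 "sid:" | "priority:1; sid:"
set_priority() {
    sid=$1; prio=$2
    sed -e "/sid:$sid;/{" \
        -e "s/priority:[[:space:]]*[0-9]*;/priority:$prio;/" \
        -e "/priority:/!s/sid:/priority:$prio; sid:/" \
        -e "}"
}

# Page on the Conficker-style rule (priority 1); push the WoW rule down to 4
# so it only shows up in the daily report.
prioritized_rules() {
    printf '%s\n' "$SAMPLE_RULES" | set_priority 9000001 1 | set_priority 9000002 4
}

# Priority of a sid before and after the rewrite, for checking the result.
original_priority_of_sid() {
    rule_priority "$(printf '%s\n' "$SAMPLE_RULES" | grep "sid:$1;")"
}
priority_of_sid() {
    rule_priority "$(prioritized_rules | grep "sid:$1;")"
}

# Show what each rule would now log as.
prioritized_rules | while IFS= read -r line; do
    printf 'priority %s: %s\n' "$(rule_priority "$line")" "$line"
done
```

Run it against a real rules file by replacing SAMPLE_RULES with `cat emerging-all.rules`, and keep the sid list you page on in one place (the oinkmaster.conf modifysid lines, or this script) so the override survives the next rule update instead of being hand-edited back in.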