
90 Chapter 3 • Working with Snort Rules

The name is the label used for the classification; it is the value given to the classtype keyword in Snort rules. The description is a short description of the class type. Priority is a number that shows the default priority of the classification, which can be overridden with the priority keyword inside the rule options. You can also place these lines in the snort.conf file. An example of this configuration parameter is as follows:

    config classification: DoS,Denial of Service Attack,2

In the above line the classification name is DoS and the default priority is 2. In Chapter 6, you will see that classifications are used in ACID [2], which is a web-based tool to analyze Snort alert data.

Now let us use this classification in a rule. The following rule uses the default priority that comes with the classification DoS:

    alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; \
    content:"server"; classtype:DoS;)

The following is the same rule, but here we override the default priority of the classification with the priority keyword:

    alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; \
    content:"server"; classtype:DoS; priority:1;)

Using classifications and priorities for rules and alerts, you can distinguish between high- and low-risk alerts. This feature is very useful when you want to escalate high-risk alerts or want to pay attention to them first.

NOTE: Low priority numbers indicate high priority alerts.

If you look at the ACID browser window, as discussed in Chapter 6, you will see the classification screens as shown in Figure 3-3. The second column in the middle part of the screen displays different classifications for captured data. Other tools also use the classification keyword to prioritize intrusion detection data.

A typical classification.config file is shown below. This file is distributed with Snort 1.9.0. You can add your own classifications to this file and use them in your own rules.

2. ACID stands for Analysis Control for Intrusion Detection. It provides a web-based user interface to analyze data generated by Snort.
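To make the precedence rule concrete (an explicit priority keyword wins over the classtype default, and a lower number means a more urgent alert), here is an added example, not from the book or from Snort itself, that parses constructed classification.config lines and a few constructed rules, then orders the rules by their effective priority. Rules with neither keyword get no priority here; how Snort itself treats them is not covered by this section.

```python
import re

# Constructed sample classification.config lines (not the file shipped with Snort)
CLASSIFICATION_CONFIG = """
# name, description, default priority
config classification: DoS,Denial of Service Attack,2
config classification: attempted-recon,Attempted Information Leak,2
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# Constructed sample rules, one per line (the book's '\' continuation already joined)
RULES = r"""
alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; content:"server"; classtype:DoS;)
alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; content:"server"; classtype:DoS; priority:1;)
alert tcp any any -> any 80 (msg:"no class"; content:"x";)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")

def parse_classifications(text):
    """Map classification name -> (description, default priority)."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            name, desc, prio = m.groups()
            classes[name.strip()] = (desc.strip(), int(prio))
    return classes

def option_value(rule, keyword):
    """Return the value of a rule option such as msg, classtype or priority, or None."""
    m = re.search(r"\b%s\s*:\s*([^;)]+)" % keyword, rule)
    return m.group(1).strip() if m else None

def effective_priority(rule, classes):
    """priority keyword overrides the classtype default; None if neither applies."""
    explicit = option_value(rule, "priority")
    if explicit is not None:
        return int(explicit)
    ctype = option_value(rule, "classtype")
    return classes[ctype][1] if ctype in classes else None

def triage(rule_text, class_text):
    """Return (msg, effective priority) per rule, most urgent (lowest number) first."""
    classes = parse_classifications(class_text)
    rows = [(option_value(r, "msg").strip('"'), effective_priority(r, classes))
            for r in rule_text.splitlines() if r.strip().startswith("alert")]
    return sorted(rows, key=lambda row: (row[1] is None, row[1] or 0))
```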