We have been using the snort parsing in our environment with great success, but one issue we are running into is that the volume of rules we have running is clogging up our risk.info category. While we're working through some tuning, one of my analysts wanted to know if it was possible to put the rules into a dedicated category rather than in the risk categories. In looking through other discussions on these forums I saw the below mappings were in place. While I'm quite comfortable looking at the snort.config file and making adjustments, these options did not seem to be available.
Is it possible to override these mappings?
Snort to NextGen Field Mappings

Snort Field -> NextGen Meta
"snort rule" -> threat.source
rule.priority / classtype -> used to decide which risk meta category is used for the message:
  1 - risk.warning
  2 - risk.suspicious
  3 - risk.info