Snort to NextGen Field Mappings overrides

Question asked by Rebecca Quinn on Sep 4, 2015
Latest reply on Sep 15, 2015 by Christopher Ahearn

We have been using the snort parsing in our environment with great success, but one issue we are running into is that the volume of rules we have running is clogging up our risk.info category. While we're working through some tuning, one of my analysts wanted to know if it was possible to put the rules into a dedicated category rather than in the risk categories. In looking through other discussions on these forums I saw the below mappings were in place. While I'm quite comfortable looking at the snort.config file and making adjustments, these options did not seem to be available.
Is it possible to override these mappings?
Snort to NextGen Field Mappings

Snort Field       NextGen Meta
"snort rule"      threat.source
sid               alert.id
classtype         threat.category
message           risk.*

1. rule.priority/classtype: these are used to decide which risk meta category holds the message
   1 - risk.warning
   2 - risk.suspicious
   3 - risk.info
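The following Python script is an added illustration of the mapping table above; it is not code from the original post, from Snort, or from RSA NetWitness. It assumes the Snort 2.x alert_fast line layout (`[**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] ...`), uses constructed sample alert lines, and treats any priority outside 1-3 as risk.info (an assumption, since the post only lists 1-3). The `risk_keys` parameter is this example's own override mechanism for showing how a dedicated key would change the distribution; it is not a snort.config option. The histogram helper makes the "clogging up risk.info" effect from the question visible on sample data.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Snort alert_fast line layout (assumption: Snort 2.x "alert_fast" output).
FAST_ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<classtype>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<priority>\d+)\]"
)

# rule.priority -> risk meta key, exactly as listed in the forum post.
DEFAULT_RISK_KEYS: Dict[int, str] = {1: "risk.warning", 2: "risk.suspicious", 3: "risk.info"}
# Priorities the post does not list (e.g. 4) are routed here (assumption).
FALLBACK_KEY = "risk.info"

# Constructed sample alerts (not real traffic); 10.0.0.0/8 addresses are placeholders.
SAMPLE_ALERTS: List[str] = [
    "09/04-10:15:02.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "09/04-10:15:03.000001  [**] [1:1000001:1] LOCAL policy test rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:51235 -> 10.0.0.5:443",
    "09/04-10:15:04.500000  [**] [1:1000002:1] LOCAL suspicious admin login [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.12:4444 -> 10.0.0.5:22",
    # No [Classification: ...] block: classtype is optional in alert_fast output.
    "09/04-10:15:05.000000  [**] [1:1000003:2] LOCAL noisy rule [**] "
    "[Priority: 3] {UDP} 10.0.0.9:5353 -> 10.0.0.255:5353",
]


def map_snort_alert(line: str, risk_keys: Optional[Dict[int, str]] = None) -> Optional[Dict[str, str]]:
    """Translate one alert_fast line into the NextGen meta keys from the post.

    Returns None when the line is not an alert. `risk_keys` lets the caller
    substitute a different priority -> meta-key table (this example's own
    mechanism for trying out a dedicated key).
    """
    keys = DEFAULT_RISK_KEYS if risk_keys is None else risk_keys
    m = FAST_ALERT_RE.search(line)
    if not m:
        return None
    meta = {
        "threat.source": "snort rule",   # constant tag, per the mapping table
        "alert.id": m.group("sid"),      # sid -> alert.id
    }
    if m.group("classtype"):
        meta["threat.category"] = m.group("classtype")   # classtype -> threat.category
    priority = int(m.group("priority"))
    risk_key = keys.get(priority, FALLBACK_KEY)          # priority decides risk.* key
    meta[risk_key] = m.group("msg")                      # message -> risk.*
    return meta


def risk_key_histogram(lines: List[str], risk_keys: Optional[Dict[int, str]] = None) -> Dict[str, int]:
    """Count how many alerts land under each risk/meta key.

    Useful for quantifying the 'everything ends up in risk.info' problem the
    question describes before and after changing the key table.
    """
    keys = DEFAULT_RISK_KEYS if risk_keys is None else risk_keys
    routed_keys = set(keys.values()) | {FALLBACK_KEY}
    counts: Counter = Counter()
    for line in lines:
        meta = map_snort_alert(line, keys)
        if meta is None:
            continue
        for key in meta:
            if key in routed_keys:
                counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(map_snort_alert(alert))
    print("default routing:", risk_key_histogram(SAMPLE_ALERTS))
    # Hypothetical dedicated key for the noisy priority-3 local rules.
    print("with override:", risk_key_histogram(SAMPLE_ALERTS, {1: "risk.warning", 2: "risk.suspicious", 3: "alert.local"}))
```

Running the script on the constructed lines shows two of the four alerts routed to risk.info under the default table, which is the pile-up the question describes; swapping the priority-3 entry for a hypothetical dedicated key moves those alerts out of the risk.* namespace without touching the other mappings.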