Can we change the priority of signatures?

  • Question
  • Updated 5 years ago
  • Answered

IT-help

Posted 5 years ago

Aisling Brennan, Official Rep

A method of doing this is to disable the standard signature, then copy-paste the signature in a new local one and add the priority instead of editing the standard signatures.

Let's use an example of the POLICY Skype User-Agent detected signature and change the priority to P3. The default priority for this signature is P1.

Signature text:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| "; content:"Skype"; within:100; pcre:"/User-Agent\:[^\n\r]+Skype/i"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:8;)

Signature text with priority added:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| "; content:"Skype"; within:100; pcre:"/User-Agent\:[^\n\r]+Skype/i"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; priority:3; rev:8;)
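
The copy-and-edit step from the answer above can be scripted so the local copy differs from the standard rule only in its priority. This is an added example, not part of the original reply or any vendor tooling; `split_options` and `set_priority` are hypothetical helper names, and the rule text is the one quoted in the answer.

```python
# Added example: set priority:<n> on a copied Snort/Suricata-style rule.
STANDARD_RULE = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Skype User-Agent detected"; '
    r'flow:to_server,established; content:"|0d 0a|User-Agent|3a| "; content:"Skype"; within:100; '
    r'pcre:"/User-Agent\:[^\n\r]+Skype/i"; reference:url,doc.emergingthreats.net/2002157; '
    r'classtype:policy-violation; sid:2002157; rev:8;)'
)

def split_options(body):
    """Split the option body on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # real option terminator
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts

def set_priority(rule, priority):
    """Return the rule with priority:<n> placed before rev, replacing any existing priority."""
    if priority < 1:
        raise ValueError("priority must be a positive integer")
    start, end = rule.index("("), rule.rindex(")")
    name = lambda opt: opt.split(":", 1)[0].strip()
    opts = [o for o in split_options(rule[start + 1:end]) if name(o) != "priority"]
    names = [name(o) for o in opts]
    pos = names.index("rev") if "rev" in names else len(opts)
    opts.insert(pos, f"priority:{priority}")
    return rule[:start] + "(" + "; ".join(opts) + ";)"

if __name__ == "__main__":
    print(set_priority(STANDARD_RULE, 3))  # paste the output into the new local signature
```

Run on the standard signature with priority 3, it reproduces the "Signature text with priority added" line above; the standard signature still has to be disabled separately, as the answer describes.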