How do Suricata alerts get a severity rating?

[csanate]

I read the following: https://docs.securityonion.net/en/2.3/managing-alerts.html?highlight=severity#alerting-engines-severity

event.severity: 4 ==> event.severity_label: critical

event.severity: 3 ==> event.severity_label: high

event.severity: 2 ==> event.severity_label: medium

event.severity: 1 ==> event.severity_label: low

My question, in the context of Suricata w/ ET rulesets is where does this severity level come from? Is it from the classtype in the rule and then mapped somehow to a severity level?

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sality Virus User Agent Detected (KUKU)"; flow:established,to_server; http.user_agent; content:"KUKU"; nocase; depth:4; reference:url,doc.emergingthreats.net/2003636; classtype:pup-activity; sid:2003636; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)

Sorry, I feel like I am missing something obvious here but can't figure out what.

Thanks!

[Acewiza]

I like to think reported successful exploits get ranked by estimated dollar-value loss in a weighted system where things like ubiquity, target sensitivity and other criteria are used. Just a WAG.

[csanate]

Thanks, I'm mostly asking because I want to write some Suricata rules, but I'm not understanding how I can set the severity.

[Masaya-A]

classtype in each rule sets the severity, that is connected to classification.config. You can obtain it by sudo docker exec -it so-suricata more /etc/suricata/classification.config.
So, your example rule says classtype:pup-activity and it is written in classification.config as config classification: pup-activity,Possibly Unwanted Program Detected,2. Then suricata's rule.severity is 2.
After that, common.nids converts to SO's standardized alert severity as event.severity.

[csanate]

Thank you, this is exactly what I was looking for.

[csanate]

Just to follow-up on this, I was looking over the common.nids file, and noticed there are only mappings for low, medium, and high severity. Where does the critical severity come into play? I see 4 severity levels in the /etc/suricata/classification.config file.

Thanks!

[defensivedepth]

critical comes from Sigma, but suricata rules typically only have low/med/high.

[jopi2016]

Hey @Masaya-A ,
I have a question related to this:
I would like to add my own classification. Should this go into /opt/so/saltstack/default/salt/suricata/defaults.yaml or into /opt/so/saltstack/local/pillar/global.sls ?
I currently have it in global.sls but are getting an error when executing sudo salt-call state.highstate:
Event iteration failed with exception: 'list' object has no attribute 'items'

My global.sls looks like this:

suricata:
  config:
    vars:
      address-groups:
        MY_SERVER: '1.2.3.4'
  classification:
    my-classification:
      description: Description for my classification
      priority: 2
    my-classification2:
      description: Description for my classification2
      priority: 3

[Masaya-A]

I'm not sure how to add custom classification for SO.
Maybe SO devs will help you if you start a new thread about this.