# DESCRIPTION:
#
# This file is used by the report generator to assign scores to
# certain types of alerts. Use this file to increase the likelihood
# that a certain type of alarm is successful. The scores listed
# in this file will be added to any scores derived by the report
# generator. The format is -> ALERT_TYPE SCORE
#
# The score derived by the report generator is influenced by certain
# traffic patterns. If an alarm is generated and a connection is
# seen coming from the victim host back to the suspect host, this will
# drive the score past the $ALARM_THRESHOLD. Also, an alarm generated by
# a host from the internal network will likely produce a score higher
# than the $ALARM_THRESHOLD. This functionality only affects alarms
# which produce an incident.
#
# EXAMPLE:
# Let's assume you have created a custom alert type of
# "Employee_Did_Something_Bad". Let's also assume that this alarm
# is triggered only under certain conditions and you know the alarm is
# always correct or of great interest. To make this always show up in
# the report, set the score to something equal to or higher than the
# $ALARM_THRESHOLD (default: 100).
#
# NOTES:
#
# The only alert type that cannot be given a score is
# "SensitiveSignature". Instead, signatures are given their own
# scores specified in their meta-data. (still in the works)
#
TRWAddressSca       40
WeirdActivit        1
PortScan            20
PasswordGuessing    60
MultipleSignature   20
_DEFAULT_           0