Can priorities and classifications be assigned to Alerts?

The quick answer to this question is that it depends. ACID is at the mercy of the underlying database. Snort versions prior to 1.7 did not support priorities, hence ACID did not have priorities. In version 1.8, rudimentary support for classification and priorities was added to Snort (DB schema v103). At this time ACID only supports classifications, but will also support priorities in the near future. In the meantime, there are several work-arounds:

• It is possible to enforce priorities of a sort at the database level by writing alerts of different severity to separate databases. For example, critical alerts such as buffer overflows can be written to one database, while scan alerts can be written to another. Then load two different versions of ACID, each pointing to a different instance of the database.

• With manual intervention, Alert Groups (AG) can be used to assign priority. Essentially, this strategy entails creating an AG for each severity level and manually moving the alerts as
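One way to implement the first work-around in the Snort configuration (an added example, not taken from the ACID FAQ): a Snort ruletype declaration carries its own output plugins, so rules written with the critical ruletype are logged only to one database and rules written with the scan ruletype only to the other. The database names, the snort user, the password placeholder and the two rules below are constructed for illustration.

```snort
# snort.conf fragment (constructed example): one database per severity.
# Rules that use the standard "alert" action still go to whatever global
# output plugins are configured; only rules using these ruletypes are
# routed to the per-severity databases.

# Severe alerts (e.g. buffer overflow attempts) -> database "snort_critical"
ruletype critical
{
    type alert
    output database: alert, mysql, user=snort password=<PASSWORD> dbname=snort_critical host=localhost
}

# Reconnaissance / scan alerts -> database "snort_scans"
ruletype scan
{
    type alert
    output database: alert, mysql, user=snort password=<PASSWORD> dbname=snort_scans host=localhost
}

# Constructed rules showing how each ruletype is used in place of "alert".
# classtype values come from classification.config (Snort 1.8+).
critical tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP oversized USER command (constructed)"; content:"USER "; dsize:>500; classtype:attempted-admin;)
scan tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS probe (constructed)"; flags:FPU; classtype:attempted-recon;)
```

Each of the two databases is created with the same Snort schema (create_mysql script), and the two ACID instances are pointed at them through the alert database settings ($alert_dbname and friends) in their respective acid_conf.php files.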