- High (red) — Signatures that protect against clearly identifiable security threats or malicious actions. Most of these signatures are specific to well-identified exploits and are mostly non-behavioral in nature. They should be prevented on every host.
- Medium (orange) — Signatures that are behavioral in nature and deal with preventing applications from operating outside of their environment (relevant for agents protecting web servers and Microsoft SQL Server 2000). On critical servers, you may want to prevent those signatures after fine-tuning.
- Low (yellow) — Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they cannot be changed. Preventing yellow signatures increases the security of the underlying system, but requires additional fine-tuning.
- Information (blue) — Indicates a modification to the system configuration that might create a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack.