
List:       security-onion
Subject:    Re: [security-onion] What is sguil RealTime Query?
From:       Jeremy Hoel <jthoel () gmail ! com>
Date:       2013-03-29 16:14:41
Message-ID: CAH_p-VP2r6rZ6E--LfkYgTBqzHi0ExoFtjKY8qkVSD6GbzfWEQ () mail ! gmail ! com

Real Time events are events that come in and have not been categorized
yet.  Once you categorize an alert, it leaves the real-time window.

There is an option somewhere to make it NOT group events, but I don't
use it.  Grouping (to me) helps reduce clutter, and it's pretty smart
about what it groups together.

From the nsmwiki:
------------
Correlated Events

Events that have the same src IP and signature/message are correlated
under the same event in the appropriate RT pane. Each time an event is
"correlated" the CNT field is incremented by one. To view all the
correlated events, select the event->right click on the CNT
column->View Correlated Events. The shortcut for this info is to
middle click on the CNT column of a selected event.

Generating Transcripts, loading data into Wireshark: Make sure
Wireshark is installed on the client system. Select an alert, right
click on the sid.cid column. Select Transcript or Wireshark. Middle
clicking on the sid.cid column of a highlighted event will also
request a transcript.
------------



On Fri, Mar 29, 2013 at 10:16 AM, archembo <archembo@gmail.com> wrote:
> Hello,
> 
> I was wondering how sguil generates the GUI Realtime pane to see if I could tune it up.
> By experience, it seems that it displays the following sql query:
> 
> SELECT [...] FROM event WHERE event.status=0 GROUP BY event.src_ip,event.signature;
> 
> --> problem with that: several alerts for different destination IP addresses are grouped so you can miss out some events if you don't click 'view correlated event'.
> I checked on nsmwiki but couldn't find any relevant information about this. I tried to search through the TCL scripts:
> /usr/bin/sguil.tk: set GUI RealTime Pane
> /etc/nsm/securityonion/sguild.queries : looks interesting, but nothing about Real time event here.
> /usr/lib/sguild/SguildEvent.tcl : might be something here, but I lack TCL skills to analyse it.
> 
> If anyone could help me to find out what process/script/query makes the real time pane display events, that would be greatly appreciated.
> Regards
> 
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group. To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this group, send email to security-onion@googlegroups.com. Visit this group at http://groups.google.com/group/security-onion?hl=en-US. For more options, visit https://groups.google.com/groups/opt_out.
> 

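An added illustration of the grouping behaviour discussed in this thread (example code, not from Sguil or from either poster): it loads constructed alerts into an in-memory SQLite table that is a simplified stand-in for Sguil's event table, runs a query shaped like the quoted GROUP BY to show how alerts against three different destinations collapse into one row with CNT=3, and expands that row the way "View Correlated Events" does. The column names and status codes are assumptions for the example, not Sguil's real schema.

```python
import sqlite3

# Constructed sample alerts. The table is a simplified stand-in for Sguil's
# event table (the real schema has more columns and stores IPs differently);
# status 0 = not yet categorised, i.e. visible in the RealTime pane. The
# non-zero status used below is an arbitrary "categorised" marker, not a
# real Sguil category code.
SAMPLE_EVENTS = [
    # sid, cid, signature,         src_ip,     dst_ip,         status
    (1, 101, "EXAMPLE SCAN probe", "10.0.0.5", "192.168.1.10", 0),
    (1, 102, "EXAMPLE SCAN probe", "10.0.0.5", "192.168.1.11", 0),
    (1, 103, "EXAMPLE SCAN probe", "10.0.0.5", "192.168.1.12", 0),
    (1, 104, "EXAMPLE ICMP ping",  "10.0.0.7", "192.168.1.10", 0),
    (1, 105, "EXAMPLE ICMP ping",  "10.0.0.7", "192.168.1.10", 1),  # already categorised
]


def build_db():
    """In-memory SQLite database loaded with the constructed alerts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (sid INT, cid INT, signature TEXT, "
                "src_ip TEXT, dst_ip TEXT, status INT)")
    con.executemany("INSERT INTO event VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    return con


def realtime_pane(con):
    """Grouped view shaped like the quoted query: one row per (src_ip, signature).
    cnt plays the role of the CNT column. dst_ip is not in the GROUP BY or the
    select list, which is why alerts against different destinations collapse."""
    return con.execute(
        "SELECT MIN(sid), MIN(cid), src_ip, signature, COUNT(*) AS cnt "
        "FROM event WHERE status = 0 "
        "GROUP BY src_ip, signature ORDER BY MIN(cid)"
    ).fetchall()


def correlated_events(con, src_ip, signature):
    """What 'View Correlated Events' expands: every uncategorised event behind
    one grouped row, this time with its destination address."""
    return con.execute(
        "SELECT sid, cid, dst_ip FROM event "
        "WHERE status = 0 AND src_ip = ? AND signature = ? ORDER BY cid",
        (src_ip, signature),
    ).fetchall()


def categorize(con, sid, cid, status=1):
    """Give one event a non-zero status; it then drops out of the grouped view."""
    con.execute("UPDATE event SET status = ? WHERE sid = ? AND cid = ?",
                (status, sid, cid))
    con.commit()
```

Call `realtime_pane(build_db())` to see the two grouped rows, then `correlated_events(con, "10.0.0.5", "EXAMPLE SCAN probe")` to see the three destinations hidden behind the first one.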

