
List:       security-onion
Subject:    RE: [security-onion] autocat question
From:       "Shane" <tsmullins9 () gmail ! com>
Date:       2015-08-27 16:35:39
Message-ID: 068e01d0e0e6$68e23720$3aa6a560$ () gmail ! com

Thanks Doug,

	My bad.  I did see the AutoCat builder in the Sguil client.

Shane


-----Original Message-----
From: security-onion@googlegroups.com [mailto:security-onion@googlegroups.com] On Behalf Of Doug Burks
Sent: Thursday, August 27, 2015 11:38 AM
To: security-onion@googlegroups.com
Subject: Re: [security-onion] autocat question

Hi Shane,

Autocat is no longer done in autocat.conf.  It is now done directly in the Sguil client or Squert web interface.

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#autocategorize-events
"Our current Sguil packages have an AutoCat builder in the Sguil client and in the Squert web interface."

http://blog.securityonion.net/2014/10/sguil-09-and-squert-150-now-available.html

On Thu, Aug 27, 2015 at 11:01 AM, Shane <tsmullins9@gmail.com> wrote:
> Hello everyone,
> 
> This should be a simple question, but I can't seem to get 
> autocat to work correctly.  We have an alert, "ET POLICY iTunes User 
> Agent" that I would like to have autocat classify as 1, no further 
> action.  This should keep the alert from showing in sguil.  I have added this to autocat.conf:
> 1. none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^ET POLICY iTunes||1
> 
> And
> 
> 2. none||ANY||ANY||ANY||ANY||ANY||ANY||ET POLICY iTunes User Agent||1
> 
> Both seem not to work.  Any thoughts?
> 
> Thanks
> Shane
> 
> 
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
> To post to this group, send email to security-onion@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com


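As an added illustration (not code from this thread or from Sguil), the following Python checker evaluates the two autocat.conf rules from the question against a constructed event, using the `||`-separated field order, the `ANY` wildcard and the `%%REGEXP%%` prefix exactly as the rules themselves use them; the field names and the exact-match-versus-regex semantics are assumed from Sguil's documented autocat.conf format rather than taken from sguild's code. It shows that both rules would match the "ET POLICY iTunes User Agent" alert on paper, which fits Doug's answer that the rules are not the problem, and that the anchored regex rule is broader than the literal one, matching any signature message that starts with "ET POLICY iTunes".

```python
import re

# Field order of one autocat.conf rule (assumed from Sguil's documentation):
#   erase_time||sensor||src_ip||src_port||dst_ip||dst_port||proto||sig_msg||status
FIELDS = ("erase_time", "sensor", "src_ip", "src_port",
          "dst_ip", "dst_port", "proto", "sig_msg", "status")
MATCH_FIELDS = FIELDS[1:-1]          # erase_time and status are not matched against the event
REGEXP_PREFIX = "%%REGEXP%%"

def parse_rule(line):
    """Split one rule line into a dict keyed by FIELDS; reject malformed lines."""
    parts = line.rstrip("\n").split("||")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))

def field_matches(pattern, value):
    """ANY is a wildcard; %%REGEXP%% switches the field from exact match to regex search."""
    if pattern == "ANY":
        return True
    if pattern.startswith(REGEXP_PREFIX):
        return re.search(pattern[len(REGEXP_PREFIX):], value) is not None
    return pattern == value

def classify(rules, event):
    """Return the status of the first rule whose every matched field fits the event, else None."""
    for rule in rules:
        if all(field_matches(rule[f], event[f]) for f in MATCH_FIELDS):
            return rule["status"]
    return None

# The two rules from the question, verbatim.
RULES = [parse_rule(line) for line in (
    "none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^ET POLICY iTunes||1",
    "none||ANY||ANY||ANY||ANY||ANY||ANY||ET POLICY iTunes User Agent||1",
)]

# Constructed sample event; sensor name and addresses are placeholders.
EVENT = {"sensor": "sensor1-eth1", "src_ip": "192.0.2.10", "src_port": "51234",
         "dst_ip": "198.51.100.5", "dst_port": "80", "proto": "6",
         "sig_msg": "ET POLICY iTunes User Agent"}

if __name__ == "__main__":
    print("status for sample event:", classify(RULES, EVENT))   # prints 1
```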

