List: security-onion
Subject: RE: [security-onion] autocat question
From: "Shane" <tsmullins9 () gmail ! com>
Date: 2015-08-27 16:35:39
Message-ID: 068e01d0e0e6$68e23720$3aa6a560$ () gmail ! com
Thanks Doug,
My bad. I did see the AutoCat builder in the Sguil client.
Shane
-----Original Message-----
From: security-onion@googlegroups.com [mailto:security-onion@googlegroups.com] On Behalf Of Doug Burks
Sent: Thursday, August 27, 2015 11:38 AM
To: security-onion@googlegroups.com
Subject: Re: [security-onion] autocat question
Hi Shane,
Autocat is no longer done in autocat.conf. It is now done directly in the Sguil client or Squert web interface.
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#autocategorize-events
"Our current Sguil packages have an AutoCat builder in the Sguil client and in the Squert web interface."
http://blog.securityonion.net/2014/10/sguil-09-and-squert-150-now-available.html
On Thu, Aug 27, 2015 at 11:01 AM, Shane <tsmullins9@gmail.com> wrote:
> Hello everyone,
>
> This should be a simple question, but I can't seem to get
> autocat to work correctly. We have an alert, "ET POLICY iTunes User
> Agent" that I would like to have autocat classify as 1, no further
> action. This should keep the alert from showing in Sguil. I have added this to autocat.conf:
> 1. none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^ET POLICY iTunes||1
>
> And
>
> 2. none||ANY||ANY||ANY||ANY||ANY||ANY||ET POLICY iTunes User Agent||1
>
> Both seem not to work. Any thoughts?
>
> Thanks
> Shane
>
>
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
> To post to this group, send email to security-onion@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
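The thread turns on whether Shane's two autocat.conf lines are written correctly, and Doug's answer is that on current Security Onion the file is simply no longer consulted. The example below is added here to check the first half of that: it is not code from the thread, from Sguil or from Security Onion, but a small, self-contained re-implementation of the rule syntax Shane posted (nine ||-separated fields: erase time, sensor, src IP, src port, dst IP, dst port, proto, signature message, status). The matching semantics it assumes are: ANY is a wildcard, a %%REGEXP%% prefix makes the field a regular expression, IP fields may be a CIDR block, anything else is an exact string match, and the first matching rule wins. Those assumptions and the sample alerts are constructed for this example; against them, both of Shane's rules match "ET POLICY iTunes User Agent", which is consistent with the file being ignored rather than the rules being malformed.

```python
import ipaddress
import re

# Constructed autocat.conf content for this example (not a real Security Onion file).
# The first two rules are the ones Shane posted; the third is added to show a CIDR source
# restriction. Field order assumed:
#   erase_time||sensor||src_ip||src_port||dst_ip||dst_port||proto||sig_msg||status
AUTOCAT_CONF = """\
# comment lines and blank lines are skipped
none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^ET POLICY iTunes||1
none||ANY||ANY||ANY||ANY||ANY||ANY||ET POLICY iTunes User Agent||1
none||ANY||10.0.0.0/8||ANY||ANY||ANY||ANY||%%REGEXP%%^ET INFO||1
"""

FIELDS = ("erase_time", "sensor", "src_ip", "src_port",
          "dst_ip", "dst_port", "proto", "sig_msg", "status")
REGEXP_PREFIX = "%%REGEXP%%"


def parse_autocat(text):
    """Parse autocat.conf text into a list of rule dicts; reject lines with the wrong field count."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("||")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rules.append(dict(zip(FIELDS, parts)))
    return rules


def field_matches(pattern, value):
    """Assumed semantics: ANY is a wildcard, %%REGEXP%% prefix is a regex, otherwise exact match."""
    if pattern == "ANY":
        return True
    if pattern.startswith(REGEXP_PREFIX):
        return re.search(pattern[len(REGEXP_PREFIX):], value) is not None
    return pattern == value


def ip_matches(pattern, value):
    """Assumed semantics for IP fields: ANY, a CIDR block, or an exact address."""
    if pattern == "ANY":
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == value


def rule_matches(rule, alert):
    return (field_matches(rule["sensor"], alert["sensor"])
            and ip_matches(rule["src_ip"], alert["src_ip"])
            and field_matches(rule["src_port"], str(alert["src_port"]))
            and ip_matches(rule["dst_ip"], alert["dst_ip"])
            and field_matches(rule["dst_port"], str(alert["dst_port"]))
            and field_matches(rule["proto"], str(alert["proto"]))
            and field_matches(rule["sig_msg"], alert["sig_msg"]))


def matching_rule_indexes(rules, alert):
    """Indexes of every rule that matches the alert (useful for checking rule syntax)."""
    return [i for i, r in enumerate(rules) if rule_matches(r, alert)]


def autocat_status(rules, alert):
    """Status from the first matching rule, or None when no rule matches (alert stays in the queue)."""
    for r in rules:
        if rule_matches(r, alert):
            return int(r["status"])
    return None


# Constructed sample alerts (sensor names, addresses and ports are made up for this example).
ITUNES_ALERT = {"sensor": "so-eth1", "src_ip": "192.168.1.10", "src_port": 51234,
                "dst_ip": "203.0.113.7", "dst_port": 80, "proto": 6,
                "sig_msg": "ET POLICY iTunes User Agent"}
ET_INFO_EXTERNAL = dict(ITUNES_ALERT, sig_msg="ET INFO Session Traversal Utilities for NAT")
ET_INFO_INTERNAL = dict(ET_INFO_EXTERNAL, src_ip="10.1.2.3")

if __name__ == "__main__":
    rules = parse_autocat(AUTOCAT_CONF)
    for name, alert in (("iTunes", ITUNES_ALERT), ("ET INFO external", ET_INFO_EXTERNAL),
                        ("ET INFO internal", ET_INFO_INTERNAL)):
        print(name, "matches rules", matching_rule_indexes(rules, alert),
              "-> status", autocat_status(rules, alert))
```

Run it as a script to see which rules fire for each constructed alert. The point of `matching_rule_indexes` is that a rule whose syntax is fine will show up there even if the deployment no longer reads the file, which is the distinction Doug's reply draws.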