
List:       sguil-devel
Subject:    Re: [Sguil-devel] Fwd: Sguil Reports
From:       "David J. Bianco" <david () vorant ! com>
Date:       2006-09-15 22:05:29
Message-ID: 450B23A9.5040405 () vorant ! com

I usually prefer to have all my reports on a single (long) web page.
However, this probably doesn't scale so a summary report is probably
the way to go.

	David

john@wardmail.com wrote:
> These seem easy enough to do. How would you like these done?  Do you
> want the 5 listed on a "Summary" report, with a drill down to the
> details of the events, or do you want them as separate reports?
> 
> John
> 
> On Thu, 14 Sep 2006 09:04:56 -0400
>  "David J. Bianco" <david@vorant.com> wrote:
>> john@wardmail.com wrote:
>>> OK, it seems that the web based approach is the preferred one. Where can
>>> I get some example reports you guys would like to see developed? Maybe
>>> we can possibly get Bamm to set up a Tomcat instance on the demo server
>>> with BIRT so we can demo the reports when they are complete.
>>>
>>
>> Let's start with something simple, just to help us get the reporting
>> engine up and running.  Here are a few of the reports I run:
>>
>> Top 10 Events (eg, "PHP Injection Attempt" occurred 23 times)
>> Top 10 Sources of Events ("192.168.1.3 was the source of 103 events")
>> Top 10 Dests of Events ("192.168.20.3 was the src IP on 3300 events")
>> Top 10 Hosts Initiating Outgoing Connections to Unique Addresses
>>
>> This last one deserves more detail.  I generate it from the SANCP
>> database, and I use a query to restrict the src_ip to my local range,
>> restrict the dst_ip to be NOT in the local range, and it must have come
>> from one of the sensors at the perimeter or the DMZ. The purpose is not
>> to look at raw numbers of connections, but rather to see who is talking
>> to the MOST computers offsite (ie, to look for worm, scan or P2P
>> activity originating inside).
>>
>> The SQL looks something like this:
>>
>>     -- top 10 local hosts ranked by number of distinct offsite destinations
>>     SELECT INET_NTOA(src_ip) as src,
>>     count(distinct dst_ip) as dsts,
>>     (sum(src_bytes + dst_bytes) / (1024 * 1024)) as megs
>>     from sancp where
>>     -- yesterday 00:00 up to today 00:00
>>     start_time BETWEEN DATE_SUB(CURDATE(), INTERVAL 1 DAY) AND
>>            CURDATE() AND
>>     -- only the perimeter / DMZ sensors
>>     sid in (4,7,9) AND
>>     -- source inside the local range, destination outside it
>>        (src_ip between INET_ATON("192.168.1.0") and
>>         INET_ATON("192.168.1.255")) AND NOT
>>     (dst_ip between INET_ATON("192.168.1.0") and
>>         INET_ATON("192.168.1.255"))
>>     group by src
>>     order by dsts DESC
>>     LIMIT 10
>>
>> (I typed that from memory, so don't sue me if it doesn't parse properly).
>>
>> All of these reports are output in both table form (text) and graphic
>> form (a simple bar graph).
>>
>> Anyway, I think these three should be immediately useful, yet simple
>> enough to make a good starting point.  I have several more powerful
>> queries I'd like to see, but I think those can wait until the engine
>> is ready.
>>
>> -------------------------------------------------------------------------
>> Using Tomcat but need to do more? Need to support web services, security?
>> Get stuff done quickly with pre-integrated technology to make your job
>> easier
>> Download IBM WebSphere Application Server v.1.0.1 based on Apache
>> Geronimo
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>> _______________________________________________
>> Sguil-devel mailing list
>> Sguil-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sguil-devel
> 

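The "top hosts initiating outgoing connections to unique addresses" report from the quoted message, as an added, self-contained example that is not code from the thread or from the Sguil project. It runs the same query shape (distinct destinations per local source, total megabytes, restricted to a day window, a set of perimeter sensor ids, local sources and non-local destinations) against a constructed SANCP-style table in SQLite. SQLite has no INET_ATON/INET_NTOA, so the local range is converted to integers in Python with the ipaddress module; the sancp column names (sid, start_time, src_ip, dst_ip, src_bytes, dst_bytes) follow the thread, while the sample rows, the sensor ids and the report date are assumptions made up for the example.

```python
"""Top local hosts by number of distinct offsite destinations (SANCP-style).

Added example, not from the mailing-list thread. Uses an in-memory SQLite
table with constructed rows; IP addresses are stored as integers, as SANCP
does, and converted with the ipaddress module instead of MySQL's INET_ATON.
"""
import ipaddress
import sqlite3
from datetime import date, timedelta

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed local range
PERIMETER_SIDS = (4, 7, 9)                          # assumed perimeter/DMZ sensor ids


def ip_to_int(ip):
    """Same role as MySQL INET_ATON."""
    return int(ipaddress.ip_address(ip))


def int_to_ip(n):
    """Same role as MySQL INET_NTOA."""
    return str(ipaddress.ip_address(n))


def build_sample_db():
    """Create an in-memory sancp table filled with constructed sample sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sancp (sid INTEGER, start_time TEXT, src_ip INTEGER, "
        "dst_ip INTEGER, src_bytes INTEGER, dst_bytes INTEGER)"
    )
    mb = 1024 * 1024
    in_window = "2006-09-14 01:00:00"  # inside the report window used by demo()
    rows = [
        # 192.168.1.10: 5 sessions to 4 distinct offsite hosts, 5 MB total
        (4, in_window, "192.168.1.10", "203.0.113.1", mb // 2, mb // 2),
        (4, in_window, "192.168.1.10", "203.0.113.2", mb // 2, mb // 2),
        (7, in_window, "192.168.1.10", "203.0.113.2", mb // 2, mb // 2),
        (9, in_window, "192.168.1.10", "203.0.113.3", mb // 2, mb // 2),
        (4, in_window, "192.168.1.10", "198.51.100.7", mb // 2, mb // 2),
        # 192.168.1.20: 2 distinct offsite hosts, 1 MB total
        (4, in_window, "192.168.1.20", "203.0.113.1", mb // 4, mb // 4),
        (7, in_window, "192.168.1.20", "203.0.113.9", mb // 4, mb // 4),
        # 192.168.1.60: one session at the very end of the window, no payload
        (9, "2006-09-14 23:59:59", "192.168.1.60", "203.0.113.1", 0, 0),
        # excluded: seen only by a non-perimeter sensor (sid 2)
        (2, in_window, "192.168.1.30", "203.0.113.50", mb, mb),
        # excluded: destination is inside the local range
        (4, in_window, "192.168.1.40", "192.168.1.41", mb, mb),
        # excluded: outside the one-day window
        (4, "2006-09-12 10:00:00", "192.168.1.50", "203.0.113.60", mb, mb),
        # excluded: source is not in the local range (inbound session)
        (4, in_window, "203.0.113.77", "192.168.1.10", mb, mb),
    ]
    conn.executemany(
        "INSERT INTO sancp VALUES (?, ?, ?, ?, ?, ?)",
        [(sid, ts, ip_to_int(s), ip_to_int(d), sb, db) for sid, ts, s, d, sb, db in rows],
    )
    conn.commit()
    return conn


def top_talkers(conn, report_day, local_net=LOCAL_NET, sids=PERIMETER_SIDS, limit=10):
    """Return [(src, distinct_dsts, megs), ...] for the day before report_day.

    Window is [report_day - 1 day 00:00, report_day 00:00), matching the
    thread's DATE_SUB(CURDATE(), INTERVAL 1 DAY) .. CURDATE() idea.
    """
    start = (report_day - timedelta(days=1)).strftime("%Y-%m-%d 00:00:00")
    end = report_day.strftime("%Y-%m-%d 00:00:00")
    lo, hi = int(local_net.network_address), int(local_net.broadcast_address)
    placeholders = ",".join("?" * len(sids))
    sql = f"""
        SELECT src_ip,
               COUNT(DISTINCT dst_ip)                          AS dsts,
               SUM(src_bytes + dst_bytes) / (1024.0 * 1024.0)  AS megs
        FROM sancp
        WHERE start_time >= ? AND start_time < ?
          AND sid IN ({placeholders})
          AND src_ip BETWEEN ? AND ?
          AND NOT (dst_ip BETWEEN ? AND ?)
        GROUP BY src_ip
        ORDER BY dsts DESC, megs DESC
        LIMIT ?
    """
    params = (start, end, *sids, lo, hi, lo, hi, limit)
    return [(int_to_ip(src), dsts, megs) for src, dsts, megs in conn.execute(sql, params)]


def demo():
    """Run the report for the constructed data; report_day is an assumed date."""
    return top_talkers(build_sample_db(), date(2006, 9, 15))


if __name__ == "__main__":
    for src, dsts, megs in demo():
        print(f"{src:<16} {dsts:>5} distinct dsts {megs:>8.2f} MB")
```

Because the ranking is by distinct destinations rather than by bytes, the host with the most sessions or the most traffic is not necessarily at the top; that is the point the thread makes about spotting scanning, worm or P2P behaviour from inside. The ORDER BY adds megs as a tie-breaker so the output is deterministic when two hosts reach the same number of destinations.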

