List: sguil-devel
Subject: Re: [Sguil-devel] Fwd: Sguil Reports
From: "David J. Bianco" <david () vorant ! com>
Date: 2006-09-15 22:05:29
Message-ID: 450B23A9.5040405 () vorant ! com
I usually prefer to have all my reports on a single (long) web page.
However, this probably doesn't scale so a summary report is probably
the way to go.
David
john@wardmail.com wrote:
> These seem easy enough to do. How would you like these done? Do you
> want the 5 listed on a "Summary" report, with a drill down to the
> details of the events, or do you want them as separate reports?
>
> John
>
> On Thu, 14 Sep 2006 09:04:56 -0400
> "David J. Bianco" <david@vorant.com> wrote:
>> john@wardmail.com wrote:
>>> OK, it seems that the web based approach is the preferred one. Where can
>>> I get some example reports you guys would like to see developed? Maybe
>>> we can possibly get Bamm to setup a Tomcat instance on the demo server
>>> with BIRT so we can demo the reports when they are complete.
>>>
>>
>> Let's start with something simple, just to help us get the reporting
>> engine up and running. Here are a few of the reports I run:
>>
>> Top 10 Events (eg, "PHP Injection Attempt" occurred 23 times)
>> Top 10 Sources of Events ("192.168.1.3 was the source of 103 events")
>> Top 10 Dests of Events ("192.168.20.3 was the src IP on 3300 events")
>> Top 10 Hosts Initiating Outgoing Connections to Unique Addresses
>>
>> This last one deserves more detail. I generate it from the SANCP
>> database, and I use a query to restrict the src_ip to my local range,
>> restrict the dst_ip to be NOT in the local range, and it must have come
>> from one of the sensors at the perimeter or the DMZ. The purpose is not
>> to look at raw numbers of connections, but rather to see who is talking
>> to the MOST computers offsite (ie, to look for worm, scan or P2P
>> activity originating inside).
>>
>> The SQL looks something like this:
>>
>> SELECT INET_NTOA(src_ip) AS src,
>>        COUNT(DISTINCT dst_ip) AS dsts,
>>        (SUM(src_bytes + dst_bytes) / (1024 * 1024)) AS megs
>>   FROM sancp
>>  WHERE start_time BETWEEN DATE_SUB(CURDATE(), INTERVAL 1 DAY) AND CURDATE()  -- previous day
>>    AND sid IN (4, 7, 9)                                                       -- perimeter / DMZ sensors
>>    AND (src_ip BETWEEN INET_ATON("192.168.1.0") AND INET_ATON("192.168.1.255"))      -- local source
>>    AND NOT (dst_ip BETWEEN INET_ATON("192.168.1.0") AND INET_ATON("192.168.1.255"))  -- offsite destination
>>  GROUP BY src
>>  ORDER BY dsts DESC
>>  LIMIT 10
>>
>> (I typed that from memory, so don't sue me if it doesn't parse properly).
>>
>> All of these reports are output in both table form (text) and graphic
>> form (a simple bar graph).
>>
>> Anyway, I think these three should be immediately useful, yet simple
>> enough to make a good starting point. I have several more powerful
>> queries I'd like to see, but I think those can wait until the engine
>> is ready.
>>
>
_______________________________________________
Sguil-devel mailing list
Sguil-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-devel
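The "Top 10 Hosts Initiating Outgoing Connections to Unique Addresses" report quoted above, run end to end as an added example (this is not code from the thread or from Sguil): the post's query is executed against an in-memory SQLite stand-in for the MySQL sancp table, with INET_ATON/INET_NTOA supplied as user functions, over constructed records, and rendered as the text table plus bar graph David describes. The sancp column names, the sensor ids 4, 7, 9 and the 192.168.1.0/24 local range are taken from the post; the sample rows are invented to show why ranking by distinct destinations puts a fan-out host above a host with far more connections and bytes to a single destination.

```python
import ipaddress
import sqlite3

def inet_aton(addr):  # MySQL INET_ATON; registered into SQLite below with its INET_NTOA inverse
    return int(ipaddress.IPv4Address(addr))

# The post's query with the day window and local range as bind parameters (sid 4, 7, 9 = perimeter/DMZ sensors).
REPORT_SQL = """
SELECT INET_NTOA(src_ip) AS src,
       COUNT(DISTINCT dst_ip) AS dsts,
       ROUND(SUM(src_bytes + dst_bytes) / (1024.0 * 1024.0), 2) AS megs
  FROM sancp
 WHERE start_time BETWEEN ? AND ?
   AND sid IN (4, 7, 9)
   AND src_ip BETWEEN INET_ATON(?) AND INET_ATON(?)
   AND NOT (dst_ip BETWEEN INET_ATON(?) AND INET_ATON(?))
 GROUP BY src ORDER BY dsts DESC LIMIT 10"""

def top_outbound_talkers(rows, day_start, day_end):
    """rows: (sid, start_time, src_ip, dst_ip, src_bytes, dst_bytes) tuples; returns (src, dsts, megs) rows."""
    con = sqlite3.connect(":memory:")
    con.create_function("INET_ATON", 1, inet_aton)
    con.create_function("INET_NTOA", 1, lambda n: str(ipaddress.IPv4Address(n)))
    con.execute("CREATE TABLE sancp (sid INT, start_time TEXT, src_ip INT, dst_ip INT, src_bytes INT, dst_bytes INT)")
    con.executemany("INSERT INTO sancp VALUES (?, ?, ?, ?, ?, ?)", rows)
    lo, hi = "192.168.1.0", "192.168.1.255"  # local range from the post
    return con.execute(REPORT_SQL, (day_start, day_end, lo, hi, lo, hi)).fetchall()

def render(results):
    """Text table plus a bar per source, scaled so the top entry fills 30 columns."""
    top = results[0][1] if results else 1
    lines = [f"{'src':<16}{'dsts':>6}{'megs':>9}  graph"]
    for src, dsts, megs in results:
        lines.append(f"{src:<16}{dsts:>6}{megs:>9.2f}  " + "#" * (dsts * 30 // top))
    return "\n".join(lines)

def sample_rows():
    """Constructed sancp records (not real traffic) exercising each filter in the query."""
    a = inet_aton
    rows = [(4, "2006-09-14 03:00:00", a("192.168.1.50"), a(f"10.9.0.{i}"), 60, 0) for i in range(1, 13)]  # fan-out
    rows += [(7, "2006-09-14 10:00:00", a("192.168.1.7"), a("10.1.1.1"), 500_000, 5_000_000)] * 40  # bulk, 1 dst
    rows += [(9, "2006-09-14 12:00:00", a("192.168.1.3"), a(f"10.2.0.{i}"), 2_000, 20_000) for i in range(3)]
    rows.append((2, "2006-09-14 12:00:00", a("192.168.1.9"), a("10.3.3.3"), 1, 1))      # internal sensor
    rows.append((4, "2006-09-14 12:00:00", a("192.168.1.9"), a("192.168.1.77"), 1, 1))  # internal destination
    rows.append((4, "2006-09-12 12:00:00", a("192.168.1.9"), a("10.3.3.4"), 1, 1))      # outside the window
    return rows

if __name__ == "__main__":
    print(render(top_outbound_talkers(sample_rows(), "2006-09-14 00:00:00", "2006-09-15 00:00:00")))
```

Against MySQL the same statement runs with the bind parameters replaced by the DATE_SUB/CURDATE and INET_ATON literals from the post; 192.168.1.9 never appears because each of its records fails one of the three filters.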