Delete events in the gui by event id and/or ip address


Wayne Turnquist

Dec 28, 2016, 12:53:06 PM12/28/16
to security-onion
I'm new to this product and not strong in Unix.

As I go through events, I find IP addresses I want to block. So I go to the firewall and add these IP addresses to the firewall to block them.

Then I want to delete the alerts in Onion for all the events from the IP addresses I blocked. This way I'm only keeping events which I have not blocked yet.

I looked in the GUI but could not see how to accomplish this function. I have the newest version and did an update last Friday.

Wes Lambert

Dec 28, 2016, 5:22:54 PM12/28/16
to securit...@googlegroups.com

Wayne,

If you do not want the alerts to appear in the real time console, but still want them to be logged, you can create an autocat rule to automatically categorize these events.  Sguil has an autocat builder you can access by navigating to "File">>"Autocat", or by right-clicking the event under the "ST" column, and creating an autocat from it.

Otherwise, you can manually categorize the alert and clear it from the console by pressing F8, or by right-clicking the event under the "ST" column and choosing "Expire Event..."

Thanks,
Wes


--
You received this message because you are subscribed to the Google Groups "security-onion" group.
Visit this group at https://groups.google.com/group/security-onion.

Wayne Turnquist

Dec 29, 2016, 10:13:00 AM12/29/16
to security-onion
I understand the first suggestion, which is related to time, and it will show back up after the time is met.

The 2nd option I'm not quite sure how it works. Here is my guess:
when I right-click and expire, the event will be deleted from the console and database. But if the same alert is seen again, it will be in the console and database.

Using these two options, what effect does it have on Squert?
Can this type of function be performed in Squert?

Are there any good links or YouTube videos on this subject?
Are there any good books I can get as a starter geared more to the GUI?
I hate fumbling around and asking too many questions.

Semi-related to the question: rule suppression, which I understand is like below.

--
Suppressions

Edit the file and add, for example, to /etc/nsm/rules/threshold.conf:
suppress gen_id 1, sig_id 2101411, track by_src, ip 172.16.42.109

Then issue the command to update:
sudo nsm_sensor_ps-restart --only-snort-alert
---

Can this function be done from the GUI in Sguil or Squert?

Wes Lambert

Dec 29, 2016, 3:39:32 PM12/29/16
to securit...@googlegroups.com

Wayne,

Please see my responses below:

> I understand the first suggestion, which is related to time, and it will show back up after the time is met.
>
> The 2nd option I'm not quite sure how it works. Here is my guess:
> when I right-click and expire, the event will be deleted from the console and database. But if the same alert is seen again, it will be in the console and database.

You will not see the event in the console; however, it will still remain in the database. If you don't want to see certain traffic or alerts, you could apply BPF rules and/or disable signatures through /etc/nsm/pulledpork/disablesid.conf.

Maybe see:

https://github.com/Security-Onion-Solutions/security-onion/wiki/BPF

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#disable-the-sid

> Using these two options, what effect does it have on Squert?
> Can this type of function be performed in Squert?

Since Sguil and Squert use the same database, you should be able to switch between the two without issue, other than learning how each achieves the same function.

> Are there any good links or YouTube videos on this subject?
> Are there any good books I can get as a starter geared more to the GUI?
> I hate fumbling around and asking too many questions.

While these are for Security Onion 12.04, much of it can still be applied to 14.04:

https://www.youtube.com/watch?v=dyLbgrdagaA&list=PLMN5wm-C5YjyieO63g8LbaiWTSJRj0DBe

Also, more here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Videos

> Semi-related to the question: rule suppression, which I understand is like below.
>
> --
> Suppressions
>
> Edit the file and add, for example, to /etc/nsm/rules/threshold.conf:
> suppress gen_id 1, sig_id 2101411, track by_src, ip 172.16.42.109
>
> Then issue the command to update:
> sudo nsm_sensor_ps-restart --only-snort-alert
> ---
>
> Can this function be done from the GUI in Sguil or Squert?

Currently, this is only done via the command-line.

Thanks,
Wes

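
The two mechanisms discussed in this thread behave differently: categorizing an event in Sguil or Squert (F8 / autocat) only changes its status in the shared database, while a threshold.conf suppression stops Snort from generating the alert, so it never reaches the database at all. To fit them into the workflow from the first post (block an IP on the firewall, then stop seeing its alerts), the added Python example below, which is not part of the thread and not Security Onion's own tooling, takes a list of blocked hosts or networks and (a) emits the `suppress gen_id ..., sig_id ..., track by_src, ip ...` lines for the signatures that fired, skipping any that already exist in the current threshold.conf, and (b) builds the equivalent BPF expression for the case where you want to drop the traffic from inspection entirely, as the BPF wiki link above describes. The sample threshold.conf content, the IP addresses (RFC 5737 documentation ranges) and the signature IDs other than 2101411 are constructed for the example. Applying the output still requires the restart command quoted in the thread.

```python
import ipaddress
import re

# Snort threshold.conf suppression syntax:
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip or CIDR>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def normalize_ip(value):
    """Canonical form for the ip field: bare address for a single host, CIDR otherwise."""
    net = ipaddress.ip_network(value, strict=False)
    if net.num_addresses == 1:
        return str(net.network_address)
    return str(net)


def _net_key(value):
    # Sort key that keeps IPv4 and IPv6 entries from being compared to each other.
    net = ipaddress.ip_network(value, strict=False)
    return (net.version, net)


def parse_threshold_conf(text):
    """Return the suppressions already present as a set of (gen_id, sig_id, track, ip)."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = SUPPRESS_RE.match(line)
        if not m:
            continue                          # event_filter lines, blanks, etc.
        gen, sid, track, ip = m.groups()
        if ip is not None:
            try:
                ip = normalize_ip(ip)
            except ValueError:
                pass                          # e.g. a bracketed ip list: keep verbatim
        found.add((int(gen), int(sid), track, ip))
    return found


def build_suppress_lines(blocked, sig_ids, existing="", gen_id=1, track="by_src"):
    """Suppress lines for every (sig_id, blocked source) pair not already configured."""
    present = parse_threshold_conf(existing)
    sources = sorted({normalize_ip(b) for b in blocked}, key=_net_key)
    lines = []
    for sid in sorted(set(sig_ids)):
        for ip in sources:
            key = (gen_id, sid, track, ip)
            if key in present:
                continue                      # already in threshold.conf, do not duplicate
            present.add(key)
            lines.append(f"suppress gen_id {gen_id}, sig_id {sid}, track {track}, ip {ip}")
    return lines


def build_bpf(blocked):
    """BPF that excludes the blocked hosts/networks from the sensor entirely."""
    terms = []
    for ip in sorted({normalize_ip(b) for b in blocked}, key=_net_key):
        net = ipaddress.ip_network(ip, strict=False)
        if net.num_addresses == 1:
            terms.append(f"host {net.network_address}")
        else:
            terms.append(f"net {net.with_prefixlen}")
    return "not (" + " or ".join(terms) + ")" if terms else ""


# Constructed sample data: one suppression already present, three blocked sources,
# two signatures seen in the console (2101411 is the sid from the thread).
EXISTING_CONF = """# local suppressions
suppress gen_id 1, sig_id 2101411, track by_src, ip 172.16.42.109
"""
BLOCKED = ["172.16.42.109", "192.0.2.0/24", "203.0.113.7"]
SIG_IDS = [2101411, 2101411, 2013028]

if __name__ == "__main__":
    for line in build_suppress_lines(BLOCKED, SIG_IDS, EXISTING_CONF):
        print(line)
    print("bpf:", build_bpf(BLOCKED))
```

A suppression is keyed to a signature, so a host that later trips a different rule will alert again until that sid is added too; the BPF form has no such gap but also means no packets from those sources are captured or logged, so choose it only when you are sure you never want to investigate that traffic.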

Wayne Turnquist

Dec 30, 2016, 11:17:10 AM12/30/16
to security-onion
OK, I understand how to manually categorize the alert and clear it from the console by pressing F8 in Sguil. How do I clear/hide those in Squert?

Wes Lambert

Dec 30, 2016, 11:40:24 AM12/30/16
to securit...@googlegroups.com

Wayne,

You can expand the events by clicking the number/red box that represents the aggregation of events and select each or all of the events and press F8, or select a classification by clicking the icon next to "CATEGORIZE EVENTS".

Thanks,
Wes


On Dec 30, 2016 11:17 AM, "Wayne Turnquist" <waynetu...@gmail.com> wrote:
> OK, I understand how to manually categorize the alert and clear it from the console by pressing F8 in Sguil. How do I clear/hide those in Squert?
