If I accidentally categorized an event, how do I return it to the main uncategorized pool within Sguil?
Is this something where I have to update the Event table status field to 0 on the backend or is there a way to do it within Sguil?
Thanks.
Why do you want to unclassify the event? If you have put it in the
wrong category, you can just search for it and re-classify it to put
it in the correct category.
Hope that helps!
Thanks,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
Those alerts are still in the database used by Sguil (which is named securityonion_db). They have had their categorization set (uncategorized are status=0) and no longer show up in the real time event window, as the real time window only shows uncategorized events. To review them you need to craft a query that uses the specifics for the alert.
Vr
Scott
Thanks for the clarification.
Just as an update/FYI for whomever (I think, ugh, grammar), I ended up running:
update event set status = '0' where status = '11';
to clear out the events I had mistakenly classified. Still trying to validate this, but it brought me to an interesting note and question:
First, in looking at the counts in the event table, there is a massive number of events that I guess get automatically classified as regular/known traffic with status 1.
So far I have 12 million vs 1.3 million unclassified events.status = 0.
How do the numbers in the database/sguil/squert all correlate?
If I run Scott's command of:
SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status=0 GROUP BY signature ORDER BY cnt DESC LIMIT 10;
and get the top two with 400k events each, then I turn to Sguil and see the top two events have 190k and 120k events, is there a way to verify the numbers against each other or is it all too specific/based on ip src and dst, to be able to manually verify?
When you are in the query tab within squert and simply hit the submit
button, you are essentially just running (a more complicated version
of) this:
SELECT COUNT(signature) AS c, signature FROM event GROUP BY signature
ORDER BY c DESC
Start flipping the "Status:" control and you are adding:
WHERE event.status = <pick an event status>
It's just a simplified query builder.
Sguil on the other hand will only show you (in the main event pane)
what has an event status of "0". If you flip the "Status:" control in
squert to "Unclassified" you will see the same thing. Sguil will only
show you the other event statuses if you query for them.
--
Paul Halliday
http://www.squertproject.org/
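As an added illustration (not code from this thread, from Sguil or from Squert), the following Python/sqlite3 sketch reproduces the two views Paul describes and the status reset from earlier in the thread: the same grouped count run with and without the "Status:" filter, over a constructed, simplified stand-in for the event table. The column set and the sample rows are assumptions for the demo, not the real securityonion_db schema.

```python
import sqlite3

# Constructed sample rows: (signature, signature_id, status).
# status 0 = uncategorized (what Sguil's real time pane shows),
# 1 = auto-classified, 11 = a user-assigned category.
SAMPLE_EVENTS = [
    ("ET POLICY Example A", 2001, 0),
    ("ET POLICY Example A", 2001, 0),
    ("ET POLICY Example A", 2001, 11),
    ("GPL SCAN Example B", 2002, 0),
    ("GPL SCAN Example B", 2002, 1),
    ("GPL SCAN Example B", 2002, 1),
    ("GPL SCAN Example B", 2002, 11),
]


def open_db():
    """In-memory stand-in for the event table (simplified, assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (signature TEXT, signature_id INTEGER, status INTEGER)")
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def counts_by_signature(conn, status=None):
    """Squert-style grouped count; picking a status adds the WHERE clause.

    status=None mirrors a plain 'submit' (all statuses), status=0 mirrors
    'Unclassified', i.e. what Sguil's main event pane shows.
    """
    sql = "SELECT COUNT(signature) AS c, signature FROM event"
    params = ()
    if status is not None:
        sql += " WHERE event.status = ?"
        params = (status,)
    # Tie-break on signature so the result order is deterministic.
    sql += " GROUP BY signature ORDER BY c DESC, signature"
    return [(sig, c) for c, sig in conn.execute(sql, params)]


def reset_status(conn, from_status, to_status=0):
    """Move every event in one category back to another (0 = uncategorized).

    Same effect as the UPDATE from the thread, parameterized; returns rows changed.
    """
    cur = conn.execute("UPDATE event SET status = ? WHERE status = ?", (to_status, from_status))
    conn.commit()
    return cur.rowcount
```

Comparing counts_by_signature(conn) with counts_by_signature(conn, 0) shows why the Squert and Sguil totals for the same signature differ, and reset_status(conn, 11) shows those events reappearing in the status=0 view.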