Squert Summary Clean up


bug...@gmail.com

Feb 13, 2016, 10:25:18 AM
to security-onion
Hi,

I am discovering Squert (late to the party!) in SO14.04 and am finding it really great.
I understand you can classify the events so they "disappear" from the main event view by selecting an event (or more) and then clicking on the category (i.e.: no action required).

Is there a way to also clear the summary tab?
Because the same logic should occur there... I don't want to see all the signatures for all events.
This is especially true about cleaning up false positives. There might be events that were false positives (classified as no action required) but at the moment it looks like the summary tab lists a summary for ALL events, regardless of whether they were false positives or not.
I'd like to know if there is any way to "clean" that up?

For example, say out of 10 signatures, 3 were false positives. I then clean my snort config (i.e.: threshold.conf) and from now on those signatures will not fire.
But in the summary tab for the month, those 10 signatures still appear. Worse, in that example they appear first because they fired the most.

Would appreciate any ideas/help on this.
I guess the answer will be: this is by design :)

Cheers,
B.

Wes

Feb 13, 2016, 9:29:17 PM
to security-onion

B,

I believe the above mentioned behavior is by design.

Squert is a web interface for Sguil/securityonion_db, so if you wanted to get an idea of how many events you received that you have a classification for, but ignore false positives (NA/F8), you could try some of the following queries for securityonion_db, modifying them to fit your needs:

# Get top twenty events (with the exception of F8 (No Action), including uncategorized events).

sudo mysql -uroot -Dsecurityonion_db -e "SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status!=1 GROUP BY signature ORDER BY cnt DESC LIMIT 20;"

# Get top twenty events, excluding uncategorized and F8'd events

sudo mysql -uroot -Dsecurityonion_db -e "SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status!=1 AND status!=0 GROUP BY signature ORDER BY cnt DESC LIMIT 20;"

# Get top twenty events for yesterday, excluding uncategorized and F8'd events

sudo mysql -uroot -Dsecurityonion_db -e "SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status!=1 AND status!=0 AND event.timestamp<CURDATE() AND event.timestamp>=DATE_ADD(CURDATE(), INTERVAL -1 DAY) GROUP BY signature ORDER BY cnt DESC LIMIT 20;"

# Get top twenty events for the last hour (relative to NOW(), not to midnight), excluding uncategorized and F8'd events

sudo mysql -uroot -Dsecurityonion_db -e "SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status!=1 AND status!=0 AND event.timestamp>DATE_SUB(NOW(), INTERVAL 1 HOUR) GROUP BY signature ORDER BY cnt DESC LIMIT 20;"

Thanks,
Wes
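The queries above all hinge on the Sguil status column: 0 is an event still sitting in the real-time queue, 1 is NA (the F8 "No Action Required" classification), and anything above 1 is an analyst category. The example below is added here and is not code from Wes, Doug or the Security Onion project; it rebuilds the same per-signature summary against an in-memory sqlite stand-in for the event table (constructed sample rows, placeholder signature names and ids) so the effect of each WHERE clause can be checked without a sensor. The Cat I..VII codes 11..17 are Sguil's category numbers and are stated as an assumption; time windows are passed as bound parameters instead of CURDATE()/DATE_ADD so the same statement works on MySQL and sqlite.

```python
import sqlite3
from datetime import datetime, timedelta

# Sguil status codes (Squert's "st" filter uses the same numbers).
# 0 and 1 appear in the thread; 11..17 (Cat I..VII) are Sguil's category codes (assumption).
STATUS_UNCATEGORIZED = 0   # still in the real-time queue
STATUS_NA = 1              # No Action Required (F8), i.e. a cleared false positive

# Fixed "now" so the windows below are reproducible (constructed, not real data).
NOW = datetime(2016, 2, 14, 12, 0, 0)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def _ago(**delta):
    """Timestamp string for NOW minus the given timedelta arguments."""
    return (NOW - timedelta(**delta)).strftime(TS_FMT)


# Constructed rows in the shape of securityonion_db.event; signature names/ids are placeholders.
SAMPLE_EVENTS = [
    # (signature, signature_id, status, timestamp)
    ("SIG-A", 1000001, STATUS_NA, _ago(hours=2)),        # noisy rule, all F8'd
    ("SIG-A", 1000001, STATUS_NA, _ago(hours=3)),
    ("SIG-A", 1000001, STATUS_NA, _ago(hours=4)),
    ("SIG-A", 1000001, STATUS_NA, _ago(hours=5)),
    ("SIG-A", 1000001, STATUS_NA, _ago(hours=26)),       # yesterday
    ("SIG-B", 1000002, STATUS_UNCATEGORIZED, _ago(minutes=10)),
    ("SIG-B", 1000002, STATUS_UNCATEGORIZED, _ago(minutes=30)),
    ("SIG-B", 1000002, STATUS_UNCATEGORIZED, _ago(hours=20)),  # yesterday
    ("SIG-C", 1000003, 11, _ago(hours=3)),               # Cat I
    ("SIG-C", 1000003, 11, _ago(hours=4)),
    ("SIG-D", 1000004, 16, _ago(hours=25)),              # Cat VI, yesterday
]


def build_db(events=SAMPLE_EVENTS):
    """In-memory stand-in for the event table (sqlite instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (signature TEXT, signature_id INTEGER, "
                 "status INTEGER, timestamp TEXT)")
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", events)
    return conn


def top_signatures(conn, limit=20, exclude_uncategorized=False, since=None, until=None):
    """Per-signature event counts with F8'd (NA) events always excluded.

    since/until are datetimes bounding a half-open window (since <= ts < until);
    exclude_uncategorized drops status 0, leaving only analyst-categorized events.
    """
    where = ["status != ?"]
    params = [STATUS_NA]
    if exclude_uncategorized:
        where.append("status != ?")
        params.append(STATUS_UNCATEGORIZED)
    if since is not None:
        where.append("timestamp >= ?")
        params.append(since.strftime(TS_FMT))
    if until is not None:
        where.append("timestamp < ?")
        params.append(until.strftime(TS_FMT))
    sql = ("SELECT COUNT(*) AS cnt, signature, signature_id FROM event "
           f"WHERE {' AND '.join(where)} "
           "GROUP BY signature, signature_id ORDER BY cnt DESC, signature LIMIT ?")
    params.append(limit)
    return [tuple(row) for row in conn.execute(sql, params)]


def categorized_top(conn, limit=20):
    """Same summary restricted to status > 1, the predicate behind a 'categorized only' view."""
    sql = ("SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status > ? "
           "GROUP BY signature, signature_id ORDER BY cnt DESC, signature LIMIT ?")
    return [tuple(row) for row in conn.execute(sql, (STATUS_NA, limit))]


def status_breakdown(conn):
    """Event count per status: queued vs. NA vs. each category."""
    return dict(conn.execute("SELECT status, COUNT(*) FROM event GROUP BY status ORDER BY status"))


def last_hour(conn):
    """Top signatures in the hour before NOW (the window the 'last hour' query intends)."""
    return top_signatures(conn, since=NOW - timedelta(hours=1))


def yesterday(conn, exclude_uncategorized=True):
    """Top signatures for the previous calendar day."""
    today = NOW.replace(hour=0, minute=0, second=0, microsecond=0)
    return top_signatures(conn, exclude_uncategorized=exclude_uncategorized,
                          since=today - timedelta(days=1), until=today)


if __name__ == "__main__":
    db = build_db()
    print("status breakdown:", status_breakdown(db))
    print("top, F8 excluded:", top_signatures(db))
    print("top, F8 and queued excluded:", top_signatures(db, exclude_uncategorized=True))
    print("categorized (status > 1):", categorized_top(db))
    print("last hour:", last_hour(db))
    print("yesterday:", yesterday(db))
```

Note that "status > 1" and "status != 0 AND status != 1" select the same rows, since statuses are non-negative; the first form is the one that fits in a single Squert filter expression. The "last hour" helper anchors the window to the current time rather than to midnight, which is what a "last hour" view means.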

Doug Burks

Feb 14, 2016, 7:08:28 AM
to securit...@googlegroups.com
Hi bugsxor,

Have you tried using a filter to only show the events you want? For
example, to show only uncategorized events in the RealTime queue, go
to the filter bar on the top right and type the following and then
press Enter:
st 0

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

bug...@gmail.com

Feb 14, 2016, 7:17:24 AM
to security-onion
Thanks Wes,
I was looking/hoping for a simpler solution, but not being a SQL guru, those commands are very useful to have!

Thanks again.
B.

bug...@gmail.com

Feb 14, 2016, 7:29:18 AM
to security-onion
Hi Doug,

Thanks much, that works a charm!
Is it possible to see a summary/filter to display ALL the events that are not anymore in the active queue (events that have been categorised)?

This would be especially useful for the summary tab...
The default settings (no filter) show a summary for the active queue.
Being able to see a summary of all the events you have cleared from your queue (queue = 0?) would be great for historical statistics.

Also, I think I saw in another post on your forums that it is not currently possible to have "composed" filters such as "st 17 && st 0"?

Maybe not directly related, but is there a way to put events back in the active queue from Squert after they have been categorised, by "decategorising" them? I saw a previous post where the person was achieving that by running some SQL commands.

Would be great to have a cheat sheet with the different filters that can be applied to squert... :)

Thanks,
Bugs.

Doug Burks

Feb 14, 2016, 1:42:06 PM
to securit...@googlegroups.com
I just created the following Filter which seems to do what you want:

{
"alias": "cat",
"name": "Categorized",
"notes": "None.",
"filter": "(event.status > '1')"
}

For more information, please see Help (?) on the Filters window.

bug...@gmail.com

Feb 14, 2016, 4:44:45 PM
to security-onion
Thanks Doug for the info.
Although it did not work for me, I will play around with this now that I have a great starting point (your example and... embarrassingly... a Help link right in Squert! :)
FYI, I have 284 queued events, 15 malicious, 7 no action required.
When I copy and paste your filter into the Squert filter field and press Enter... everything disappears and no events are displayed.
I also tried just to enter "filter": "(event.status > '1')"
or just
"name": "Categorized"
and nothing comes up either.

Just need to play around more!

Bye for now and thanks again.
Bugs.

Doug Burks

Feb 14, 2016, 9:45:00 PM
to securit...@googlegroups.com
Have you tried the following?

- click the Filters button

- click the + sign to add a new filter

- click the "New" hyperlink to edit the new filter

- paste the following:

{
"alias": "cat",
"name": "Categorized",
"notes": "None.",
"filter": "(event.status > '1')"
}

- click the Update button

- close the Filters window

- on the left side, change "queue only" from "on" to "off"

- on the right side, type "cat" (without the quotes) into the Filters
bar and press Enter

bug...@gmail.com

Feb 15, 2016, 9:37:09 AM
to security-onion
Perfect! It works! This is so useful, being able to create your own filter!
Thanks much for this.
Bugs.