Wednesday, March 21, 2007

Sguil tricks: mass categorization of events through database queries


If you don't want to categorize events one by one (or aggregate by aggregate) in the sguil client, you can manipulate the database directly. This is useful when you have tens or hundreds of thousands of useless alerts. My personal best is 1.6 million.

The first step is to stop sguild. It assumes it is the only thing acting on the database at a given time, and it will get confused if you change event status underneath it while it is running.

Then you run an SQL update as in the following example (the database is MySQL, which is what sguild stores its events in):

update event
set status = 16                     -- desired code (see the list below)
where status = 0                    -- current code; 0 is a real-time (uncategorized) event, the usual case for this task
and signature = 'ICMP PING NMAP'    -- any condition that selects the junk
limit 100000;                       -- caps the rows changed by one run, not the number of runs; re-run until nothing matches

The status codes are a little tricky - I read the source of the sguil client to dig up the following:

"Cat I: Unauthorized Root Access" 11

"Cat II: Unauthorized User Access" 12

"Cat III: Attempted Unauthorized Access" 13

"Cat IV: Successful Denial of Service Attack" 14

"Cat V: Poor Security Practice or Policy Violation" 15

"Cat VI: Reconnaissance/Probes/Scans" 16

"Cat VII: Virus Infection" 17


So if you want to categorize a real-time event (status currently 0) as Cat VII, the query fragment is

update event set status = 17 where status = 0 and ....

I use a different system. I'm not interested in taxonomy, I'm interested in tasks. That is, do I have to deal with this or not? I am the remediator, if remediation is to be done, so I don't need to record the type of incident; I already know that. I also won't run down every event, but I don't want to lie when I dismiss something without a conclusive investigation. So I have two categories for honest punts. This way they won't get buried in the False Positive sections.

My system is:

Cat I: False Positive - no action required. set status = 11

Cat II: False Positive - action required (tune the rule, suppress the alert, or mitigate the condition, i.e. reconfigure the noisy host). set status = 12

Cat III: True Positive - no action required (e.g. a harmless worm attacking a patched host). set status = 13

Cat IV: True Positive - action required (possibly should be escalated with F9 instead). set status = 14

Cat V: Not sure, not worried (punt). set status = 15

Cat VI: Not sure, worried (punt). set status = 16

Do not set status = 2 - that's escalated! Escalated events are loaded into the sguil client (the Escalated Events tab), so tens of thousands of them will slow it down badly.
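The whole procedure for one noisy signature, written out as an added example that is not from the original post. It targets the MySQL database sguild uses and only relies on the event table's status and signature columns named above; the timestamp column used for the age cut-off, the signature string and the batch size are assumptions you should adjust to your own setup. The status code used is 16 (Cat VI, Reconnaissance/Probes/Scans), which is what a ping sweep is under sguil's taxonomy; under the task-based scheme above you would use 11 or 15 instead, and the post's Cat VII example is the same statement with 17. Run it only after sguild is stopped, and keep a backup of the event table first: depending on the storage engine there may be no rollback for an UPDATE that matched more than you meant.

```sql
-- Added example (not from the original post). Assumes MySQL, the sguil
-- `event` table with `status` and `signature` columns as described above,
-- and a `timestamp` DATETIME column (an assumption about your schema).

-- 1. Look before you leap: count exactly what the WHERE clause will touch.
--    The signature and the age cut-off are illustrative; tune both.
SELECT COUNT(*) AS to_categorize
FROM event
WHERE status = 0                          -- real-time, i.e. not yet categorized
  AND signature = 'ICMP PING NMAP'
  AND `timestamp` < NOW() - INTERVAL 1 DAY; -- leave today's events for the analyst

-- 2. Eyeball a sample of the selection before changing anything. If something
--    other than the expected junk shows up, tighten the WHERE clause rather
--    than live with a mass mis-categorization.
SELECT `timestamp`, signature, status
FROM event
WHERE status = 0
  AND signature = 'ICMP PING NMAP'
  AND `timestamp` < NOW() - INTERVAL 1 DAY
ORDER BY `timestamp`
LIMIT 20;

-- 3. Categorize in batches. LIMIT caps the rows changed by this statement,
--    not the number of runs: re-issue it until the client reports
--    "0 rows affected" (or ROW_COUNT() returns 0).
UPDATE event
SET status = 16                           -- Cat VI: Reconnaissance/Probes/Scans
WHERE status = 0
  AND signature = 'ICMP PING NMAP'
  AND `timestamp` < NOW() - INTERVAL 1 DAY
LIMIT 10000;

SELECT ROW_COUNT() AS changed_this_batch;

-- 4. Confirm the outcome: nothing matching is left at status 0 beyond the
--    cut-off, and nothing landed in status 2 (escalated) by mistake.
SELECT status, COUNT(*) AS n
FROM event
WHERE signature = 'ICMP PING NMAP'
GROUP BY status;
```

Once the final count shows only the intended status (and no stragglers at 2), start sguild again. Doing the SELECTs first costs a few seconds and is the only thing standing between you and 1.6 million events filed under the wrong category.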

1 Comment:

Blogger Barbara Godin said...

I have found that, in my life search for an understanding of what it means for one individual to be deemed "more intelligent" than another, most certainly there are people who have dramatically different interpretations of what would be considered "smart" than I might.
As a matter of fact, I've found that an overwhelming majority of the time - as much as 99.99% of the time - my opinion is outweighed by the "common" opinion and/or perception.

Threat analysis might best be considered in the same context. It's not so much the person with the sword, it's whether the person with the sword is running towards *you* and whether you have good reason to believe they're going to try to harm you/yours or are interceding against a threat being raised against you.

I wish I were as smart as people the government trusted to do deep analysis of the events leading up to and following 9/11...

2:36 AM  
