Mass Categorization of Events Through Database Queries
From NSMWiki
If you don't want to categorize events one by one (or aggregate by aggregate) via the sguil client, you can manipulate the database directly. This is useful if you have tens or hundreds of thousands of useless alerts. My personal best is 1.6 million.
The first step is to stop sguild. It prefers to think it's the only thing acting on the database at any given time, and will get confused if you alter the database while it is running.
Then run an SQL query of the following form:
update event set status = (desired code) where status = (current code, usually 0 for this kind of task) and (condition, e.g. signature = 'ICMP PING NMAP') limit (cap on the number of rows to update);
Here's an example of a typical mass update:
update event set status = 1 where status = 0 and signature = 'ICMP PING NMAP' and inet_ntoa(src_ip) = '10.1.1.43' limit 4000;
The status codes are a little tricky; I read the source of the sguil client to dig up the following:
F8 "Monkey" (just delete the alert) - status = 1
"Cat I: Unauthorized Root Access" - status = 11
"Cat II: Unauthorized User Access" - status = 12
"Cat III: Attempted Unauthorized Access" - status = 13
"Cat IV: Successful Denial of Service Attack" - status = 14
"Cat V: Poor Security Practice or Policy Violation" - status = 15
"Cat VI: Reconnaissance/Probes/Scans" - status = 16
"Cat VII: Virus Infection" - status = 17
So if you want to categorize a real-time event (status currently 0) as Cat VII, the query fragment is
update event set status = 17 where status = 0 and ....
I use a different system. I'm not interested in taxonomy, I'm interested in tasks: do I have to deal with this or not? I am the remediator, if remediation is to be done, so I don't need to capture the type of incident; I KNOW that. I also won't run down every event, but I don't want to lie when I dismiss something without a conclusive investigation, so I have two categories for honest punts. This way they won't get buried in the False Positive sections.
My system is:
Cat 1: False Positive - no action required: update event set status = 11
Cat 2: False Positive - action required (tune rule, suppress alert, mitigate condition, i.e. reconfigure a noisy host): set status = 12
Cat 3: True Positive - no action required (e.g. harmless worm attacking a patched host): set status = 13
Cat 4: True Positive - action required (possibly should escalate with F9): set status = 14
Cat 5: Not sure, not worried (punt): set status = 15
Cat 6: Not sure, worried (punt): set status = 16
Do not set status = 2: that's escalate! Escalated events get loaded into the sguil client, slowing things down.
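The following MySQL session is an added example, not code from the NSMWiki page or from the Sguil project. It walks through the stop-sguild-then-update procedure described above using the author's own Cat 1 to Cat 6 status codes, and adds the two checks a practitioner would want: a preview count before the update, and a per-status audit afterwards to confirm nothing landed in status 2. It assumes the stock sguil schema (an `event` table with `status`, `signature` and `src_ip`, the latter stored as an unsigned integer so that `INET_ATON()` on the literal is the indexable comparison) and the default database name `sguildb`; the host 10.1.1.43 and the uninvestigated signature are constructed sample values.

```sql
-- Added example (not from the NSMWiki page or Sguil itself). Run with sguild
-- stopped, as the page says. Assumes the standard sguil schema and the
-- default database name; adjust USE to match your sguil.conf.
USE sguildb;

-- 1. Preview: count what the update would touch before touching anything.
--    Comparing src_ip to INET_ATON('...') rather than wrapping the column in
--    INET_NTOA() lets MySQL use an index on src_ip; the result is the same.
SELECT COUNT(*) AS would_update
FROM event
WHERE status = 0
  AND signature = 'ICMP PING NMAP'
  AND src_ip = INET_ATON('10.1.1.43');          -- constructed sample host

-- 2. Mass-categorize in bounded batches. Because the WHERE clause requires
--    status = 0, re-running the statement is safe: rows already moved to 11
--    are not matched again. Repeat until MySQL reports "Rows matched: 0".
UPDATE event
SET status = 11               -- author's Cat 1: false positive, no action required
WHERE status = 0
  AND signature = 'ICMP PING NMAP'
  AND src_ip = INET_ATON('10.1.1.43')
LIMIT 4000;

-- 3. An honest punt (author's Cat 6: not sure, worried) for a signature that
--    was not run down, so it stays out of the false-positive buckets.
UPDATE event
SET status = 16
WHERE status = 0
  AND signature = 'EXAMPLE noisy signature not yet investigated'  -- constructed
LIMIT 4000;

-- 4. Audit: per-status counts with the author's labels. Status 2 is the
--    escalation queue the page warns about; after a mass update it should
--    not have grown.
SELECT status,
       CASE status
         WHEN 0  THEN 'real time (uncategorized)'
         WHEN 1  THEN 'F8 / deleted'
         WHEN 2  THEN 'ESCALATED - check this did not grow'
         WHEN 11 THEN 'Cat 1 FP, no action'
         WHEN 12 THEN 'Cat 2 FP, action required'
         WHEN 13 THEN 'Cat 3 TP, no action'
         WHEN 14 THEN 'Cat 4 TP, action required'
         WHEN 15 THEN 'Cat 5 punt, not worried'
         WHEN 16 THEN 'Cat 6 punt, worried'
         ELSE 'other'
       END AS label,
       COUNT(*) AS n
FROM event
GROUP BY status
ORDER BY status;
```

Run step 4 once before step 2 as well; the difference between the two audits should equal the sum of the "Rows matched" counts from the UPDATEs, which is a cheap way to catch a WHERE clause that matched more than you intended before you restart sguild.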

