Eclipse BIRT Designer Version 2.1.2.v20070205-1728 Build <20070205-1728> in The starting date for the report. Can be an actual date/time, or a SQL expression static string Start Date true false text-box Unformatted The ending date for the report. Can be an actual date/time, or a SQL expression static string End Date true false text-box Unformatted Comma-separated list of perimeter sensor IDs static string List of perimeter sensor sids false text-box Unformatted com.mysql.jdbc.Driver jdbc:mysql://your.mysql.host/sguildb sguil description switch(row["status"]) { case 0: row["description"] = "Uncategorized"; break; case 1: row["description"] = "No Action Necessary (Cat VIII)"; break; case 2: row["description"] = "Escalated Event"; break; case 11: row["description"] = "Successful Admin Compromise (Cat I)"; break; case 12: row["description"] = "Successful User Compromise (Cat II)"; break; case 13: row["description"] = "Unsuccessful Attempted Compromise (Cat III)"; break; case 14: row["description"] = "Successful DoS (Cat IV)"; break; case 15: row["description"] = "Policy Violation or Poor Security Practice (Cat V)"; break; case 16: row["description"] = "Reconnaissance, Probes & Scans (Cat VI)"; break; case 17: row["description"] = "Virus and Malware Activity (Cat VII)"; break; default: row["description"] = "Unknown status! This should never happen."; break; } string 1 status integer 2 cnt decimal 3 description string SguilDB -1 dst_start_date Start Date string 12 1 true false dst_end_date End Date string 12 2 true false 1 status status integer 5 2 cnt cnt decimal -5 select status, count(*) as cnt from event where last_modified between ? and ? and status != 0 group by status order by cnt DESC 1.0 In 1 12 Unknown Start Date The starting date for the report. Can be an actual date/time, or a SQL expression true false TextField In 2 12 Unknown End Date The ending date for the report. 
Can be an actual date/time, or a SQL expression true false TextField status 1 5 5 0 Nullable status 5 cnt 2 -5 21 0 NotNullable cnt 21 ]]> ratio row["dsts"] / row["ports"] float src Source IP dsts # Hosts ports # Ports 1 src string 2 dsts decimal 3 ports decimal 4 ratio float SguilDB -1 dsp_start_date Start Date any 1 "DATE_SUB(DATE(NOW()), INTERVAL 1 DAY)" true false dsp_end_date End Date any 2 "DATE(NOW())" true false 1 src src string 12 2 dsts dsts decimal -5 3 ports ports decimal -5 select INET_NTOA(src_ip) as src, count(distinct dst_ip) as dsts, count(distinct dst_port) as ports from sancp where start_time between ? and ? and dst_bytes = 0 and ip_proto in (6,17) and ((src_ip between INET_ATON('192.168.1.0') and INET_ATON('192.168.1.255')) and (dst_ip between INET_ATON('192.168.1.0') and INET_ATON('192.168.1.255')) ) group by src_ip having ports > 0 1.0 src 1 12 31 0 Nullable src 31 dsts 2 -5 21 0 NotNullable dsts 21 ports 3 -5 21 0 NotNullable ports 21 ]]> src Address dsts # Hosts 1 src string 2 dsts decimal SguilDB -1 dst_start_date Start Date string 12 1 true dst_end_date End Date string 12 2 true 1 src src string 12 2 dsts dsts decimal -5 select INET_NTOA(src_ip) as src, count(distinct dst_ip) as dsts from sancp where (src_ip between INET_ATON('192.168.1.0') and INET_ATON('192.168.1.255')) and ip_proto = 1 and start_time between ? and ? group by src_ip order by dsts DESC limit 10 1.0 In 1 12 Unknown Start Date The starting date for the report. Can be an actual date/time, or a SQL expression 2007-03-27 00:00:00 false false TextField In 2 12 Unknown End Date The ending date for the report. 
Can be an actual date/time, or a SQL expression 2007-03-28 00:00:00 false false TextField src 1 12 31 0 Nullable src 31 dsts 2 -5 21 0 NotNullable dsts 21 ]]> 1 src string 2 dsts decimal 3 megs decimal SguilDB -1 dst_start_date Start Date any 1 true false dst_end_date End Date any 2 true false dst_perimeter_sensors Perimeter Sensors string 12 3 true 1 src src string 12 2 dsts dsts decimal -5 3 megs megs decimal 3 select INET_NTOA(src_ip) as src, count(distinct dst_ip) as dsts, sum(src_bytes) / (1024 * 1024) as megs from sancp where start_time between ? and ? and sid in (?) and ((src_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255"))) and not (dst_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255")) group by src 1.0 In 3 12 Unknown List of perimeter sensor sids Comma-separated list of perimeter sensor IDs true false TextField src 1 12 31 0 Nullable src 31 dsts 2 -5 21 0 NotNullable dsts 21 megs 3 3 37 4 Nullable megs 39 ]]> 1 dst string 2 srcs decimal 3 megs decimal SguilDB -1 dst_start_date Start Date any 1 true false dst_end_date End Date any 2 true false dst_perimeter_sensors Perimeter Sensors string 12 3 true 1 dst dst string 12 2 srcs srcs decimal -5 3 megs megs decimal 3 select INET_NTOA(dst_ip) as dst, count(distinct src_ip) as srcs, sum(src_bytes) / (1024 * 1024) as megs from sancp where start_time between ? and ? and sid in (?) 
and ( (src_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255")) and not (dst_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255")) ) group by dst_ip 1.0 In 3 12 Unknown List of perimeter sensor sids Comma-separated list of perimeter sensor IDs true false TextField src 1 12 31 0 Nullable src 31 dsts 2 -5 21 0 NotNullable dsts 21 megs 3 3 37 4 Nullable megs 39 ]]> hostname java.net.InetAddress.getByName(row["dst"]).getHostName() any 1 dst string 2 srcs decimal 3 megs decimal 4 hostname any SguilDB -1 dst_start_date Start Date any 1 true false dst_end_date End Date any 2 true false dst_perimeter_sensors Perimeter Sensors string 12 3 true 1 dst dst string 12 2 srcs srcs decimal -5 3 megs megs decimal 3 select INET_NTOA(dst_ip) as dst, count(distinct src_ip) as srcs, sum(src_bytes + dst_bytes) / (1024 * 1024) as megs from sancp where start_time between ? and ? and sid in (?) and not (src_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255")) and (dst_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255")) group by dst_ip order by srcs DESC limit 10 1.0 In 3 12 Unknown List of perimeter sensor sids Comma-separated list of perimeter sensor IDs true false TextField src 1 12 31 0 Nullable src 31 dsts 2 -5 21 0 NotNullable dsts 21 megs 3 3 37 4 Nullable megs 39 ]]> 1 src string 2 dst string 3 ip_proto integer 4 sbytes decimal 5 dbytes decimal SguilDB -1 dst_start_date Start Date string 12 1 true false dst_end_date End Date string 12 2 true 1 src src string 12 2 dst dst string 12 3 ip_proto ip_proto integer -6 4 sbytes sbytes decimal 3 5 dbytes dbytes decimal 3 select INET_NTOA(src_ip) as src, INET_NTOA(dst_ip) as dst, ip_proto, sum(src_bytes) as sbytes, sum(dst_bytes) as dbytes from sancp where (start_time between ? and ?) and not(ip_proto in (1,6,17)) and not (src_ip = 0 and dst_ip = 0) group by src, dst, ip_proto 1.0 In 1 12 Unknown Start Date The starting date for the report. 
Can be an actual date/time, or a SQL expression 2007-03-27 00:00:00 false false TextField In 2 12 Unknown End Date The ending date for the report. Can be an actual date/time, or a SQL expression 2007-03-28 00:00:00 false false TextField src 1 12 31 0 Nullable src 31 dst 2 12 31 0 Nullable dst 31 ip_proto 3 -6 3 0 NotNullable ip_proto 3 sbytes 4 3 33 0 Nullable sbytes 34 dbytes 5 3 33 0 Nullable dbytes 34 ]]> 1 dst_port integer 2 traffic_to_site decimal 3 traffic_from_site decimal 4 total_traffic decimal SguilDB -1 dst_start_date1 Start Date any 1 true false dst_end_date1 End Date any 2 true false dst_perimeter_sensors1 Perimeter Sensors string 12 3 true dst_start_date2 Start Date any 4 true false dst_end_date2 End Date any 5 true false dst_perimeter_sensors2 Perimeter Sensors string 12 6 true 1 dst_port dst_port integer 5 2 traffic_to_site traffic_to_site decimal 3 3 traffic_from_site traffic_from_site decimal 3 4 total_traffic total_traffic decimal 3 select dst_port, sum(to_site) / (1024 * 1024) as traffic_to_site, sum(from_site) / (1024 * 1024) as traffic_from_site, sum(to_site + from_site) / (1024 * 1024) as total_traffic from ( select dst_port, src_bytes as from_site, dst_bytes as to_site from sancp where (start_time between ? and ?) and sid in (?) and ( (src_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255")) and not (dst_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255")) ) UNION ALL select dst_port, dst_bytes as from_site, src_bytes as to_site from sancp where (start_time between ? and ?) and sid in (?) and ( not (src_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255")) and (dst_ip between INET_ATON("192.168.1.0") and INET_ATON("192.168.1.255")) ) ) as temp_table group by dst_port order by total_traffic desc limit 10 1.0 In 5 Unknown End Date The ending date for the report. 
Can be an actual date/time, or a SQL expression true false TextField In 6 12 Unknown List of perimeter sensor sids Comma-separated list of perimeter sensor IDs true false TextField ]]> 1 ip_proto integer 2 cnt decimal SguilDB -1 dst_start_date Start Date string 12 1 true dst_end_date End Date string 12 2 true 1 ip_proto ip_proto integer -6 2 cnt cnt decimal -5 select ip_proto, count(*) as cnt from sancp where (start_time between ? and ?) and not (src_ip = 0 and dst_ip = 0) group by ip_proto order by cnt DESC 1.0 In 1 12 Unknown Start Date The starting date for the report. Can be an actual date/time, or a SQL expression 2007-03-27 00:00:00 false false TextField In 2 12 Unknown End Date The ending date for the report. Can be an actual date/time, or a SQL expression 2007-03-28 00:00:00 false false TextField ip_proto 1 -6 3 0 NotNullable ip_proto 3 cnt 2 -5 21 0 NotNullable cnt 21 ]]> 1 signature string 2 cnt decimal SguilDB -1 dst_start_date Start Date string 12 1 true dst_end_date End Date string 12 2 true 1 signature signature string 12 2 cnt cnt decimal -5 select signature, count(*) as cnt from event where timestamp between ? and ? group by signature order by cnt desc limit 10 1.0 In 1 12 Unknown Start Date The starting date for the report. Can be an actual date/time, or a SQL expression true false TextField In 2 12 Unknown End Date The ending date for the report. Can be an actual date/time, or a SQL expression true false TextField signature 1 12 255 0 NotNullable signature 255 cnt 2 -5 21 0 NotNullable cnt 21 ]]> hostname java.net.InetAddress.getByName(row["src"]).getHostName() any 1 src string 2 cnt decimal 3 hostname any SguilDB -1 dst_start_date Start Date string 12 1 true dst_end_date End Date string 12 2 true 1 src src string 12 2 cnt cnt decimal -5 select INET_NTOA(src_ip) as src, count(*) as cnt from event where timestamp between ? and ? group by src_ip order by cnt desc limit 10 1.0 In 1 12 Unknown Start Date The starting date for the report. 
Can be an actual date/time, or a SQL expression true false TextField In 2 12 Unknown End Date The ending date for the report. Can be an actual date/time, or a SQL expression true false TextField INET_NTOA(src_ip) 1 12 31 0 Nullable INET_NTOA(src_ip) 31 cnt 2 -5 21 0 NotNullable cnt 21 ]]> hostname java.net.InetAddress.getByName(row["dst"]).getHostName() any 1 dst string 2 cnt decimal 3 hostname any SguilDB -1 dst_start_date Start Date string 12 1 true dst_end_date End Date string 12 2 true 1 dst dst string 12 2 cnt cnt decimal -5 select INET_NTOA(dst_ip) as dst, count(*) as cnt from event where timestamp between ? and ? group by dst order by cnt desc limit 10 1.0 In 1 12 Unknown Start Date The starting date for the report. Can be an actual date/time, or a SQL expression true false TextField In 2 12 Unknown End Date The ending date for the report. Can be an actual date/time, or a SQL expression true false TextField INET_NTOA(src_ip) 1 12 31 0 Nullable INET_NTOA(src_ip) 31 cnt 2 -5 21 0 NotNullable cnt 21 ]]> landscape 0.75in 0.75in 100% 0.7474747475in 3.4141414141in 5.2323232323in 28px 65px embed sguil_logo_h.png Header medium Reporting Period "Reporting Period: " + params["Start Date"] + " - " + params["End Date"] any Reporting Period html Report generated on new Date()]]> 0.3535353535in 5.898989899in 0.7373737374in 1.9797979798in 3.1818181818in 0.3535353535in 28px 63px embed sguil_logo_h.png Header medium Reporting Period "Reporting Period: " + params["Start Date"] + " - " + params["End Date"] any Reporting Period html new Date()]]> Landscape Master auto 8.4747474747in 8.6262626263in "Alerts & Alert Categories" 8.6262626263in auto 4.0404040404in 8.5050505051in "Alerts Categorized During Report Period" 8.5050505051in 3.5656565657in 3.5050505051in8.4343434343inCategories description dataSetRow["description"] string cnt dataSetRow["cnt"] decimal 4.3131313131in 4.1212121212in
2.8888888889in 4.2626262626in status dataSetRow["status"] integer cnt_1 dataSetRow["cnt"] decimal description_1 dataSetRow["description"] string Pie Chart Standard Pie Chart 0.0 0.0 0.0 0.0 3.0 3.0 3.0 3.0 -1 -1 -1 -1 1 255 0 0 0 false true
0 255 255 255 1 255 0 0 0 0.0 2.0 0.0 3.0 true 0.0 0.0 0.0 0.0 3.0 3.0 3.0 3.0 -1 -1 -1 -1 1 255 0 0 0 false true 5 5 0 255 0 0 0 false 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.0 3.0 3.0 3.0 -1 -1 -1 -1 1 255 0 0 0 false true 0 255 0 0 0 false 2.0 2.0 2.0 2.0 9.0 Vertical Top_Bottom 1 255 0 0 0 true Right Categories <Caption> <Value></Value> <Font> <Alignment/> </Font> </Caption> <Background xsi:type="attribute:ColorDefinition"> <Transparency>0</Transparency> <Red>255</Red> <Green>255</Green> <Blue>255</Blue> </Background> <Outline> <Style>Solid</Style> <Thickness>1</Thickness> <Color> <Transparency>255</Transparency> <Red>0</Red> <Green>0</Green> <Blue>0</Blue> </Color> <Visible>false</Visible> </Outline> <Insets> <Top>0.0</Top> <Left>2.0</Left> <Bottom>0.0</Bottom> <Right>3.0</Right> </Insets> <Visible>false</Visible> Above 100.0 0.0 0.0 306.1818181818182 208.0 3.0 3.0 3.0 3.0 -1-1-1-1 1 255 0 0 0 false 255 255 255 255 trueTwo_Dimensional_With_DepthPoints10.01 'A','B','C' 5,4,12 0 false None 255 80 166 218 255 242 88 106 255 232 172 57 255 128 255 128 255 64 128 128 255 128 128 192 255 170 85 85 255 128 128 0 255 80 166 218 255 242 88 106 255 232 172 57 255 128 255 128 255 64 128 128 255 128 128 192 255 170 85 85 255 128 128 0 true 0 255 255 255 1 255 0 0 0 false 0.0 2.0 0.0 3.0 true row["cnt_1"] Orthogonal_Value , Outsidefalse10 <Caption> <Value></Value> <Font> <Size>16.0</Size> <Bold>true</Bold> <Alignment/> </Font> </Caption> <Background xsi:type="attribute:ColorDefinition"> <Transparency>0</Transparency> <Red>255</Red> <Green>255</Green> <Blue>255</Blue> </Background> <Outline> <Style>Solid</Style> <Thickness>1</Thickness> <Color> <Transparency>255</Transparency> <Red>0</Red> <Green>0</Green> <Blue>0</Blue> </Color> </Outline> <Insets> <Top>0.0</Top> <Left>2.0</Left> <Bottom>0.0</Bottom> <Right>3.0</Right> </Insets> <Visible>true</Visible> Below 1 255 0 0 0 true Stretch_To_Side40.0 false 2 Text Sum Ascending true 0 255 255 255 1 255 0 0 0 false 0.0 2.0 0.0 3.0 false 
row["description_1"] Orthogonal_Value , Outsidefalse
Alert Categorizations 16.0 true Center Center