[Snort-users] Counting Keystrokes of Sguil Users

Dixon, Cheryl CTR Cheryl.A.Dixon1 at ...15690...
Thu Jun 28 16:04:37 EDT 2012


Is there a way to count the number of times a Sguil user clicked the F8 button to change an alert's status from 'uncategorized' to 'No Further Action Required'?   

I know how to count the number of records that were changed in the manner mentioned above using the event and status tables in a query where 'status.status_id=...'  in a SQL SELECT statement.  But that counts the number of times the event(s) went to an F8 status (for example, within an 8 hour period), etc.   

What I want to know is if there is a way to determine within (for example) the same 8 hour period, how many times a Sguil user clicked the F8 key to flag a new event for a status change of F8 ('No Further Action Required')?

If so, what Sguil databases and tables can be queried?  Where are they located within the software?

Thanks.  Any help is greatly appreciated.

Cheryl Dixon
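As an added example, not part of the original thread or of the Sguil project's own documentation, the MySQL queries below separate the two counts the post asks about: rows moved to the F8 category versus an approximation of how many times F8 was pressed. They assume Sguil's `event` table has `status`, `last_modified` and `last_uid` columns, that `user_info` maps `uid` to `username`, and that `status` holds `status_id` and `long_desc`; those column names, the 8 hour window, and the `<NFA_STATUS_ID>` placeholder are assumptions to verify against your own `create_sguildb.sql`, since the post does not give the status_id.

```sql
-- Added example; not from the original post or the Sguil project.
-- Assumed schema (check against your install's create_sguildb.sql):
--   event(sid, cid, status, last_modified DATETIME, last_uid, ...)
--   status(status_id, description, long_desc)
--   user_info(uid, username, ...)
-- <NFA_STATUS_ID> is a placeholder for the status_id of
-- 'No Further Action Required'; query 1 looks it up.

-- 1. Find the status_id used for the F8 category in this database.
SELECT status_id, description, long_desc
FROM status
WHERE long_desc LIKE '%No Further Action%';

-- 2. Events (rows) currently in that status, changed by each user
--    inside a constructed 8 hour window. This is the count the
--    post already has: one row per alert, not one per keystroke.
SELECT ui.username,
       COUNT(*) AS events_changed
FROM event e
JOIN user_info ui ON ui.uid = e.last_uid
WHERE e.status = <NFA_STATUS_ID>
  AND e.last_modified >= '2012-06-28 08:00:00'
  AND e.last_modified <  '2012-06-28 16:00:00'
GROUP BY ui.username;

-- 3. Approximate keystrokes. Assumption: one F8 press applied to a
--    multi-row selection stamps every selected alert with the same
--    last_uid and the same last_modified value, so the number of
--    distinct (user, timestamp) pairs approximates the number of
--    presses, while COUNT(*) stays the number of alerts touched.
SELECT ui.username,
       COUNT(DISTINCT e.last_modified) AS approx_f8_presses,
       COUNT(*)                        AS events_changed
FROM event e
JOIN user_info ui ON ui.uid = e.last_uid
WHERE e.status = <NFA_STATUS_ID>
  AND e.last_modified >= '2012-06-28 08:00:00'
  AND e.last_modified <  '2012-06-28 16:00:00'
GROUP BY ui.username;
```

Two caveats on query 3: two separate presses that land in the same second collapse into one, and because `event` only stores the current status, an alert later moved to another category no longer appears in the F8 count at all. If the deployment keeps a per-change history table, running the same grouping over that table gives a more faithful count than the `event` table can.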
