[Snort-users] Counting Keystrokes of Sguil Users

Bamm Visscher bamm.visscher at ...11827...
Thu Jun 28 17:40:11 EDT 2012


Use the history table from the mysql command line.

SELECT COUNT(*) FROM history, user_info WHERE
user_info.uid=history.uid AND user_info.username='bamm' AND
history.status=1 AND timestamp > '2012-06-28';

That would give you the number of events that were f8'd on the 28th by
bamm. The only catch is that you could hit f8 once and cat 1000+
events. You could DISTINCT the timestamp to get the actual number of
times f8 was hit.

Bamm

On Thu, Jun 28, 2012 at 4:04 PM, Dixon, Cheryl CTR
<Cheryl.A.Dixon1 at ...15690...> wrote:
> Hi:
>
> Is there a way to count the number of times a Sguil user clicked the F8 button to change an alert's status from 'uncategorized' to 'No Further Action Required'?
>
> I know how to count the number of records that were changed in the manner mentioned above using the event and status tables in a query where 'status.status_id=...'  in a SQL SELECT statement.  But that counts the number of times the event(s) went to an F8 status (for example, within an 8 hour period), etc.
>
> What I want to know is if there is a way to determine within (for example) the same 8 hour period, how many times a Sguil user clicked the F8 key to flag a new event for a status change of F8 ('No Further Action Required')?
>
> If so what Sguil databases and tables can be queried?  Where are they located within the software?
>
>
> Thanks.  Any help is greatly appreciated.
>
> Cheryl Dixon



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
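The DISTINCT variant Bamm suggests, worked through on constructed sample data, and extended to Cheryl's per-shift question by grouping presses per analyst inside an 8-hour window. This is an added example, not code from the thread; the two tables are minimal stand-ins for Sguil's history and user_info tables with only the columns the queries need.

```sql
-- Constructed minimal stand-ins for Sguil's history and user_info tables
-- (only the columns the queries need, not the full Sguil schema).
CREATE TABLE user_info (uid INTEGER PRIMARY KEY, username VARCHAR(16));
CREATE TABLE history (
  hid       INTEGER PRIMARY KEY,
  uid       INTEGER,
  timestamp DATETIME,
  status    INTEGER        -- 1 = 'No Further Action Required' (F8)
);

INSERT INTO user_info VALUES (1, 'bamm'), (2, 'cheryl');

-- Constructed sample: bamm pressed F8 twice on the 28th. The first press
-- cleared three events at once (same timestamp), the second a single event.
INSERT INTO history VALUES
  (1, 1, '2012-06-28 09:00:00', 1),
  (2, 1, '2012-06-28 09:00:00', 1),
  (3, 1, '2012-06-28 09:00:00', 1),
  (4, 1, '2012-06-28 15:30:00', 1),
  (5, 2, '2012-06-28 10:00:00', 1),  -- cheryl, one press
  (6, 1, '2012-06-27 23:59:00', 1);  -- bamm, previous day, outside the window

-- Events f8'd by bamm on the 28th (one row per event, as in Bamm's query).
-- Bounding with both >= and < keeps later days out; a bare > would not.
SELECT COUNT(*) AS events
FROM history JOIN user_info ON user_info.uid = history.uid
WHERE user_info.username = 'bamm'
  AND history.status = 1
  AND history.timestamp >= '2012-06-28 00:00:00'
  AND history.timestamp <  '2012-06-29 00:00:00';

-- Number of F8 presses: one press writes the same timestamp to every event
-- it touched, so counting distinct timestamps approximates presses.
-- Caveat: two presses within the same second collapse into one.
SELECT COUNT(DISTINCT history.timestamp) AS presses
FROM history JOIN user_info ON user_info.uid = history.uid
WHERE user_info.username = 'bamm'
  AND history.status = 1
  AND history.timestamp >= '2012-06-28 00:00:00'
  AND history.timestamp <  '2012-06-29 00:00:00';

-- Presses per analyst within an 8-hour shift (08:00 to 16:00 on the 28th).
SELECT user_info.username, COUNT(DISTINCT history.timestamp) AS presses
FROM history JOIN user_info ON user_info.uid = history.uid
WHERE history.status = 1
  AND history.timestamp >= '2012-06-28 08:00:00'
  AND history.timestamp <  '2012-06-28 16:00:00'
GROUP BY user_info.username;
```

On this sample the first query counts 4 events, the second 2 presses, and the third returns one row per analyst (bamm 2, cheryl 1); the statements run unchanged on MySQL or SQLite.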
