Snort mailing list archives
Re: Counting Keystrokes of Sguil Users
From: Bamm Visscher <bamm.visscher () gmail com>
Date: Thu, 28 Jun 2012 17:40:11 -0400
Use the history table from the mysql command line.

SELECT COUNT(*) FROM history, user_info WHERE user_info.uid=history.uid AND user_info.username='bamm' AND history.status=1 AND timestamp > '2012-06-28';

That would give you the number of events that were F8'd on the 28th by bamm. The only catch is that you could hit F8 once and cat 1000+ events. You could DISTINCT the timestamp to get the actual number of times F8 was hit.

Bamm

On Thu, Jun 28, 2012 at 4:04 PM, Dixon, Cheryl CTR <Cheryl.A.Dixon1 () uscg mil> wrote:
Hi:

Is there a way to count the number of times a Sguil user clicked the F8 button to change an alert's status from 'uncategorized' to 'No Further Action Required'?

I know how to count the number of records that were changed in the manner mentioned above using the event and status tables in a query where 'status.status_id=...' in a SQL SELECT statement. But that counts the number of times the event(s) went to an F8 status (for example, within an 8 hour period), etc.

What I want to know is if there is a way to determine, within (for example) the same 8 hour period, how many times a Sguil user clicked the F8 key to flag a new event for a status change of F8 ('No Further Action Required'). If so, what Sguil databases and tables can be queried? Where are they located within the software?

Thanks. Any help is greatly appreciated.

Cheryl Dixon

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
sguil - The Analyst Console for NSM
http://sguil.sf.net
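The reply above gives one query for "events set to NA" and hints at a second (DISTINCT on timestamp) for "times F8 was pressed". The example below is added here to show both side by side, plus a per-press breakdown; it is not code from the thread or from the Sguil project. It uses Python's sqlite3 as a stand-in for MySQL so it runs offline, and it loads constructed rows, not real Sguil data. The table and column names (history.sid, cid, uid, timestamp, status, comment; user_info.uid, username) are an assumption based on Sguil's schema, and status 2 is assumed to be some category other than NA; verify both against your own database before relying on the query. It also bounds the window on both sides, which is what the original question (an 8 hour period) actually asks for.

```python
import sqlite3

# Status code Sguil records for "No Further Action Required" (the F8 key),
# as used in the query from the thread.
STATUS_NA = 1

# Minimal stand-in for the two Sguil tables the reply refers to. The column
# names are an assumption based on Sguil's create_sguildb.sql (history:
# sid, cid, uid, timestamp, status, comment; user_info: uid, username);
# check them on your own instance with DESCRIBE history / DESCRIBE user_info.
SCHEMA = """
CREATE TABLE user_info (uid INTEGER PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE history (
    sid INTEGER, cid INTEGER, uid INTEGER,
    timestamp TEXT, status INTEGER, comment TEXT
);
"""

# Constructed sample history rows (not real Sguil data): bamm presses F8 once
# on a batch of three events, then once more on a single event, then sets a
# different status (2, assumed here to be another category) on one event;
# cheryl presses F8 once; and one of bamm's F8s is from the previous day.
ROWS = [
    (1, 101, 1, "2012-06-28 10:15:02", STATUS_NA, None),
    (1, 102, 1, "2012-06-28 10:15:02", STATUS_NA, None),
    (1, 103, 1, "2012-06-28 10:15:02", STATUS_NA, None),
    (1, 104, 1, "2012-06-28 13:40:17", STATUS_NA, None),
    (1, 105, 1, "2012-06-28 13:41:00", 2, None),
    (1, 106, 2, "2012-06-28 13:42:00", STATUS_NA, None),
    (1, 107, 1, "2012-06-27 23:59:59", STATUS_NA, None),
]


def build_db():
    """In-memory SQLite database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user_info VALUES (?, ?)",
                     [(1, "bamm"), (2, "cheryl")])
    conn.executemany("INSERT INTO history VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


# Shared FROM/WHERE: join on uid, restrict to one analyst and the NA status,
# and use a half-open [start, end) window so an 8-hour shift is measured
# exactly (the thread's "timestamp > '2012-06-28'" has no upper bound and
# would also count every later day). Values are bound as parameters.
_FILTER = """
    FROM history JOIN user_info ON user_info.uid = history.uid
    WHERE user_info.username = ?
      AND history.status = ?
      AND history.timestamp >= ? AND history.timestamp < ?
"""


def count_na_events(conn, username, start, end):
    """Events the analyst set to NA in the window (Bamm's COUNT(*) query)."""
    sql = "SELECT COUNT(*)" + _FILTER
    return conn.execute(sql, (username, STATUS_NA, start, end)).fetchone()[0]


def count_f8_presses(conn, username, start, end):
    """Distinct F8 presses: one batch keystroke writes many history rows that
    share the same timestamp, so count distinct timestamps instead of rows."""
    sql = "SELECT COUNT(DISTINCT history.timestamp)" + _FILTER
    return conn.execute(sql, (username, STATUS_NA, start, end)).fetchone()[0]


def f8_batches(conn, username, start, end):
    """(timestamp, events) per F8 press, so a single press that cleared a
    large batch is visible rather than hidden inside one total."""
    sql = ("SELECT history.timestamp, COUNT(*)" + _FILTER +
           " GROUP BY history.timestamp ORDER BY history.timestamp")
    return conn.execute(sql, (username, STATUS_NA, start, end)).fetchall()


if __name__ == "__main__":
    db = build_db()
    shift = ("2012-06-28 08:00:00", "2012-06-28 16:00:00")
    print("events set to NA:", count_na_events(db, "bamm", *shift))   # 4
    print("F8 presses:", count_f8_presses(db, "bamm", *shift))        # 2
    for ts, n in f8_batches(db, "bamm", *shift):
        print(ts, n)
```

Two caveats when reading the distinct count: history.timestamp is recorded to the second, so two genuinely separate F8 presses that land in the same second merge into one, and a press that categorises a thousand events still appears as one row in the breakdown, which is exactly the "hit F8 once and cat 1000+ events" case the reply warns about. The per-press breakdown is the quickest way to see which of the two is happening.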
Current thread:
- Counting Keystrokes of Sguil Users Dixon, Cheryl CTR (Jun 28)
- Re: Counting Keystrokes of Sguil Users Bamm Visscher (Jun 28)