Snort mailing list archives

Re: Counting Keystrokes of Sguil Users


From: Bamm Visscher <bamm.visscher () gmail com>
Date: Thu, 28 Jun 2012 17:40:11 -0400

Use the history table from the mysql command line.

SELECT COUNT(*) FROM history, user_info WHERE
user_info.uid=history.uid AND user_info.username='bamm' AND
history.status=1 AND timestamp > '2012-06-28';

That would give you the number of events that were f8'd on the 28th by
bamm. The only catch is that you could hit f8 once and cat 1000+
events. You could DISTINCT the timestamp to get the actual number of
times f8 was hit.

Bamm

On Thu, Jun 28, 2012 at 4:04 PM, Dixon, Cheryl CTR
<Cheryl.A.Dixon1 () uscg mil> wrote:
Hi:

Is there a way to count the number of times a Sguil user clicked the F8 button to change an alert's status from 
'uncategorized' to 'No Further Action Required'?

I know how to count the number of records that were changed in the manner mentioned above using the event and status 
tables in a query where 'status.status_id=...'  in a SQL SELECT statement.  But that counts the number of times the 
event(s) went to an F8 status (for example, within an 8 hour period), etc.

What I want to know is if there is a way to determine within (for example) the same 8 hour period, how many times a Sguil 
user clicked the F8 key to flag a new event for a status change of F8 ('No Further Action Required')?

If so what Sguil databases and tables can be queried?  Where are they located within the software?


Thanks.  Any help is greatly appreciated.

Cheryl Dixon

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
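The two counts Bamm describes (rows written to history versus distinct timestamps, which approximates actual F8 presses), as an added example that is not from the thread or from the Sguil project. It builds a constructed, simplified stand-in for the user_info and history tables in SQLite; the real Sguil schema lives in MySQL and has more columns than the ones modelled here.

```python
import sqlite3

# Constructed, simplified stand-in for Sguil's user_info and history tables.
# Only the columns named in the thread are modelled; the real schema has more.
SAMPLE_USERS = [(1, "bamm"), (2, "cheryl")]
SAMPLE_HISTORY = [
    # (uid, status, timestamp); status 1 is the F8 "No Further Action Required" category.
    # One F8 press writes one history row per selected event, all sharing a timestamp.
    (1, 1, "2012-06-28 09:15:02"),
    (1, 1, "2012-06-28 09:15:02"),
    (1, 1, "2012-06-28 09:15:02"),  # one press that categorized three events
    (1, 1, "2012-06-28 13:40:11"),  # a second press on a single event
    (1, 2, "2012-06-28 14:02:45"),  # different status, must not count
    (1, 1, "2012-06-27 23:59:59"),  # previous day, must not count
    (2, 1, "2012-06-28 10:00:00"),  # another analyst's press
]

def build_db():
    """Create an in-memory database populated with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE user_info (uid INTEGER PRIMARY KEY, username TEXT);"
        "CREATE TABLE history (uid INTEGER, status INTEGER, timestamp TEXT);"
    )
    con.executemany("INSERT INTO user_info VALUES (?, ?)", SAMPLE_USERS)
    con.executemany("INSERT INTO history VALUES (?, ?, ?)", SAMPLE_HISTORY)
    return con

# Shared filter: join on uid, restrict to one user, status 1, and a time window
# (a half-open [start, end) range instead of the open-ended '> date' in the thread).
F8_FILTER = """
    FROM history, user_info
    WHERE user_info.uid = history.uid
      AND user_info.username = ?
      AND history.status = 1
      AND history.timestamp >= ? AND history.timestamp < ?
"""

def f8_events(con, username, start, end):
    """Row count: how many events the user set to status 1 in the window."""
    return con.execute("SELECT COUNT(*)" + F8_FILTER, (username, start, end)).fetchone()[0]

def f8_presses(con, username, start, end):
    """Distinct timestamps: how many times F8 was pressed, however many events were
    selected each time. Two presses within the same second would collapse into one."""
    return con.execute("SELECT COUNT(DISTINCT history.timestamp)" + F8_FILTER,
                       (username, start, end)).fetchone()[0]

if __name__ == "__main__":
    db = build_db()
    day = ("2012-06-28", "2012-06-29")
    print(f8_events(db, "bamm", *day), f8_presses(db, "bamm", *day))  # prints: 4 2
```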
