#37 Allow comments for each sig_id & alert

Interface (44)

I'd like to see a comment field for each sig_id, and for
each alert instance. Ideally this would be
displayed/editable in the alert detail screens.

IE, in our network we might decide that gen_id 1, sig_id
1444 (TFTP GET) is generally benign but we still want
to track them. So when this alert is displayed in the db,
a BASE user with appropriate privs could
add a comment like "This is benign if originating from
systems BORG & TWEETY, investigate other sources

Same for specific alerts. So as a response to some
specific alert the admin could comment "Seems benign,
moving to archive DB in case of recurrence" or "System
was infected with agobot virus, now cleaned" and then
the alert could be moved to archive.

Perhaps you see what I'm getting at - a workflow within
BASE. Ability to document the response at alert or sig
level before archiving the alert (adding notes at sig level
allows admin to pass tips to the next guy who sees this

I have another feature request building on this but will
file separately.


  • Joel Esler - 2005-06-01
    • labels: --> Interface
  • Joel Esler - 2005-06-01

    Logged In: YES

    We're working on a new Incident Response system, please
    submit idea during meeting tonight (if you get this before then)

  • Joel Esler - 2005-06-01
    • milestone: --> 467929
    • priority: 5 --> 3
  • Joel Esler - 2005-06-01
    • milestone: 467929 --> 498397
  • Kevin Johnson - 2005-09-29

    Logged In: YES

    This will be part of 2.x

  • Kevin Johnson - 2005-09-29
    • milestone: 498397 --> 2.0x
    • status: open --> closed
