#37 Allow comments for each sig_id & alert

Milestone: 2.0x
Status: closed
Owner: nobody
Labels: Interface (44)
Priority: 3
Updated: 2005-09-29
Created: 2005-06-01
Creator: quuxo
Private: No

I'd like to see a comment field for each sig_id, and for
each alert instance. Ideally this would be
displayed/editable in the alert detail screens.

I.e., in our network we might decide that gen_id 1, sig_id
1444 (TFTP GET) is generally benign but we still want
to track them. So when this alert is displayed in the db,
a BASE user with appropriate privs could
add a comment like "This is benign if originating from
systems BORG & TWEETY, investigate other sources
though!"

Same for specific alerts. So as a response to some
specific alert the admin could comment "Seems benign,
moving to archive DB in case of recurrence" or "System
was infected with agobot virus, now cleaned" and then
the alert could be moved to archive.

Perhaps you see what I'm getting at - a workflow within
BASE. Ability to document the response at alert or sig
level before archiving the alert (adding notes at sig level
allows admin to pass tips to the next guy who sees this
sig).

I have another feature request building on this but will
file separately.

Discussion

  • Joel Esler - 2005-06-01
    • labels: --> Interface

  • Joel Esler - 2005-06-01

    We're working on a new Incident Response system; please
    submit the idea during the meeting tonight (if you get this before then).

  • Joel Esler - 2005-06-01
    • milestone: --> 467929
    • priority: 5 --> 3

  • Joel Esler - 2005-06-01
    • milestone: 467929 --> 498397

  • Kevin Johnson - 2005-09-29

    This will be part of 2.x.

  • Kevin Johnson - 2005-09-29
    • milestone: 498397 --> 2.0x
    • status: open --> closed
