Re: [Sguil-devel] Sguil: Categorization
From: Bamm V. <bam...@gm...> - 2007-05-22 21:20:31
This is a good request and it's not the first time it has been asked. Consider it on the TODO list.

Bammkkkk

On 3/21/07, Tim A. <sgu...@li...> wrote:
>
> Richard Bejtlich wrote:
> Tim Allender wrote:
>
>
> Rich,
> There are a lot of things that happen on the network that I want to make
> note of, some of which don't exactly fall into one of the predefined
> categories.
> I use the main view to see what's going on, and clear it out, putting
> events into categories like you showed me.
>
> Most things I see, I don't want to act on immediately, but want to make
> note of, like, spyware, potential viruses / exploits, terminal services
> / vnc connections, SSL activity, P2P, VoIP.
> So, I've been categorizing like this:
> F7: spyware, virus, exploit related events
> F5: SSL, P2P, VoIP, IM
> F2: terminal services / vnc related events
>
> I'm wondering if I could add categories, or adjust the existing
> categories to better reflect what I'm dealing with daily.
> Actual Unauthorized Root / User Access or Attempts, DoS and Scans, for
> us, are a whole different level and (let's hope) of such rarity that, I
> think, they could have a single category all their own.
>
> I'm thinking, a better Categorization system for us would look like this:
> F1: Rare: Premeditated Offensive Actions
> F2: Unknown Potentials: Encrypted Tunneling, covert channels, TOR
> F3: Remote Access Monitoring (Terminal Services, VNC)
> F4: VoIP, IM, P2P
> F5: Reserved
> F6: Spyware
> F7: Viruses / Exploits
>
>
> Hi Tim,
>
> Do you think you could post this to the sguil-devel mailing list?
>
> https://lists.sourceforge.net/lists/listinfo/sguil-devel
>
> I think user-adjustable categories would be a nice feature request.
>
> Sincerely,
>
> Richard
>
>
>
>
> Done.
>

--
sguil - The Analyst Console for NSM
http://sguil.sf.net