Forum Discussion

brad_11480
Sep 28, 2010

Manual Policy Building - Recent Incidents - signatures what is recent?

This is a basic question, but I haven't seen anything in the documents (so far) that tells me the answer.

When using manual policy building, under traffic learning, if there is a signature violation it lists them. Clicking on "Attack Signature Detected" then lists them, and provides a column labeled "Recent Incidents".

What is the time frame for "recent"? They seem to disappear after a while, maybe a few hours. I would like to see them stay around for a longer period of time; otherwise I have to be continually checking. Yes, the reporting gives lots of history, but it isn't as easy to work with (IMHO) as the manual policy building approach.

Is there a place to set the time frame for keeping this? Thanks so much!!!!

 

1 Reply

• (Correcting an earlier post that mentioned purge_mysql_logs.pl, which actually is for the MySQL binary logs.)

There is a clean_db.pl script that seems to remove the older entries, "older" not being very deterministically defined though.

For what I currently need, I have a script that queries the database and adds the signatures that have fired to a file. I run that script every hour through cron.hourly. Omitting the db login code, which you can extract from the asmqkview script:

-----

OPTIONS=--skip-column-names

# Each policy name keeps its single quotes so it can be dropped straight into the SQL below.
for POLICY in "'p1'" "'p2'" "'p3'" ; do

echo `date` $POLICY

# $MYSQL_PASSWORD is set by the omitted login code. The heredoc marker is unquoted so $POLICY expands.
(mysql --user=root --password=$MYSQL_PASSWORD $OPTIONS PLC <<HERE

set @account = (select account_id from DCC.ACCOUNTS where active_policy_name = $POLICY);

select NEGSIG_SIGNATURES.sig_id, ":::", sig_name
from NEGSIG_SIGNATURES, LRN_NEGSIG_SIGNATURES
where account_id = @account
and NEGSIG_SIGNATURES.sig_id = LRN_NEGSIG_SIGNATURES.sig_id;

HERE
) | sort | uniq -c | sort -n

done >> /tmp/learned-signatures.log

-----


(I'll try to move the sorting and counting to the SQL query later.)

Arthur
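An added example (editor's code, not Arthur's script and not an F5 tool) that picks up two things from the reply above: the counting is moved into the SQL query, as Arthur says he planned to do, and the hourly snapshots are turned into a first-seen history, so a signature that ASM has already dropped from "Recent Incidents" is still on record with the time it was first learned. Assumed, not from the post: the history directory path, the single-quoted policy name argument to counted_query, and that each snapshot line looks like the original query's output (sig_id, ":::", sig_name, optionally preceded by a count from uniq -c or count(*)). The table and column names are the ones in Arthur's query.

```shell
#!/bin/sh
# Added example, not Arthur's script and not an F5 tool. Keeps a first-seen
# history of learned signatures across hourly snapshots, so the information
# survives ASM purging its "recent incidents". Assumed, not from the post:
# HISTORY_DIR, the quoted policy-name argument, and the snapshot line shape
# "sig_id<sep>:::<sep>sig_name" with an optional leading count column.
export LC_ALL=C
HISTORY_DIR=${HISTORY_DIR:-/var/tmp/asm-sig-history}

# counted_query "'p1'" prints the SQL for one policy with the counting done in
# the query instead of sort | uniq -c. Names are those of the original query.
counted_query() {
    cat <<EOF
set @account = (select account_id from DCC.ACCOUNTS where active_policy_name = $1);
select count(*), N.sig_id, ':::', N.sig_name
from NEGSIG_SIGNATURES N join LRN_NEGSIG_SIGNATURES L on N.sig_id = L.sig_id
where account_id = @account
group by N.sig_id, N.sig_name
order by count(*);
EOF
}

# record_new POLICY SNAPSHOT_FILE
# Normalises the snapshot to "sig_id ::: sig_name", compares it with the set
# already seen for POLICY, appends unseen signatures to POLICY.seen and, with
# a timestamp, to POLICY.history, and prints how many were new.
record_new() {
    policy=$1 snapshot=$2
    seen="$HISTORY_DIR/$policy.seen"
    mkdir -p "$HISTORY_DIR"
    : >> "$seen"
    awk -F'[ \t]*:::[ \t]*' '{
        sub(/^[ \t]*[0-9]+[ \t]+/, "", $1)   # drop a uniq -c / count(*) column
        print $1 " ::: " $2
    }' "$snapshot" | sort -u > "$snapshot.sorted"
    sort -u "$seen" > "$seen.sorted"
    # comm -23: lines only in the snapshot, i.e. never recorded before
    comm -23 "$snapshot.sorted" "$seen.sorted" > "$snapshot.new"
    if [ -s "$snapshot.new" ]; then
        cat "$snapshot.new" >> "$seen"
        awk -v stamp="$(date '+%Y-%m-%d %H:%M') $policy" '{ print stamp " " $0 }' \
            "$snapshot.new" >> "$HISTORY_DIR/$policy.history"
    fi
    wc -l < "$snapshot.new" | tr -d ' '
    rm -f "$snapshot.sorted" "$seen.sorted" "$snapshot.new"
}

# Hourly driver (cron.hourly). Runs only when MYSQL_PASSWORD is set; the login
# details are omitted as in the original post. Note that --password= on the
# command line is visible in ps to other users; a --defaults-extra-file with
# restrictive permissions is the safer way to hand the client its credentials.
if [ -n "${MYSQL_PASSWORD:-}" ]; then
    for POLICY in p1 p2 p3; do
        snap=$(mktemp)
        counted_query "'$POLICY'" |
            mysql --user=root --password="$MYSQL_PASSWORD" --skip-column-names PLC > "$snap"
        echo "$(date) $POLICY: $(record_new "$POLICY" "$snap") new signature(s)"
        rm -f "$snap"
    done
fi
```

Run it from cron.hourly with MYSQL_PASSWORD provided by whatever login code you extract from asmqkview. POLICY.history then answers the question the thread started with: each line is the first time a given signature was learned for that policy, independent of how long ASM keeps its own "recent" entries, and repeated hourly runs add nothing until a new signature fires.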