Forum Discussion
brad_11480
Nimbostratus
NimbostratusManual Policy Building - Recent Incidents - signatures what is recent?
This is a basic question but I haven't seen anything in the documents (so far) that tell me the answer.
When using manual policy building, under traffic learning, if there is a signature violation it lists them. Then click on the "Attack Signature Detected" it will then list them. Then it provides a column labeled "Recent Incidents".
What is the time frame for "recent"? It seems that they disappear after a while.. Maybe a few hours... I would like to see them stay around for a longer period of time, othewise I have to be continually checking. Yes, the reporting gives lots of history, but it isn't as easy to work with (IMHO) as the manual policy building approach.
Is there a place to set the time frame for keeping this? Thanks so much!!!!
Arthur_7109(Correcting an earlier post that mentioned purge_mysql_logs.pl which actually is for the MySQL binary logs.)
There is a clean_db.pl script that seems to remove the older entries, "older" being not very deterministically defined though.
For what I currently need, I have a script that queries the database and adds the signatures that have fired to a file. I run that script every hour through cron.hourly. Omitting the db login code that you can extract from the asmqkview script:
-----
OPTIONS=--skip-column-names
for POLICY in \'p1\' \'p2' \'p3\' ; do
echo `date` $POLICY
(mysql --user=root --password=$MYSQL_PASSWORD $OPTIONS PLC <
set @account = (select account_id from DCC.ACCOUNTS where active_policy_name = $POLICY);
select NEGSIG_SIGNATURES.sig_id, ":::", sig_name
from NEGSIG_SIGNATURES, LRN_NEGSIG_SIGNATURES
where account_id = @account
and NEGSIG_SIGNATURES.sig_id = LRN_NEGSIG_SIGNATURES.sig_id;
HERE
) | sort | uniq -c | sort -n
done >> /tmp/learned-signatures.log
-----
(I'll try to move the sorting and counting to the SQL query later.)
Arthur