brad_11480
Sep 28, 2010

Manual Policy Building - Recent Incidents - signatures what is recent?

This is a basic question but I haven't seen anything in the documents (so far) that tells me the answer.

When using manual policy building, under traffic learning, if there is a signature violation it lists them. Then, clicking on "Attack Signature Detected" lists them, with a column labeled "Recent Incidents".

What is the time frame for "recent"? It seems that they disappear after a while, maybe a few hours. I would like to see them stay around for a longer period of time; otherwise I have to be continually checking. Yes, the reporting gives lots of history, but it isn't as easy to work with (IMHO) as the manual policy building approach.

Is there a place to set the time frame for keeping this? Thanks so much!!!!


1 Reply

  • (Correcting an earlier post that mentioned which actually is for the MySQL binary logs.)

    There is a script that seems to remove the older entries, "older" being not very deterministically defined though.

    For what I currently need, I have a script that queries the database and adds the signatures that have fired to a file. I run that script every hour through cron.hourly. Omitting the db login code that you can extract from the asmqkview script:

# POLICY holds the bare policy name; the SQL below supplies the quotes around it.
for POLICY in p1 p2 p3 ; do
    echo `date` $POLICY
    # --password on the command line is visible to other users via ps; a client
    # option file (or the login code from asmqkview) avoids that.
    # The unquoted heredoc lets the shell expand $POLICY inside the SQL.
    (mysql --user=root --password=$MYSQL_PASSWORD $OPTIONS PLC <<EOF
set @account = (select account_id from DCC.ACCOUNTS where active_policy_name = '$POLICY');
select NEGSIG_SIGNATURES.sig_id, ":::", sig_name
from NEGSIG_SIGNATURES  -- [the join to the per-account incident table was cut from the original post]
where account_id = @account;
EOF
    ) | sort | uniq -c | sort -n
done >> /tmp/learned-signatures.log

    (I'll try to move the sorting and counting to the SQL query later.)
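An added example, not from this thread, that reads the log the hourly cron job above accumulates and keeps per-policy first-seen/last-seen history, so the learned signatures outlive the GUI's "recent" window. The log lines, signature ids and names are constructed; the layout assumes `date`'s default output and mysql's tab-separated batch output (with its column-header row) piped through `uniq -c`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what the hourly cron job appends to /tmp/learned-signatures.log:
# `date` + policy header, then `sort | uniq -c` counted mysql rows (ids/names made up).
SAMPLE_LOG = """\
Tue Sep 28 01:00:01 EDT 2010 p1
      1 sig_id\t:::\tsig_name
      3 200000001\t:::\tSample signature A
      1 200000002\t:::\tSample signature B
Tue Sep 28 02:00:01 EDT 2010 p1
      1 sig_id\t:::\tsig_name
      5 200000001\t:::\tSample signature A
      2 200000003\t:::\tSample signature C
Tue Sep 28 02:00:03 EDT 2010 p2
      1 200000002\t:::\tSample signature B
"""

# `date` default output (weekday month day time zone year) followed by the policy name.
HEADER_RE = re.compile(r"^\w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4}) (\S+)$")
# `uniq -c` count, then the tab-separated sig_id, ":::" and sig_name columns.
ROW_RE = re.compile(r"^\s*(\d+) (\d+)\t:::\t(.*)$")

def parse_log(text):
    """Return {policy: {sig_id: {name, first_seen, last_seen, runs, hits}}}."""
    seen = defaultdict(dict)
    when = policy = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            mon, day, clock, year, policy = m.groups()
            when = datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")  # zone skipped
            continue
        m = ROW_RE.match(line)
        if not m or when is None:
            continue  # mysql column-header row (sig_id is not numeric), blank or unexpected line
        count, sig_id, name = int(m.group(1)), m.group(2), m.group(3)
        e = seen[policy].setdefault(sig_id, {"name": name, "first_seen": when,
                                            "last_seen": when, "runs": 0, "hits": 0})
        e["last_seen"] = max(e["last_seen"], when)
        e["runs"] += 1      # hourly runs in which the signature appeared
        e["hits"] += count  # rows reported across those runs
    return dict(seen)

def recent(seen, now, hours):
    """Signatures per policy seen within the last `hours`: a 'recent' window you control."""
    cutoff = now - timedelta(hours=hours)
    return {p: sorted(s for s, e in sigs.items() if e["last_seen"] >= cutoff)
            for p, sigs in seen.items()}
```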