Comments on: Not only alert data Part III http://blog.hazrulnz.net/185/not-only-alert-data-part-iii.html I dunno why on earth I have this blog. Fri, 21 Nov 2008 03:09:14 +0000 http://wordpress.org/?v= By: ayoi http://blog.hazrulnz.net/185/not-only-alert-data-part-iii.html#comment-2152 ayoi Wed, 21 Mar 2007 12:50:28 +0000 http://blog.hazrulnz.net/185/not-only-alert-data-part-iii.html#comment-2152 Kewl, hopefully we can share the method as well. Especially on db data mining :D Kewl, hopefully we can share the method as well. Especially on db data mining :D

]]> By: Hanashi http://blog.hazrulnz.net/185/not-only-alert-data-part-iii.html#comment-2151 Hanashi Wed, 21 Mar 2007 12:16:57 +0000 http://blog.hazrulnz.net/185/not-only-alert-data-part-iii.html#comment-2151 Great example! This is exactly how Sguil was designed to be used. Personally, I find myself using transcripts to answer probably 80% or 90% of all my questions when I'm processing alerts, and that saves me tons of time. As for the session data, I've also had very good results in using it to identify additional events using some basic traffic analysis. With a little SQL-foo, it's pretty easy to spot scanners, for example. I also correlate session data with PHP injection attack attempts as a rudimentary way to see if any where successful. Datamining the SQL db is big interest of mine, and most of that hinges on the session data. Great example! This is exactly how Sguil was designed to be used. Personally, I find myself using transcripts to answer probably 80% or 90% of all my questions when I’m processing alerts, and that saves me tons of time.

As for the session data, I’ve also had very good results in using it to identify additional events using some basic traffic analysis. With a little SQL-foo, it’s pretty easy to spot scanners, for example. I also correlate session data with PHP injection attack attempts as a rudimentary way to see if any where successful. Datamining the SQL db is big interest of mine, and most of that hinges on the session data.

]]>