[Emerging-Sigs] Rule dupe, well msg anyway. Is that allowed?
scastle at bouldercounty.org
Wed Dec 12 09:30:03 HAST 2012
LOL. Yep. Guilty.
Data Security Mgr, Boulder County IT
From: Bamm Visscher [mailto:bamm.visscher at gmail.com]
Sent: Wednesday, December 12, 2012 10:59
To: Castle, Shane
Cc: emerging-sigs at lists.emergingthreats.net
Subject: Re: [Emerging-Sigs] Rule dupe, well msg anyway. Is that allowed?
<buddytheelf>No it doesn't.</buddytheelf>
Sguil does aggregate alerts based on unique source IP address and event message, but if you display the rule, it uses the sid:gid:rev to pull the correct one. The aggregation was done that way on purpose, so the analyst (aka me) could write 10 different rules to catch phf attacks and have them all correlated in the console under one event.
Shane needs to get on the "Do More Aggregation" bandwagon.
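As an added illustration of the aggregation behaviour Bamm describes above (this is not Sguil's own code, only a constructed Python sketch over made-up Snort fast-format alert lines and a hypothetical in-memory rule store): the grouping key is (source IP, msg), so several rules that deliberately share one msg collapse into one console event, while each individual alert still carries its full gid:sid:rev so the right rule text can be pulled on display.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" format (made-up data, not real
# traffic). Three distinct rules share the msg "ET WEB_SERVER phf attempt" on
# purpose; the last line has a different msg and must stay a separate event.
SAMPLE_ALERTS = [
    "12/12-09:30:01.000001 [**] [1:2000001:3] ET WEB_SERVER phf attempt [**] [Priority: 1] {TCP} 10.0.0.5:41234 -> 192.168.1.10:80",
    "12/12-09:30:02.000002 [**] [1:2000002:1] ET WEB_SERVER phf attempt [**] [Priority: 1] {TCP} 10.0.0.5:41235 -> 192.168.1.10:80",
    "12/12-09:30:03.000003 [**] [1:2000003:2] ET WEB_SERVER phf attempt [**] [Priority: 1] {TCP} 10.0.0.5:41236 -> 192.168.1.11:80",
    "12/12-09:30:04.000004 [**] [1:2000001:3] ET WEB_SERVER phf attempt [**] [Priority: 1] {TCP} 10.0.0.9:51000 -> 192.168.1.10:80",
    "12/12-09:30:05.000005 [**] [1:2000010:1] ET SCAN Nmap probe [**] [Priority: 2] {TCP} 10.0.0.5:41237 -> 192.168.1.10:22",
]

# Hypothetical rule store keyed by the full (gid, sid, rev) triple. It stands in
# for wherever a console really reads rule text from; the sids are invented.
RULES = {
    (1, 2000001, 3): 'alert tcp any any -> $HTTP_SERVERS 80 (msg:"ET WEB_SERVER phf attempt"; content:"/cgi-bin/phf?"; sid:2000001; rev:3;)',
    (1, 2000002, 1): 'alert tcp any any -> $HTTP_SERVERS 80 (msg:"ET WEB_SERVER phf attempt"; content:"/phf?Qalias="; sid:2000002; rev:1;)',
    (1, 2000003, 2): 'alert tcp any any -> $HTTP_SERVERS 80 (msg:"ET WEB_SERVER phf attempt"; content:"phf"; pcre:"/phf\\x0a/"; sid:2000003; rev:2;)',
    (1, 2000010, 1): 'alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap probe"; flags:S; sid:2000010; rev:1;)',
}

# Pulls gid:sid:rev, msg and the IPv4 endpoints out of one fast-format line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_alert(line):
    """Parse one fast-format alert line into a dict; raise on unknown layouts."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return {
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "src": m["src"], "dst": m["dst"],
    }


def aggregate(lines):
    """Group alerts by (source IP, msg), the aggregation key described above.

    Destination IP is deliberately NOT part of the key, so one source hitting
    many hosts with rules that share a msg shows up as a single event. Each
    event keeps a count plus the set of gid:sid:rev triples that actually
    fired, so nothing needed for rule display is lost in the roll-up.
    """
    events = defaultdict(lambda: {"count": 0, "sigs": set(), "dsts": set()})
    for line in lines:
        a = parse_alert(line)
        ev = events[(a["src"], a["msg"])]
        ev["count"] += 1
        ev["sigs"].add((a["gid"], a["sid"], a["rev"]))
        ev["dsts"].add(a["dst"])
    return dict(events)


def rule_text(gid, sid, rev, rules=RULES):
    """Resolve the rule for one alert by its full triple.

    The msg alone is ambiguous once several rules share it; only gid:sid:rev
    identifies which rule (and which revision of it) produced the alert.
    """
    return rules[(gid, sid, rev)]


if __name__ == "__main__":
    for (src, msg), ev in aggregate(SAMPLE_ALERTS).items():
        print(f"{src:<10} {msg:<28} count={ev['count']} dsts={sorted(ev['dsts'])}")
        for gid, sid, rev in sorted(ev["sigs"]):
            print(f"    {gid}:{sid}:{rev} -> {rule_text(gid, sid, rev)}")
```

The check worth keeping from this: if the console resolved rule text by msg instead of by gid:sid:rev, the three phf rules would be indistinguishable on display, which is exactly the case the thread is about.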