[aklug] off-topic: seeking thoughts on a different event classification scheme for snort/sguil classifications than the default

From: techno curmudgeon <technocurmudgeon@gmail.com>
Date: Fri Dec 14 2012 - 09:53:41 AKST

For those network security monitoring folk:

Came across this earlier today. It correlates nicely with my thinking
(and practices 8) ), that is, "is this my problem or not?" or "do I
have to do something about this (now or later) or not?" But I am
curious as to what others think about using the proposed
classification scheme instead of the default classification scheme,
and whether losing the information in the default scheme is a loss of real,
useful information.

Anyway,

from:

http://inadvertantmenace.blogspot.com/2007/03/sguil-tricks-mass-catagorization-of.html

extract:

<snip>

I use a different system. I'm not interested in taxonomy, I'm
interested in tasks. That is, do I have to deal with this or not? I am
the remediator, if remediation is to be done. So I don't need to
capture the type of incident. I KNOW that. I also won't run down every
event, but I don't want to lie when I dismiss something without
conclusive investigation. So I have two categories for honest punts.
This way they won't get buried in the False Positive sections.

My system is:

Cat 1  False Positive - no action required
       (SQL: update event set status = 11)
Cat 2  False Positive - action required (tune rule, suppress alert,
       mitigate condition, i.e. reconfigure noisy host)
       (set status = 12)
Cat 3  True Positive - no action required (harmless worm attacking
       patched host)
       (set status = 13)
Cat 4  True Positive - action required (possibly should escalate, F9)
       (set status = 14)
Cat 5  Not sure, not worried (punt)
       (set status = 15)
Cat 6  Not sure, worried (punt)
       (set status = 16)

Do not set status = 2 - that's escalate! This gets inserted into the sguil
client, slowing things down.
Received on Fri Dec 14 09:53:50 2012

This archive was generated by hypermail 2.1.8 : Fri Dec 14 2012 - 09:53:50 AKST
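The task-oriented scheme from the quoted post, worked as an added example (my own code, not from the original post, the blog, or sguil): the analyst's two decisions (verdict, action) map to the category and the sguil event.status value, the mass-update statement refuses the escalate status, and a batch summary separates punts and action items so they are not buried with the false positives. The status numbers are those in the post; the event columns sid and cid, and the MySQL-style %s placeholders, are assumptions.

```python
from collections import Counter
from typing import Iterable, Literal, Tuple

Verdict = Literal["false_positive", "true_positive", "unsure"]
# For "unsure", "required" means "worried" (Cat 6), "none" means "not worried" (Cat 5).
Action = Literal["none", "required"]

# Category -> (sguil event.status, description), as listed in the post.
CATEGORIES = {
    1: (11, "False Positive - no action required"),
    2: (12, "False Positive - action required"),
    3: (13, "True Positive - no action required"),
    4: (14, "True Positive - action required"),
    5: (15, "Not sure, not worried (punt)"),
    6: (16, "Not sure, worried (punt)"),
}
ESCALATE_STATUS = 2          # sguil's own escalate status: never mass-assign it
NEEDS_FOLLOWUP = {12, 14, 16}  # action required, or a worried punt
PUNTED = {15, 16}

def category_for(verdict: Verdict, action: Action) -> int:
    """Map the two analyst decisions to the category number (1..6)."""
    base = {"false_positive": 1, "true_positive": 3, "unsure": 5}[verdict]
    return base + (1 if action == "required" else 0)

def status_for(verdict: Verdict, action: Action) -> int:
    """The event.status value the post assigns to that category."""
    return CATEGORIES[category_for(verdict, action)][0]

def mass_update_sql(status: int, sid: int, cid: int) -> Tuple[str, tuple]:
    """Parameterised UPDATE for one event; rejects status 2 (escalate) and
    any value outside the scheme. Assumes event has sid/cid columns."""
    if status == ESCALATE_STATUS:
        raise ValueError("status 2 is escalate; it is inserted into the sguil client")
    if status not in {s for s, _ in CATEGORIES.values()}:
        raise ValueError(f"status {status} is not part of the scheme")
    return ("UPDATE event SET status = %s WHERE sid = %s AND cid = %s",
            (status, sid, cid))

def followup_summary(statuses: Iterable[int]) -> dict:
    """Count a batch so punts and action items stay visible."""
    counts = Counter(statuses)
    return {
        "total": sum(counts.values()),
        "needs_followup": sum(counts[s] for s in NEEDS_FOLLOWUP),
        "punted": sum(counts[s] for s in PUNTED),
    }

# Constructed sample batch: two Cat 1, one each of Cat 2, 4, 5, 6.
SAMPLE = [11, 11, 12, 14, 15, 16]
```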