If we wanted to make a custom report to see if the TOR SIDs were triggered, can we add multiple signatures?

  • Question
  • Updated 5 years ago
  • Answered
If we wanted to make a custom report to see if the TOR SIDs were triggered within 24 hours, can we add multiple signatures, e.g. 2002950, 2002951, 2002952, 2002953?

I can do one at a time but can’t seem to do multiple signatures; I have tried various characters.

Mike


Posted 5 years ago


Aisling Brennan, Official Rep

I am afraid there is no such feature in the product at this time.

However it is possible to hardcode these signatures in the Security :: by Signature report.

To view the syntax that was used to generate the report that you are currently viewing, click More Actions on the report menu bar and select Report Syntax. The code that was used to query the database and extract the results is displayed.

This feature may be useful for advanced users who wish to create custom reports.

Query event [aid##app], [sid#Signature#signature], [prio#Priority#prio], [count(eid)#Total#total] sort=2,-3 where 1=1 & (sid=2002950 | sid=2002951 | sid=2002952 | sid=2002953) & {timestamp#t#Time#date#} & {senid#senid#Sensor#sensor#} & {aid#aid#Application#app#} & {sid#sid#Signature#number#} & {src#src#Source IP/Subnet#subnet#} & {dst#dst#Destination IP/Subnet#subnet#} & {prio#prio#Priority#number#}
Link down.png View_detailed_event_list /netmon/view.cgi?View=1&rid=81&t=$t&aid=$0&sid=$1&src=$src&dst=$dst&prio=$prio&senid=$senid 4
Link down.png Breakdown_by_source_IP /netmon/view.cgi?View=1&rid=130&t=$t&aid=$0&sid=$1&src=$src&dst=$dst&senid=$senid
Link down.png Breakdown_by_destination_IP /netmon/view.cgi?View=1&rid=106&t=$t&aid=$0&sid=$1&src=$src&dst=$dst&senid=$senid
Link info.png View/Mark_this_signature /ids/editrule.cgi?sid=$1&aid=$0&senid=$senid 2
Graph bar z=3 y=1 x=0,1 title=Events
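Added example (not from the original post, and not the product's own code): a Python helper that writes the hand-edited multi-SID clause into the Query line of the Report Syntax quoted above, and a local stand-in that counts constructed events the way that query would (signature in the set, timestamp within the last 24 hours, grouped by application, signature and priority). The grammar of the report syntax is only inferred from the one query on this page, and the event rows, the application name "ids" and the non-TOR signature 1000001 are constructed for the example.

```python
"""Build the '(sid=A | sid=B | ...)' clause for the Security :: by Signature
report and emulate locally what the edited query counts.

Assumptions (not from the page): the report syntax accepts any number of
'sid=N' terms joined by '|' inside one parenthesised group; the event rows
below are constructed sample data, not real sensor output."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Query line copied from the answer's Report Syntax, with the one spot that is
# hand-edited marked by the placeholder __SID_CLAUSE__ (str.replace is used
# instead of str.format because the syntax itself contains curly braces).
QUERY_TEMPLATE = (
    "Query event [aid##app], [sid#Signature#signature], [prio#Priority#prio], "
    "[count(eid)#Total#total] sort=2,-3 where 1=1 & __SID_CLAUSE__ & "
    "{timestamp#t#Time#date#} & {senid#senid#Sensor#sensor#} & "
    "{aid#aid#Application#app#} & {sid#sid#Signature#number#} & "
    "{src#src#Source IP/Subnet#subnet#} & "
    "{dst#dst#Destination IP/Subnet#subnet#} & {prio#prio#Priority#number#}"
)

# The four signatures named in the question.
TOR_SIDS = [2002950, 2002951, 2002952, 2002953]


def sid_clause(sids):
    """Return '(sid=A | sid=B | ...)' for the given signature IDs.

    Every ID must be a positive integer (a typo such as '20029S1' raises
    ValueError instead of silently producing a clause that matches nothing);
    duplicates are dropped while keeping the original order."""
    ordered = []
    for raw in sids:
        n = int(raw)
        if n <= 0:
            raise ValueError(f"signature id must be positive: {raw!r}")
        if n not in ordered:
            ordered.append(n)
    if not ordered:
        raise ValueError("at least one signature id is required")
    return "(" + " | ".join(f"sid={n}" for n in ordered) + ")"


def build_query(sids):
    """Splice the clause into the Query line, leaving the rest of the syntax
    (including the interactive {...} filters) exactly as the product emitted it."""
    return QUERY_TEMPLATE.replace("__SID_CLAUSE__", sid_clause(sids))


def count_by_app_sid_prio(events, sids, now, window=timedelta(hours=24)):
    """Local stand-in for what the hardcoded report counts: events whose sid is
    in the set and whose timestamp lies within the last `window`, grouped by
    (app, sid, prio). Returns a sorted list of (app, sid, prio, total)."""
    wanted = {int(s) for s in sids}
    cutoff = now - window
    tally = Counter()
    for ev in events:
        if ev["sid"] in wanted and cutoff <= ev["ts"] <= now:
            tally[(ev["aid"], ev["sid"], ev["prio"])] += 1
    return sorted((app, sid, prio, n) for (app, sid, prio), n in tally.items())


# Constructed sample events relative to a fixed "now" so the example is
# deterministic; 'hours_ago' is how far back each event was logged.
NOW = datetime(2020, 1, 2, 12, 0, tzinfo=timezone.utc)


def _ev(aid, sid, prio, hours_ago):
    return {"aid": aid, "sid": sid, "prio": prio,
            "ts": NOW - timedelta(hours=hours_ago)}


SAMPLE_EVENTS = [
    _ev("ids", 2002950, 2, 1),
    _ev("ids", 2002950, 2, 3),
    _ev("ids", 2002951, 2, 5),
    _ev("ids", 2002952, 3, 30),   # older than 24 hours: excluded
    _ev("ids", 1000001, 3, 2),    # not one of the TOR sids: excluded
    _ev("ids", 2002953, 2, 23),
]

if __name__ == "__main__":
    print(build_query(TOR_SIDS))
    for row in count_by_app_sid_prio(SAMPLE_EVENTS, TOR_SIDS, NOW):
        print(row)
```

The generated Query line is what you would paste back in place of the original; the other Link and Graph lines of the Report Syntax are unchanged, so the drill-down links keep working because they still pass $0 (app) and $1 (sid) per row.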