Sunday, April 22, 2007

SGUIL/BIRT: SGUIL Reports Built Using BIRT, Description Available on Sguil WIKI

Some time ago I had some brief discussions with David Bianco from Vorant about writing a series of functional reports using BIRT. I never managed to get past the initial discussion (EclipseCon, book project, major life changes, etc.), however he continued on and has completed some amazing work. He wrote an article about it, with a sample report, and wrote a very detailed entry on the Sguil Wiki page.

I have been trying for some time to get BIRT into the world of SGUIL and NSM, since I've believed from my beginnings in the world of NSM in 2001 that the reporting features of tools for analysts were lacking, so I am very glad to see someone else agreed with me and made headway in this area. BIRT is a very versatile tool, and I am glad to see that its capabilities are able to assist security analysts in detecting patterns and help security personnel make informed decisions. Some of the features of the finished reports aren't visible in the example reports, such as the hostname fields in the reports, which are real-time reverse DNS lookups. Using these reports as an example, a whole slew of additional functionality can be added, such as SANS lookups of offending IPs and ports, and a possible detail section at the end of the report explaining each alert might be beneficial (I don't know if there are still sites out there that provide explanations of SNORT alerts), especially if it is being viewed by not so technically inclined managers.

Good job David.