
How can one add new reports?

Open rful011 opened this issue 6 years ago • 2 comments

Most of the time I am interested in aggregated counts rather than individual alerts. I started out with ACID (yes that was a while ago ;) and then moved to PLACID as its SQL queries were much better optimised. I have long wanted to get rid of my SQL DB and barnyard! ;)

I already have an ES instance for Moloch so switching to eve output should be straight forward.

My standard display is a listing of the last day's alerts aggregated by SID, ordered by frequency, with columns for number of sources, destinations etc.

[Screenshot attached: screen shot 2018-01-23 at 3:53:51 pm]

and I drill down from the table.

I am interested in adding some reports like this to evebox. Any hints on where to start?

rful011 avatar Jan 23 '18 03:01 rful011

Reports are kind of tricky at this time. It's a mix of JavaScript in the frontend, and Go at the backend. I'm working to migrate them all to Go at the backend, as right now the frontend has some hardcoded Elasticsearch stuff, but I want the reports to work on PostgreSQL.

However, this looks more like a variation of the inbox display. I'll have to think about this a bit more...

I'm not familiar with PLACID, and it's been a long time since I used ACID. Can you share more on what each of those links would pivot to? I think it could make a great alternate view for the "Alerts" tab, but maybe not the inbox tab.

Currently the inbox/alert view is like a group by signature, group by src_ip, group by dest_ip. This looks like it starts with a simpler group by signature (with counts for srcs and dsts), and then drills down further.

jasonish avatar Jan 25 '18 00:01 jasonish

Picking this up again.

Is it still tricky to create custom reports at this time? i.e. is it still a mixture of JS in the frontend and Go at the backend?

As for what each of those links pivot to in rful011's screenshot, I'll try to answer that below:

  • Signature: returns a listing of all alerts that fall under that particular signature. This view is similar in content to evebox's Events -> Alerts view.
  • Total Events: same as above.
  • IP Srcs: returns a listing of all alerts grouped by unique source IP. This is the more useful view for us. Contains information like src_ip, signature_name, total_events, and latest_event_timestamp. This would be an extension of evebox's 'Top Alerting Source IPs' in the Reports -> Alerts view with additional columns.
  • IP Dsts: same as the above except the resulting table listing is grouped into unique destination IPs.
  • Sensors: returns a list of which sensor(s) generated the alert.

After those links, the next one to click on is normally the unique alert you're interested in, which displays the alert details (e.g. source/dst IPs/ports, payload data, etc.).

If the above is still unclear @jasonish I'm happy to provide screenshots.

So to summarise:

Evebox has all the information we're after in an alert front-end; however, our problem is that it's split across different pages/reports/views.

We would like to replicate what an ideal front-end view and tree looks like for us (Placid, described above) using evebox and are happy to code away and contribute back. We're just after some pointers as to where to start poking around to achieve that.

Thanks!

Edit: just noticed the experimental web API, might give that a poke as a starting point to the above.

ccpptt avatar Oct 23 '18 01:10 ccpptt
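The two views described in this thread (rful011's "last day's alerts aggregated by SID, ordered by frequency, with counts of sources and destinations" and ccpptt's "IP Srcs" drill-down with src_ip, total_events and latest_event_timestamp) are straightforward to prototype directly over Suricata's EVE JSON output, without going through EveBox or Elasticsearch. The following is an added example, not code from EveBox or from either commenter; it assumes one alert per EVE line using Suricata's standard `alert` event fields (`src_ip`, `dest_ip`, `host`, `timestamp`, `alert.signature_id`, `alert.signature`) and that all sensors log timestamps with the same UTC offset, so the ISO strings compare correctly. The sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample EVE records (not real traffic). Two are deliberately
# unusable: one corrupt line and one non-alert event that must be skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-01-23T14:01:05.000000+1300","event_type":"alert","host":"sensor-a",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}',
    '{"timestamp":"2018-01-23T14:02:10.000000+1300","event_type":"alert","host":"sensor-a",'
    '"src_ip":"10.0.0.6","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}',
    '{"timestamp":"2018-01-23T14:03:00.000000+1300","event_type":"alert","host":"sensor-b",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.11","proto":"TCP",'
    '"alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}',
    '{"timestamp":"2018-01-23T14:04:00.000000+1300","event_type":"alert","host":"sensor-a",'
    '"src_ip":"10.0.0.7","dest_ip":"192.0.2.12","proto":"UDP",'
    '"alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":2}}',
    '{"timestamp":"2018-01-23T14:04:30.000000+1300","event_type":"alert","host":"sen',  # truncated line
    '{"timestamp":"2018-01-23T14:05:00.000000+1300","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.10"}',
]


def parse_alerts(lines):
    """Parse EVE JSON lines, keeping only well-formed "alert" events."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole report
        if event.get("event_type") != "alert" or not isinstance(event.get("alert"), dict):
            continue
        alerts.append(event)
    return alerts


def aggregate_by_signature(alerts):
    """Summary table: one row per SID with event count, unique src/dst counts,
    sensors and most recent timestamp, most frequent signature first."""
    buckets = defaultdict(lambda: {"signature": "", "total_events": 0, "srcs": set(),
                                   "dsts": set(), "sensors": set(), "latest": ""})
    for ev in alerts:
        b = buckets[ev["alert"].get("signature_id", 0)]
        b["signature"] = ev["alert"].get("signature", "")
        b["total_events"] += 1
        b["srcs"].add(ev.get("src_ip"))
        b["dsts"].add(ev.get("dest_ip"))
        if ev.get("host"):
            b["sensors"].add(ev["host"])
        # Assumption: uniform UTC offset, so a string compare picks the latest ISO timestamp.
        b["latest"] = max(b["latest"], ev.get("timestamp", ""))
    rows = [{"signature_id": sid, "signature": b["signature"], "total_events": b["total_events"],
             "ip_srcs": len(b["srcs"]), "ip_dsts": len(b["dsts"]),
             "sensors": sorted(b["sensors"]), "latest_event_timestamp": b["latest"]}
            for sid, b in buckets.items()]
    rows.sort(key=lambda r: (-r["total_events"], r["signature_id"]))
    return rows


def drilldown_by_source(alerts, signature_id):
    """The 'IP Srcs' pivot: alerts for one SID grouped by unique source IP."""
    buckets = defaultdict(lambda: {"total_events": 0, "latest": "", "signature": ""})
    for ev in alerts:
        if ev["alert"].get("signature_id") != signature_id:
            continue
        b = buckets[ev.get("src_ip")]
        b["total_events"] += 1
        b["signature"] = ev["alert"].get("signature", "")
        b["latest"] = max(b["latest"], ev.get("timestamp", ""))
    rows = [{"src_ip": ip, "signature_name": b["signature"], "total_events": b["total_events"],
             "latest_event_timestamp": b["latest"]} for ip, b in buckets.items()]
    rows.sort(key=lambda r: (-r["total_events"], r["src_ip"]))
    return rows


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE_LINES)
    for row in aggregate_by_signature(alerts):
        print(f'{row["total_events"]:>5}  {row["ip_srcs"]:>4}  {row["ip_dsts"]:>4}  '
              f'{row["signature_id"]}  {row["signature"]}  {",".join(row["sensors"])}')
    print("--- IP Srcs for SID 2100498 ---")
    for row in drilldown_by_source(alerts, 2100498):
        print(f'{row["src_ip"]:<12} {row["total_events"]:>3}  {row["latest_event_timestamp"]}')
```

To run it against a real sensor, replace `SAMPLE_EVE_LINES` with the lines of `eve.json` (or a time-windowed slice of it); the `parse_alerts` filter is what keeps a single bad line, which is common when the file is read while Suricata is still writing to it, from discarding the whole day's report.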

Closing as stale. Custom reporting is not really planned and out of scope, especially when Kibana exists.

jasonish avatar Mar 10 '23 21:03 jasonish