Security Log Management: Identifying Patterns in the Chaos

Chapter 5: Creating a Reporting Infrastructure

Introduction

Having seen all the different formats and types of data you can gather from your security devices, it is apparent that these reports require a support structure of their own. In addition, your organization and security shop will be best served by gathering the information in these reports and disseminating the right information to the right teams or individuals.

Creating IDS Reports from Snort Logs

Example Report Queries

If your organization is typical, you have mountains of IDS data flowing somewhere, whether to an ESM/SIM or to a back-end log server. In previous chapters you were shown some examples of culling useful data out of those mountains. One of the keys to using this information is to put it in reports that can be automated, or in templates to be filled in when needed. As you think about the reports you can automate, also consider how you can frame these reports and their associated templates as a flexible and scalable resource.

One example of such a templated report is simply to pull all of the snort data for a specific host, sorted in some meaningful way, such as the report shown in Figure 5.1. Both the screenshot and the script that follows run against the current snort log files. This is useful if you restart snort every 24 hours, because the host report then covers only the specified period. However, it can be easily extended to search dated files, specific days, or timeframes with...
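A per-host report script of the kind described above, written here as an added example in Python rather than taken from the book's script; it assumes Snort's alert_fast output format and runs over constructed sample alert lines, grouping each host's alerts by signature and sorting by priority and hit count.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's alert_fast format (not from the book).
SAMPLE_ALERTS = """\
08/10-16:39:23.312345  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41022 -> 192.168.1.5:22
08/10-16:39:24.001122  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41023 -> 192.168.1.5:22
08/10-16:40:01.555555  [**] [1:1000001:1] LOCAL Web request to admin page [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:50112 -> 192.168.1.5:80
08/10-16:40:30.000000  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1
08/10-16:41:10.000001  [**] [1:1000002:1] LOCAL Suspicious DNS query [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.9:5353 -> 192.168.1.1:53
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification is optional and ICMP alerts carry no ports, so both are optional groups.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return one alert as a dict, or None for blank or malformed lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["pri"] = int(alert["pri"])
    return alert

def host_report(text, host):
    """Summarise every alert in which HOST is the source or the destination as rows
    (priority, count, sid, msg, role), most severe and most frequent signatures first."""
    counts = Counter()
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # a malformed line should not abort the whole report
        if alert["src"] == host:
            counts[(alert["pri"], alert["sid"], alert["msg"], "source")] += 1
        elif alert["dst"] == host:
            counts[(alert["pri"], alert["sid"], alert["msg"], "target")] += 1
    rows = [(pri, n, sid, msg, role) for (pri, sid, msg, role), n in counts.items()]
    return sorted(rows, key=lambda r: (r[0], -r[1], r[2]))

if __name__ == "__main__":
    for pri, n, sid, msg, role in host_report(SAMPLE_ALERTS, "192.168.1.5"):
        print(f"pri={pri} hits={n:3d} sid={sid:<8} {role:<6} {msg}")
```

Pointing `text` at the contents of the current alert file instead of `SAMPLE_ALERTS` gives the same per-host view over a live log; the ordering is one choice of "meaningful", and swapping the sort key (for example to first-seen time) is a one-line change.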
