Rafael Capovilla wrote:
Thanks for the suggestions, I will try to do it all asap.
I'm glad you found them useful. Here's a few more:

- When displaying the real-time alerts, perhaps you could use the JavaScript you've used to display agent details for the alert details. This would allow you to fit more alerts on the screen and the analyst could expand the alert for more details. I'm thinking the alert screen could look something like this (with the alert expanded):

  Time    ID    Level  Agent   Event
  -09:30  5501  3      Snuffy  Login Session Opened
          Jan 13 16:17:01 Snuffy CRON[15420]: (pam_unix) session opened for user root by (uid=0)

  You could also have an expand all/collapse all link for ease of use. Of course one should be able to click on the columns to sort by any particular field. Notice I didn't include the Date column. I think a real-time alert screen would probably best be used for events from the current day. Previous events can be viewed from the search screen (with convenient links like 'previous day').

- Maybe the newest alerts could be highlighted somehow since the last refresh of the page, so the analyst knows visually what is most recent. Then again, maybe it would get in the way..

- A way to mark the events as dealt with would be useful. There could be something like a 'mark event as.. (closed|follow up|etc)'. If there is a small notes field, the analyst could put in notes such as 'filed abuse report with ISP'.

- I'd like to see the source IP linked with useful sites like dshield or a quick way to do a whois on the netblock. For that matter, maybe filing an abuse report could be made super-simple. Just click on the IP, select 'file report' and it copies the event to a new mail message addressed to the abuse contact address of the netblock.

- On the search screen, having 'level' link to something explaining the levels would be useful.

- On the search screen, add 'dstip' to complement 'srcip'.

- On the search screen, maybe add a drop-down box for agent.

Hope this helps..