This is my first post here, so please excuse me if I'm posting it in the wrong place.
First of all, I understand the NSP has some decent tools for report generation. However, due to some of my customer's requests, we primarily use the Historical Threat Analyzer for gathering data, and extract it to a CSV file.
The thing is, we have a lot of Informational signatures enabled, and those eat up a lot of lines on the Threat Analyzer and slow Java to a crawl. I tried using custom views and filters, but that still didn't seem to do the trick; the Analyzer still slows down and eventually I have to stop Java.
And this is why I would like to disable Informational signatures. I understand this is not the best solution, but I don't see much use for most, if not all of those signatures. Now, I know some other signatures of different severity levels use informational signatures to detect attacks. So, would those other signatures stop working if I disable the Informational ones? Other than that, is it advisable to disable them at all?
Any help on this subject would be greatly appreciated.
Are you sure you do not need the information alert data? If you had to investigate an incident would you be required to produce this data?
You should be able to create a custom view with severity does not equal Informational to get around your problem.
The Threat Analyzer is a very poorly performing feature and has been removed from the new 8.3.x release of the software. I haven't tried it yet, but @pingebri shared a demo of it here.
You could also try tuning your IPS policies to reduce the overall volume of alerts.
You could also just run queries directly against the database to collect the alert data you want, which would be easier in the long run.
It is not advisable to disable the informational alerts IMHO without careful investigation of each rule. It is possible that they may be part of a correlation rule meaning that by themselves they may not mean much, but if that attack definition fires along with another it could be a high sev/low BTP alert.
Does your customer use a SIEM, and are they feeding it the NSM alerts? If so, it may be more advantageous to pull your reports from there if you are having difficulty with the report generation functions in the NSM.
Also, like Peter mentioned, you can query the DB directly. In theory, since you do this from the command line, you should be able to write a batch script to simplify the process. If you do this I'd be interested in seeing what you came up with, since I don't have my own NSM to play with.
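An added example (mine, not from the thread or from the NSM product) using an in-memory SQLite table as a stand-in for the NSM alert database, whose real schema is not given here: the report query drops Informational alerts at query time, the way the custom view above would, while a toy correlation rule shows what is lost if those signatures are disabled at the source instead. Table, column and signature names are assumptions.

```python
import sqlite3
from collections import defaultdict

# Constructed sample alerts standing in for an NSM alert table; the real
# schema is not known here, so table and column names are assumptions.
SAMPLE_ALERTS = [
    # (alert_id, ts, severity, signature, src_ip)
    (1, 100, "Informational", "HTTP: Suspicious User-Agent", "10.0.0.5"),
    (2, 130, "Informational", "HTTP: Directory Probe", "10.0.0.5"),
    (3, 200, "High", "SQL Injection Attempt", "10.0.0.9"),
    (4, 260, "Low", "ICMP Sweep", "10.0.0.7"),
    (5, 900, "Informational", "HTTP: Suspicious User-Agent", "10.0.0.8"),
]

# Illustrative (not NSP's actual) correlation rule: two informational signatures
# from the same source inside a short window escalate to a High-severity alert.
CORRELATION = {("HTTP: Suspicious User-Agent", "HTTP: Directory Probe"): "High"}
WINDOW_SECONDS = 60

def load_db(rows=SAMPLE_ALERTS):
    """Build the stand-in alert table; pass a filtered row list to simulate disabled signatures."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE alerts (alert_id INT, ts INT, severity TEXT, signature TEXT, src_ip TEXT)")
    con.executemany("INSERT INTO alerts VALUES (?,?,?,?,?)", rows)
    return con

def report_rows(con):
    """Report view: exclude Informational at query time, keeping the raw data intact."""
    return con.execute(
        "SELECT alert_id, severity, signature, src_ip FROM alerts "
        "WHERE severity <> 'Informational' ORDER BY ts").fetchall()

def correlate(con):
    """Escalate pairs of informational hits from one source that fall inside the window."""
    by_src = defaultdict(list)
    for ts, sig, src in con.execute(
            "SELECT ts, signature, src_ip FROM alerts WHERE severity = 'Informational' ORDER BY ts"):
        by_src[src].append((ts, sig))
    escalated = []
    for src, hits in by_src.items():
        for i, (t1, s1) in enumerate(hits):
            for t2, s2 in hits[i + 1:]:
                if t2 - t1 <= WINDOW_SECONDS and (s1, s2) in CORRELATION:
                    escalated.append((src, CORRELATION[(s1, s2)]))
    return escalated
```

With the full table the report excludes alerts 1, 2 and 5 yet the correlation still escalates 10.0.0.5; load only the non-Informational rows and the report is unchanged but the escalation disappears.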
Thanks for the responses, guys.
I think querying the DB might be the best thing to do here. The customer doesn't have a SIEM yet.