1. Download Security Onion 20110116.
2. Boot the ISO and run through the installer.
3. Reboot into your new Security Onion installation and login using the username/password you specified in the previous step.
4. Double-click the Setup script on the Desktop and follow the prompts to configure and start the Sguil processes.
5. Double-click the Sguil desktop icon. Log into Sguil using the username/password you specified in the previous step. There may already be some alerts in the Sguil console. If not, open Firefox and click the testmyids.com bookmark and you should then see an alert appear in Sguil.
6. Double-click the Squert desktop icon. The Squert main page appears. Click the "submit" button. Snort alerts appear at the bottom of the page and they should match what you saw in Sguil.
7. Go back to Sguil, select an alert, and press the F8 key to expire it. Notice that the alert disappears from Sguil.
8. Go back to Squert and click the "submit" button again. Notice that the alert remains in Squert. Sguil's main console shows events that have not yet been classified, so we need to tell Squert to do the same. Click the "Status" drop-down box and select "Unclassified". Click the "submit" button and notice that the alert is now gone.
In this post, we've covered the following:
- Logging into Sguil and Squert
- generating an IDS alert
- expiring an IDS alert
- Configuring Squert to show Unclassified events to match the main Sguil window
Stay tuned for future posts in this series!