Monday, January 17, 2011

Introduction to Sguil and Squert: Part 1

This post is the first in a multi-part series designed to introduce Sguil and Squert to beginners.

1. Download Security Onion 20110116.
2. Boot the ISO and run through the installer.
3. Reboot into your new Security Onion installation and log in using the username/password you specified in the previous step.
4. Double-click the Setup script on the Desktop and follow the prompts to configure and start the Sguil processes.
5. Double-click the Sguil desktop icon.  Log into Sguil using the username/password you specified in the previous step.  There may already be some alerts in the Sguil console.  If not, open Firefox and click the testmyids.com bookmark.  That page returns a body containing the string "uid=0(root)", which matches the "GPL ATTACK_RESPONSE id check returned root" signature, so you should then see an alert appear in Sguil.


6. Double-click the Squert desktop icon.  The Squert main page appears.  Click the "submit" button.  Snort alerts appear at the bottom of the page and they should match what you saw in Sguil.


7. Go back to Sguil, select an alert, and press the F8 key to expire it (Sguil classifies it as "No Action Required").  Notice that the alert disappears from Sguil.


8. Go back to Squert and click the "submit" button again.  Notice that the alert remains in Squert.  By default Squert shows events of every status, whereas Sguil's main console shows only events that have not yet been classified, so we need to tell Squert to do the same.  Click the "Status" drop-down box and select "Unclassified".  Click the "submit" button and notice that the alert is now gone.



In this post, we've covered the following:
  • Logging into Sguil and Squert
  • Generating an IDS alert
  • Expiring an IDS alert
  • Configuring Squert to show Unclassified events to match the main Sguil window
Stay tuned for future posts in this series!

15 comments:

M said...

Thanks for the tutorial.
Is there any way to get it to monitor wlan0? Although I am connected to the wireless network, it does not come up in the list of choices for the port to monitor.

Doug Burks said...

Hi M,

Thanks for using Security Onion!

I just added wlan support for you. Download the Security Onion Upgrade Script and run it from a terminal like this:
sudo bash security-onion-upgrade.sh

Setup should then be able to detect wlan interfaces. If you've already run setup, you'll probably want to run nsm_all_del (from the terminal or from the NSM menu) to delete your sensors so that Setup can run properly.

Please let me know how it goes. Thanks!

M said...

Thanks, Doug, but that doesn't seem to have worked. I followed your instructions, but sguil still only shows eth0 and ossec as the networks to monitor. I had wlan0 up and running, connected to my wireless network and the Internet before running the script. The script simply returned to the command prompt, it gave no messages.

FWIW this is an ASUS eee netbook, Atheros AR9285 adaptor.

Walt

Doug Burks said...

Hi Walt,

Did you see this part of my reply?

"Setup should then be able to detect wlan interfaces. If you've already run setup, you'll probably want to run nsm_all_del (from the terminal or from the NSM menu) to delete your sensors so that Setup can run properly. "

It sounds like you need to execute the following:
nsm_all_del
Setup

In Setup, make sure to choose Advanced Setup and then in the interfaces step of Setup you should see wlan0 as an option.

Please let me know whether or not that helps.

Thanks,
Doug

M said...

Yes, I did run nsm_all_del the last time, but did not run setup in Advanced mode.

Tonight, I ran nsm_all_del from the menu, but nothing interesting happens. If I run it from the command prompt I get:
OOPS! The server "securityonion" does not exist!

and setup (in Advanced mode) still only displays eth0.

I am using the 20110116 version from a thumb drive.

BTW what is the password for the keyring? I keep having to enter my (very long) WPA password by hand!

Thanks!
Walt

Doug Burks said...

Hello again Walt,

You said "I am using the 20110116 version from a thumb drive".

Are you running in Live mode, or did you actually run through the Installer? If you're running in Live mode, you may see strange things happen when you run out of RAM and the kernel starts killing processes. Live mode is fine for quick demonstrations and verifying hardware compatibility, but for any production usage you'll want to be running a fully installed version.

I just put up two new blog posts which demonstrate the Upgrade script and the nsm_all_del script. If you're not seeing the same kind of output shown in these posts, then something is wrong (perhaps you're running in Live mode and the kernel Out Of Memory killer is killing processes as I mentioned above).

It would be much easier to continue this conversation if you join the Security Onion mailing list.

Thanks!

Anonymous said...

Hello,

I have installed the latest Security Onion Distro and updated it.

When I try to open Sguil from the desktop or the drop down, I get no response whatsoever.

I have run setup and can access Snorby and Squert but no response from Sguil.

Any ideas anyone??

Cheers,

Simon..

Doug Burks said...

Hi Simon,

Please send support issues to the mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

Anonymous said...

Wow..thanks for fast response..

Am well chuffed with Security Onion...!

Cheers..

Simon,

Luke said...

Hi
All going very well with SO installed as well as Sguil and Snorby. However, I am getting the message that 'rule download sites appear to be down. Skipping rule updates'.
Can anyone give me a steer on this.
Thanks
Luke

Doug Burks said...

Hi Luke,

That message means that your box couldn't contact the rule sites and you should verify that you have full Internet access.

If you have further questions or problems, please use our Google Group:
https://code.google.com/p/security-onion/wiki/MailingLists

Thanks,
Doug

gabrielle said...

Thanks for the tutorial.

I'm still having a bit of trouble though.

When I add a new rule (in local.rules), the "msg" part of the rule is not displayed in Sguil or Squert (or Snorby for that matter).

Instead, I get "Snort Alert [gid:SID:Rev]".

How am I supposed to have suricata communicate with sguil/squert/snorby?



Doug Burks said...

Hi Gabrielle,

Did you run "sudo rule-update" after adding the rule to local.rules?

If you have further questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

gabrielle said...

I forgot to say that I did use the rule-update script and that my SO does NOT go on the internet.

Doug Burks said...

Please send a detailed email to our mailing list and include the output of "sudo rule-update":
https://code.google.com/p/security-onion/wiki/MailingLists
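Two things on this page are easier to see in code than in prose: why clicking testmyids.com in step 5 produces an alert (the page body carries the exact bytes a GPL content match looks for), and why a rule added to local.rules shows up as "Snort Alert [gid:SID:Rev]" until the rule set is regenerated (barnyard2 names events by looking the sid up in sid-msg.map, and a rule that is not in that map gets the generic placeholder). The following is an added example written for this post; it is not code from the original post, from Sguil, from barnyard2 or from Security Onion. The rule text and the response body are constructed inline so it runs offline; the local.rules entry (sid 9000001) is hypothetical, the content matching is a simplification that ignores offset/depth/distance/within, and the classic "sid || msg" map format is assumed. On Security Onion the real regeneration is done by rule-update (which drives PulledPork), which is why Doug's reply asks whether it was run.

```python
import re

# Constructed sample rule text (embedded so the example runs offline).
# The first rule mirrors the widely deployed GPL signature that testmyids.com
# is designed to trip; the local.rules entry is hypothetical.
DOWNLOADED_RULES = r'''
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
'''
LOCAL_RULES = r'''
# hypothetical rule added by hand to local.rules
alert tcp any any -> any 80 (msg:"LOCAL test string seen in HTTP response"; content:"Example Domain"; nocase; classtype:policy-violation; sid:9000001; rev:1;)
'''

# Constructed response body, shaped like the one testmyids.com returns.
TESTMYIDS_BODY = b"uid=0(root) gid=0(root) groups=0(root)\n"

# One rule option: key[:value];  value is a quoted string (with backslash
# escapes) or bare text; keyword-only options such as "nocase;" have no value.
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*)))?\s*;')
HEX_RE = re.compile(r'\|([0-9A-Fa-f ]+)\|')


def _unescape(s):
    """Undo the backslash escapes Snort requires inside quoted option values."""
    return s.replace('\\"', '"').replace('\\;', ';').replace('\\\\', '\\')


def decode_content(text):
    """Convert a Snort content string to bytes: literal text plus |hh hh| hex runs."""
    out = bytearray()
    pos = 0
    for m in HEX_RE.finditer(text):
        out += _unescape(text[pos:m.start()]).encode('latin-1')
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += _unescape(text[pos:]).encode('latin-1')
    return bytes(out)


def parse_rule(line):
    """Return header, gid/sid/rev, msg and decoded content matches, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    header, _, options = line.partition('(')
    rule = {'header': header.strip(), 'gid': 1, 'sid': None, 'rev': 0,
            'msg': '', 'contents': [], 'nocase': False}
    for m in OPTION_RE.finditer(options.rstrip(')')):
        key, quoted, bare = m.group(1), m.group(2), (m.group(3) or '').strip()
        if key == 'msg':
            rule['msg'] = _unescape(quoted)
        elif key == 'content':
            rule['contents'].append(decode_content(quoted))
        elif key in ('gid', 'sid', 'rev'):
            rule[key] = int(bare)
        elif key == 'nocase':
            rule['nocase'] = True
    if rule['sid'] is None:
        raise ValueError('rule without sid: ' + line)
    return rule


def build_sid_msg_map(rules):
    """sid -> msg: the lookup table rule-update regenerates and barnyard2 loads."""
    return {r['sid']: r['msg'] for r in rules}


def render_sid_msg_map(mapping):
    """Serialise in the classic 'sid || msg' format of sid-msg.map."""
    return '\n'.join('%d || %s' % (sid, msg) for sid, msg in sorted(mapping.items()))


def alert_name(gid, sid, rev, mapping):
    """Name shown in Sguil/Squert/Snorby: the msg if known, else barnyard2's placeholder."""
    return mapping.get(sid, 'Snort Alert [%d:%d:%d]' % (gid, sid, rev))


def rule_matches(rule, payload):
    """Simplified content check: every content string must occur somewhere in the payload."""
    hay = payload.lower() if rule['nocase'] else payload
    return all((c.lower() if rule['nocase'] else c) in hay for c in rule['contents'])


def demo():
    downloaded = [r for r in map(parse_rule, DOWNLOADED_RULES.splitlines()) if r]
    local = [r for r in map(parse_rule, LOCAL_RULES.splitlines()) if r]
    gpl, custom = downloaded[0], local[0]
    # Map built before local.rules was merged, i.e. rule-update not (re)run.
    stale = build_sid_msg_map(downloaded)
    fresh = build_sid_msg_map(downloaded + local)
    return {
        'testmyids_alert_fires': rule_matches(gpl, TESTMYIDS_BODY),
        'gpl_content': gpl['contents'][0],
        'stale_name': alert_name(custom['gid'], custom['sid'], custom['rev'], stale),
        'fresh_name': alert_name(custom['gid'], custom['sid'], custom['rev'], fresh),
        'sid_msg_map': render_sid_msg_map(fresh),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, '=', value)
```

`stale_name` is the placeholder gabrielle saw; `fresh_name` is what the consoles show once the map contains the new sid. The same lookup failure occurs for any consumer of unified2 output, which is why the symptom is identical in Sguil, Squert and Snorby.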