Tuesday, January 18, 2011

Introduction to Sguil and Squert: Part 2

This post is the second in a multi-part series designed to introduce Sguil and Squert to beginners.

I'm assuming you've already been through the steps in Introduction to Sguil and Squert: Part 1.  

Before we get started with Part 2, we need to fix a bug in Security Onion's Squert configuration.  Download the Security Onion Upgrade script and run it from a terminal like so:
sudo bash security-onion-upgrade.sh

Let's get started!  Generate an alert like you did previously using the testmyids.com bookmark in Firefox.  If the page loads but you get no alert in Sguil, then Firefox loaded the page from cache and you'll need to do a Shift-Reload to force the browser to get a new copy of the page.

In Sguil, make sure that "Show Packet Data" and "Show Rule" are enabled.  Now click the alert.  You should something like the following screenshot.  Notice that we can instantly see both the rule and the traffic that triggered the alert without any further navigation in the user interface.

In Squert, set Status to Unclassified as we did before and click the "submit" button.  You should see something like the following.  Notice that we only see the Signature.

Click the View drop-down box and select "event detail" and then click the "submit" button.  You should now see something like the following.

Click on the Timestamp for the alert.  A separate window will appear that shows the packet data:

Now click the Signature field.  A separate window will appear that shows the rule:

In this post, we've covered looking at rule and packet data in both Sguil and Squert.

Stay tuned for future posts in this series!

No comments: