Comments on Security Onion: Security Onion 20110321: Distributed Sguil Sensors
(comment feed, last updated 2014-08-26)

Doug Burks, 2013-10-23 08:42 (-04:00):
Hi Isha,

Please send a detailed email to our mailing list:
http://code.google.com/p/security-onion/wiki/MailingLists

isha, 2013-10-23 08:36 (-04:00):
Hey Doug,
I configured the network info and set up the sensor, but my Sguil setup is still not showing the packets which I am sending...
And one more thing: should the monitoring interface have a static IP or DHCP?

Doug Burks, 2013-07-25 18:18 (-04:00):
Hi Mike,

It sounds like you chose "Quick Setup", which automatically chooses Snort and the free Emerging Threats ruleset, which doesn't require an oinkcode.

If you want more options, please choose "Advanced Setup" instead of "Quick Setup".

If you have further questions or problems, please use our mailing list:
http://code.google.com/p/security-onion/wiki/MailingLists

Thanks,
Doug

Mike (http://secanalysis.com), 2013-07-25 10:41 (-04:00):
Hello Doug, I just tried running this and the installer did not give me an option of which IDS I wanted to utilize. Did it default to Snort and make the proper changes for reporting without any prompt? Or request an Oinkcode?

Doug Burks, 2012-10-24 10:20 (-04:00):
Hi N8,

You don't HAVE to do anything, but if you want to clean up the Sguil interface, you can remove the sensor via MySQL.

If you have further support questions, please use our mailing lists:
http://code.google.com/p/security-onion/wiki/MailingLists

N8, 2012-10-24 10:04 (-04:00):
Hi Doug,

How do you remove a remote sensor that is no longer being used?

Thanks,

Nate

Doug Burks, 2012-01-19 05:49 (-05:00):
Hi Emilio,

Unfortunately, there is no supported method of updating the sensors (without Internet connection) from the server. You could try mirroring the packages on Sourcefire and hacking the update script to pull from your mirror.

Thanks,
Doug

Emilio (http://blog.emiliocasbas.com), 2012-01-19 05:33 (-05:00):
Thanks Doug, it works!

Another question. Is there any method to update the version of sensors (without internet connection) from the server?

Regards

Doug Burks, 2011-12-23 09:09 (-05:00):
Hi Open Source,

Currently, sensors need to be able to connect to the server on ports 22 and 7736.

Hope that helps!

Thanks,
Doug

Emilio, 2011-12-23 07:49 (-05:00):
Thanks Doug, excellent tool!

One question: in the case of placing a sensor in a DMZ without a connection to the internal Sguil server, what kind of open ports would be needed to make them visible?

Thanks

Doug Burks, 2011-11-08 22:05 (-05:00):
Hi Scott,

Yes, the full pcap data is stored on the sensor and only retrieved when requested.

Thanks,
Doug

Anonymous, 2011-11-08 14:03 (-05:00):
When a sensor is added in this manner, is the full pcap data stored on the sensor and only transferred to the server when queried, or does it all get shuffled to the server?

Doug Burks, 2011-05-05 05:57 (-04:00):
Hi Alfon,

I'm not sure that I fully understand your question, but I think you have 2 options:
1. Run Quick Setup. This will create a standalone sensor with its own Sguil server (so no need for a separate box running Sguil server).
2. If you just want to run Snort by itself without Sguil at all, you can certainly do that by manually running Snort with a standard snort.conf.

Alfon (http://seguridadyredes.nireblog.com), 2011-05-05 05:42 (-04:00):
Hi,

When you add a remote sensor, it is necessary to connect to a Sguil server. Could you add a Snort sensor without a Sguil server, as Prelude IDS does, for example?

Best Regards,

dis9team (http://h4x0er.org/index.php), 2011-04-13 21:26 (-04:00):
Our team supports you. I really like this ISO. :D

RLG, 2011-04-13 12:54 (-04:00):
Thanks. I'll check it out.

Doug Burks, 2011-04-13 11:28 (-04:00):
"setup" is just a bash script that is a wrapper around the excellent NSMnow scripts such as nsm_server_add and nsm_sensor_add. Take a look at "setup" and you'll see what I mean.

RLG, 2011-04-13 11:19 (-04:00):
Is there a way to create sensors, etc. via the command line? A command-line version of "setup" would be cool.