Re: [security-onion] New install successfull but unable to log into web pages remotely


Doug Burks

Mar 20, 2013, 6:32:15 AM
to securit...@googlegroups.com
On Tue, Mar 19, 2013 at 4:34 PM, <stipro...@gmail.com> wrote:
> hi

Hi Joe,

> I successfully installed SO as a stand-alone server. I can get to the ELSA front end as well as the Snorby front end, yet Squert, Sguil and the default web page are not available over the network.

How are you trying to access Squert, Sguil, and the default web page?
Start with the default web page. From another box on your network,
you should be able to point a browser at https://192.168.XX.86 (note
the httpS). If that doesn't work, then perhaps there is some kind of
firewall between the two boxes.

Once you've reached the default web page, you should see a link for
Squert and it should work since it's using the same port (443).

Once you've verified that, then try logging into Sguil from another
machine on the network. Since Sguil is not web-based, we recommend
running Security Onion in a VM to get a full copy of the Sguil tcl/tk
app with our customizations for pivoting to NetworkMiner, etc. Launch
Sguil and point it at 192.168.XX.86. If you can't connect, check for
firewalls blocking port 7734.

> The weird thing is that on the console of the server both Squert and Sguil work OK.
> I have verified the basics, but now I have reached my maximum expertise.
> Here are the steps that I've checked:
> 1. all services run OK (cf. sostat)
> 2. no autossh
> 3. ufw with ALLOW from everywhere / no other FW blocking traffic
> 4. network/internet connectivity works
> 5. mysql/apache2 running
> etc. ==> this leads me to believe it is not a direct SO issue.
>
> The only clue I found is in /var/log/apache2/error.log:
> [warn] RSA server certificate CommonName (CN) `securityonion' does NOT match server name

That's normal.

> and that ps aux | grep rub[y] gives no feedback

That's normal.

> Let me know where the best spot to keep looking would be!
> Thanks in advance

Hope that helps!

Thanks,
Doug

> Joe
--
Doug Burks
http://securityonion.blogspot.com
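Doug's order of checks above, as an added example script (mine, not from the thread or the Security Onion project): it probes 443 and 7734 from another box and distinguishes a silent firewall drop (timeout) from a service that is not listening (refused). The port-to-component mapping and the verdict labels are my own constructions.

```python
import socket
import sys

# Ports the thread walks through (constructed mapping for this example, not an official SO list)
SO_PORTS = {
    443: "default web page / Squert (HTTPS)",
    7734: "Sguil server (sguild)",
}


def probe(host, port, timeout=3.0):
    """TCP connect to host:port and classify the outcome.

    'timeout' is the signature of a firewall silently dropping packets;
    'refused' means the host answered but nothing is listening on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"   # no route, bad address, DNS failure


def interpret(results):
    """Map per-port results to the next thing to check, in the thread's order."""
    web, sguil = results.get(443), results.get(7734)
    if web == "open" and sguil == "open":
        return "ok"
    if web in ("timeout", "unreachable") and sguil in ("timeout", "unreachable"):
        return "firewall"       # nothing reaches the box: look at ufw / a firewall between subnets
    if web != "open":
        return "web-down"       # apache2 not answering on 443: check sostat
    return "sguild-down"        # web fine but 7734 closed: sguild not running or port filtered


def diagnose(host):
    """Probe every Security Onion port and return (per-port results, verdict)."""
    results = {port: probe(host, port) for port in SO_PORTS}
    return results, interpret(results)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: so_reach.py <security-onion-host>")
    results, verdict = diagnose(sys.argv[1])
    for port, state in results.items():
        print(f"{sys.argv[1]}:{port:<5} {state:<12} {SO_PORTS[port]}")
    print("verdict:", verdict)
```

Run it from the remote PC, not on the server console, since the whole point is to see what the network path between the two boxes lets through.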

info stptech

Mar 25, 2013, 10:39:10 AM
to securit...@googlegroups.com
PS: is there a working Windows VM for Sguil?
The download sguil-client-0.8.0-x86_64.exe (7.1 MB) from SourceForge doesn't work on Win32, or am I missing something else?



On Mon, Mar 25, 2013 at 10:10 AM, <stipro...@gmail.com> wrote:
Hi Doug,
Thanks for the help!
Using another PC on the same subnet (i.e. no firewall in between) I was able to get to HTTPS on port 443, so it is indeed my FW config, as I was trying to connect from a different subnet! I should have thought of that test before!!!
Squert is indeed working fine.
I'll work on setting up the VM for Sguil now!

Thanks again



Jay Swan

Mar 25, 2013, 12:15:18 PM
to securit...@googlegroups.com
The recommendation is to install a bare-bones version of SO in a VM on your Windows box and run Sguil from there.

The reason for this is that there are important SO-specific customizations to the Sguil client that you'd be missing otherwise (like the ability to view session transcripts by right-clicking on the alert ID).

I haven't tried the binary .exe, but I have successfully run Sguil on Windows 7 using ActiveState Tcl/Tk and just double-clicking the sguil.tk file. However, the customizations are so important to the recommended SO workflow that you really should run it that way.

Jay