Saving Sguil, Snorby, and Elsa Alerts in my desktop

[ofaj....@gmail.com]

I need to save my Sguil, Snorby and Elsa Alerts' information in my desktop for further analysis. How do I do this?

[Matt Gregory]

Hi Ofaj,

Can you be more specific as to what you are trying to accomplish? What analysis are you trying to do that cannot be done within those tools?

Alot of analysis can be done within those tools. There are also raw logs available, such as Bro logs and full pcaps, that can be processed with other tools if needed.

Matt

On May 28, 2014 6:29 AM, <ofaj....@gmail.com> wrote:

I need to save my Sguil, Snorby and Elsa Alerts' information in my desktop for further analysis. How do I do this?

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

[ofaj....@gmail.com]

On Wednesday, 28 May 2014 03:58:09 UTC+1, ofaj....@gmail.com wrote:
> I need to save my Sguil, Snorby and Elsa Alerts' information in my desktop for further analysis. How do I do this?

I want to analyze sguil, snorby and Elsa Alerts' Information (output) using a security incident management tool I developed. I need the information in csv or excel format. Therefore, I want to be able to copy the alert file to the host machine.

[Matt Gregory]

In ELSA, you can export query results directly as a csv. In Squil, you can select events and export them as a text file (select events, then click Report -> Export events...), although you'll have to do some command line kung fu to format the files as a csv with the information you want. I don't think you can export anything from Snorby except the dashboards as a PDF. You could probably create some sql queries to pull out info directly from the Snorby databases, then format them as csv's.

Is there something you are trying to do that can't be done in ELSA?

Matt

[Kevin Branch]

Here is a pared down version of the mysql query one of my analysis scripts makes against the sguil db event table. 

mysql -B securityonion_db -e "SELECT left(hostname,length(hostname)-locate('-',reverse(hostname))) as hostname,right(hostname,locate('-',reverse(hostname))-1) as interface,signature_id as sig_sid, signature as sig_name, timestamp,inet_ntoa(src_ip) as src_ip, inet_ntoa(dst_ip) as dst_ip, ip_proto as proto, src_port as layer4_sport, dst_port as layer4_dport FROM securityonion_db.event left join securityonion_db.sensor on (event.sid=sensor.sid) limit 2;"

hostname        interface       sig_sid sig_name        timestamp       src_ip  dst_ip  proto   layer4_sport    layer4_dport
ons-nids2       eth1    2016871 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4.    2014-05-07 21:27:30     172.18.2.166    23.23.211.142   6       4275    80
ons-nids2       eth1    2016871 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4.    2014-05-07 21:27:30     172.18.2.166    23.23.211.142   6       4276    80

If you really need csv instead of tab-delimited, you can append this to the above command
     | sed 's/\t/\",\"/g' | sed 's/\(.*\)/\"\1\"/'

Kevin