HowTo show MAC address in events


Joshua Calandra

May 14, 2012, 6:47:12 AM5/14/12
to security-onion
Hi all, as per the subject, I'd like to know how to view the MAC address, and not
just the IP address, in events generated by Snort and shown by Snorby. Is that
possible?

Joshua Calandra

May 16, 2012, 4:22:38 AM5/16/12
to securit...@googlegroups.com
up

Doug Burks

May 16, 2012, 6:38:05 AM5/16/12
to securit...@googlegroups.com
Hi Joshua,

First, you do realize that you'll only see MAC addresses from your
local network, right? Meaning that if an attacker is outside of the
layer 2 boundary your sensor is monitoring, you'll see the MAC address
of the local gateway instead of the actual MAC address of the
attacker.

If local MAC addresses are indeed what you're looking for, here's one
way of accessing them:
- find the alert in Sguil
- right-click the Alert ID
- click "Wireshark"
- pcap opens in Wireshark and you can find the local MAC address there

Hope that helps!

Thanks,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
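The layer 2 caveat Doug describes, as an added example that is not part of the thread: parse the Ethernet and IPv4 headers of a frame the way you would read them out of the Sguil-exported pcap, then decide whether the MAC you see belongs to the endpoint itself or to the local gateway. The frame, the monitored subnet 10.0.0.0/24 and the gateway MAC are constructed assumptions.

```python
import ipaddress
import struct

# Assumed monitored layer 2 segment and its gateway MAC (constructed, not from the thread).
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
GATEWAY_MAC = "00:11:22:33:44:01"


def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Build a minimal Ethernet II + IPv4 header (no payload) as constructed sample input."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                      # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20, 0, 0, 64, 6, 0,  # IHL 5, TTL 64, proto TCP, checksum 0
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip


def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip) from an Ethernet II / IPv4 frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    # Source and destination addresses sit at offsets 12 and 16 of the IPv4 header.
    src_ip, dst_ip = struct.unpack("!4s4s", frame[14 + 12:14 + 20])
    fmt = lambda m: ":".join(f"{b:02x}" for b in m)
    return (fmt(src_mac), fmt(dst_mac),
            str(ipaddress.ip_address(src_ip)), str(ipaddress.ip_address(dst_ip)))


def attribute_mac(mac, ip, local_net=LOCAL_NET, gateway_mac=GATEWAY_MAC):
    """Say what a MAC seen in the capture actually identifies for the given IP."""
    if ipaddress.ip_address(ip) in local_net:
        return "host"       # endpoint is on the monitored segment: MAC is its own
    if mac.lower() == gateway_mac.lower():
        return "gateway"    # endpoint is beyond the L2 boundary: MAC is the router's
    return "unexpected"     # off-segment IP with a non-gateway MAC: check the topology


if __name__ == "__main__":
    frame = build_frame(GATEWAY_MAC, "aa:bb:cc:dd:ee:ff", "10.0.0.5", "198.51.100.7")
    s_mac, d_mac, s_ip, d_ip = parse_frame(frame)
    print(s_ip, s_mac, attribute_mac(s_mac, s_ip))   # local host, its real MAC
    print(d_ip, d_mac, attribute_mac(d_mac, d_ip))   # remote host, gateway MAC only
```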

Joshua Calandra

May 17, 2012, 4:24:30 AM5/17/12
to securit...@googlegroups.com
Hi Doug, I tried to start sguil but this error occurred:

Application initialization failed: no display name and no $DISPLAY environment variable
ERROR: Cannot fine the Iwidgets extension.
The iwidgets package is part of the incr tcl extension and is
available as a port/package most systems.
See http://www.tcltk.com/iwidgets/ for more info.

Searching for iwidgets in apt-get gives me no such package... what should I do?

Doug Burks

May 17, 2012, 7:08:15 AM5/17/12
to securit...@googlegroups.com
This usually occurs when the tcl/tk configuration is changed. Please see:
http://code.google.com/p/security-onion/wiki/tcl

Hope that helps!

Thanks,
Doug

On Thu, May 17, 2012 at 4:24 AM, Joshua Calandra

Joshua Calandra

May 17, 2012, 10:33:14 AM5/17/12
to securit...@googlegroups.com
Hi Doug, I fixed the wrongly installed threaded version of tcl8.5 as the guide says, but it still shows me the same error as before.

Doug Burks

May 17, 2012, 10:42:30 AM5/17/12
to securit...@googlegroups.com
Do you know what led to the wrong threaded version of tcl8.5 being
installed in the first place?

Did you see this at the end of the link I previously sent?

See Also
Also see the page on FreeNX and in particular this:

"Now that the FreeNX Server is up and running if you were to attempt
to launch Sguil from the desktop link you'll notice that nothing
happens. This is due to a symlink change made during the installation
that affects the execution of the 'wish' command. Execution of 'wish'
launches /usr/bin/wish which is a symlink to /etc/alternatives/wish.
Prior to the FreeNX Server installation the symlink
/etc/alternatives/wish pointed to /usr/bin/wish8.5 and now points to a
newly created symlink /usr/bin/wish-default which points to
/usr/bin/wish8.4. You need to change it back so that execution of
'wish', by Sguil, will launch tk8.5 and not tk8.4."

sudo ln -sf /usr/bin/wish8.5 /etc/alternatives/wish


Thanks,
Doug

On Thu, May 17, 2012 at 10:33 AM, Joshua Calandra
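A quick way to verify the symlink chain Doug quotes before and after the `ln -sf` fix, as an added example that is not part of the thread: follow `/usr/bin/wish` through `/etc/alternatives/wish` to the real binary and report whether it ends at wish8.5. It assumes GNU `readlink -f`; the path argument is optional so the check can be pointed at a test tree.

```sh
#!/bin/sh
# Resolve the 'wish' alternatives chain and report which Tk binary it ends at.
# Usage: check_wish_link [path-to-wish]   (defaults to /usr/bin/wish)
# Returns 0 when the chain ends at wish8.5, 2 when it ends elsewhere, 1 if unresolvable.
check_wish_link() {
    wish="${1:-/usr/bin/wish}"
    # readlink -f follows every symlink hop (wish -> alternatives -> wish-default -> ...)
    target=$(readlink -f "$wish" 2>/dev/null) || { echo "cannot resolve $wish"; return 1; }
    case "$(basename "$target")" in
        wish8.5) echo "ok: $wish -> $target"; return 0 ;;
        *)       echo "wrong: $wish -> $target (Sguil needs wish8.5)"; return 2 ;;
    esac
}
```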

Joshua Calandra

May 17, 2012, 10:49:54 AM5/17/12
to securit...@googlegroups.com
Yes, I have just run this command... but it has no effect.

Doug Burks

May 17, 2012, 11:00:44 AM5/17/12
to securit...@googlegroups.com
Do you know what led to the wrong threaded version of tcl8.5 being
installed in the first place?

If you can't answer that question, you could always just do a fresh re-install.

Thanks,
Doug

On Thu, May 17, 2012 at 10:49 AM, Joshua Calandra

Joshua Calandra

May 22, 2012, 3:56:32 AM5/22/12
to securit...@googlegroups.com
Hi Doug, when I installed SecurityOnion 20120125, and after all the updates, I once tried to start Sguil by clicking the shortcut icon on the desktop but nothing happened. Afterwards I tried to start it from the console by running the command /usr/local/bin/sguil.tk, but that error occurred...

Application initialization failed: no display name and no $DISPLAY environment variable
ERROR: Cannot fine the Iwidgets extension.
The iwidgets package is part of the incr tcl extension and is available as a port/package most systems.
See http://www.tcltk.com/iwidgets/ for more info.
So when I saw the phrase "is part of the incr tcl extension", to fix the problem I installed the tcl8.5 package manually, given that in graphic mode I couldn't do it.
That's what led to the wrong threaded version of tcl8.5; in fact, after all of those steps the sensors disappeared in snorby and no events showed.

2012/5/17 Doug Burks <doug....@gmail.com>

Doug Burks

May 22, 2012, 6:36:23 AM5/22/12
to securit...@googlegroups.com
Hi Joshua,

That error does not occur on a default installation of Security Onion.
The incorrect tcl version was installed AFTER Security Onion was
installed and BEFORE you tried to launch Sguil when you noticed the
error. If you're unable to determine the root cause, please perform a
fresh install of Security Onion and make sure that you follow the
Installation procedure:
http://code.google.com/p/security-onion/wiki/Installation

Hope that helps!

Thanks,
Doug

On Tue, May 22, 2012 at 3:56 AM, Joshua Calandra

Joshua Calandra

May 25, 2012, 6:00:46 AM5/25/12
to securit...@googlegroups.com
Hi Doug,
I did a fresh reinstall and SGUIL starts normally, but in the Agent Status tab the pcap status is down, so Wireshark could not start... How can I fix it?
Thanks a lot.

2012/5/22 Doug Burks <doug....@gmail.com>

Doug Burks

May 25, 2012, 6:06:27 AM5/25/12
to securit...@googlegroups.com
You can try restarting the pcap agent using the following command:
sudo nsm_sensor_ps-restart --only-pcap-agent

If that doesn't work, take a look at the log file for clues (replacing
HOSTNAME and INTERFACE):
/var/log/nsm/HOSTNAME-INTERFACE/pcap_agent.log

If you need additional help, please include the output of the
following in your reply:
sudo sostat

Thanks,
Doug

On Fri, May 25, 2012 at 6:00 AM, Joshua Calandra

Joshua Calandra

May 25, 2012, 6:21:33 AM5/25/12
to securit...@googlegroups.com
Thanks, restarting the agent works fine.

2012/5/25 Doug Burks <doug....@gmail.com>