Bro_agent events not showing data in squert


James Gordon

Feb 8, 2018, 11:18:06 AM
to security-onion
Disclaimer: I am a complete novice in working with most Squert and Sguil issues...

We use Paul Halliday's Bro_agent in our environment to forward Bro notices and intel matches to the sguil DB for analysts to review in Squert. Since the recent Squert update, these events no longer contain any data when viewed in Squert. The events show up, but just say they contain no data whereas they used to contain the information logged in bro's notice.log. When we review the Bro alerts with the sguil client relevant alert data is available, so it looks like the bro_agent is still successful in transmitting the alert data into the sguil DB. My guess is that the recent Squert update broke the way Squert queries this Bro data.

I've attached an sostat-redacted from our master server, as well as screenshots of Bro notices from both Squert and Sguil. I used capture-loss alerts for the sake of not providing information about our environment - you'll notice that the Squert alert doesn't contain any data, but the alert in Sguil shows the percentage of capture loss reported. This is similar across all our Bro notices.

I know this is not officially supported functionality for Security Onion, but the ability to review Bro data in Squert has been incredibly useful for us to date. I'm curious whether anyone else on the mailing list has encountered this problem, or has ideas on how to fix it :)

Thanks!

James Gordon

squert-alert.PNG
sguil-alert.PNG
sostat-redacted

Doug Burks

Feb 8, 2018, 7:56:15 PM
to securit...@googlegroups.com
Hi James,

I've confirmed this problem and created the following issue:
https://github.com/Security-Onion-Solutions/security-onion/issues/1203

Please download the following file:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-squert/master/.inc/callback.php

then save it to:
/var/www/so/squert/.inc/callback.php

Please let us know whether or not that helps.

Thanks!
--
Doug Burks

Doug Burks

Feb 9, 2018, 7:00:13 AM
to securit...@googlegroups.com
Update: I've built a new Squert package with this fix and have
submitted it to our testing group for QA:
https://groups.google.com/d/topic/security-onion-testing/gZxg4Rg1a80/discussion
--
Doug Burks

James Gordon

Feb 9, 2018, 8:25:21 AM
to security-onion

Doug,

I can confirm that this fixed the issue. Thanks much for your assistance with this!

James Gordon
