Reverse DNS and Enable External DNS
tr...@yahoo.com
Shane Castle
> Is it possible to enable Reverse DNS and Enable External DNS by default,
> when Sguil client starts? If yes how can I change the settings?
/etc/sguil, but sguil.tk also looks for it in
$HOME
current directory
and uses the one in /etc/sguil if that's the only one.
Note you can also set the IP addresses that will be used by external DNS in
sguil.conf.
--
Mit besten Grüßen
Shane Castle
Shane Castle
SHOWRULE - automatically checks the "Show Rule" box
DISPLAY_GENERIC - checks the box for "Display Detail" for generic events
DISPLAY_PADS - checks the box for "Display Detected Banner" for PADS events
PACKETINFO - checks the box for "Show Packet Data"
And in case you missed it, these are either set to 1 (on) or 0 (off), like this:
set PACKETINFO 1
In my case, owing to peculiarities of how my network is set up, I had to set
EXT_DNS, EXT_DNS_SERVER, and HOME_NET to force local resolution and external
resolution to do what I want.
Doug Burks
https://github.com/Security-Onion-Solutions/security-onion/wiki/Sguil
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
tr...@yahoo.com
> Is it possible to enable Reverse DNS and Enable External DNS by default, when Sguil client starts? If yes how can I change the settings?
I have following setting in Sguil.conf file as suggested in Sguil tweak, but I am missing the variables for "Reverse DNS and Enable External DNS".
sguil.conf,v 1.35 2011/02/22 13:27:10 bamm Exp $ #
# sguil.conf - Read by sguil.tk on init. Configure options
# to meet your needs
# Port to connect to the server on
set SERVERPORT 7734
# Server to connect to:
# this can also be a space separated list of hosts (if you have more than one)
#set SERVERHOST "demo.sguil.net localhost 10.0.0.2"
set SERVERHOST localhost
# Where any required sguil libraries are (like the font chooser).
set SGUILLIB /usr/lib/sguil
# Debug 1=on 0=off This is VERY chatty
set DEBUG 1
# PATH to tls lib if needed (tcl can usually find this by default)
#set TLS_PATH /usr/lib/tls1.4/libtls1.4.so
# win32 example
#set TLS_PATH "c:/tcl/lib/tls1.4/tls14.dll"
# Path to a whois script.
# awhois.sh is an example. Get it at ftp://ftp.weird.com/pub/local/awhois.sh
# NEW: sguil.tk has a built in whois proc called SimpleWhois although
# you can continue to use tools like awhois.sh.
set WHOIS_PATH SimpleWhois
# Configure optional external DNS here. An external DNS can be used as a
# way to prevent data leakage. Some users would prefer to use anonymous
# DNS as a way to keep potential malicious sources from knowing who is
# interested in their activities.
#
# Enable Ext DNS
set EXT_DNS 1
# Define the external nameserver to use. OpenDNS list 208.67.222.222 and 208.67.220.220
set EXT_DNS_SERVER 208.67.222.222
# Define a list of space separated networks (xxx.xxx.xxx.xxx/yy) that you want
# to use the OS's resolution for.
set HOME_NET "192.168.0.0/16 10.0.0.0/8 172.16.0.0/12"
# If you have festival installed, then you can have alerts spoken to
# you. Set the path to the festival binary here. If you are using
# speechd from speechio.org, then leave this commented out.
set FESTIVAL_PATH /usr/bin/festival
# win32 example
# set FESTIVAL_PATH "c:\festival\bin\festival.exe"
# Path to wireshark (ethereal)
set WIRESHARK_PATH /usr/bin/wireshark
# win32 example
# set WIRESHARK_PATH "c:/progra~1/wireshark/wireshark.exe"
# Where to save the temporary raw data files on the client system
# You need to remember to delete these yourself.
set WIRESHARK_STORE_DIR /tmp
# win32 example
# set WIRESHARK_STORE_DIR "c:/tmp"
# Favorite browser for looking at sig info on snort.org
set BROWSER_PATH /usr/bin/x-www-browser
# win32 example (IE)
# set BROWSER_PATH c:/progra~1/intern~1/iexplore.exe
# Define what url is opened when a sid is clicked
# Format: set sid_ref(name) {{url} min max}
set sid_ref(snort) {{http://snort.org/search/sid/} 0 999999}
set sid_ref(et) {{http://doc.emergingthreats.net/} 2000000 2999999}
set sid_ref(custom) {{http://localhost/} 3000000 9000000}
# Path to gpg
set GPG_PATH /usr/bin/gpg
# win32 example
# set GPG_PATH "c:/gnupg"
# How often in seconds to get sensor status updates
# Default is 15 seconds
set STATUS_UPDATES 15
# Packet Data Search Frame shown by default?
set SEARCHFRAME 1
# Number of RealTime Event Panes
set RTPANES 3
set RTPANES 2
set RTPANES 3
# Specify which priority events go into what pane
# According to the latest classification.config from snort,
# there are only 4 priorities. The sguil spp_portscan mod
# uses a priority of 5.
#set RTPANE_PRIORITY(0) "1 2 3 4 5"
set RTPANE_PRIORITY(0) "1"
set RTPANE_PRIORITY(1) "2 3"
set RTPANE_PRIORITY(2) "4 5"
# Number of different colors in the Status (ST) column.
set RTCOLORS 3
# If you defined 3 colors than you need 3 corresponding
# definitions of which priority alerts have what color.
set RTCOLOR_PRIORITY(0) "1"
set RTCOLOR_PRIORITY(1) "2 3"
set RTCOLOR_PRIORITY(2) "4 5"
# Now define the colors
set RTCOLOR_NAME(0) "red"
set RTCOLOR_NAME(1) "orange"
set RTCOLOR_NAME(2) "yellow"
# Different colors for different incident categories
set CATEGORY_COLOR(NA) "lightblue"
set CATEGORY_COLOR(C1) "#cc0000"
set CATEGORY_COLOR(C2) "#ff6600"
set CATEGORY_COLOR(C3) "#ff9900"
set CATEGORY_COLOR(C4) "#cc9900"
set CATEGORY_COLOR(C5) "#9999cc"
set CATEGORY_COLOR(C6) "#ffcc00"
set CATEGORY_COLOR(C7) "#cc66ff"
set CATEGORY_COLOR(ES) "pink"
set CATEGORY_COLOR(UN) "white"
# Customize the Select/highlight color
set SELECTBACKGROUND "#ffffcc"
set SELECTFOREGROUND black
# Default Max Rows returned for portscan data.
# Value can be changed within the GUI after init.
# Set to 0 for no limit - use 0 at your own risk.
set MAX_PS_ROWS 200
# Display a GMT clock in the upper righthand corner
# 1=on 0=off
set GMTCLOCK 1
#
# Mailserver to use for emailing alerts
set MAILSERVER mail.example.com
# If you need to define a hostname for the HELO set it here.
# Otherwise you `hostname` will be used
#set HOSTNAME host.example.com
# Default From: address for emailing
set EMAIL_FROM exa...@example.com
# Default CC:
set EMAIL_CC ""
# Default Email Subject
set EMAIL_SUBJECT "Incident Report"
# Default Email Body Header
set EMAIL_HEAD "Dear Hostmaster,\n We recently detected a possible attack from an IP address that originates from your network. Please take appropriate action.\n\n All times are UTC and are accurate\n"
# Default Email Body Footer
set EMAIL_TAIL "Please Reply to this Email Address with questions.\n"
set SHOWRULE 1
set PACKETINFO 1
set DISPLAY_GENERIC 1
tr...@yahoo.com
I am sorry I am just missing the Reverse DNS variable. Everything else is okay.
Shane Castle
The sguil app is a TCL/TK script, /usr/bin/sguil.tk, and you can look at it to see what variables need to be set.
I thought it was already in sguil.conf, just commented out, but that was probably done by me.
Sent from my iPad
Wes
Try the following:
set REVERSE_DNS 1
Thanks,
Wes
tr...@yahoo.com
Thanks, it worked.