sguil events not appearing in squert - do they have different minimum levels for display?


nbHd5

Jul 30, 2014, 9:36:01 PM7/30/14
to securit...@googlegroups.com
I've done a lot of learning the last few days. disable.conf'd ICMPv6 related rules, autocat.conf'd Sguil/Squert events. Wrote OSSEC decoders and rules for Kippo. Snort rules for SpiderOak detection. Lots of fun stuff.

Here's the question I'm at today that my google-fu can't seem to find.

I have 9 groups of alerts in Sguil but only 3 showing in Squert. Level 7 alerts appear but level 5 alerts do not (or at least with these specific rules). The level 5 alerts are the minimum from OSSEC to appear in Sguil.

Is there a higher minimum alert level for Squert? And, if so, can I change that in a config file I've not yet found?

The level 5 rules are Kippo connection, login fail and login success alerts. I do not want OSSEC to provide an active response but I do want Sguil and Squert to show the event.

OSSEC decoder and rules for Kippo?
https://groups.google.com/d/msg/ossec-list/Om5hw-MP3nc/MlQkmxor_JgJ

Should Squert be showing all alerts visible in Sguil and/or should I be adjusting Squert to show a lower level of OSSEC alert?

Alternately, can I create OSSEC exception rules so specific level 7 rules do not trigger active responses? I've been all over the OSSEC website without seeing that option yet.

Doug Burks

Jul 31, 2014, 6:48:43 AM7/31/14
to securit...@googlegroups.com
Hi nbHd5,

In general, Squert should show the same data as Sguil. However, there
are a few caveats to be aware of:

1. Squert may group things differently from Sguil. You might try
changing "Event grouping" (on the right side) from "on" to "off" and
then clicking the Update button.

2. Sguil's "RealTime Events" tab shows you all uncategorized events
for all time. However, Squert defaults to showing you the current
day's events. To change the time window in Squert:
- click the bidirectional arrow in the upper right corner of the screen
- change the From date (perhaps just change "2014" to "2013")
- click the Update button on the left side



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

nbHd5

Jul 31, 2014, 7:33:47 AM7/31/14
to securit...@googlegroups.com
Thanks Doug,

From reading the Squert install directions and .inc directory, I did note that it read directly from the Sguil database but could find no SELECT WHERE event level = something in the config or .scripts directory.

Originally I had the Kippo rules set to OSSEC level 14 and 15. Those appeared in Squert, but the OSSEC active response kept blocking the IP; a bit of a problem when I want to capture attempted username/password lists and potentially session recordings.

Good notes about the ungrouping and date filtering. I had ungrouped and shown unqueued events, along with confirming that the level 14/15 events were still listed for previous days. That was what led me to believe there was event severity filtering in the SQL query; level 7 and greater appear in Squert, but I couldn't remember seeing lesser severities.

Currently, I've bumped the OSSEC active response to level 8 with Kippo connections level 6 and Kippo login attempts level 7.

With OSSEC level 6, I've got a connection showing from last night, though it's just reconnaissance with no login attempts. It does give me a nice dark spot on Spain.

One catch: my Kippo is using EDT but SO is using UTC.

Kippo:
2014-07-31 01:03:14-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: #.#.#.#:35141 (#.#.#.#:2222) [session: 438]

Sguil/Squert:
2014-07-31 05:03:14 1.3229 TX #.#.#.# - #.#.#.# - [OSSEC] Kippo New Connection.

I thought that might be causing a time delay, with Squert using OSSEC's time, but it seems to use the UTC time from when the OSSEC server received the event rather than the event's originating log time, so that's all good.

Maybe it all just needed a reboot once the OSSEC rule levels were adjusted, though I'd still like to reduce the Squert severity minimum if there is such a thing. I'll watch Sguil for lesser severity events today; at home I'm catching Kippo events, at work I want to catch user failed login attempts (eventually VPN failed login attempts from rsyslog tracking; got remote logging set up but haven't looked at alert rules yet).
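The timestamp mismatch above (Kippo logging local time with a -0400 offset, Sguil/Squert storing UTC) is the kind of thing that quietly breaks correlation between the honeypot log and the OSSEC events it produces. The following script is an added example, not code from the thread, from Security Onion or from Kippo: it classifies Kippo lines into the three rules the poster described (connection at level 6, login failed/succeeded at level 7, active response threshold 8), folds the Kippo offset into UTC, and pairs each Kippo event with the matching Sguil event from the same source. The first Kippo and Sguil lines mirror the ones quoted in the post; the two login lines are constructed in Kippo's log style, the masked #.#.#.# addresses are replaced with RFC 5737 documentation addresses, and the rule names and levels are assumptions based on the poster's settings, not OSSEC's shipped rules.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input (see lead-in): first lines mirror the post, login
# lines are made up, IPs are documentation addresses standing in for #.#.#.#.
KIPPO_LOG = """\
2014-07-31 01:03:14-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:35141 (198.51.100.2:2222) [session: 438]
2014-07-31 01:03:20-0400 [HoneyPotTransport,438,203.0.113.5] login attempt [root/123456] failed
2014-07-31 01:03:25-0400 [HoneyPotTransport,438,203.0.113.5] login attempt [root/toor] succeeded
"""

SGUIL_EVENTS = """\
2014-07-31 05:03:14 1.3229 TX 203.0.113.5 - 198.51.100.2 - [OSSEC] Kippo New Connection.
2014-07-31 05:03:20 1.3230 TX 203.0.113.5 - 198.51.100.2 - [OSSEC] Kippo Login Failed.
2014-07-31 05:03:25 1.3231 TX 203.0.113.5 - 198.51.100.2 - [OSSEC] Kippo Login Success.
"""

# Assumed rule names and the OSSEC levels the poster chose: connections at 6,
# login attempts at 7, active response raised to 8 so none of them block the IP.
KIPPO_RULES = [
    ("kippo_new_connection",
     re.compile(r"New connection: (?P<src>[\d.]+):\d+"), 6),
    ("kippo_login_failed",
     re.compile(r"HoneyPotTransport,\d+,(?P<src>[\d.]+)\] login attempt \[[^\]]*\] failed"), 7),
    ("kippo_login_success",
     re.compile(r"HoneyPotTransport,\d+,(?P<src>[\d.]+)\] login attempt \[[^\]]*\] succeeded"), 7),
]
ACTIVE_RESPONSE_LEVEL = 8

KIPPO_TS = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d{4}) (?P<rest>.*)$")
SGUIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \S+ (?P<src>[\d.]+) - (?P<dst>[\d.]+) - (?P<msg>.*)$"
)


def parse_kippo(line):
    """Classify one Kippo log line and normalise its local timestamp to UTC."""
    m = KIPPO_TS.match(line.strip())
    if not m:
        return None
    # %z understands the "-0400" suffix Kippo writes; astimezone() folds it into UTC.
    ts_utc = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S%z").astimezone(timezone.utc)
    for name, pattern, level in KIPPO_RULES:
        r = pattern.search(m.group("rest"))
        if r:
            return {
                "rule": name,
                "level": level,
                "src": r.group("src"),
                "ts_utc": ts_utc,
                "active_response": level >= ACTIVE_RESPONSE_LEVEL,
            }
    return None


def parse_sguil(line):
    """Parse a Sguil/Squert event line; Security Onion stores these in UTC."""
    m = SGUIL_RE.match(line.strip())
    if not m:
        return None
    ts_utc = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts_utc": ts_utc, "src": m.group("src"), "dst": m.group("dst"), "msg": m.group("msg")}


def naive_skew_seconds(kippo_line, sguil_line):
    """Skew you get by comparing the clock strings while ignoring Kippo's offset."""
    k = KIPPO_TS.match(kippo_line.strip()).group("ts")[:19]
    s = SGUIL_RE.match(sguil_line.strip()).group("ts")
    delta = datetime.strptime(k, "%Y-%m-%d %H:%M:%S") - datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
    return int(delta.total_seconds())


def correlate(kippo_text, sguil_text, tolerance=timedelta(seconds=2)):
    """Pair each Kippo event with a Sguil event from the same source inside the tolerance.

    Returns (rule, level, active_response, sguil message, sguil-minus-kippo seconds).
    """
    sguil = [e for e in (parse_sguil(l) for l in sguil_text.splitlines()) if e]
    pairs = []
    for line in kippo_text.splitlines():
        k = parse_kippo(line)
        if not k:
            continue
        for s in sguil:
            if s["src"] == k["src"] and abs(s["ts_utc"] - k["ts_utc"]) <= tolerance:
                pairs.append((k["rule"], k["level"], k["active_response"], s["msg"],
                              int((s["ts_utc"] - k["ts_utc"]).total_seconds())))
                break
    return pairs


if __name__ == "__main__":
    first_k, first_s = KIPPO_LOG.splitlines()[0], SGUIL_EVENTS.splitlines()[0]
    print("naive skew (s):", naive_skew_seconds(first_k, first_s))
    for pair in correlate(KIPPO_LOG, SGUIL_EVENTS):
        print(pair)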

Reply all
Reply to author
Forward
0 new messages