Squert / Sguil Alerts Not working with so-import-pcap


Chris Horvath

Jun 13, 2019, 2:27:12 PM
to security-onion
Hi - I am importing several TB worth of pcaps and am not seeing any alerts in squert or sguil.

Any guidance would be much appreciated!

Regards,

Chris

Chris Horvath

Jun 13, 2019, 2:42:41 PM
to security-onion
I should add that I'm not seeing any data with pcap-import.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/a_KeEX0_WKk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/5652533e-10cb-493d-8870-538aa2de8e21%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Dustin Lee

Jun 13, 2019, 3:42:20 PM
to securit...@googlegroups.com
Chris,

What's the date range for the pcap you're ingesting? Also, is there any way to test on a much smaller scale initially? Sguil should at least show the alerts within the main console while you'll need to adjust the time range for Squert depending on the pcap dates. Are the NIDS services up and running during the import process?

- Dustin

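Dustin's question about the pcap date range matters for the rest of the thread: so-import-pcap keeps the packets' original capture timestamps, so the time window in Squert or Kibana has to cover the dates inside the files, not the day the import ran. The following is an added example, not code from this thread or from Security Onion, that reads the first and last packet timestamps out of a libpcap file before you import it. It parses the global header (all four magic numbers: both byte orders, microsecond and nanosecond resolution) and walks the record headers, skipping packet bodies with seek so multi-gigabyte files are not read into memory. pcapng input is rejected rather than misread. The sample file used for the self-test is constructed inline by build_sample_pcap; the command-line usage in __main__ assumes Python 3 on the sensor.

```python
"""Report the capture time range of libpcap files before running so-import-pcap.

Added example for this thread; not part of Security Onion or so-import-pcap.
"""
import io
import struct
import sys
from datetime import datetime, timezone
from typing import BinaryIO, Dict, Iterable

# libpcap magic number -> (struct byte-order prefix, timestamp fraction divisor)
_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
}
_PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
_GLOBAL_HEADER_LEN = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
_RECORD_HEADER_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len


def pcap_time_range(fh: BinaryIO) -> Dict[str, object]:
    """Scan one libpcap stream; return first/last packet time, packet count and link type."""
    magic = fh.read(4)
    if magic == _PCAPNG_MAGIC:
        raise ValueError("pcapng input: convert to libpcap format first (editcap -F pcap)")
    if magic not in _MAGICS:
        raise ValueError("not a libpcap file (magic %s)" % magic.hex())
    order, divisor = _MAGICS[magic]
    rest = fh.read(_GLOBAL_HEADER_LEN - 4)
    if len(rest) != _GLOBAL_HEADER_LEN - 4:
        raise ValueError("truncated global header")
    _vmaj, _vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", rest)

    first = last = None
    packets = 0
    while True:
        hdr = fh.read(_RECORD_HEADER_LEN)
        if len(hdr) < _RECORD_HEADER_LEN:
            break  # clean EOF, or a capture cut off mid-record (common in rotated files)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", hdr)
        if snaplen and incl_len > snaplen:
            # A length above snaplen means a corrupt record; seeking by it would desync the scan.
            raise ValueError("record %d: incl_len %d exceeds snaplen %d" % (packets, incl_len, snaplen))
        ts = ts_sec + ts_frac / divisor
        if first is None:
            first = ts
        last = ts
        packets += 1
        fh.seek(incl_len, io.SEEK_CUR)  # skip the packet bytes without reading them

    def to_dt(t):
        return None if t is None else datetime.fromtimestamp(t, tz=timezone.utc)

    return {"packets": packets, "linktype": linktype,
            "first_epoch": first, "last_epoch": last,
            "first": to_dt(first), "last": to_dt(last)}


def pcap_time_range_bytes(data: bytes) -> Dict[str, object]:
    return pcap_time_range(io.BytesIO(data))


def pcap_time_range_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return pcap_time_range(fh)


def build_sample_pcap(timestamps: Iterable[float], order: str = "<", nanos: bool = False) -> bytes:
    """Constructed test input: a minimal pcap with one 4-byte dummy packet per timestamp."""
    divisor = 1_000_000_000 if nanos else 1_000_000
    magic = next(m for m, v in _MAGICS.items() if v == (order, divisor))
    # version 2.4, thiszone 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET (1)
    out = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        sec = int(ts)
        out += struct.pack(order + "IIII", sec, round((ts - sec) * divisor), 4, 4) + b"\x00" * 4
    return out


if __name__ == "__main__":
    # Usage: python3 pcap_range.py /opt/samples/zeus*
    for path in sys.argv[1:]:
        try:
            r = pcap_time_range_file(path)
            print("%s  %s .. %s  (%d packets)" % (path, r["first"], r["last"], r["packets"]))
        except (OSError, ValueError) as exc:
            print("%s  ERROR: %s" % (path, exc))
```

Run it over the batch before importing and set the Squert/Kibana window to span the earliest "first" and the latest "last" it prints; a file that errors out with the pcapng message needs converting before so-import-pcap will see its packets.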

Chris Horvath

Jun 16, 2019, 9:44:23 AM
to security-onion

Hi Dustin - I am searching on the entire past year for my date range. I tried testing by ingesting only a handful of pcap files and still nothing. Running sudo sostat-quick shows all services are running - wouldn't this show if NIDS services were running? Do you have any other thoughts?

Thanks!

Chris

Doug Burks

Jun 17, 2019, 6:44:35 AM
to securit...@googlegroups.com
Hi Chris,

Let's start with a simple test and some known good pcap files.  

Please perform a fresh installation of the Security Onion 16.04.6.1 ISO image and then run the following:
sudo so-import-pcap /opt/samples/zeus*

When so-import-pcap completes and provides a Kibana hyperlink, that hyperlink should show data similar to:
[attached image: image.png]

If not, please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your terminal’s scroll buffer OR redirect the output of the command to a file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses, but there may be additional sensitive info that you still need to redact manually.

Attach the output to your email in plain text format (.txt) OR use a service like http://pastebin.com.

--
Doug Burks
CEO
Security Onion Solutions, LLC
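Doug's procedure is one invocation of sudo so-import-pcap over a handful of sample files followed by a check of the Kibana link it prints. The thread's real workload is several thousand large files at roughly a minute each, which is a multi-day run. The following is an added example, not code from this thread or from Security Onion, that wraps that same step for a large batch: each file is imported in its own invocation (so one bad file costs only that file), the wall-clock time per file is recorded, the Kibana hyperlink the tool prints is captured from its output, and successfully imported paths are appended to a done-list so a stopped run can be resumed without re-importing. It assumes only what the thread states (so-import-pcap accepts pcap paths as arguments and prints a Kibana hyperlink when it finishes); the importer command, the done-list file and the result fields are this script's own conventions, and the command can be overridden for testing.

```python
"""Batch runner for so-import-pcap with per-file timing and resume support.

Added example for this thread; not part of Security Onion. Written to run on
the Python 3.5 shipped with Security Onion 16.04 (no f-strings, no capture_output).
"""
import re
import subprocess
import sys
import time
from typing import Dict, List, Optional, Sequence, Set

# Assumed from the thread: the tool takes pcap paths as arguments. Override in tests.
DEFAULT_IMPORTER = ("sudo", "so-import-pcap")  # type: Sequence[str]
_URL_RE = re.compile(r"https?://\S+")


def load_done(done_path: Optional[str]) -> Set[str]:
    """Paths already imported by an earlier run; empty if no done-list exists yet."""
    if not done_path:
        return set()
    try:
        with open(done_path) as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return set()


def import_pcaps(paths: Sequence[str],
                 importer: Sequence[str] = DEFAULT_IMPORTER,
                 done_path: Optional[str] = None,
                 timeout: Optional[float] = None) -> List[Dict[str, object]]:
    """Import each path in its own so-import-pcap run; return one result record per path."""
    done = load_done(done_path)
    results = []  # type: List[Dict[str, object]]
    for path in paths:
        if path in done:
            results.append({"path": path, "skipped": True})
            continue
        start = time.monotonic()
        proc = subprocess.run(list(importer) + [path],
                              stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                              universal_newlines=True, timeout=timeout)
        elapsed = time.monotonic() - start
        match = _URL_RE.search(proc.stdout)  # the Kibana hyperlink the tool prints on completion
        rec = {"path": path, "skipped": False, "rc": proc.returncode,
               "seconds": round(elapsed, 1),
               "kibana_url": match.group(0) if match else None,
               "output": proc.stdout}
        if proc.returncode == 0 and done_path:
            with open(done_path, "a") as fh:  # append only on success so failures are retried
                fh.write(path + "\n")
        results.append(rec)
    return results


def summarize(results: List[Dict[str, object]]) -> Dict[str, object]:
    """Counts plus mean seconds per imported file, for estimating the remaining run."""
    ran = [r for r in results if not r["skipped"]]
    failed = [r for r in ran if r["rc"] != 0]
    total = sum(r["seconds"] for r in ran)
    return {"imported": len(ran) - len(failed), "failed": len(failed),
            "skipped": len(results) - len(ran),
            "mean_seconds": round(total / len(ran), 1) if ran else 0.0}


if __name__ == "__main__":
    # Usage: python3 batch_import.py /data/pcaps/*.pcap   (done-list: ./imported.txt)
    out = import_pcaps(sys.argv[1:], done_path="imported.txt")
    for r in out:
        if r["skipped"]:
            print("SKIP  %s" % r["path"])
        else:
            print("rc=%s %6.1fs %s %s" % (r["rc"], r["seconds"], r["path"], r["kibana_url"] or ""))
    print(summarize(out))
```

Point the done-list at persistent storage and re-run the same command after an interruption; only files whose import exited non-zero are attempted again. Failed files keep their full tool output in the result record, which is what you would paste into a sostat-redacted report.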

Chris Horvath

Jun 26, 2019, 1:58:31 PM
to security-onion
Hi Doug,

Thank you for reaching out to me.  Sorry for the delay, as I've been out of the office.  

I installed a fresh version of TSO 16.04.6.1.  I ran the setup and then imported the zeus pcap.   When I load Kibana, it's telling me that there is no index created.   How do I create the index for Elastic in Kibana for TSO?

Regards,

Chris

Doug Burks

Jun 27, 2019, 6:11:37 AM
to securit...@googlegroups.com
Hi Chris,

How many CPU cores and how much RAM do you have?

Please try the following:
sudo so-elastic-configure-kibana

If you need further assistance, please also run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your terminal’s scroll buffer OR redirect the output of the command to a file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses, but there may be additional sensitive info that you still need to redact manually.

Attach the output to your email in plain text format (.txt) OR use a service like http://pastebin.com.


Chris Horvath

Jun 27, 2019, 9:41:50 PM
to security-onion

Hi Doug

I was able to get Kibana up and running correctly with the indexes and Suricata to show alerts from the Zeus pcap files in Squert.  

I am running TSO on a Blade server with 32gb of RAM and 8 cores. I am ingesting several thousand large pcap files. When running so-import-pcap, it is taking roughly 1 minute per pcap. Do you have any suggestions for speeding up the ingest process, as this will take weeks at this speed? I'm just trying to understand if there are ways I can tweak TSO.

Also, should I be updating the suricata.yaml file within the so-import (sensor) folder for pcap imports through the so-import-pcap process?

One final question - I am very interested in building out custom Kibana dashboards based on the data that is generated by bro/zeek and ingested in to logstash/elastic search.  Do you have any learning resources that you can share with me to teach myself?

Thanks so much for your help!  

Regards,

Chris

Doug Burks

Jul 2, 2019, 4:59:22 PM
to securit...@googlegroups.com
Hi Chris,

Instead of ingesting several thousand large pcap files, have you considered having Security Onion sniff traffic live from a tap or span port?



Mathias Conde

Jul 13, 2019, 5:23:22 AM
to security-onion
Has anyone encountered an issue when following so-import-pcap, the sensor/server failed to "go back" to being a live-network-sniffing sensor?

Bro seems to have dropped off of nsm-sensor-status,

"sensor-enp2s0-1: <error: no running instances of Bro>"

and when doing a ???, it returns <sensor>-import.. am thinking it has gotten 'stuck' in the pcap import?

"user@sensor:/var/log/nsm$ sudo so-bro-status
Status: sensor-import"

..help?


