Sguil and Bro


Koen Veelenturf

Jun 10, 2014, 5:12:15 AM6/10/14
to securit...@googlegroups.com
Hi all,

I have a little question about Sguil. According to the website it is
possible to run Bro, using the Sguil client. I don't want to run Bro all
the time, only for further analysis per event.

I don't see the option for "Bro" when I right-click an event. Is this
because I've disabled Bro in the securityonion.conf?

Kind regards,
Koen

Doug Burks

Jun 10, 2014, 6:46:05 AM6/10/14
to securit...@googlegroups.com
Hi Koen,

Are you referring to the option in our Sguil client to render a pcap
transcript using a Bro script? The Bro script emulates tcpflow,
providing an ASCII transcript of the traffic in the pcap while
handling gzip encoding.

This option should not be affected by the Bro setting in
/etc/nsm/securityonion.conf. You should still be able to right-click
an Alert ID in the Sguil client and choose the "Bro" option. This
will retrieve the pcap from the full packet capture store for the
session in question and then render it using the Bro script. Of
course, this does require that you're running netsniff-ng for full
packet capture.

--
Doug Burks
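To make concrete what the "Bro" option does once it has the pcap, here is an added illustration in Python (not code from Security Onion or from the Bro script Doug describes): it reassembles each direction of a TCP session into a tcpflow-style labelled block and inflates a gzip-encoded HTTP body, including the case where full packet capture only holds part of the body. The CLIENT, SERVER and SEGMENTS values are constructed sample data.

```python
import gzip
import zlib
from collections import defaultdict

# Constructed sample standing in for the TCP payloads the Sguil "Bro" option pulls
# from the full packet capture store: (src, sport, dst, dport, payload) in capture order.
CLIENT, SERVER = "10.0.0.5", "93.184.216.34"
PAGE = b"<html><body>hello</body></html>"
SEGMENTS = [
    (CLIENT, 40000, SERVER, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (SERVER, 80, CLIENT, 40000, b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"),
    (SERVER, 80, CLIENT, 40000, gzip.compress(PAGE)),   # body arrives in a later segment
]

def inflate(body: bytes) -> bytes:
    """Inflate a gzip body; a truncated body (partial capture) yields what could be recovered."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)        # 16+ selects gzip framing
    out = d.decompress(body)
    if not d.eof:                                      # trailer never arrived: say so in the transcript
        out += b"\n[transcript: gzip body truncated, partial decode shown]"
    return out

def render_stream(data: bytes) -> bytes:
    """Apply the gzip handling to one direction of an HTTP exchange."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if sep and b"content-encoding: gzip" in head.lower():
        body = inflate(body)
    return head + sep + body

def transcript(segments) -> str:
    """tcpflow-style transcript: one labelled block per direction, printable ASCII only."""
    streams = defaultdict(bytes)
    for src, sport, dst, dport, data in segments:      # concatenate payloads per direction
        streams[(src, sport, dst, dport)] += data
    blocks = []
    for (src, sport, dst, dport), data in streams.items():
        text = render_stream(data).decode("ascii", errors="replace")
        blocks.append(f"{src}:{sport} -> {dst}:{dport}\n{text}")
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(transcript(SEGMENTS))
```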

Koen Veelenturf

Jun 10, 2014, 9:32:03 AM6/10/14
to securit...@googlegroups.com
Hi Doug,

(replying inline)

On 10/06/14 12:46, Doug Burks wrote:
> Hi Koen,
>
> Are you referring to the option in our Sguil client to render a pcap
> transcript using a Bro script? The Bro script emulates tcpflow,
> providing an ASCII transcript of the traffic in the pcap while
> handling gzip encoding.

Yes, that's exactly what I mean. :)

>
> This option should not be affected by the Bro setting in
> /etc/nsm/securityonion.conf. You should still be able to right-click
> an Alert ID in the Sguil client and choose the "Bro" option. This
> will retrieve the pcap from the full packet capture store for the
> session in question and then render it using the Bro script. Of
> course, this does require that you're running netsniff-ng for full
> packet capture.

I think my events don't offer enough traffic to run Bro. It's pretty
quiet on my test network. The only alerts I get are SURICATA
STREAM/TLS/HTTP (low/very low) events and an ET DOS (medium) event.

Kind regards,
Koen

jsm

Jun 10, 2014, 10:18:20 AM6/10/14
to securit...@googlegroups.com
Hi Koen,

To get some "better" quality alerts on your quiet test network you can replay malicious pcaps without any risk. The pcaps are in the /opt/sample folder. Doug has described it very well on his YouTube channel and probably in the wiki too:

https://www.youtube.com/watch?v=9dloF04GoJM

I'd recommend the Zeus samples.

Regards

J
