Location of SO data of bro,tcpflow,pcap and snort


Jeshrel

Jan 3, 2015, 1:41:09 AM1/3/15
to securit...@googlegroups.com
Hi,

I have SO on a server and we are going to set up SO from scratch. We had a security activity on the 23rd of December and we used SO as our NSM, and it performed really well.

Now I would like to discard the server but would like to keep all the logs and data of:

1) Bro IDS alerts & logs
2) Packet capture
3) Snort IDS alerts and logs
4) tcpreplay
5) Transcripts
6) Others


Basically I need all the logs to analyze in detail so I can write a handbook about the security activity conducted on the 23rd of December. Before the server is discarded I need all of these logs; how do I obtain them for complete analysis without the SO server?

Please assist

Doug Burks

Jan 3, 2015, 10:00:05 AM1/3/15
to securit...@googlegroups.com
Hi Jeshrel,

Replies inline.

On Sat, Jan 3, 2015 at 1:41 AM, Jeshrel <rac...@gmail.com> wrote:
> Hi,
>
> I have SO on a server and we are going to set up SO from scratch. We had a security activity on the 23rd of December and we used SO as our NSM, and it performed really well.
>
> Now I would like to discard the server but would like to keep all the logs and data of:
>
> 1) BRO IDS alerts & logs

All Bro data is stored in /nsm/bro/.

> 2) Packet Capture

All packet capture data is stored in
/nsm/sensor_data/HOSTNAME-INTERFACE/dailylogs/.

> 3) Snort IDS alerts and logs

Snort alerts go to 3 destinations by default:
1. Snorby database
2. Sguil database
3. ELSA database

You can use standard MySQL tools to export one or more of these databases.

Depending on what you need, you may be able to just grab the alerts
from the Sguil log at /var/log/nsm/securityonion/sguild.log:
grep "Alert Received" /var/log/nsm/securityonion/sguild.log*

> 3) tcpreplay

Not sure what you mean by this. tcpreplay is a tool used to replay
pcaps to an ethernet interface.

> 4) transcript

Transcripts are rendered on-the-fly when an analyst requests it from
the full packet capture in
/nsm/sensor_data/HOSTNAME-INTERFACE/dailylogs/. So as long as you
have the full packet capture from that directory, you can create any
transcript you want using tcpflow.


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
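The collection steps Doug describes above (archive /nsm/bro/ and the dailylogs pcap directory, pull the "Alert Received" lines out of sguild.log, dump the alert databases with standard MySQL tools, and render transcripts from the pcaps with tcpflow), put together as one POSIX shell script. This is an added example, not code from the thread or from the Security Onion project. The directory paths are the ones Doug names; the database names (securityonion_db, snorby, syslog) and the sample sguild.log lines are assumptions constructed for the demonstration, so check them against your own box before relying on the dump.

```shell
#!/bin/sh
# Added example: collect Security Onion NSM data before a server is retired.
# Paths are from the thread; database names and sample log lines are assumed.
set -eu

# Locations Doug lists. SENSOR is the HOSTNAME-INTERFACE directory name.
BRO_DIR="${BRO_DIR:-/nsm/bro}"
SENSOR="${SENSOR:-HOSTNAME-INTERFACE}"
PCAP_DIR="${PCAP_DIR:-/nsm/sensor_data/$SENSOR/dailylogs}"
SGUILD_LOG="${SGUILD_LOG:-/var/log/nsm/securityonion/sguild.log}"

# Print the "Alert Received" lines from one or more sguild log files
# (the current log plus any rotated copies passed as arguments).
extract_alerts() {
    grep -h "Alert Received" "$@" 2>/dev/null || true
}

# Count the alerts in the given log files; handy for checking the export
# against the number of events Sguil showed for the day in question.
count_alerts() {
    extract_alerts "$@" | wc -l | tr -d ' '
}

# Dump the three alert databases with mysqldump ("standard MySQL tools").
# The database names are an assumption for this example; adjust to your box.
dump_databases() {
    outdir="$1"
    mkdir -p "$outdir"
    for db in securityonion_db snorby syslog; do
        mysqldump --single-transaction "$db" | gzip > "$outdir/$db.sql.gz"
    done
}

# Bundle Bro logs, full packet capture and the sguild log(s) into one
# tarball and record a checksum so the copy can be verified later.
archive_nsm_data() {
    outdir="$1"
    mkdir -p "$outdir"
    tar -czf "$outdir/nsm-data.tgz" "$BRO_DIR" "$PCAP_DIR" "$SGUILD_LOG"*
    (cd "$outdir" && sha256sum nsm-data.tgz > nsm-data.tgz.sha256)
}

# Render transcripts from a pcap without a running SO server: tcpflow
# reassembles each TCP stream into a file under the output directory.
render_transcripts() {
    pcap="$1"
    outdir="$2"
    mkdir -p "$outdir"
    tcpflow -r "$pcap" -o "$outdir"
}

# Write a constructed sguild.log so the alert extraction can be exercised
# offline. These lines are made up; real sguild.log lines are longer.
write_sample_log() {
    cat > "$1" <<'EOF'
2014-12-23 10:02:11 pid(2345)  Alert Received: 0 1 misc-activity sensor1 ...
2014-12-23 10:02:12 pid(2345)  Client connected: analyst1
2014-12-23 10:05:40 pid(2345)  Alert Received: 0 2 trojan-activity sensor1 ...
EOF
}

# Offline demo: `sh collect_nsm.sh demo` prints the alert count (2) for the
# constructed log. Run the other functions on a real box with its paths.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_log "$tmp/sguild.log"
    count_alerts "$tmp/sguild.log"
    rm -rf "$tmp"
fi
```

Run the archive and dump functions as root on the sensor before it is wiped, then verify the tarball checksum on the destination host; the sguild.log grep is the quick route Doug mentions when only the alert lines are needed.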

Jeshrel

Jan 3, 2015, 3:38:54 PM1/3/15
to securit...@googlegroups.com
Hi Doug,

Thank you.

Is there something else I am missing that would be crucial to the analysis?

Doug Burks

Jan 3, 2015, 5:16:54 PM1/3/15
to securit...@googlegroups.com
That should be most of the relevant data, but if you're really
concerned you could always do a full backup of the whole box.