Sguil not displaying any alerts


dqk...@yahoo.com

Jul 12, 2011, 9:32:42 AM
to security-onion
Hi,

I've recently discovered Security Onion. It looks promising, but I
can't get the installation to work. I installed "security onion" by
following the FAQ here (http://code.google.com/p/security-onion/wiki/FAQ).
I ran through the setup script with all defaults (snort), then
started the sguil client. I visited www.testmyids.com to trigger an
alert. No alerts. I used tcpreplay to replay attack traffic as
shown on the security onion blog. Still no alerts. I came across
this thread "http://groups.google.com/group/security-onion/browse_thread/thread/67b510e525bf3d84".
I used "nsm --all --status", and I discovered that the "snort alert
process failed". If I used "nsm --all --stop" and then "nsm --all
--start", all processes started. I checked the status again and the
snort alert process had failed. I ran the setup script again and
switched over to Suricata. Sguil had yet to report any alerts. I
checked squert, which did not produce any alerts either.
Any suggestions? Appreciate any help.

Doug Burks

Jul 12, 2011, 6:13:24 PM
to securit...@googlegroups.com
Hi dqkona,

Thanks for using Security Onion!

I'm guessing that you are experiencing the effects of the Emerging
Threats ruleset update described here:
https://groups.google.com/forum/#!topic/security-onion/U1dED-Cajjw

To fix it, please follow the upgrade steps here:
http://securityonion.blogspot.com/2011/07/security-onion-20110709-now-available.html

(I've updated the Installation steps in the FAQ to reflect performing
a Security Onion update.)

Please let us know how it goes!

Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

dqk...@yahoo.com

Jul 13, 2011, 1:39:22 PM
to securit...@googlegroups.com

Hi Doug,

Thanks for the fast response and the willingness to help. I followed the updated instructions. I ran through the default setup script (snort). When I checked all processes, this time the "snort_agent (sguil)" and the "snort (alert data)" processes were "OK". I started sguil and selected to monitor eth0 and ossec. After the update, the agent status for all entries within sguil was "OK". I clicked on testmyids.com and got no alert. I ran through the setup again, this time using suricata (eth0) + Emerging Threats GPL. This time I received alerts when I was making system modifications. Screenshots attached. I ran testmyids.com - no alert. I am using a VM on a Mac host with a NAT net connection. Thank you.

Doug Burks

Jul 13, 2011, 9:11:57 PM
to securit...@googlegroups.com
Hi dqkona,

First, you said you clicked on testmyids.com. If you had previously
clicked testmyids.com, the page could have been cached by your browser
and would therefore have not generated any traffic. Try opening a
terminal and typing the following:
curl http://testmyids.com

If that generated an alert, great! If not...

I had to rush out the latest update so that sensors that were broken
after Friday's ET update could be fixed as quickly as possible. Since
I had to rush it out (and I was on vacation at the time), the update
only applies to previously configured sensors. I still have to build
a new update that will configure PulledPork properly when running
Setup to create a new sensor. I'm hoping to get that done sometime
this weekend. In the meantime, you can rebuild your VM using the
steps in the FAQ with one exception: run Setup to create your
sensor(s) BEFORE running the Security Onion 20110709 update. Then run
"curl http://testmyids.com" and everything should work fine.

Please let us know whether or not that helps.

Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
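The two checks discussed in this thread, a real (uncached) request for the test page and a look at which sensor processes are not running, can be scripted. The following is an added example and is not code from the thread or from the Security Onion project. It assumes that `nsm --all --status` prints one line per process in the shape `  * process name   [  OK  ]` or `[FAIL]`; the sample status text is constructed for this example, so compare the pattern against the output of your own sensor before relying on it.

```shell
#!/bin/sh
# Added example; assumes the NSM status line format shown in SAMPLE_STATUS,
# which is constructed here and not taken from a real sensor.

# Constructed sample of what `nsm --all --status` is assumed to print.
SAMPLE_STATUS='Status: securityonion-eth0
  * snort_agent (sguil)                      [  OK  ]
  * snort (alert data)                       [FAIL]
  * barnyard2 (spooler, unified2 format)     [  OK  ]
  * sancp (session data)                     [FAIL]'

# failed_processes: read status text on stdin and print the name of every
# process line whose bracketed status is not OK, one name per line.
failed_processes() {
    awk '
        /^[ \t]*\*/ && !/\[[ \t]*OK[ \t]*\]/ {
            line = $0
            sub(/^[ \t]*\*[ \t]*/, "", line)          # drop the leading "  * "
            sub(/[ \t]*\[.*\][ \t]*$/, "", line)       # drop the trailing "[FAIL]"
            print line
        }'
}

# count_failed: number of non-OK process lines in the status text on stdin.
count_failed() {
    failed_processes | awk 'END { print NR }'
}

# probe_ids: force a fresh request for the test page (a browser may serve it
# from cache and put nothing on the wire), then list sensor processes that are
# not running. Needs curl and nsm, so run it on the sensor itself.
probe_ids() {
    curl -s -H 'Cache-Control: no-cache' -o /dev/null http://testmyids.com
    nsm --all --status | failed_processes
}

# Offline demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | failed_processes
```

Run `probe_ids` on the sensor after the request has had a moment to be processed; if it prints nothing, every process reported OK and the missing alert is a rule or configuration problem rather than a dead process, which is the distinction this thread turns on.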

Doug Burks

Jul 14, 2011, 7:00:05 AM
to securit...@googlegroups.com
I went ahead and released Security Onion 20110714 so that PulledPork
is updated correctly for any new sensors:
http://securityonion.blogspot.com/2011/07/security-onion-20110714-now-available.html

Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

dqk...@yahoo.com

Jul 14, 2011, 8:54:32 AM
to security-onion
Hi Doug,

I just wanted to report that the latest update 20110714 fixed the
existing sensors. I did not have to rebuild. Running a simple test
like testmyids.com reported an alert in Sguil with default settings.
Excellent work! You are a one-man army. At the beginning, I mentioned
that Security Onion looks promising. Now I know that it delivers too!
Thank you.


Doug Burks

Jul 15, 2011, 6:17:47 AM
to securit...@googlegroups.com
Hello again dqkona,

I'm glad that worked for you! Thanks!

--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
