Suricata - SGUIL agent status


BBCan177

Feb 9, 2014, 12:36:15 PM
to securit...@googlegroups.com
I switched from Snort to Suricata today.

Modified suricata.yaml to my specific customization.

Server and Sensor changes -

sudo nsm_sensor_ps-stop
sudo sed -i 's|ENGINE=snort|ENGINE=suricata|g' /etc/nsm/securityonion.conf
sudo rule-update
sudo nsm_sensor_ps-start

But in SGUIL, the "Agent Status" shows "Down" for some of the Snort agents?

Server-eth1 UP
Server-eth1-1 DOWN
Server-eth1-2 DOWN

Sensor-eth1 UP
sensor-eth1-1 DOWN


Am I missing something in the suricata.yaml config?

--SERVER--

top - 17:34:09 up 20 min, 1 user, load average: 4.50, 4.91, 3.92
Tasks: 249 total, 12 running, 233 sleeping, 0 stopped, 4 zombie
Cpu(s): 11.9%us, 53.3%sy, 5.5%ni, 5.9%id, 23.4%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 8046972k total, 7880868k used, 166104k free, 48280k buffers
Swap: 10023096k total, 8428k used, 10014668k free, 2737088k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3193 root 25 5 114m 27m 604 R 16 0.3 2:38.33 bro
3652 root 25 5 97808 23m 616 R 15 0.3 2:33.88 bro
4995 root 25 5 89616 23m 552 R 13 0.3 2:09.63 bro
4620 root 25 5 101m 23m 460 R 12 0.3 2:04.36 bro
5475 root 20 0 162m 102m 67m R 9 1.3 1:32.83 bro
4137 root 25 5 146m 88m 64m R 9 1.1 1:29.19 bro
5270 root 20 0 162m 102m 66m S 9 1.3 1:34.37 bro
5272 root 25 5 146m 88m 64m R 9 1.1 1:27.34 bro
5477 root 25 5 146m 88m 64m R 9 1.1 1:26.88 bro
4132 root 25 5 146m 88m 64m R 8 1.1 1:26.31 bro
4084 root 20 0 164m 104m 66m R 8 1.3 1:31.14 bro
4085 root 20 0 155m 103m 66m R 8 1.3 1:29.34 bro
2009 root 20 0 5988 2048 536 D 5 0.0 1:05.42 ossec-syscheckd
27 root 20 0 0 0 0 S 1 0.0 0:01.96 kswapd0
3594 root 20 0 88568 24m 1904 S 1 0.3 0:08.21 bro
4612 root 20 0 140m 31m 1844 S 1 0.4 0:10.01 bro
1499 mysql 20 0 1320m 235m 4144 S 1 3.0 0:29.27 mysqld
3173 root 20 0 285m 41m 2112 S 1 0.5 0:09.11 bro
4950 root 20 0 96796 24m 1860 S 1 0.3 0:09.31 bro
5265 sguil 20 0 2296m 1.9g 17m S 1 25.0 1:09.82 Suricata-Main
17717 root 20 0 233m 52m 3816 S 1 0.7 0:00.73 perl

BBCan177

Feb 9, 2014, 1:29:43 PM
to securit...@googlegroups.com
Server sostat.txt

Doug Burks

Feb 9, 2014, 4:40:07 PM
to securit...@googlegroups.com
Hi BBCan177,

What you're seeing is normal. Regardless of the number of PF_RING
instances you configure in suricata.yaml, Suricata only outputs one
unified2 file and therefore only needs one barnyard2 and only one
snort_agent. If you plan on staying with Suricata for a while and
want to clean up your Sguil Agent Status, you can manually modify the
sensor table in securityonion_db and set active='N' for the old Snort
agents and then restart sguild.

--
Doug Burks

BBCan177

Feb 9, 2014, 9:35:09 PM
to securit...@googlegroups.com
On Sunday, February 9, 2014 4:40:07 PM UTC-5, Doug Burks wrote:

> What you're seeing is normal. Regardless of the number of PF_RING
> instances you configure in suricata.yaml, Suricata only outputs one
> unified2 file and therefore only needs one barnyard2 and only one
> snort_agent. If you plan on staying with Suricata for a while and
> want to clean up your Sguil Agent Status, you can manually modify the
> sensor table in securityonion_db and set active='N' for the old Snort
> agents and then restart sguild.

Hi Doug,

I ran the following for each of the "DOWN" agents and they are now cleared.

mysql -uroot -Dsecurityonion_db -e 'UPDATE sensor SET active="N" WHERE hostname="**SENSOR_NAME**";'

However, in SGUIL under "Snort Statistics", the Server and Sensor Snort agents have no statistics. Is that normal also? I waited hours to see if it would update on its own.

In SGUIL under the tab "System Messages" I have seen in the past, alerts for "Barnyard Disconnected". Does it re-connect on its own? SGUIL still was displaying alerts.

Do you know if Snort or Suricata is more prevalent in SO installations?

Would an IP alias database be possible in SGUIL (similar to what is in Snorby)? Or a GeoIP country code beside the IP address in SRC/DST IP?


Thanks for your help.

Doug Burks

Feb 10, 2014, 6:28:03 AM
to securit...@googlegroups.com
On Sun, Feb 9, 2014 at 9:35 PM, BBCan177 <bbca...@gmail.com> wrote:
> On Sunday, February 9, 2014 4:40:07 PM UTC-5, Doug Burks wrote:
>
>> What you're seeing is normal. Regardless of the number of PF_RING
>> instances you configure in suricata.yaml, Suricata only outputs one
>> unified2 file and therefore only needs one barnyard2 and only one
>> snort_agent. If you plan on staying with Suricata for a while and
>> want to clean up your Sguil Agent Status, you can manually modify the
>> sensor table in securityonion_db and set active='N' for the old Snort
>> agents and then restart sguild.
>
> Hi Doug,
>
> I ran the following for each of the "DOWN" agents and they are now cleared.
>
> mysql -uroot -Dsecurityonion_db -e 'UPDATE sensor SET active="N" WHERE hostname="**SENSOR_NAME**";'
>
> However, in SGUIL, "Snort Statistics" the Server and Sensor Snort agents have no statistics. Is that normal also? I waited hours to see if it would update on its own.

Yes, this is normal for Suricata as it does not output statistics in
the same format as Snort, so Sguil is unable to display stats.

> In SGUIL under the tab "System Messages" I have seen in the past, alerts for "Barnyard Disconnected". Does it re-connect on its own? SGUIL still was displaying alerts.

Which barnyard disconnected? Could this be related to your old Snort
agents that were no longer active? Normally, if an active barnyard
process dies, it should get restarted automatically by our watchdog
cron job.

> Do you know if Snort or Suricata is more prevalent in SO installations?

My guess would be Snort since more folks are familiar with it and
since it integrates more nicely with Sguil.

> Would an IP alias database be possible in SGUIL (similar to what is in Snorby)? or geoip Country Code beside the IP address in SRC/DST IP?

Sguil is open source, so you could certainly modify it to do so. If
you end up patching it, please submit your patches upstream so that
others can benefit:
https://github.com/bammv/sguil


--
Doug Burks

BBCan177

Feb 10, 2014, 10:16:26 AM
to securit...@googlegroups.com
On Monday, February 10, 2014 6:28:03 AM UTC-5, Doug Burks wrote:

> > However, in SGUIL, "Snort Statistics" the Server and Sensor Snort agents have no statistics. Is that normal also? I waited hours to see if it would update on its own.
>
> Yes, this is normal for Suricata as it does not output statistics in
> the same format as Snort, so Sguil is unable to display stats.
>
> > In SGUIL under the tab "System Messages" I have seen in the past, alerts for "Barnyard Disconnected". Does it re-connect on its own? SGUIL still was displaying alerts.
>
> Which barnyard disconnected? Could this be related to your old Snort
> agents that were no longer active? Normally, if an active barnyard
> process dies, it should get restarted automatically by our watchdog
> cron job.
>
> > Do you know if Snort or Suricata is more prevalent in SO installations?
>
> My guess would be Snort since more folks are familiar with it and
> since it integrates more nicely with Sguil.
>
> > Would an IP alias database be possible in SGUIL (similar to what is in Snorby)? or geoip Country Code beside the IP address in SRC/DST IP?
>
> Sguil is open source, so you could certainly modify it to do so. If
> you end up patching it, please submit your patches upstream so that
> others can benefit:
> https://github.com/bammv/sguil

Thanks Doug,

I noticed today that Barnyard disconnected twice -

07:21:38 Barnyard Disconnected
12:04:02 /nsm/sensor_data/Server-eth1 27%
12:04:02 /nsm/sensor_data/Sensor-eth1 16%
~
13:20:58 Barnyard Disconnected
13:34:02 /nsm/sensor_data/Sensor-eth1 27%
13:34:02 /nsm/sensor_data/Sensor-eth1 16%
~

I have noticed that Suricata is using another GB of memory over Snort.

I have to say that I prefer SGUIL over Snorby. It is such a fantastic tool.

BBCan177

Feb 10, 2014, 5:44:06 PM
to securit...@googlegroups.com
> > > Would an IP alias database be possible in SGUIL (similar to what is in Snorby)? or geoip Country Code beside the IP address in SRC/DST IP?

> >
> > Sguil is open source, so you could certainly modify it to do so. If
> > you end up patching it, please submit your patches upstream so that
> > others can benefit:
> > https://github.com/bammv/sguil

I have been looking at the /etc/nsm/securityonion/sguild.conf but there are no settings for DNS? They are in the /etc/sguil/sguil.conf file. Does NSMnow put the dns settings in another config file?

Can we alter the Internal/External DNS lookup?

I realized I wasn't getting local reverse DNS responses in SGUIL as I had set DNS-DOMAIN to "domain.com" instead of "xxx.domain.com". So I can now resolve local IPs with the local DNS server.

Doug Burks

Feb 10, 2014, 6:59:43 PM
to securit...@googlegroups.com
On Mon, Feb 10, 2014 at 5:44 PM, BBCan177 <bbca...@gmail.com> wrote:
> I have been looking at the /etc/nsm/securityonion/sguild.conf but there are no settings for DNS? They are in the /etc/sguil/sguil.conf file.

That's correct, DNS lookups are performed by the Sguil client as
configured in /etc/sguil/sguil.conf.

> Can we alter the Internal/External DNS lookup?

It's open source, so you can alter whatever you want. Just remember
that any changes you make may be overwritten by our package updates
unless you submit your patches upstream.

> I realized I wasn't getting local reverse DNS responses in SGUIL as I had set DNS-DOMAIN to "domain.com" instead of "xxx.domain.com". So I can now resolve local IPs with the local DNS server.


--
Doug Burks

BBCan177

Feb 10, 2014, 7:49:53 PM
to securit...@googlegroups.com
On Monday, February 10, 2014 6:59:43 PM UTC-5, Doug Burks wrote:

> That's correct, DNS lookups are performed by the Sguil client as
> configured in /etc/sguil/sguil.conf.

My thought here was to try to create a script to look up DNS requests (local or remote), add to the response from a local alias file and possibly a GeoIP lookup, merge the data into a single string, and feed that into SGUIL "IP Resolution" "SRC NAME:" and/or "DST NAME:".

Is that sound?

I tried to edit the sguil.conf file setting

set WHOIS_PATH /etc/sguil/sguil-whois.sh

But Sguil errors out with a permissions issue.

BBCan177

Feb 10, 2014, 10:13:45 PM
to securit...@googlegroups.com
I managed to get an "IP SRC Address" to "ALIAS NAME LOOKUP" and a GEOIP Lookup in SGUIL. Excuse my Linux Noob methods.


1) edited /etc/sguil/sguil.conf

set WHOIS_PATH /home/so-user/sguil-whois

2) create /home/so-user/sguil-whois

#!/bin/sh
#
# Simple script to proxy all whois requests through whois.geektools.com
# to help keep the bad guys from figuring out that we're onto them when
# Sguil looks up a record (http://blog.vorant.com/2007/09/ive-written-before-on-disguising-your.html)
#
# Added IP Alias Lookup and GEOIP Lookup

# Sguil passes the address as the first argument; quote it everywhere so
# the shell never re-splits it.
Lookup="$1"
# -F matches the dots in the address literally; -w keeps 10.0.0.1 from
# also matching 10.0.0.10 in the alias file.
grep -F -w -- "$Lookup" /home/so-user/sguil-alias
echo
# GeoIP lookup; -s hides curl's progress meter in Sguil's output pane
curl -s "ipinfo.io/$Lookup"
echo
/usr/bin/whois -h whois.geektools.com "$Lookup"


3) chmod 775 sguil-whois

4) create /home/so-user/sguil-alias

x.x.x.x is Someone I know
y.y.y.y is Someone else I know
etc ...

5) From SGUIL you can go to "IP RESOLUTION" to see the returned responses.

6) Occasionally I received an "Error: can't read "state(reply)": no such element..." I searched the SO Group and found some solutions but haven't tried those yet.

Sguil Alias-Geoip-Lookup.png
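The wrapper above hands whatever Sguil passes straight to grep, curl and whois. Here is an added example, not code from the thread or from Sguil, of a hardened version that first checks the argument is an IPv4 address and keeps the alias lookup in a function that can be tested without network access; the alias file path and the ipinfo.io endpoint come from the post, while the SGUIL_ALIAS_FILE override variable is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: hardened WHOIS_PATH wrapper for Sguil.
# Sguil runs it with the IP from the alert as $1, so that value is treated
# as untrusted and must be a dotted-quad IPv4 address before anything runs.
# Paths and the ipinfo.io endpoint are carried over from the post; the
# SGUIL_ALIAS_FILE override variable is an assumption.
ALIAS_FILE="${SGUIL_ALIAS_FILE:-/home/so-user/sguil-alias}"

# Return 0 only for a plain dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the alias line(s) for "$1" from the file "$2". -F matches the dots
# literally and -w stops 10.0.0.1 from also matching 10.0.0.10. Returns 1
# (printing nothing) when the file is unreadable or has no entry.
alias_lookup() {
    [ -r "$2" ] || return 1
    grep -F -w -- "$1" "$2"
}

# Everything Sguil's "IP Resolution" tab shows: alias, GeoIP, then whois.
resolve() {
    if ! valid_ipv4 "$1"; then
        echo "Refusing lookup: '$1' is not an IPv4 address" >&2
        return 1
    fi
    alias_lookup "$1" "$ALIAS_FILE" || echo "no local alias for $1"
    echo
    # --max-time keeps a slow GeoIP service from hanging the Sguil client.
    curl -s --max-time 5 "https://ipinfo.io/$1"
    echo
    /usr/bin/whois -h whois.geektools.com "$1"
}

if [ $# -gt 0 ]; then
    resolve "$1"
fi
```

Install it at the path named by WHOIS_PATH in /etc/sguil/sguil.conf, executable by the user running the Sguil client, as in the steps above.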