Hybrid Hunter fresh install questions


Willem D'Haese

May 25, 2020, 6:09:24 AM
to security-onion
Hello,

I've been waiting for some time to start using Security Onion, as we can't use Ubuntu in our org. So with the release of HH 1.3, I made an attempt to install HH Security Onion on a fresh CentOS installation.

The installation went quite smoothly (except that I had to restart, as my disk was not large enough). I was a bit surprised, as I did get a warning that I needed 12 GB RAM, but there seems to be no check for adequate disk space before the installation starts.

So now I'm able to log on to the system and have changed the default passwords of TheHive, Cortex and Playbook.

But how do I start Sguil?

Checking Docker status

    Docker ----------------------------------------------------------- [ OK ]    

Checking container statuses

    so-nginx --------------------------------------------------------- [ OK ]    
    so-telegraf ------------------------------------------------------ [ OK ]    
    so-dockerregistry ------------------------------------------------ [ OK ]    
    so-soc ----------------------------------------------------------- [ OK ]    
    so-kratos -------------------------------------------------------- [ OK ]    
    so-idstools ------------------------------------------------------ [ OK ]    
    so-elasticsearch ------------------------------------------------- [ OK ]    
    so-kibana -------------------------------------------------------- [ OK ]    
    so-steno --------------------------------------------------------- [ OK ]    
    so-suricata ------------------------------------------------------ [ OK ]    
    so-zeek ---------------------------------------------------------- [ OK ]    
    so-curator ------------------------------------------------------- [ OK ]    
    so-elastalert ---------------------------------------------------- [ OK ]    
    so-soctopus ------------------------------------------------------ [ OK ]    
    so-influxdb ------------------------------------------------- [ MISSING ]    
    so-grafana -------------------------------------------------- [ MISSING ]    
    so-wazuh --------------------------------------------------------- [ OK ]    
    so-thehive ------------------------------------------------------- [ OK ]    
    so-thehive-es ---------------------------------------------------- [ OK ]    
    so-cortex -------------------------------------------------------- [ OK ]    
    so-playbook ------------------------------------------------------ [ OK ]    
    so-navigator ----------------------------------------------------- [ OK ]    
    so-strelka-coordinator -------------------------------------- [ MISSING ]    
    so-strelka-gatekeeper --------------------------------------- [ MISSING ]    
    so-strelka-manager ------------------------------------------ [ MISSING ]    
    so-strelka-frontend ----------------------------------------- [ MISSING ]    
    so-strelka-filestream --------------------------------------- [ MISSING ] 

I did not install Strelka or Grafana, but I don't see any Sguil docker container. Could someone point out where I can find and open it please? :)

Also, when I click the Navigator link from the Security Onion homepage, I get "Invalid Host Header".

Thanks for having a look at my questions.

Willem

Wes Lambert

May 25, 2020, 4:31:00 PM
to securit...@googlegroups.com
Hi Willem,

If you did not choose to install them, I would not be too worried -- I think this is more about so-status having the right information to pull from to provide you the correct status. Thanks for trying Security Onion Hybrid Hunter and reporting your issue. We are certainly aware there need to be improvements with regard to certain logic, and we are working on it!

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/0033815e-e374-425f-af13-103bd6df3a6f%40googlegroups.com.


Willem D'Haese

May 25, 2020, 4:45:23 PM
to security-onion
Hey Wes,

Thanks for your response. So how do I access the Sguil GUI? Also, how can I solve the "Invalid Host Header" error when browsing to Navigator?

Willem

Willem D'Haese

May 25, 2020, 4:59:52 PM
to security-onion
Wes, 

I tried to download the Windows Sguil executable from https://github.com/bammv/sguil/releases/tag/v0.9.0

My IP is allowed to connect to my Onion instance. When trying to connect, I get the error

Unable to connect to <onionhostname> on port 7734.

I used the username and password I supplied at the HH installation.

Grtz

Willem

Willem D'Haese

May 25, 2020, 5:07:34 PM
to security-onion
When I telnet to my Onion server on 7734, nothing seems to be listening:

    Could not open connection to the host, on port 7734: Connect failed

In what docker container is sguild installed? How can I verify if sguild is running?
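As an added example (not code from this thread or from the Security Onion project), the checks made by hand above can be scripted: read so-status style output and list every component it flags MISSING, then test whether a TCP port actually answers before assuming a credential or firewall problem. The sample status text is constructed to mirror the output earlier in the thread; the `container_exists` helper is illustrative and assumes docker is installed on the host.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a "cannot connect to port X" report.
#  1) list what so-status style output reports as MISSING;
#  2) test whether a TCP port on a host accepts connections;
#  3) (optional, needs docker) confirm a container name exists at all.

# Constructed sample, shaped like the so-status output in the thread.
SAMPLE_STATUS='so-nginx ------------ [ OK ]
so-influxdb ---------- [ MISSING ]
so-grafana ----------- [ MISSING ]
so-thehive ----------- [ OK ]
so-strelka-manager --- [ MISSING ]'

# missing_containers STATUS_TEXT
# Prints, one per line, the names flagged "[ MISSING ]".
missing_containers() {
  printf '%s\n' "$1" | awk '/\[ *MISSING *\]/ { print $1 }'
}

# port_open HOST PORT
# Returns 0 if a TCP connect succeeds within 3 seconds, non-zero
# otherwise (refused, filtered, or timed out). Uses bash's /dev/tcp
# so it works where telnet or nc are not installed.
port_open() {
  local host=$1 port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# container_exists NAME
# Returns 0 if docker knows a container with exactly that name,
# running or stopped. Hypothetical helper: requires docker on the host.
container_exists() {
  docker ps -a --format '{{.Names}}' 2>/dev/null | grep -qx -- "$1"
}

# main [HOST] [PORT]
# Runs the checks in the order a troubleshooter would: what is missing,
# then whether the port is reachable at all.
main() {
  local host=${1:-127.0.0.1} port=${2:-7734}
  echo "Components reported MISSING:"
  missing_containers "$SAMPLE_STATUS"
  if port_open "$host" "$port"; then
    echo "${host}:${port} is accepting connections"
  else
    echo "${host}:${port} is not listening; check whether the service is installed at all (docker ps -a)"
  fi
}

main "$@"
```

Run it as `bash check.sh <onionhost> 7734`; a refused connection on a port nothing binds is the same symptom the thread shows, and listing the MISSING components first tells you whether the service you are dialing was ever deployed.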

Wes Lambert

May 26, 2020, 8:37:05 AM
to securit...@googlegroups.com
Hi Willem,

Please note, we no longer include Sguil in Security Onion Hybrid Hunter.  We now use TheHive as the main alert queueing/case management platform.

Thanks,
Wes
