Apr 29

Reporting & Monitoring with Squert

So, first things first .. while I was researching information for this post I very quickly realised that safesearch is a requirement! Who would have thought that outside of the NSM world people would be posting about this whole “squert” thing (and not in a very savoury fashion either!).

With that said, let’s move on to my next topic!

We’ve spent a couple of posts now using Security Onion to do some basic web application attack detection, where we looked at an attack and wrote a basic rule to detect it. We then looked at using sguil for categorising events manually, using the autocat.conf file for automatically categorising events, and configuring the sguild.conf file to generate an email alert when certain alerts were generated. Today we are going to look at using squert for monitoring and reporting. The basic web interface reports generated by squert are great for non-technical management (they always love pretty colours, bar graphs, pie charts etc.), but as an analyst you can also use the interface to drill down into the alerts to get far greater detail. This post will focus more on the types of reports that could be shown to management, or included in monthly reports and so on; as an analyst I suspect you would much rather work in sguil (well, I would).


Apr 28

Sguil, event categorisation, autocat.conf & alerting

So, we have already had a quick look at some basics with Security Onion for detecting a file execution attack and how to write a rule to detect it. The next thing we might want to do as an analyst is to have the events that show up in sguil categorised (both manually and automatically) and then to get an alert when particular events are triggered.

Categorising Alerts

Both sguil and squert have the ability to classify events into categories, as you can see in the following images (figure 1 & figure 2). These categories can be used to group similar events together to help an analyst review the alerts that have been triggered on their network. For example, any form of ping sweep or port scan could be classified as Category 6 – Reconnaissance/Probes/Scans. All of the category 6 alerts can then be removed from the main console window, allowing the analyst to concentrate on other important alerts without having to review all of the noisy traffic. The classification of events can be done manually through sguil, or automated with the use of the autocat.conf file (this will then classify the events in sguil, squert and other consoles).


Figure 1 – Sguil Categories


Figure 2 – Squert Categories


Apr 15

File Execution Vulnerability & Security Onion – Basics

OK .. we have an application that is vulnerable to command execution (we are using the Damn Vulnerable Web Application, or DVWA, distro for this).


It’s a simple application to ping a machine on the network, the internet, or perhaps space! It’s a basic little thing that lets you enter an IP address; it will run the ping command and return the result.


It seems, though, that with a little basic command line knowledge you can also chain commands together and get them to run in addition to the programmed ping command.




Apr 03

Stop – GCFA time!

Well, it looks like we have a new GCFA in town .. that’s me!

I’ll be honest .. forensics really isn’t my thing. My mind doesn’t work the right way for it .. it just doesn’t click like other lethal forensicators.

I did, however, tackle FOR508 with Rob Lee last year in Vegas after my GSE exam (why didn’t I pick something simple to give my head a rest?) and I really enjoyed it! I hadn’t completed FOR408, so I really felt like I missed out on some of the basic foundation information that was required, and I felt that during my exam.

I put a fair bit of hard work and effort into passing the GCFA and it’s a cert I’m definitely proud of. It’s not that simple or straightforward, and I now have the ability to go through a stack of old and broken hard drives at home and possibly get a bunch of old lost photos off of them :)

I guess really the highlight to my whole exam was seeing Chris Mohan and his lovely hair .. that really got me through at the end of the day – Thanks Chris!

For now though, it’s back to this stinking Gold Paper .. I want to get the GSE and have a break!

Oh yeah .. I’m doing SEC660 in July hahahahahah

Mar 16

It’s so very quiet

Not much to say, I’m off to sit my GCFA exam in 2 weeks.

Must study and not get distracted!

Feb 05

Doug Burks talk about Security Onion at Shmoocon

You all probably know that I’m in the middle of doing a SANS gold paper on Security Onion .. here’s a talk Doug Burks did at Shmoocon on his distro.


Doug Burks: Security Onion from Georgia Weidman on Vimeo.

Jan 18

Hacktivity 2011 – Michele Orru: Dr. Strangelove or How I learned to Stop Worrying and Love the BeEF

Hacktivity 2011 – Michele Orru: Dr. Strangelove or How I learned to Stop Worrying and Love the BeEF from Hacktivity on Vimeo.
