
www.tvtc.gov.sa
Sguil and SQueRT in Security Onion


Lab 4

In this lab, you will use the Sguil application in Security Onion to examine a simulated
attack on a network. This project will help you understand what was done during an
attack by viewing the captured network traffic as a complete session.
You will also use the SQueRT tool in Security Onion to help you analyze the data in a
meaningful way.
In this lab we will cover the following:
❑ Logging into Sguil and Squert
❑ Generating an IDS alert
❑ Expiring an IDS alert
❑ Configuring Squert to show Unclassified events so that it matches the main Sguil window

Sguil is an application for the practice of Network Security Monitoring and event-driven analysis.
It is a collection of free software components for Network Security Monitoring (NSM) and
event-driven analysis of IDS alerts.
NSM is defined as the "collection, analysis, and escalation of indications and warnings to
detect and respond to intrusions."

SQueRT is a web application that is used to query and view event data stored in a Sguil
database (typically IDS alert data).

1. Start Security Onion and log in using the credentials you established in the initial setup.
2. Double-click the Setup script on the Desktop and follow the prompts to configure and start the
Sguil processes.

3. Double-click the Sguil desktop icon. Log into Sguil using the username/password you specified in the
previous step. There may already be some alerts in the Sguil console. If not, open Firefox and click the
testmyids.com bookmark and you should then see an alert appear in Sguil.

Close Squert and open it again.



4. Double-click the Squert desktop icon. The Squert main page appears. Click the "submit"
button. Snort alerts appear at the bottom of the page and they should match what you saw in Sguil.

5. Go back to Sguil, select an alert, and press the Fn + F8 key to expire it. Notice that the
alert disappears from Sguil.

6. Go back to Squert and click the "submit" button again. Notice that the alert remains in
Squert. Sguil's main console shows events that have not yet been classified, so we need to tell Squert
to do the same. Click the "Status" drop-down box and select "Unclassified". Click the "submit"
button and notice that the alert is now gone.
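What steps 5 and 6 show is that Sguil and Squert read the same event database: expiring an alert with F8 changes its status rather than deleting it, and Squert lists every status until you filter on "Unclassified". The following is an added example, not part of the lab or of the Sguil/Squert code; it assumes a simplified event table with a numeric status column (0 = unclassified, 1 = expired) and uses constructed sample alerts.

```python
import sqlite3

# Assumed simplified model of the event table Sguil and Squert share;
# the real Security Onion schema is not reproduced here.
STATUS_UNCLASSIFIED = 0  # "real time" alert, still shown in the Sguil console
STATUS_EXPIRED = 1       # assumed value written when an analyst presses F8

# Constructed sample alerts; the first mimics the testmyids.com check.
SAMPLE_EVENTS = [
    (1, "GPL ATTACK_RESPONSE id check returned root", "203.0.113.10", "192.168.1.10"),
    (2, "ET SCAN Potential SSH Scan", "198.51.100.7", "192.168.1.10"),
    (3, "ET POLICY Dropbox Client Broadcasting", "192.168.1.22", "255.255.255.255"),
]

def open_db():
    """Create an in-memory database seeded with the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (cid INTEGER PRIMARY KEY, signature TEXT, "
                 "src_ip TEXT, dst_ip TEXT, status INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO event (cid, signature, src_ip, dst_ip) "
                     "VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn

def sguil_console(conn):
    """Sguil's main console: only alerts nobody has classified yet."""
    rows = conn.execute("SELECT cid FROM event WHERE status = ? ORDER BY cid",
                        (STATUS_UNCLASSIFIED,))
    return [cid for (cid,) in rows]

def squert_events(conn, status=None):
    """Squert's event list: every status by default, or one status when filtered."""
    sql, params = "SELECT cid FROM event", ()
    if status is not None:  # the "Status" drop-down in step 6
        sql, params = sql + " WHERE status = ?", (status,)
    return [cid for (cid,) in conn.execute(sql + " ORDER BY cid", params)]

def expire_alert(conn, cid):
    """Step 5 (F8): the alert is re-statused, not deleted, so Squert still sees it."""
    conn.execute("UPDATE event SET status = ? WHERE cid = ?", (STATUS_EXPIRED, cid))
    conn.commit()

if __name__ == "__main__":
    db = open_db()
    expire_alert(db, 1)
    print("Sguil console:", sguil_console(db))  # [2, 3]
    print("Squert, all statuses:", squert_events(db))  # [1, 2, 3]
    print("Squert, Unclassified:", squert_events(db, STATUS_UNCLASSIFIED))  # [2, 3]
```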
