
Thursday 30 October 2014

Security Onion – Server + Sensor Testing

Now that we are done with the installation, it's time to test! There are two parts to testing:

  1. Generating packets - traffic that should be caught by your IDS rules
  2. Viewing alerts - from the Analyst workstation

Generating packets

What we really want to do here is "generate packets that will generate IDS alerts". There are a couple of ways to achieve this:

  1. Adding local rules and sending crafted packets (using Scapy or hping3) that match them. This post explains the method.

    A note on updating local rules: add your local rules to the /etc/nsm/rules/local.rules file on your Server and then run "sudo rule-update" on your Sensor machine. This pulls the updated rule set down to the Sensor and restarts Snort so the new rules take effect. Remember that running rule-update on the Server causes the Server to download rules from the internet, whereas running rule-update on a Sensor causes the Sensor to download the rules from the Server. Give local rules SIDs of 1000000 or higher so they never collide with the downloaded rule sets.

  2. Replaying an existing packet capture (pcap) file using tcpreplay. I find this method simpler: there is no dearth of (malicious) pcap files on the internet, and Security Onion itself ships some sample pcaps in the /opt/samples directory. So this is the method I am going to use.

The command tcpreplay -i eth0 -t /tmp/mypcaps/test.pcap replays the contents of test.pcap over the eth0 interface at top speed (-t). Make sure eth0 is the interface your Sensor is sniffing (or one on the same segment); otherwise Snort never sees the traffic and nothing will alert. To run the command you can either use sudo or run directly as root (by running sudo su - first).
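The two methods can be combined: craft a single packet that matches a local rule, write it to a pcap, and replay that pcap with tcpreplay. The script below is an added example for this post, not code from the original or from the Security Onion project. It builds an Ethernet/IPv4/TCP frame by hand (with valid IP and TCP checksums, which Snort's decoder otherwise flags) whose payload carries the content string of an assumed local rule, and writes it out as a classic libpcap file. The rule, the SID 9000001, the IP and MAC addresses and the file name are all illustrative assumptions.

```python
#!/usr/bin/env python3
"""Craft a pcap whose single TCP packet matches a custom local Snort rule.

Added example for this post, not code from the original or from Security
Onion. The rule, addresses and file name are illustrative assumptions.
"""
import socket
import struct
import sys

# Assumed local rule for /etc/nsm/rules/local.rules. It deliberately has no
# flow:established option, so one injected packet (no handshake) fires it.
# SIDs >= 1000000 are reserved for local rules.
LOCAL_RULE = ('alert tcp any any -> any 80 (msg:"LOCAL SO test alert"; '
              'content:"SO-TEST-ALERT"; sid:9000001; rev:1;)')
# Constructed payload carrying the rule's content string.
TRIGGER = b"GET /SO-TEST-ALERT HTTP/1.1\r\nHost: example.test\r\n\r\n"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src, dst, sport, dport, payload, seq=1000, ack=2000):
    """Ethernet + IPv4 + TCP(PSH,ACK) frame with valid IP and TCP checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    # TCP header: data offset 5 words, flags PSH|ACK, checksum zeroed for now.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4, IHL 5, DF set, TTL 64, protocol 6 (TCP).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    # Arbitrary MACs (assumed); tcpreplay puts the frame on the wire as-is.
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def ip_checksum_ok(frame: bytes) -> bool:
    """A correct IPv4 header re-sums to zero."""
    return inet_checksum(frame[14:34]) == 0


def tcp_checksum_ok(frame: bytes) -> bool:
    """Same check for TCP, over the pseudo-header plus the whole segment."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return inet_checksum(pseudo + tcp) == 0


def build_pcap(frames, snaplen=65535) -> bytes:
    """Classic little-endian libpcap file, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", 1414700000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def main(path="test.pcap"):
    frame = build_tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, TRIGGER)
    assert ip_checksum_ok(frame) and tcp_checksum_ok(frame)
    with open(path, "wb") as fh:
        fh.write(build_pcap([frame]))
    print("rule for local.rules:\n  " + LOCAL_RULE)
    print("wrote %s (%d-byte frame); replay with: tcpreplay -i eth0 -t %s"
          % (path, len(frame), path))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "test.pcap")
```

Put the printed rule in local.rules on the Server, run rule-update on the Sensor, copy the pcap to the Sensor and replay it on the sniffing interface; a new alert for SID 9000001 should then appear in the snort-1 directory and in the consoles below. Replaying it a second time is a cheap way to confirm the pipeline end to end, since you know exactly one alert per replay is expected.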


From the tcpreplay output you can see that it has successfully replayed 36286 packets. Also, check whether Snort has written any alerts in the /nsm/sensor_data/<Sensor Machine Name>-<Intf>/snort-1/ directory.

(snort-1 indicates Snort instance number 1. Here I have only one Snort instance on the sensor, so it's enough to check the snort-1 directory.)


Viewing Alerts

OK, now that we have generated packets and confirmed that Snort has written some alerts, let's check the output in three different tools installed by default on a Security Onion Server:

  1. Sguil
  2. Snorby
  3. Squert

For testing, I want to view the alerts in these tools from my Windows 7 host machine (which I would like to think of as a separate analyst workstation).

SGUIL

Sguil is built on Tcl/Tk. To launch Sguil on Windows you need to install the Sguil client for Windows and ActiveTcl Community Edition:


After you download and install the pre-requisites, launch Sguil and select the interface:


The "Selecting the interface" screen has a checkbox for each interface that you can check or uncheck. The checkboxes are not clearly visible on my machine (probably because of display settings…?)

Once you select the interface and click "Start SGUIL", you will see output similar to this:


As you can see, Sguil provides a list of all the alerts. For each alert you can view the packet data and the rule that triggered the alert. Sguil also allows you to do DNS lookups on the same screen.

SNORBY

Snorby is installed by default on your Security Onion Server and listens on port 444. Use the URL https://<IP of server>:444/ to access it.


Below is the output from Snorby for the same pcap file. I love Snorby for its really cool UI and the excellent drill-down capabilities it offers. For example, you can click on "High" severity events and it takes you to the list of those events. From there, selecting an event shows you the individual packet details and the rule that triggered the alert. The drill-down is possible from anywhere on the Dashboard (including the graphs).


SQUERT

Squert is another web-based GUI for the Snort alerts (it queries the same Sguil database) that you can access at the URL https://<IP of Server>/squert



In addition to drill-down similar to Snorby's, Squert offers a Map feature that plots the IP addresses on a world map. It has a good Summary tab as well:


Conclusion

In this article we have seen how to test the setup created earlier. There are lots of interesting features in each of these GUI tools, but those will have to be covered in separate articles.

1 comment:

  1. Informative blog, very well explained about testing methods to be done after the installation.
    Bellwether
    ISO 27001 Consulting Company