Sguil Cheat Blatt¶
Überblick¶
Sguil (ausgesprochen "sgweel") ist eine umfassende Netzwerksicherheitsüberwachungsplattform (NSM), die Echtzeitanalyse und Korrelation von Netzwerksicherheitsereignissen ermöglicht. Entwickelt von Bamm Visscher, dient Sguil als zentrale Konsole für Sicherheitsanalysten, um Netzwerksicherheitsvorfälle in verteilten Sensornetzwerken zu überwachen, zu untersuchen und zu reagieren. Die Plattform integriert mehrere Sicherheitstools, darunter Snort zur Intrusionserkennung, Barnyard2 für die Alarmverarbeitung und verschiedene Netzwerküberwachungsprogramme, um ein einheitliches Sicherheitszentrum (SOC) zu schaffen. Die Stärke von Sguil liegt in der Fähigkeit, kontextreiche Sicherheitsereignisanalysen bereitzustellen, indem Alarme mit vollständigen Paketerfassungen, Sitzungsdaten und historischen Informationen korreliert werden.
Die Kernarchitektur von Sguil besteht aus drei Hauptkomponenten: Sensoren, die Netzwerkdaten sammeln und Alarme erzeugen, einem zentralen Server, der Sicherheitsereignisse aggregiert und korreliert, und Client-Schnittstellen, die Analysten mit leistungsstarken Untersuchungsfunktionen bereitstellen. Sensoren führen typischerweise Snort IDS, tcpdump zur Paketerfassung und verschiedene Log-Sammlungsmittel durch, während der zentrale Server eine MySQL-Datenbank für Ereignisspeicher und Korrelation aufrechterhält. Die Client-Schnittstelle bietet Echtzeit-Alarmüberwachung, Paketanalysefähigkeiten und kollaborative Funktionen, die Sicherheitsteams ermöglichen, Sicherheitsvorfälle effizient zu testen und zu untersuchen.
Sguils umfassender Ansatz zur Netzwerksicherheitsüberwachung macht es besonders wertvoll für Organisationen, die detaillierte Audit-Strecken beibehalten und eine forensische Analyse von Sicherheitsvorfällen durchführen müssen. Die Plattform unterstützt verteilte Bereitstellungen über mehrere Netzwerksegmente und ermöglicht Organisationen, komplexe Netzwerkinfrastrukturen zu überwachen und gleichzeitig zentrale Sichtbarkeit und Kontrolle zu gewährleisten. Mit seiner Open-Source-Stiftung und umfangreichen Anpassungsfähigkeiten ist Sguil zu einer Ecksteintechnologie für viele Sicherheits-Operationszentren und Notfall-Reaktionsteams weltweit geworden.
Installation¶
Ubuntu/Debian Installation¶
Installation von Sguil auf Ubuntu/Debian-Systemen:
```bash
Update system packages¶
sudo apt update && sudo apt upgrade -y
Install required dependencies¶
sudo apt install -y mysql-server mysql-client tcl tk tcl-dev tk-dev \ tclx8.4 tcllib mysqltcl wireshark tshark snort barnyard2 \ apache2 php php-mysql libmysqlclient-dev build-essential \ git wget curl
Install additional Tcl packages¶
sudo apt install -y tcl-tls tcl-trf
Download Sguil¶
cd /opt sudo git clone https://github.com/bammv/sguil.git sudo chown -R \(USER:\)USER sguil
Create Sguil user¶
sudo useradd -r -s /bin/false sguil sudo usermod -a -G sguil $USER
Setup directory structure¶
sudo mkdir -p /var/log/sguil sudo mkdir -p /var/lib/sguil sudo mkdir -p /etc/sguil sudo chown -R sguil:sguil /var/log/sguil /var/lib/sguil sudo chmod 755 /var/log/sguil /var/lib/sguil
Install Sguil components¶
cd /opt/sguil sudo cp -r server /opt/sguil-server sudo cp -r client /opt/sguil-client sudo cp -r sensor /opt/sguil-sensor ```_
CentOS/RHEL Installation¶
```bash
Install EPEL repository¶
sudo yum install -y epel-release
Install required packages¶
sudo yum groupinstall -y "Development Tools" sudo yum install -y mysql-server mysql mysql-devel tcl tk tcl-devel \ tk-devel wireshark snort barnyard2 httpd php php-mysql \ git wget curl
Install additional Tcl packages¶
sudo yum install -y tcl-tls
Start and enable MySQL¶
sudo systemctl start mysqld sudo systemctl enable mysqld
Secure MySQL installation¶
sudo mysql_secure_installation
Download and install Sguil¶
cd /opt sudo git clone https://github.com/bammv/sguil.git sudo chown -R \(USER:\)USER sguil
Create system user¶
sudo useradd -r -s /bin/false sguil
Setup directories¶
sudo mkdir -p /var/log/sguil /var/lib/sguil /etc/sguil sudo chown -R sguil:sguil /var/log/sguil /var/lib/sguil ```_
Docker Installation¶
Laufen Sguil in Docker Behälter:
```bash
Create Docker network for Sguil¶
docker network create sguil-network
Create MySQL container for Sguil database¶
docker run -d --name sguil-mysql \ --network sguil-network \ -e MYSQL_ROOT_PASSWORD=sguilpassword \ -e MYSQL_DATABASE=sguildb \ -e MYSQL_USER=sguil \ -e MYSQL_PASSWORD=sguilpass \ -v sguil-mysql-data:/var/lib/mysql \ mysql:5.7
Create Sguil server container¶
cat > Dockerfile.sguil-server << 'EOF' FROM ubuntu:20.04
Install dependencies¶
RUN apt-get update && apt-get install -y \ tcl tk tcl-dev tk-dev tclx8.4 tcllib mysqltcl \ mysql-client git && \ rm -rf /var/lib/apt/lists/*
Copy Sguil server¶
COPY server /opt/sguil-server WORKDIR /opt/sguil-server
Create sguil user¶
RUN useradd -r -s /bin/false sguil
Setup directories¶
RUN mkdir -p /var/log/sguil /var/lib/sguil && \ chown -R sguil:sguil /var/log/sguil /var/lib/sguil
EXPOSE 7734 7735
CMD ["./sguild"] EOF
Build and run Sguil server¶
docker build -f Dockerfile.sguil-server -t sguil-server . docker run -d --name sguil-server \ --network sguil-network \ -p 7734:7734 -p 7735:7735 \ -v sguil-logs:/var/log/sguil \ sguil-server
Create Sguil sensor container¶
cat > Dockerfile.sguil-sensor ``<< 'EOF' FROM ubuntu:20.04
Install dependencies¶
RUN apt-get update && apt-get install -y \ tcl tk snort barnyard2 tcpdump wireshark-common \ git && rm -rf /var/lib/apt/lists/*
Copy Sguil sensor¶
COPY sensor /opt/sguil-sensor WORKDIR /opt/sguil-sensor
Create sguil user¶
RUN useradd -r -s /bin/false sguil
EXPOSE 7736
CMD ["./sensor_agent.tcl"] EOF
Build and run Sguil sensor¶
docker build -f Dockerfile.sguil-sensor -t sguil-sensor . docker run -d --name sguil-sensor \ --network sguil-network \ --cap-add=NET_ADMIN \ --cap-add=NET_RAW \ -v /var/log/snort:/var/log/snort \ sguil-sensor ```_
Quelle Installation¶
```bash
Download latest Sguil source¶
cd /tmp wget https://github.com/bammv/sguil/archive/master.tar.gz tar -xzf master.tar.gz cd sguil-master
Install server components¶
sudo mkdir -p /opt/sguil-server sudo cp -r server/* /opt/sguil-server/ sudo chown -R sguil:sguil /opt/sguil-server
Install client components¶
sudo mkdir -p /opt/sguil-client sudo cp -r client/* /opt/sguil-client/ sudo chown -R \(USER:\)USER /opt/sguil-client
Install sensor components¶
sudo mkdir -p /opt/sguil-sensor sudo cp -r sensor/* /opt/sguil-sensor/ sudo chown -R sguil:sguil /opt/sguil-sensor
Make scripts executable¶
sudo chmod +x /opt/sguil-server/sguild sudo chmod +x /opt/sguil-client/sguil.tk sudo chmod +x /opt/sguil-sensor/sensor_agent.tcl
Create symbolic links¶
sudo ln -s /opt/sguil-server/sguild /usr/local/bin/sguild sudo ln -s /opt/sguil-client/sguil.tk /usr/local/bin/sguil sudo ln -s /opt/sguil-sensor/sensor_agent.tcl /usr/local/bin/sensor_agent ```_
Basisnutzung¶
Datenbank Setup¶
Aufbau der Sguil MySQL Datenbank:
```bash
Connect to MySQL as root¶
mysql -u root -p
Create Sguil database and user¶
CREATE DATABASE sguildb; CREATE USER 'sguil'@'localhost' IDENTIFIED BY 'sguilpassword'; GRANT ALL PRIVILEGES ON sguildb.* TO 'sguil'@'localhost'; FLUSH PRIVILEGES; EXIT;
Import Sguil database schema¶
cd /opt/sguil-server mysql -u sguil -p sguildb < lib/sql_scripts/create_sguildb.sql
Verify database creation¶
mysql -u sguil -p sguildb -e "SHOW TABLES;"
Create additional indexes for performance¶
mysql -u sguil -p sguildb << 'EOF' CREATE INDEX event_timestamp_idx ON event (timestamp); CREATE INDEX event_src_ip_idx ON event (src_ip); CREATE INDEX event_dst_ip_idx ON event (dst_ip); CREATE INDEX event_signature_idx ON event (signature); EOF ```_
Serverkonfiguration¶
Konfiguration des Sguil-Servers:
```bash
Create server configuration¶
cat >/etc/sguil/sguild.conf<< 'EOF'
Sguil Server Configuration¶
Database configuration¶
set DBHOST localhost set DBPORT 3306 set DBNAME sguildb set DBUSER sguil set DBPASS sguilpassword
Server configuration¶
set SERVER_HOST 0.0.0.0 set SERVER_PORT 7734 set SENSOR_PORT 7735
Logging configuration¶
set DEBUG 1 set DAEMON 0 set MAX_DBCONNECTIONS 10
File paths¶
set TMP_DIR /tmp set LOG_DIR /var/log/sguil set ARCHIVE_DIR /var/lib/sguil/archive
Email configuration¶
set SMTP_SERVER localhost set FROM_EMAIL sguil@localhost
Sensor configuration¶
set SENSOR_TIMEOUT 300 set MAX_SENSORS 50
Event processing¶
set MAX_EVENTS_PER_QUERY 1000 set EVENT_CACHE_SIZE 10000
Auto-categorization rules¶
set AUTO_CAT_RULES /etc/sguil/autocat.conf EOF
Create auto-categorization rules¶
cat >`` /etc/sguil/autocat.conf << 'EOF'
Auto-categorization rules for Sguil¶
| | # Format: signature_id | category | comment | |
DNS events¶
| | 1:2100001 | Cat V | DNS Query | | | | 1:2100002 | Cat V | DNS Response | |
HTTP events¶
| | 1:2100010 | Cat IV | HTTP Traffic | | | | 1:2100011 | Cat III | Suspicious HTTP | |
SSH events¶
| | 1:2100020 | Cat IV | SSH Traffic | | | | 1:2100021 | Cat II | SSH Brute Force | |
Malware events¶
| | 1:2100030 | Cat I | Malware Detected | | | | 1:2100031 | Cat I | Trojan Activity | | EOF
Set proper permissions¶
sudo chown sguil:sguil /etc/sguil/sguild.conf sudo chmod 600 /etc/sguil/sguild.conf ```_
Sguil Server starten¶
Start und Verwaltung des Sguil-Servers:
```bash
Start Sguil server manually¶
cd /opt/sguil-server sudo -u sguil ./sguild -c /etc/sguil/sguild.conf
Start in daemon mode¶
sudo -u sguil ./sguild -c /etc/sguil/sguild.conf -D
Create systemd service¶
sudo cat > /etc/systemd/system/sguild.service << 'EOF' [Unit] Description=Sguil Server After=network.target mysql.service
[Service] Type=simple User=sguil Group=sguil WorkingDirectory=/opt/sguil-server ExecStart=/opt/sguil-server/sguild -c /etc/sguil/sguild.conf -D Restart=always RestartSec=10
[Install] WantedBy=multi-user.target EOF
Enable and start service¶
sudo systemctl daemon-reload sudo systemctl enable sguild sudo systemctl start sguild
Check service status¶
sudo systemctl status sguild
View server logs¶
sudo journalctl -u sguild -f ```_
Sensorkonfiguration¶
Konfiguration von Sguil-Sensoren:
```bash
Create sensor configuration¶
cat > /etc/sguil/sensor_agent.conf << 'EOF'
Sguil Sensor Configuration¶
Server connection¶
set SERVER_HOST 192.168.1.100 set SERVER_PORT 7735 set HOSTNAME sensor01 set NET_GROUP Internal
Sensor configuration¶
set INTERFACE eth0 set SENSOR_ID 1 set ENCODING ascii
Snort configuration¶
set SNORT_PERF_FILE /var/log/snort/snort.stats set WATCH_DIR /var/log/snort
Packet capture¶
set PCAP_DIR /var/log/sguil/pcap set MAX_PCAP_SIZE 100000000 set PCAP_RING_BUFFER 1
Barnyard2 configuration¶
set BY_PORT 7736 set BY_HOST localhost
File monitoring¶
set PORTSCAN_DIR /var/log/sguil/portscan set SANCP_DIR /var/log/sguil/sancp
Logging¶
set DEBUG 1 set LOG_DIR /var/log/sguil EOF
Create sensor startup script¶
cat > /opt/sguil-sensor/start_sensor.sh << 'EOF'
!/bin/bash¶
Sguil Sensor Startup Script¶
SENSOR_DIR="/opt/sguil-sensor" CONFIG_FILE="/etc/sguil/sensor_agent.conf" LOG_DIR="/var/log/sguil" PCAP_DIR="/var/log/sguil/pcap"
Create directories¶
mkdir -p $LOG_DIR $PCAP_DIR
Start packet capture¶
tcpdump -i eth0 -s 1514 -w \(PCAP_DIR/sensor01.pcap & TCPDUMP_PID=\)!
Start Snort¶
snort -D -i eth0 -c /etc/snort/snort.conf -l /var/log/snort
Start Barnyard2¶
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo & BARNYARD_PID=$!
Start sensor agent¶
cd $SENSOR_DIR ./sensor_agent.tcl -c $CONFIG_FILE
Cleanup on exit¶
trap "kill $TCPDUMP_PID $BARNYARD_PID" EXIT EOF
chmod +x /opt/sguil-sensor/start_sensor.sh
Start sensor¶
sudo /opt/sguil-sensor/start_sensor.sh ```_
Erweiterte Funktionen¶
Kundenspezifische Regeln und Unterschriften¶
Benutzerdefinierte erstellen Snort Regeln für Sguil:
```bash
Create custom rules directory¶
sudo mkdir -p /etc/snort/rules/custom
Create custom rule file¶
cat > /etc/snort/rules/custom/local.rules << 'EOF'
Custom Sguil Rules¶
Detect suspicious DNS queries¶
| | alert udp any any -> any 53 (msg:"CUSTOM DNS Query to suspicious domain"; content:" | 01 00 00 01 | "; offset:2; depth:4; content:"malware"; nocase; sid:2100001; rev:1; classtype:trojan-activity;) | |
Detect HTTP POST to suspicious URLs¶
alert tcp any any -> any 80 (msg:"CUSTOM Suspicious HTTP POST"; method:POST; content:"upload"; http_uri; nocase; sid:2100002; rev:1; classtype:web-application-attack;)
Detect SSH brute force attempts¶
alert tcp any any -> any 22 (msg:"CUSTOM SSH Brute Force Attempt"; flags:S; threshold:type both, track by_src, count 10, seconds 60; sid:2100003; rev:1; classtype:attempted-recon;)
Detect large file downloads¶
alert tcp any 80 -> any any (msg:"CUSTOM Large File Download"; flow:established,from_server; dsize:>1000000; sid:2100004; rev:1; classtype:policy-violation;)
Detect IRC traffic¶
alert tcp any any -> any 6667 (msg:"CUSTOM IRC Traffic Detected"; content:"NICK"; offset:0; depth:4; sid:2100005; rev:1; classtype:policy-violation;) EOF
Update Snort configuration to include custom rules¶
echo 'include $RULE_PATH/custom/local.rules' >> /etc/snort/snort.conf
Restart Snort to load new rules¶
sudo systemctl restart snort ```_
Veranstaltung Korrelation Scripts¶
Erstellung von Ereigniskorrelations- und Analyseskripten:
```python
!/usr/bin/env python3¶
Sguil Event Correlation Script¶
import mysql.connector import json import time from datetime import datetime, timedelta import logging
class SguilCorrelator: def init(self, db_config): self.db_config = db_config self.setup_logging()
def setup_logging(self):
"""Setup logging configuration"""
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/sguil/correlator.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def connect_database(self):
"""Connect to Sguil database"""
try:
connection = mysql.connector.connect(**self.db_config)
return connection
except mysql.connector.Error as e:
self.logger.error(f"Database connection failed: \\\\{e\\\\}")
return None
def get_recent_events(self, hours=1):
"""Get recent events from Sguil database"""
connection = self.connect_database()
if not connection:
return []
try:
cursor = connection.cursor(dictionary=True)
# Calculate time threshold
time_threshold = datetime.now() - timedelta(hours=hours)
query = """
SELECT
sid, cid, signature, signature_gen, signature_id,
src_ip, src_port, dst_ip, dst_port, ip_proto,
timestamp, status
FROM event
WHERE timestamp >= %s
ORDER BY timestamp DESC
"""
cursor.execute(query, (time_threshold,))
events = cursor.fetchall()
cursor.close()
connection.close()
return events
except mysql.connector.Error as e:
self.logger.error(f"Query failed: \\\\{e\\\\}")
return []
def correlate_brute_force(self, events):
"""Correlate brute force attacks"""
brute_force_attacks = \\\\{\\\\}
for event in events:
# Look for SSH brute force patterns
if 'ssh' in event['signature'].lower() and 'brute' in event['signature'].lower():
src_ip = event['src_ip']
dst_ip = event['dst_ip']
key = f"\\\\{src_ip\\\\}->\\\\{dst_ip\\\\}"
if key not in brute_force_attacks:
brute_force_attacks[key] = \\\\{
'src_ip': src_ip,
'dst_ip': dst_ip,
'count': 0,
'first_seen': event['timestamp'],
'last_seen': event['timestamp'],
'events': []
\\\\}
brute_force_attacks[key]['count'] += 1
brute_force_attacks[key]['last_seen'] = event['timestamp']
brute_force_attacks[key]['events'].append(event)
# Filter significant attacks
significant_attacks = \\\\{k: v for k, v in brute_force_attacks.items() if v['count'] >= 5\\\\}
return significant_attacks
def correlate_port_scans(self, events):
"""Correlate port scanning activities"""
port_scans = \\\\{\\\\}
for event in events:
# Look for port scan indicators
if any(keyword in event['signature'].lower() for keyword in ['scan', 'probe', 'recon']):
src_ip = event['src_ip']
if src_ip not in port_scans:
port_scans[src_ip] = \\\\{
'src_ip': src_ip,
'target_ports': set(),
'target_hosts': set(),
'count': 0,
'first_seen': event['timestamp'],
'last_seen': event['timestamp'],
'events': []
\\\\}
port_scans[src_ip]['target_ports'].add(event['dst_port'])
port_scans[src_ip]['target_hosts'].add(event['dst_ip'])
port_scans[src_ip]['count'] += 1
port_scans[src_ip]['last_seen'] = event['timestamp']
port_scans[src_ip]['events'].append(event)
# Convert sets to lists for JSON serialization
for scan in port_scans.values():
scan['target_ports'] = list(scan['target_ports'])
scan['target_hosts'] = list(scan['target_hosts'])
# Filter significant scans
significant_scans = \\\\{k: v for k, v in port_scans.items()
if len(v['target_ports']) >= 5 or len(v['target_hosts']) >= 3\\\\}
return significant_scans
def correlate_malware_activity(self, events):
"""Correlate malware-related activities"""
malware_activities = \\\\{\\\\}
malware_keywords = ['trojan', 'malware', 'backdoor', 'botnet', 'c2', 'command']
for event in events:
signature_lower = event['signature'].lower()
if any(keyword in signature_lower for keyword in malware_keywords):
src_ip = event['src_ip']
if src_ip not in malware_activities:
malware_activities[src_ip] = \\\\{
'src_ip': src_ip,
'malware_types': set(),
'target_hosts': set(),
'count': 0,
'first_seen': event['timestamp'],
'last_seen': event['timestamp'],
'events': []
\\\\}
# Extract malware type
for keyword in malware_keywords:
if keyword in signature_lower:
malware_activities[src_ip]['malware_types'].add(keyword)
malware_activities[src_ip]['target_hosts'].add(event['dst_ip'])
malware_activities[src_ip]['count'] += 1
malware_activities[src_ip]['last_seen'] = event['timestamp']
malware_activities[src_ip]['events'].append(event)
# Convert sets to lists
for activity in malware_activities.values():
activity['malware_types'] = list(activity['malware_types'])
activity['target_hosts'] = list(activity['target_hosts'])
return malware_activities
def generate_correlation_report(self, correlations):
"""Generate correlation report"""
report = \\\\{
'timestamp': datetime.now().isoformat(),
'summary': \\\\{
'brute_force_attacks': len(correlations.get('brute_force', \\\\{\\\\})),
'port_scans': len(correlations.get('port_scans', \\\\{\\\\})),
'malware_activities': len(correlations.get('malware', \\\\{\\\\}))
\\\\},
'correlations': correlations
\\\\}
# Save report
report_file = f"/var/log/sguil/correlation-\\\\{datetime.now().strftime('%Y%m%d-%H%M%S')\\\\}.json"
with open(report_file, 'w') as f:
json.dump(report, f, indent=2, default=str)
self.logger.info(f"Correlation report generated: \\\\{report_file\\\\}")
return report
def run_correlation(self, hours=1):
"""Run complete correlation analysis"""
self.logger.info("Starting event correlation analysis")
# Get recent events
events = self.get_recent_events(hours)
self.logger.info(f"Analyzing \\\\{len(events)\\\\} events from last \\\\{hours\\\\} hour(s)")
if not events:
self.logger.info("No events to correlate")
return None
# Perform correlations
correlations = \\\\{
'brute_force': self.correlate_brute_force(events),
'port_scans': self.correlate_port_scans(events),
'malware': self.correlate_malware_activity(events)
\\\\}
# Generate report
report = self.generate_correlation_report(correlations)
# Log summary
summary = report['summary']
self.logger.info(f"Correlation complete: \\\\{summary['brute_force_attacks']\\\\} brute force, "
f"\\\\{summary['port_scans']\\\\} port scans, \\\\{summary['malware_activities']\\\\} malware activities")
return report
Usage¶
if name == "main": db_config = \\{ 'host': 'localhost', 'database': 'sguildb', 'user': 'sguil', 'password': 'sguilpassword' \\}
correlator = SguilCorrelator(db_config)
report = correlator.run_correlation(hours=24)
```_
Automatisierte Antwortskripte¶
Erstellen von automatisierten Antwortskripten:
```bash
!/bin/bash¶
Sguil Automated Response Script¶
Configuration¶
SGUIL_DB_HOST="localhost" SGUIL_DB_USER="sguil" SGUIL_DB_PASS="sguilpassword" SGUIL_DB_NAME="sguildb" RESPONSE_LOG="/var/log/sguil/automated_response.log" BLOCK_LIST="/etc/sguil/blocked_ips.txt"
Logging function¶
log_message() \\{ echo "$(date '+%Y-%m-%d %H:%M:%S') - \(1" >> "\)RESPONSE_LOG" \\}
Block IP address using iptables¶
block_ip() \\{ local ip="\(1" local reason="\)2"
# Check if IP is already blocked
if iptables -L INPUT -n|grep -q "$ip"; then
log_message "IP $ip already blocked"
return 0
fi
# Add iptables rule
iptables -I INPUT -s "$ip" -j DROP
if [ $? -eq 0 ]; then
log_message "BLOCKED IP: $ip - Reason: $reason"
echo "$ip" >> "$BLOCK_LIST"
# Send notification
send_notification "IP Blocked" "Automatically blocked IP $ip due to: $reason"
return 0
else
log_message "FAILED to block IP: $ip"
return 1
fi
\\}
Unblock IP address¶
unblock_ip() \\{ local ip="$1"
# Remove iptables rule
iptables -D INPUT -s "$ip" -j DROP 2>/dev/null
if [ $? -eq 0 ]; then
log_message "UNBLOCKED IP: $ip"
# Remove from block list
sed -i "/$ip/d" "$BLOCK_LIST"
return 0
else
log_message "FAILED to unblock IP: $ip (may not have been blocked)"
return 1
fi
\\}
Send notification¶
send_notification() \\{ local subject="\(1" local message="\)2"
# Send email notification (if mail is configured)
if command -v mail >/dev/null 2>&1; then
echo "$message"|mail -s "Sguil Alert: $subject" security@company.com
fi
# Send to syslog
logger -t sguil-response "$subject: $message"
\\}
Check for brute force attacks¶
check_brute_force() \\{ log_message "Checking for brute force attacks..."
# Query database for recent SSH brute force events
mysql -h "$SGUIL_DB_HOST" -u "$SGUIL_DB_USER" -p"$SGUIL_DB_PASS" "$SGUIL_DB_NAME" -N -e "
SELECT src_ip, COUNT(*) as count
FROM event
WHERE signature LIKE '%SSH%brute%'
AND timestamp >= DATE_SUB(NOW(), INTERVAL 1 HOUR)
GROUP BY src_ip
HAVING count >= 10
"|while read ip count; do
if [ -n "$ip" ]; then
block_ip "$ip" "SSH brute force attack ($count attempts in 1 hour)"
fi
done
\\}
Check for port scanning¶
check_port_scans() \\{ log_message "Checking for port scanning activities..."
# Query database for port scan events
mysql -h "$SGUIL_DB_HOST" -u "$SGUIL_DB_USER" -p"$SGUIL_DB_PASS" "$SGUIL_DB_NAME" -N -e "
SELECT src_ip, COUNT(DISTINCT dst_port) as port_count, COUNT(*) as event_count
FROM event
WHERE (signature LIKE '%scan%' OR signature LIKE '%probe%')
AND timestamp >= DATE_SUB(NOW(), INTERVAL 1 HOUR)
GROUP BY src_ip
HAVING port_count >= 20 OR event_count >= 50
"|while read ip port_count event_count; do
if [ -n "$ip" ]; then
block_ip "$ip" "Port scanning activity ($port_count ports, $event_count events)"
fi
done
\\}
Check for malware activity¶
check_malware() \\{ log_message "Checking for malware activities..."
# Query database for malware-related events
mysql -h "$SGUIL_DB_HOST" -u "$SGUIL_DB_USER" -p"$SGUIL_DB_PASS" "$SGUIL_DB_NAME" -N -e "
SELECT src_ip, signature, COUNT(*) as count
FROM event
WHERE (signature LIKE '%trojan%' OR signature LIKE '%malware%' OR signature LIKE '%backdoor%')
AND timestamp >= DATE_SUB(NOW(), INTERVAL 1 HOUR)
GROUP BY src_ip, signature
HAVING count >= 5
"|while read ip signature count; do
if [ -n "$ip" ]; then
block_ip "$ip" "Malware activity: $signature ($count events)"
fi
done
\\}
Check for high-priority alerts¶
check_high_priority() \\{ log_message "Checking for high-priority alerts..."
# Query database for high-priority events
mysql -h "$SGUIL_DB_HOST" -u "$SGUIL_DB_USER" -p"$SGUIL_DB_PASS" "$SGUIL_DB_NAME" -N -e "
SELECT src_ip, dst_ip, signature, COUNT(*) as count
FROM event
WHERE signature_gen = 1 AND signature_id IN (1, 2, 3) -- High priority signature IDs
AND timestamp >= DATE_SUB(NOW(), INTERVAL 30 MINUTE)
GROUP BY src_ip, dst_ip, signature
"|while read src_ip dst_ip signature count; do
if [ -n "$src_ip" ]; then
# Send immediate notification for high-priority events
send_notification "High Priority Alert" "Source: $src_ip, Target: $dst_ip, Signature: $signature, Count: $count"
# Consider blocking if multiple high-priority events
if [ "$count" -ge 3 ]; then
block_ip "$src_ip" "Multiple high-priority alerts: $signature"
fi
fi
done
\\}
Cleanup old blocked IPs¶
cleanup_blocks() \\{ log_message "Cleaning up old blocked IPs..."
# Remove blocks older than 24 hours
if [ -f "$BLOCK_LIST" ]; then
# Create temporary file with current blocks
temp_file=$(mktemp)
# Check each blocked IP
while read -r ip; do
if [ -n "$ip" ]; then
# Check if IP should remain blocked (implement your logic here)
# For now, keep all blocks for 24 hours
echo "$ip" >> "$temp_file"
fi
done ``< "$BLOCK_LIST"
# Replace block list
mv "$temp_file" "$BLOCK_LIST"
fi
\}
Main execution¶
main() \{ log_message "Starting automated response checks..."
# Create block list file if it doesn't exist
touch "$BLOCK_LIST"
# Run security checks
check_brute_force
check_port_scans
check_malware
check_high_priority
# Cleanup old blocks
cleanup_blocks
log_message "Automated response checks completed"
\}
Execute main function¶
main "$@" ```_
Automatisierungsskripte¶
Umfassendes Monitoring-Script¶
```python
!/usr/bin/env python3¶
Comprehensive Sguil monitoring and management¶
import mysql.connector import subprocess import json import time import os import sys from datetime import datetime, timedelta import logging import smtplib from email.mime.text import MIMEText from email.mime.multipart import MIMEMultipart
class SguilMonitor: def init(self, config_file="sguil_monitor.json"): self.load_config(config_file) self.setup_logging()
def load_config(self, config_file):
"""Load monitoring configuration"""
default_config = \\\{
"database": \\\{
"host": "localhost",
"user": "sguil",
"password": "sguilpassword",
"database": "sguildb"
\\\},
"monitoring": \\\{
"check_interval": 300, # 5 minutes
"alert_thresholds": \\\{
"events_per_hour": 1000,
"unique_sources": 100,
"high_priority_events": 10
\\\}
\\\},
"notifications": \\\{
"email": \\\{
"enabled": False,
"smtp_server": "localhost",
"smtp_port": 587,
"username": "",
"password": "",
"from": "sguil@company.com",
"to": "security@company.com"
\\\}
\\\},
"response": \\\{
"auto_block": True,
"block_threshold": 50,
"block_duration": 3600 # 1 hour
\\\}
\\\}
if os.path.exists(config_file):
with open(config_file, 'r') as f:
user_config = json.load(f)
# Merge configurations
self.config = \\\{**default_config, **user_config\\\}
else:
self.config = default_config
# Save default config
with open(config_file, 'w') as f:
json.dump(default_config, f, indent=2)
def setup_logging(self):
"""Setup logging configuration"""
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/sguil/monitor.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def connect_database(self):
"""Connect to Sguil database"""
try:
db_config = self.config["database"]
connection = mysql.connector.connect(**db_config)
return connection
except mysql.connector.Error as e:
self.logger.error(f"Database connection failed: \\\{e\\\}")
return None
def check_system_health(self):
"""Check Sguil system health"""
health_status = \\\{
"timestamp": datetime.now().isoformat(),
"services": \\\{\\\},
"database": \\\{\\\},
"disk_space": \\\{\\\},
"overall_status": "healthy"
\\\}
# Check Sguil server process
try:
result = subprocess.run(['pgrep', '-f', 'sguild'], capture_output=True, text=True)
health_status["services"]["sguild"] = "running" if result.returncode == 0 else "stopped"
except Exception as e:
health_status["services"]["sguild"] = f"error: \\\{e\\\}"
# Check Snort processes
try:
result = subprocess.run(['pgrep', '-f', 'snort'], capture_output=True, text=True)
health_status["services"]["snort"] = "running" if result.returncode == 0 else "stopped"
except Exception as e:
health_status["services"]["snort"] = f"error: \\\{e\\\}"
# Check database connectivity
connection = self.connect_database()
if connection:
try:
cursor = connection.cursor()
cursor.execute("SELECT COUNT(*) FROM event WHERE timestamp >``= DATE_SUB(NOW(), INTERVAL 1 HOUR)")
recent_events = cursor.fetchone()[0]
health_status["database"]["status"] = "connected"
health_status["database"]["recent_events"] = recent_events
cursor.close()
connection.close()
except Exception as e:
health_status["database"]["status"] = f"error: \\\\{e\\\\}"
else:
health_status["database"]["status"] = "disconnected"
# Check disk space
try:
result = subprocess.run(['df', '-h', '/var/log/sguil'], capture_output=True, text=True)
if result.returncode == 0:
lines = result.stdout.strip().split('\n')
if len(lines) > 1:
fields = lines[1].split()
health_status["disk_space"]["usage"] = fields[4]
health_status["disk_space"]["available"] = fields[3]
except Exception as e:
health_status["disk_space"]["error"] = str(e)
# Determine overall status
if (health_status["services"].get("sguild") != "running" or
health_status["services"].get("snort") != "running" or
health_status["database"].get("status") != "connected"):
health_status["overall_status"] = "critical"
elif health_status["disk_space"].get("usage", "0%").replace("%", "") > "90":
health_status["overall_status"] = "warning"
return health_status
def analyze_security_events(self, hours=1):
"""Analyze recent security events"""
connection = self.connect_database()
if not connection:
return None
try:
cursor = connection.cursor(dictionary=True)
# Get event statistics
time_threshold = datetime.now() - timedelta(hours=hours)
# Total events
cursor.execute("""
SELECT COUNT(*) as total_events
FROM event
WHERE timestamp >= %s
""", (time_threshold,))
total_events = cursor.fetchone()["total_events"]
# Events by severity
cursor.execute("""
SELECT
CASE
WHEN signature_id IN (1, 2, 3) THEN 'high'
WHEN signature_id IN (4, 5, 6) THEN 'medium'
ELSE 'low'
END as severity,
COUNT(*) as count
FROM event
WHERE timestamp >= %s
GROUP BY severity
""", (time_threshold,))
severity_stats = \\\\{row["severity"]: row["count"] for row in cursor.fetchall()\\\\}
# Top source IPs
cursor.execute("""
SELECT src_ip, COUNT(*) as count
FROM event
WHERE timestamp >= %s
GROUP BY src_ip
ORDER BY count DESC
LIMIT 10
""", (time_threshold,))
top_sources = cursor.fetchall()
# Top signatures
cursor.execute("""
SELECT signature, COUNT(*) as count
FROM event
WHERE timestamp >= %s
GROUP BY signature
ORDER BY count DESC
LIMIT 10
""", (time_threshold,))
top_signatures = cursor.fetchall()
# Unique source IPs
cursor.execute("""
SELECT COUNT(DISTINCT src_ip) as unique_sources
FROM event
WHERE timestamp >= %s
""", (time_threshold,))
unique_sources = cursor.fetchone()["unique_sources"]
cursor.close()
connection.close()
analysis = \\\\{
"timestamp": datetime.now().isoformat(),
"time_period_hours": hours,
"total_events": total_events,
"unique_sources": unique_sources,
"severity_breakdown": severity_stats,
"top_sources": top_sources,
"top_signatures": top_signatures
\\\\}
return analysis
except mysql.connector.Error as e:
self.logger.error(f"Event analysis failed: \\\\{e\\\\}")
return None
def check_alert_thresholds(self, analysis):
"""Check if analysis exceeds alert thresholds"""
if not analysis:
return []
alerts = []
thresholds = self.config["monitoring"]["alert_thresholds"]
# Check events per hour
events_per_hour = analysis["total_events"] / analysis["time_period_hours"]
if events_per_hour > thresholds["events_per_hour"]:
alerts.append(\\\\{
"type": "high_event_rate",
"message": f"High event rate: \\\\{events_per_hour:.0f\\\\} events/hour (threshold: \\\\{thresholds['events_per_hour']\\\\})",
"severity": "warning"
\\\\})
# Check unique sources
if analysis["unique_sources"] > thresholds["unique_sources"]:
alerts.append(\\\\{
"type": "many_unique_sources",
"message": f"Many unique sources: \\\\{analysis['unique_sources']\\\\} (threshold: \\\\{thresholds['unique_sources']\\\\})",
"severity": "warning"
\\\\})
# Check high priority events
high_priority_count = analysis["severity_breakdown"].get("high", 0)
if high_priority_count > thresholds["high_priority_events"]:
alerts.append(\\\\{
"type": "high_priority_events",
"message": f"High priority events: \\\\{high_priority_count\\\\} (threshold: \\\\{thresholds['high_priority_events']\\\\})",
"severity": "critical"
\\\\})
return alerts
def send_notification(self, subject, body, alerts=None):
"""Send notification about monitoring results"""
email_config = self.config["notifications"]["email"]
if not email_config.get("enabled", False):
return
try:
msg = MIMEMultipart()
msg['From'] = email_config["from"]
msg['To'] = email_config["to"]
msg['Subject'] = f"Sguil Monitor: \\\\{subject\\\\}"
# Add alerts to body if provided
if alerts:
body += "\n\nALERTS:\n"
for alert in alerts:
body += f"- [\\\\{alert['severity'].upper()\\\\}] \\\\{alert['message']\\\\}\n"
msg.attach(MIMEText(body, 'plain'))
server = smtplib.SMTP(email_config["smtp_server"], email_config["smtp_port"])
server.starttls()
if email_config.get("username") and email_config.get("password"):
server.login(email_config["username"], email_config["password"])
text = msg.as_string()
server.sendmail(email_config["from"], email_config["to"], text)
server.quit()
self.logger.info("Notification sent successfully")
except Exception as e:
self.logger.error(f"Failed to send notification: \\\\{e\\\\}")
def auto_response(self, analysis, alerts):
"""Perform automated response actions"""
if not self.config["response"]["auto_block"]:
return
# Check for sources that should be blocked
block_threshold = self.config["response"]["block_threshold"]
for source in analysis.get("top_sources", []):
if source["count"] >= block_threshold:
self.block_ip(source["src_ip"], f"Exceeded event threshold: \\\\{source['count']\\\\} events")
def block_ip(self, ip, reason):
"""Block IP address using iptables"""
try:
# Check if already blocked
result = subprocess.run(['iptables', '-L', 'INPUT', '-n'], capture_output=True, text=True)
if ip in result.stdout:
self.logger.info(f"IP \\\\{ip\\\\} already blocked")
return
# Add block rule
subprocess.run(['iptables', '-I', 'INPUT', '-s', ip, '-j', 'DROP'], check=True)
self.logger.info(f"Blocked IP \\\\{ip\\\\}: \\\\{reason\\\\}")
# Log to file
with open('/var/log/sguil/blocked_ips.log', 'a') as f:
f.write(f"\\\\{datetime.now().isoformat()\\\\} - BLOCKED \\\\{ip\\\\}: \\\\{reason\\\\}\n")
except subprocess.CalledProcessError as e:
self.logger.error(f"Failed to block IP \\\\{ip\\\\}: \\\\{e\\\\}")
def generate_report(self, health_status, analysis, alerts):
"""Generate monitoring report"""
report = \\\\{
"timestamp": datetime.now().isoformat(),
"health_status": health_status,
"security_analysis": analysis,
"alerts": alerts,
"summary": \\\\{
"overall_health": health_status.get("overall_status", "unknown"),
"total_events": analysis.get("total_events", 0) if analysis else 0,
"alert_count": len(alerts),
"critical_alerts": len([a for a in alerts if a.get("severity") == "critical"])
\\\\}
\\\\}
# Save report
report_file = f"/var/log/sguil/monitor-report-\\\\{datetime.now().strftime('%Y%m%d-%H%M%S')\\\\}.json"
with open(report_file, 'w') as f:
json.dump(report, f, indent=2)
self.logger.info(f"Monitoring report saved: \\\\{report_file\\\\}")
return report
def run_monitoring_cycle(self):
"""Run complete monitoring cycle"""
self.logger.info("Starting Sguil monitoring cycle")
# Check system health
health_status = self.check_system_health()
# Analyze security events
analysis = self.analyze_security_events(hours=1)
# Check alert thresholds
alerts = self.check_alert_thresholds(analysis) if analysis else []
# Generate report
report = self.generate_report(health_status, analysis, alerts)
# Send notifications if needed
if alerts or health_status.get("overall_status") != "healthy":
subject = "System Alert" if health_status.get("overall_status") != "healthy" else "Security Alert"
body = f"Sguil monitoring report generated at \\\\{datetime.now()\\\\}\n\n"
body += f"System Status: \\\\{health_status.get('overall_status', 'unknown')\\\\}\n"
if analysis:
body += f"Events in last hour: \\\\{analysis['total_events']\\\\}\n"
body += f"Unique sources: \\\\{analysis['unique_sources']\\\\}\n"
self.send_notification(subject, body, alerts)
# Perform automated response
if analysis and alerts:
self.auto_response(analysis, alerts)
self.logger.info("Monitoring cycle completed")
return report
def start_continuous_monitoring(self):
"""Start continuous monitoring"""
self.logger.info("Starting continuous Sguil monitoring")
check_interval = self.config["monitoring"]["check_interval"]
while True:
try:
self.run_monitoring_cycle()
time.sleep(check_interval)
except KeyboardInterrupt:
self.logger.info("Monitoring stopped by user")
break
except Exception as e:
self.logger.error(f"Monitoring cycle failed: \\\\{e\\\\}")
time.sleep(60) # Wait 1 minute before retrying
Usage¶
if name == "main": monitor = SguilMonitor()
if len(sys.argv) > 1 and sys.argv[1] == "--continuous":
monitor.start_continuous_monitoring()
else:
monitor.run_monitoring_cycle()
```_
Integrationsbeispiele¶
ELK Stack Integration¶
```python
!/usr/bin/env python3¶
Sguil to Elasticsearch integration¶
import mysql.connector import json from datetime import datetime from elasticsearch import Elasticsearch
class SguilElasticsearchIntegration: def init(self, sguil_db_config, elasticsearch_config): self.sguil_db_config = sguil_db_config self.es = Elasticsearch([elasticsearch_config])
def connect_sguil_db(self):
"""Connect to Sguil database"""
return mysql.connector.connect(**self.sguil_db_config)
def fetch_events(self, since_timestamp=None):
"""Fetch events from Sguil database"""
connection = self.connect_sguil_db()
cursor = connection.cursor(dictionary=True)
if since_timestamp:
query = "SELECT * FROM event WHERE timestamp > %s ORDER BY timestamp"
cursor.execute(query, (since_timestamp,))
else:
query = "SELECT * FROM event ORDER BY timestamp DESC LIMIT 1000"
cursor.execute(query)
events = cursor.fetchall()
cursor.close()
connection.close()
return events
def transform_event(self, event):
"""Transform Sguil event for Elasticsearch"""
return \\\\{
"@timestamp": event["timestamp"].isoformat(),
"sguil": \\\\{
"sid": event["sid"],
"cid": event["cid"],
"signature": event["signature"],
"signature_gen": event["signature_gen"],
"signature_id": event["signature_id"],
"signature_rev": event["signature_rev"]
\\\\},
"source": \\\\{
"ip": event["src_ip"],
"port": event["src_port"]
\\\\},
"destination": \\\\{
"ip": event["dst_ip"],
"port": event["dst_port"]
\\\\},
"network": \\\\{
"protocol": event["ip_proto"]
\\\\},
"event": \\\\{
"severity": self.get_severity(event["signature_id"]),
"category": self.get_category(event["signature"])
\\\\}
\\\\}
def get_severity(self, signature_id):
"""Determine event severity"""
if signature_id in [1, 2, 3]:
return "high"
elif signature_id in [4, 5, 6]:
return "medium"
else:
return "low"
def get_category(self, signature):
"""Determine event category"""
signature_lower = signature.lower()
if any(word in signature_lower for word in ["trojan", "malware", "backdoor"]):
return "malware"
elif any(word in signature_lower for word in ["scan", "probe", "recon"]):
return "reconnaissance"
elif any(word in signature_lower for word in ["brute", "force", "login"]):
return "brute_force"
elif any(word in signature_lower for word in ["dos", "ddos", "flood"]):
return "denial_of_service"
else:
return "other"
def index_events(self, events, index_name="sguil-events"):
"""Index events in Elasticsearch"""
for event in events:
doc = self.transform_event(event)
doc_id = f"\\\\{event['sid']\\\\}-\\\\{event['cid']\\\\}"
self.es.index(
index=f"\\\\{index_name\\\\}-\\\\{datetime.now().strftime('%Y.%m.%d')\\\\}",
id=doc_id,
body=doc
)
def sync_events(self, index_name="sguil-events"):
"""Sync events from Sguil to Elasticsearch"""
# Get last synced timestamp
try:
result = self.es.search(
index=f"\\\\{index_name\\\\}-*",
body=\\\\{
"size": 1,
"sort": [\\\\{"@timestamp": \\\\{"order": "desc"\\\\}\\\\}],
"_source": ["@timestamp"]
\\\\}
)
if result["hits"]["hits"]:
last_timestamp = result["hits"]["hits"][0]["_source"]["@timestamp"]
else:
last_timestamp = None
except Exception:
last_timestamp = None
# Fetch and index new events
events = self.fetch_events(last_timestamp)
if events:
self.index_events(events, index_name)
print(f"Indexed \\\\{len(events)\\\\} events to Elasticsearch")
Usage¶
sguil_config = \\{ 'host': 'localhost', 'database': 'sguildb', 'user': 'sguil', 'password': 'sguilpassword' \\}
es_config = \\{ 'host': 'localhost', 'port': 9200 \\}
integration = SguilElasticsearchIntegration(sguil_config, es_config) integration.sync_events() ```_
Integration von Splunk¶
```bash
!/bin/bash¶
Sguil to Splunk integration script¶
SGUIL_DB_HOST="localhost" SGUIL_DB_USER="sguil" SGUIL_DB_PASS="sguilpassword" SGUIL_DB_NAME="sguildb" SPLUNK_HEC_URL="https://splunk.company.com:8088/services/collector/event" SPLUNK_HEC_TOKEN="your-hec-token"
Export Sguil events to JSON for Splunk¶
export_events_to_splunk() \\{ local since_timestamp="$1"
# Query Sguil database
mysql -h "$SGUIL_DB_HOST" -u "$SGUIL_DB_USER" -p"$SGUIL_DB_PASS" "$SGUIL_DB_NAME" -e "
SELECT
UNIX_TIMESTAMP(timestamp) as time,
'sguil' as source,
'sguil:event' as sourcetype,
JSON_OBJECT(
'sid', sid,
'cid', cid,
'signature', signature,
'signature_gen', signature_gen,
'signature_id', signature_id,
'src_ip', src_ip,
'src_port', src_port,
'dst_ip', dst_ip,
'dst_port', dst_port,
'ip_proto', ip_proto,
'timestamp', timestamp
) as event
FROM event
WHERE timestamp > '$since_timestamp'
ORDER BY timestamp
" -N|while read time source sourcetype event; do
# Send to Splunk HEC
curl -k -X POST "$SPLUNK_HEC_URL" \
-H "Authorization: Splunk $SPLUNK_HEC_TOKEN" \
-H "Content-Type: application/json" \
-d "\\\\{\"time\": $time, \"source\": \"$source\", \"sourcetype\": \"$sourcetype\", \"event\": $event\\\\}"
done
\\}
Get last sync timestamp¶
LAST_SYNC_FILE="/var/log/sguil/last_splunk_sync" if [ -f "\(LAST_SYNC_FILE" ]; then LAST_SYNC=\)(cat "\(LAST_SYNC_FILE") else LAST_SYNC=\)(date -d "1 hour ago" '+%Y-%m-%d %H:%M:%S') fi
Export events¶
export_events_to_splunk "$LAST_SYNC"
Update last sync timestamp¶
date '+%Y-%m-%d %H:%M:%S' > "$LAST_SYNC_FILE" ```_
Fehlerbehebung¶
Gemeinsame Themen¶
** Probleme der Datenbankverbindung:** ```bash
Check MySQL service¶
sudo systemctl status mysql sudo systemctl start mysql
Test database connection¶
mysql -h localhost -u sguil -p sguildb -e "SELECT COUNT(*) FROM event;"
Check database permissions¶
mysql -u root -p -e "SHOW GRANTS FOR 'sguil'@'localhost';"
Repair database tables¶
mysql -u sguil -p sguildb -e "REPAIR TABLE event;" mysql -u sguil -p sguildb -e "OPTIMIZE TABLE event;" ```_
** Sensor Connectivity Issues:** ```bash
Check sensor agent process¶
ps aux|grep sensor_agent
Test network connectivity to server¶
telnet sguil-server 7735
Check sensor logs¶
tail -f /var/log/sguil/sensor_agent.log
Verify sensor configuration¶
cat /etc/sguil/sensor_agent.conf
Test Snort configuration¶
snort -T -c /etc/snort/snort.conf ```_
Leistungsfragen: ```bash
Check database performance¶
mysql -u sguil -p sguildb -e "SHOW PROCESSLIST;" mysql -u sguil -p sguildb -e "SHOW ENGINE INNODB STATUS\G"
Optimize database¶
mysql -u sguil -p sguildb -e "ANALYZE TABLE event;" mysql -u sguil -p sguildb -e "OPTIMIZE TABLE event;"
Check disk space¶
df -h /var/log/sguil df -h /var/lib/mysql
Monitor system resources¶
top -p $(pgrep sguild) iostat -x 1 ```_
Leistungsoptimierung¶
Optimierung der Sguil-Leistung:
```bash
MySQL optimization¶
cat >> /etc/mysql/mysql.conf.d/sguil.cnf << 'EOF' [mysqld]
Sguil optimizations¶
innodb_buffer_pool_size = 2G innodb_log_file_size = 256M innodb_flush_log_at_trx_commit = 2 query_cache_size = 256M query_cache_type = 1 max_connections = 200 EOF
Restart MySQL¶
sudo systemctl restart mysql
Archive old events¶
mysql -u sguil -p sguildb -e " DELETE FROM event WHERE timestamp < DATE_SUB(NOW(), INTERVAL 30 DAY); "
Create database indexes¶
mysql -u sguil -p sguildb -e " CREATE INDEX idx_event_timestamp ON event (timestamp); CREATE INDEX idx_event_src_ip ON event (src_ip); CREATE INDEX idx_event_dst_ip ON event (dst_ip); CREATE INDEX idx_event_signature_id ON event (signature_id); " ```_
Sicherheitsüberlegungen¶
Zugriffskontrolle¶
** Datenbanksicherheit:** - Verwenden Sie starke Passwörter für Datenbankkonten - Einschränkung des Datenbankzugriffs auf notwendige Hosts nur - Regelmäßige Sicherung der Sguil-Datenbank - Implementierung der Datenbankverschlüsselung für sensible Daten - Datenbankzugriffsprotokolle überwachen
Netzwerksicherheit: - Verschlüsselte Verbindungen zwischen Komponenten verwenden - Implementierung von Firewall-Regeln für Sguil-Ports - Regelmäßige Sicherheitsupdates für alle Komponenten - Überwachen Sie den Netzverkehr in Sguil-Infrastruktur - Netzwerksegmentierung implementieren
Datenschutz¶
Ereignisse Datensicherheit: - Verschlüsseln Sie sensible Ereignisdaten im Ruhezustand - Umsetzung von Datenschutzbestimmungen - Sichere Paketerfassung Speicher - Regelmäßige Reinigung von temporären Dateien - Implementierung der Zugangsprotokollierung für Ereignisdaten
** Sicherheit:** - Regelmäßige Sicherheitsbewertungen der Sguil-Infrastruktur - Monitor für unberechtigte Zugriffsversuche - Durchführung richtiger Backup- und Recovery-Verfahren - Regelmäßige Aktualisierungen von Sguil und Abhängigkeiten - Incident Response Verfahren für Sguil Kompromiss
Referenzen¶
- [Sguil Offizielle Website](https://LINK_5
- Sguil GitHub Repository
- [Netzwerksicherheitsüberwachung mit Sguil](https://LINK_5
- Snort IDS Dokumentation
- MySQL Performance Tuning