nil.enroll(aetheric_username, quantum_class_id) (adric) wrote,
nil.enroll(aetheric_username, quantum_class_id)

Some SO beta sucesses monitoring home lab network

Having all but wrapped up my studies of SEC 503 and stealing a few hours from SEC 401 (teaching it Tuesday nights) and Liar and Outliers (reading a review copy) this afternoon I made good progress with Security Onion 12.04 beta which I've been fooling around with on the lab network at home.

I've got SO beta running monitoring two network interfaces, with Snorby, Squert, squil, and even ELSA all working in their most basic forms. This is all credit to the Onion but I've fussed with previous betas for quite a while off and on trying to get it all up and running so that was pleasant to finally achieve.

I finally found and applied the patch that let's sguil pivot to Wireshark on Windows. This makes sguil even more awesome, though it's age is starting to show. It requires an older version of Tcl/Tk to run and has no IPv6 support :(

I've added some trivial rules to local.rules. All of the tools are seeing them and alerts fire, are categorized, hit the database , show up in reports, as expected. Sguil even gets the rule definitions and pcaps, though snorby doesn't like to find my rule definitions. As above this is exactly what is supposed to happen, but it's cool to be able to add rules, reload the rule configs, reload web pages and see the alerts register. I should be able to make more sophisticated rules using what I learned in SEC 503 when I bring the books home.

So, what did you do on Saturday?

Tags: home lab, nsm, snort

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 1 comment