This repository has been archived by the owner on Apr 16, 2021. It is now read-only.
doug edited this page Aug 27, 2019 · 42 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Squert.

Description

From http://www.squertproject.org/:

Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.

Squert was originally developed by Paul Halliday:
http://www.squertproject.org/

Security Onion maintains its own fork of Squert:
https://blog.securityonion.net/2016/09/squert-development.html

Squert is a PHP web interface to the Sguil database and works best with Chromium/Chrome browsers.

Authentication

Squert authenticates against the Sguil user database, so you should be able to login to Squert using the same username/password you use to login to Sguil.

Prepared Statements

Squert was recently updated to use prepared statements: https://blog.securityonion.net/2018/01/security-advisory-for-squert.html

If you start seeing "Prepared statement needs to be re-prepared" in /var/log/apache2/error.log, please see the following:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MySQLTuning#table_definition_cache

Data Types

Squert gives you access to the following data types:

  • NIDS alerts
  • HIDS alerts
  • Asset data from PRADS (if PRADS and pads_agent are enabled)
  • HTTP logs from Bro (if http_agent is enabled)

Time Interval

The default view shows alerts from today. To show older alerts, click "INTERVAL", then click the 2 right arrows, set your custom date, and click Squert's refresh button (two circular arrows).

Timeplot

The timeplot at the top of the EVENTS page represents events as they occur each day.
In summary, the timeplot:

  • plots the raw number of events on a per-minute basis.
  • uses the X-axis for the hour of the day and the Y-axis for the number of events per minute.
  • treats each region as equivalent to one hour.
  • plots and underlines the number of events in each region for that hour.

Toggle Options

queue only
Default is on.

When this option is on, Squert shows only events with a status of 0, i.e. uncategorized events still residing in the active queue. If you would like to see all events, change it to off.

grouping
Default is on.

When this option is on, Squert groups events of the same type that occur within a particular timeframe into a single row. If you would like to see the events un-grouped, change this option to off.

Alerts

The alert pane consists of several columns, explained below:

QUEUE - refers to the number of grouped events in the queue
SC - number of distinct source IPs for the given alert
DC - number of distinct destination IPs for the given alert
ACTIVITY - number of events for a given alert on a per hour basis
LAST EVENT - time event last occurred
SIGNATURE - event IDS signature
ID - event signature ID
PROTO - protocol associated with the event
% TOTAL - percentage of event grouping vs. entire event count
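The following is an added example (not Squert's own code) that computes the alert-pane columns above from a few constructed Sguil-style event rows, so the effect of the "queue only" and "grouping" toggles can be checked directly. The grouping key (signature ID plus protocol) and the field names are assumptions for illustration; Squert's real grouping logic and schema may differ.

```python
from collections import defaultdict
from datetime import datetime

def ev(ts, status, sig_id, signature, proto, src, dst):
    """Build one Sguil-style event row (field names are assumed)."""
    return {"timestamp": ts, "status": status, "sig_id": sig_id,
            "signature": signature, "proto": proto, "src": src, "dst": dst}

# Constructed sample data; status 0 = uncategorized, still in the active queue.
EVENTS = [
    ev("2019-08-27 10:01:00", 0, 2100498, "GPL ATTACK_RESPONSE id check returned root", "TCP", "10.0.0.5", "203.0.113.7"),
    ev("2019-08-27 10:03:00", 0, 2100498, "GPL ATTACK_RESPONSE id check returned root", "TCP", "10.0.0.6", "203.0.113.7"),
    ev("2019-08-27 11:15:00", 11, 2100498, "GPL ATTACK_RESPONSE id check returned root", "TCP", "10.0.0.5", "203.0.113.8"),
    ev("2019-08-27 12:30:00", 0, 2013028, "ET POLICY curl User-Agent Outbound", "TCP", "10.0.0.9", "198.51.100.2"),
]

def alert_pane(events, queue_only=True, grouping=True):
    """Return rows shaped like the alert pane: QUEUE, SC, DC, LAST EVENT, SIGNATURE, ID, PROTO, % TOTAL."""
    if queue_only:                       # "queue only" toggle: keep status 0 events only
        events = [e for e in events if e["status"] == 0]
    total = len(events)
    groups = defaultdict(list)
    for i, e in enumerate(events):       # "grouping" toggle: collapse same signature+proto, else one row per event
        key = (e["sig_id"], e["proto"]) if grouping else (e["sig_id"], e["proto"], i)
        groups[key].append(e)
    rows = []
    for grp in groups.values():
        rows.append({
            "QUEUE": len(grp),                                  # grouped events in the queue
            "SC": len({e["src"] for e in grp}),                 # distinct source IPs
            "DC": len({e["dst"] for e in grp}),                 # distinct destination IPs
            "LAST EVENT": max(e["timestamp"] for e in grp),     # ISO strings sort chronologically
            "SIGNATURE": grp[0]["signature"],
            "ID": grp[0]["sig_id"],
            "PROTO": grp[0]["proto"],
            "% TOTAL": round(100.0 * len(grp) / total, 1) if total else 0.0,
        })
    rows.sort(key=lambda r: r["QUEUE"], reverse=True)
    return rows

def activity(events, sig_id):
    """ACTIVITY column: per-hour event counts for one signature ID, keyed by hour of day."""
    counts = defaultdict(int)
    for e in events:
        if e["sig_id"] == sig_id:
            counts[datetime.strptime(e["timestamp"], "%Y-%m-%d %H:%M:%S").hour] += 1
    return dict(counts)

if __name__ == "__main__":
    for row in alert_pane(EVENTS):
        print(row)
    print(activity(EVENTS, 2100498))
```

With the defaults (queue only on, grouping on) the categorized status-11 event disappears and the two remaining root-check alerts collapse into one row with QUEUE 2, SC 2 and DC 1; switching queue only off brings the third event back into that group.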

Pivoting to Full Packet Capture

Squert can pivot to CapMe for full packet capture. To do this, drill into an event and click on the Event ID.

Pivoting to Kibana

Squert can pivot to Kibana to query Bro logs, OSSEC logs, syslog, etc. To do this, click an IP address, port, or signature, and then click Kibana. In Security Onion 14.04, Squert pivots to Kibana using a relative hyperlink, so it should use the same hostname or IP address that you used to connect to Squert.

Adding your own pivots

If you're running the latest version of Squert, you can also add your own pivots as follows:

  • In the upper right corner of Squert, click the Filters button.
  • Set the type to URL.
  • Click the + button.
  • Click your New entry.
  • Fill out the alias, name, notes, and URL fields as applicable.
  • Click the Update button.
  • Close the Filters and URLs window.
  • To test, drill into an event and click an IP address. A context menu will appear and display your new link. Click the new link and verify that it opens a new browser tab going to the site you specified and passing the IP address that you clicked on.