Thursday, September 13, 2018

Setting up web-based Sguil


One of the problems with using Sguil for network forensics investigations is the client. It is a thick client, so you have to make sure your system can actually run it. OSX makes this easier because it has wish installed, so getting the client running is as simple as launching it, but you still run into client hangups and similar issues.

Recently the author, Bamm Visscher, updated the code to include a web client served by sguild itself. In this post I am going to get it installed on a fresh install of Security Onion. One hurdle is that SO is already running a web server on 443, so the web client has to be moved to a different port and a few files have to be modified. Let's get started.


First, clone the repo.

cd /opt/ && git clone https://github.com/bammv/sguil.git 

This places a fresh checkout in /opt, which is where we will work from.

Let's stop sguild and take a quick backup of the current files. Both the mkdir and the tar need sudo, since /opt is root-owned on a stock install:

sudo so-sguild-stop && sudo mkdir -p /opt/sguil_bak && sudo tar zcvf /opt/sguil_bak/lib.bak.tgz /usr/lib/sguild/ && sudo tar zcvf /opt/sguil_bak/sguild.tgz /usr/bin/sguild

Now that we have our backup, copy the new lib files over:

sudo rsync -avh /opt/sguil/server/lib/* /usr/lib/sguild/

Now edit the config. Change 4433 to whatever port you want for the web page; it just cannot be 443, which Security Onion's existing web server already owns. A plain `echo >>` would fail with permission denied because the redirection runs as your user, so pipe through sudo tee -a instead, and run these only once so the lines are not duplicated:

echo "set HTTPS 1" | sudo tee -a /etc/sguild/sguild.conf
echo "set HTTPS_PORT 4433" | sudo tee -a /etc/sguild/sguild.conf
echo "set HTML_PATH {/opt/sguil/server/html}" | sudo tee -a /etc/sguild/sguild.conf

Once the config is in place, sguild itself needs a quick edit: it hard-codes cert.pem and privkey.pem, and we want it to pick up a separate key pair for the web service. Do both substitutions in one in-place (-i) sed run; the backup of /usr/bin/sguild taken above is the undo path if anything goes wrong:

sudo sed -i -e 's/cert\.pem/wcert.pem/' -e 's/privkey\.pem/wprivkey.pem/' /usr/bin/sguild

You can confirm the edit with grep -n 'wcert.pem\|wprivkey.pem' /usr/bin/sguild.


The last thing before we log into the console is to generate the key pair for the web service, using the wcert.pem and wprivkey.pem names sguild now expects. The flag is -x509 (self-signed); without -days OpenSSL issues a certificate that expires in 30 days, so set it explicitly. OpenSSL will prompt for the subject fields; the Common Name should be the hostname you will type into the browser.

sudo openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout /etc/sguild/certs/wprivkey.pem -out /etc/sguild/certs/wcert.pem

Now that everything is in place, go ahead and fire up sguild:

sudo so-sguild-start 

You should see everything start OK. You can check with sudo ss -ltn | grep 4433 that sguild is actually listening before opening a browser. Then head to https://localhost:4433 (or whatever port you chose above); because the certificate is self-signed, the browser will warn about it the first time. You should be presented with the login page. The credentials are the same ones you created while setting up SO. See below.
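The whole procedure, as an added example written for this post rather than the author's own script: the same steps, but re-runnable (config lines are only appended once, the sed is skipped if already applied, an existing key pair is kept), with a listening check at the end. It assumes Security Onion's stock paths and the so-sguild-stop / so-sguild-start wrappers used above; every path and the port are variables that can be overridden from the environment.

```bash
#!/usr/bin/env bash
# Added example (not the post's own script): the manual steps above as one
# re-runnable installer with checks. Assumes Security Onion's stock paths
# (/opt/sguil, /usr/lib/sguild, /usr/bin/sguild, /etc/sguild) and the
# so-sguild-stop / so-sguild-start wrappers; override via the environment.
set -eu

SGUIL_REPO="${SGUIL_REPO:-https://github.com/bammv/sguil.git}"
SGUIL_SRC="${SGUIL_SRC:-/opt/sguil}"
SGUILD_LIB="${SGUILD_LIB:-/usr/lib/sguild}"
SGUILD_BIN="${SGUILD_BIN:-/usr/bin/sguild}"
SGUILD_CONF="${SGUILD_CONF:-/etc/sguild/sguild.conf}"
CERT_DIR="${CERT_DIR:-/etc/sguild/certs}"
HTTPS_PORT="${HTTPS_PORT:-4433}"
BACKUP_DIR="${BACKUP_DIR:-/opt/sguil_bak}"

# Append "set NAME VALUE" to a sguild.conf-style file unless NAME is already
# set, so re-running the script does not pile up duplicate lines.
set_conf() {
  local file="$1" name="$2" value="$3"
  if [ -f "$file" ] && grep -Eq "^set[[:space:]]+${name}([[:space:]]|\$)" "$file"; then
    echo "keep: ${name} already set in ${file}"
    return 0
  fi
  printf 'set %s %s\n' "$name" "$value" >> "$file"
  echo "add: set ${name} ${value} -> ${file}"
}

# Make sguild load the web key pair by rewriting the hard-coded file names
# (first occurrence per line, as in the manual sed above). Skipped when the
# file already mentions wcert.pem; otherwise a second run would yield wwcert.pem.
rename_certs() {
  local file="$1"
  if grep -q 'wcert\.pem' "$file"; then
    echo "keep: ${file} already references wcert.pem"
    return 0
  fi
  sed -i -e 's/cert\.pem/wcert.pem/' -e 's/privkey\.pem/wprivkey.pem/' "$file"
  echo "edit: ${file} now loads wcert.pem / wprivkey.pem"
}

# Generate a self-signed key pair for the web listener, non-interactively.
# Without -days OpenSSL would issue a 30-day certificate; 365 is used here.
make_web_cert() {
  local dir="$1" cn="$2"
  mkdir -p "$dir"
  if [ -s "$dir/wcert.pem" ] && [ -s "$dir/wprivkey.pem" ]; then
    echo "keep: web key pair already present in ${dir}"
    return 0
  fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=${cn}" \
    -keyout "$dir/wprivkey.pem" -out "$dir/wcert.pem"
  chmod 600 "$dir/wprivkey.pem"
  echo "new: ${dir}/wcert.pem (CN=${cn}, 365 days)"
}

# Confirm something is really listening on the web port before opening a browser.
wait_for_port() {
  local port="$1" i=0
  while [ "$i" -lt 15 ]; do
    if ss -ltn | grep -q ":${port}[[:space:]]"; then
      return 0
    fi
    i=$((i + 1)); sleep 1
  done
  echo "sguild is not listening on ${port}; check sguild's log" >&2
  return 1
}

install_web_client() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
  [ -d "$SGUIL_SRC/.git" ] || git clone "$SGUIL_REPO" "$SGUIL_SRC"
  so-sguild-stop
  mkdir -p "$BACKUP_DIR"
  tar zcf "$BACKUP_DIR/sguild.$(date +%Y%m%d-%H%M%S).tgz" "$SGUILD_LIB" "$SGUILD_BIN"
  rsync -a "$SGUIL_SRC/server/lib/" "$SGUILD_LIB/"
  set_conf "$SGUILD_CONF" HTTPS 1
  set_conf "$SGUILD_CONF" HTTPS_PORT "$HTTPS_PORT"
  set_conf "$SGUILD_CONF" HTML_PATH "{$SGUIL_SRC/server/html}"
  rename_certs "$SGUILD_BIN"
  make_web_cert "$CERT_DIR" "$(hostname -f 2>/dev/null || hostname)"
  so-sguild-start
  wait_for_port "$HTTPS_PORT"
  echo "web client up: https://$(hostname):${HTTPS_PORT}/ (self-signed cert, expect a browser warning)"
}

# Only run the installer when asked, so the helpers can be sourced and tried
# on scratch files first.
if [ "${1:-}" = "install" ]; then
  install_web_client
fi
```

Run it as sudo ./web_sguil.sh install. The key pair, the config lines and the sed rewrite are all guarded, so running it a second time after a failed attempt is safe, and the final wait_for_port check catches the common case where sguild starts but the web listener never comes up because HTTPS_PORT is in use.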





After playing with the web client, I like that I no longer have to have a thick client and can log in from any device and browser.

I also wrapped the above commands into a very simple shell script so that it is easy to get operational.

https://github.com/bl4ck0ut/scripts/blob/master/web_sguil.sh 

You can also watch the script in action setting up the Sguil web client.




