One of the problems with using Sguil to do network forensics investigations is the client. You need to make sure that your system can support how it runs and it in the end is a think client. The nice thing about OSX is that is has wish installed so getting is running is as simple as running it but the other issue is client hangups etc.
Recently the author Bamm Visscher updated the code to include a web client on the server. In this post I am going to get it installed on a fresh install of Security Onion. One of the hurdles that you will have is that SO is already running a web server on 443 so we will have to make some modifications. Lets get started.
First you will need to clone the repo.
cd /opt/ && git clone https://github.com/bammv/sguil.git
This will place a fresh install in your opt directory where we will begin.
Lets stop sguil and do a quick little back up of you current files
sudo so-sguild-stop && mkdir /opt/sguil_bak && tar zcvf /opt/sguil_bak/lib.bak.tgz /usr/lib/sguild/ && tar zcvf /opt/sguil_bak/sguild.tgz /usr/bin/sguild
Now that we have our back up lets copy our lib files over
sudo rsync -avh /opt/sguil/server/lib/* /usr/lib/sguild/
Ok now lets edit the config. Note change 4433 to whatever port you want to use for the web page.
echo "set HTTPS 1" >> /etc/sguild/sguild.conf
echo "set HTTPS_PORT 4433" >> /etc/sguild/sguild.conf
echo "set HTML_PATH {/opt/sguil/server/html}" >> /etc/sguild/sguild.conf
Once we have the config in place we need to edit sguild really quick.
sed s/cert.pem/wcert.pem /usr/bin/sguildsed s/privkey.pem/wprivkey.pem /usr/bin/sguild
Last thing before we log into the console we need to generate the keys for the web service
sudo openssl req -newkey rsa:2048 -new -nodes -x650 -keyout /etc/sguild/certs/wprivkey.pem -out /etc/sguild/certs/wcert.pem
Now that everything is in place go ahead and fire up sguild
sudo so-sguild-start
You should see everything start ok. When this is done you can open up your browser and head to localhost:4433 or whatever you chose in the previous configs. You should be presented with your login. This is all the same information that you created while setting up SO. See below.
After playing with the web client I like the fact that I now no longer have to have a think client and can log in with any device and browser.
I also wrapped up the above commands into a very simple shell script so that its very easy to get operational.
https://github.com/bl4ck0ut/scripts/blob/master/web_sguil.sh
Also you can watch the script in action getting sguil web setup.
No comments:
Post a Comment