gamelinux / prads

Passive Real-time Asset Detection System

Home Page: http://gamelinux.github.com/prads/


Does PRADS track the TCP flags of both src and dst?

dougburks opened this issue · comments

In Sguil, I'm only seeing TCP flags for the source IP. Sent screenshot to Edward.

for the sancp output or the pads fifo?

Sancp output

On Friday, September 28, 2012, Kacper Why wrote:

for the sancp output or the pads fifo?



Doug Burks
http://securityonion.blogspot.com

if not, it prolly won't be too hard to get this working properly. if we combine with #19 by storing the whole initial packet, the initiator flags would be saved. we'd have to store the responder packet too to track tcp flags the other way

For my planning, are you able to provide an ETA for this? Thanks!

sorry, only provide ETA for business stuff and then usually kicking and screaming ;-)
with that being said, patches are graciously accepted

I looked into it some today and the output should have d_tcpFlags which are being logged.. so perhaps we're outputting them wrong for sguil. can you post the screenshot here?

Here's a screenshot:
http://security-onion.googlecode.com/files/prads_sancp_output_in_sguil.png

Every TCP connection that I've looked at shows Dest Flags Summary as blank.

If you'd like to see this for yourself, you can build a Security Onion 12.04 VM:
http://code.google.com/p/security-onion/wiki/Beta

Thanks!

I have a theory that you are getting a new connection in sguil. Prads registers a new connection on the SYN packet, in which case it does not know the destination tcp flags yet. hmmz design design.

Should we output a connection only when we see the synack?

But the Source Flags Summary is showing the FIN, SYN, PSH, ACK flags as being set at some point over the course of the connection. This sounds to me like a completed connection?

aye indeed. hmmz

Hm. My vm setup is b0rked atm so I can't try out the Security Onion offhand.
Still. There is a slight difference between how cxtracker and prads produce sguil-compatible output.

How have you set up sancp_agent to pick up the sancp output?

I'm running sancp_agent the same way I've always done with sancp. Here's the command line:

tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/hostname-int/sancp_agent.conf

sancp_agent.conf is as follows:

# DEBUG is VERY chatty. Use it only when needed (1=on, 0=off)
set DEBUG 1
# Run in background (1=yes, 0=no)
set DAEMON 0
# Name of sguild server
set SERVER_HOST localhost 
# Port sguild listens on for sensor connects
set SERVER_PORT 7736
# Local hostname (sensors monitoring multiple interfaces need to use a unique 'hostname' for each interface)
set HOSTNAME hostname-int
# The net id is used to correlate data from different agents. 
set NET_GROUP hostname-int 
# The root of your log dir for data like pcap, portscans, sessions, etc
set LOG_DIR /nsm/sensor_data 
# Enable sancp stats (1=enable 0=disable)
set SANCP 1
# Where stats from sancp are kept
set SANCP_DIR ${LOG_DIR}/${HOSTNAME}/sancp
# Keep a heartbeat going w/PING PONG in milliseconds. (0 to disable)
set PING_DELAY 300000 
# SANCP files
set SANCP_CHECK_DELAY_IN_MSECS 10000
set MAX_COPY 10

I took a look at the connection tracking output, the sancp output and what sguil is expecting.
sguild expects sancp to be configured this way:

format stats sancp_id,start_time_gmt,stop_time_gmt,duration,ip_proto,src_ip_decimal,src_port,dst_ip_decimal,dst_port,src_pkts,src_bytes,dst_pkts,dst_bytes,sflags,dflags

which is what I'm seeing on my end and what prads is outputting when asked through -L dir/
can you confirm that's what you are seeing in your output directory?

Here's an example of what I see in my output directory:

1351619482000063861|2012-10-30 17:51:22|2012-10-30 17:51:30|8|6|2915181871|443|3232292529|50521|7|143228|0|0|27|0

The format looks to be what sguild is expecting, but the dflags field is always 0.
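A small checker for records like the one above, added here as an example and not part of PRADS, sancp or sguil: it parses a pipe-separated stats line using the field order sguild expects, decodes the cumulative flag masks (assumed here to be the OR of the TCP header flag bytes, which matches 27 = FIN+SYN+PSH+ACK as described earlier in the thread), and reports TCP records where the source side ACKed but the destination side shows no packets and no flags at all.

```python
import ipaddress

# Field order taken from the "format stats" line sguild expects (quoted in this thread).
SANCP_FIELDS = ("sancp_id,start_time_gmt,stop_time_gmt,duration,ip_proto,"
                "src_ip_decimal,src_port,dst_ip_decimal,dst_port,src_pkts,"
                "src_bytes,dst_pkts,dst_bytes,sflags,dflags").split(",")

# TCP flag bits in header order (low bit = FIN). Assumption: sflags/dflags are the
# OR of every flag byte seen from that side over the life of the session.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

# Constructed copy of the record posted in this thread (pipe-separated fields).
SAMPLE_RECORD = ("1351619482000063861|2012-10-30 17:51:22|2012-10-30 17:51:30|8|6|"
                 "2915181871|443|3232292529|50521|7|143228|0|0|27|0")

def decode_flags(mask):
    """Return the flag names set in a cumulative sancp flags bitmask."""
    return [name for bit, name in TCP_FLAG_BITS if mask & bit]

def parse_record(line):
    """Parse one sancp stats line into a dict keyed by the sguild field names."""
    values = line.rstrip("\n").split("|")
    if len(values) != len(SANCP_FIELDS):
        raise ValueError(f"expected {len(SANCP_FIELDS)} fields, got {len(values)}")
    rec = dict(zip(SANCP_FIELDS, values))
    for key in ("duration", "ip_proto", "src_port", "dst_port", "src_pkts",
                "src_bytes", "dst_pkts", "dst_bytes", "sflags", "dflags"):
        rec[key] = int(rec[key])
    # sguild stores IPs as unsigned 32-bit decimals; convert for readability.
    rec["src_ip"] = str(ipaddress.IPv4Address(int(rec["src_ip_decimal"])))
    rec["dst_ip"] = str(ipaddress.IPv4Address(int(rec["dst_ip_decimal"])))
    rec["sflag_names"] = decode_flags(rec["sflags"])
    rec["dflag_names"] = decode_flags(rec["dflags"])
    return rec

def is_one_sided(rec):
    """True for a TCP record whose source side ACKed while the destination side
    shows no packets and no flags: the symptom discussed in this issue."""
    return (rec["ip_proto"] == 6 and "ACK" in rec["sflag_names"]
            and rec["dst_pkts"] == 0 and rec["dflags"] == 0)

if __name__ == "__main__":
    r = parse_record(SAMPLE_RECORD)
    print(r["src_ip"], r["src_port"], "->", r["dst_ip"], r["dst_port"])
    print("sflags:", r["sflag_names"], "dflags:", r["dflag_names"])
    print("one-sided record:", is_one_sided(r))
```

Running it over a whole `-L` output directory (one `parse_record` call per line) gives a quick count of how many sessions carry an empty destination side, which is a more useful bug report than a single screenshot.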

Looking better so far, thanks!