Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

Making Decisions with Sguil

Hopefully by now it's easy to appreciate the power of investigating events with Sguil. Navigating through a sea of full content, alert, and session data is not the end game, however. NSM is about providing actionable intelligence, or interpretations of indications and warnings, to decision makers. Sguil also helps us manage and classify the events occurring across our protected domains.

Sguil uses the following alert categories and associated function keys to mark alerts with those categories in its database.

  • F1: Category I: Unauthorized Root/Admin Access

  • F2: Category II: Unauthorized User Access

  • F3: Category III: Attempted Unauthorized Access

  • F4: Category IV: Successful Denial-of-Service Attack

  • F5: Category V: Poor Security Practice or Policy Violation

  • F6: Category VI: Reconnaissance/Probes/Scans

  • F7: Category VII: Virus Infection

  • F8: No action necessary

  • F9: Escalate

If analysts believe an alert indicates normal activity, they highlight the event and press the F8 key. If they believe the event indicates an event of categories I through VII, they mark the appropriate number. If they cannot make a decision, they escalate the alert by using the F9 key. Note that only alerts can be categorized; session data cannot be classified.

Assume the analyst in our scenario makes a few decisions such that several of the alerts previously shown have been marked using the appropriate function keys. Once the events are classified, they are marked in Sguil's MySQL database with the credentials of the classifying user and any comments he or she may have made. Aggregated events (i.e., those with CNT greater than 1) are all marked with the same category if the aggregated event is highlighted and classified. Figure 10.7 shows an excerpt from the results of the same query for events to or from 66.92.162.97.

10fig07.gifFigure 10.7 Query for events after classification

Notice the analyst has marked the LOCAL Incoming connection attempt port 22 TCP and WEB-MISC /~ftp access alerts as Category VI (reconnaissance events). The Web server's response (shown by ATTACK-RESPONSES 403 Forbidden) is NA for no action required. Typically NSM analysts mark target responses as NA when the event that prompted the response alert has a corresponding inbound alert, like the WEB-MISC items.

The second alert, for WEB-MISC /~root access, is marked ES for escalated. When an event is classified as escalated, it is moved to the Escalated Events tab. This tab appears near the top of the Sguil display, to the right of the RealTime Events tab. The Escalated Events tab is where more senior NSM analysts hang out. In a multitier NSM operation, front-line or tier-one analysts analyze and validate or escalate events in the RealTime Events tab. More experienced personnel handle everything else, placed in the Escalated Events tab by the tier-one personnel. Querying for the event history for this escalated alert reveals the annotations shown in Figure 10.8.

10fig08.gifFigure 10.8 Event history

Apparently user sguil first marked the event as a Category VI event, then changed her mind two minutes later. To regain access to the original alert for purposes of reclassification, she would have to run a new query for the alert in question. After the classified alert marked with event ID 1.73474 appeared in the query results window, she marked it escalated with the F9 key. All escalation classifications require a comment to assist the decision-making process of the senior engineers. We see the analyst wrote that this event "looks different from the others." In Sguil transcripts, the analyst sees that a Web request for /~root yields a response like this:

DST: You don't have permission to access /~root
DST: on this server.<P>

A query for a nonexistent user name like abelard triggers this response from the target:

DST: The requested URL /~abelard was not found on
     this server.<P>

By noting these differences, the intruder enumerates user accounts on the Web server.

Once the more experienced analyst decides on a course of action, he or she makes a new classification decision by using the appropriate function key.

  • + Share This
  • 🔖 Save To Your Account