Making Decisions with Sguil
Hopefully by now it's easy to appreciate the power of investigating events with Sguil. Navigating through a sea of full content, alert, and session data is not the end game, however. NSM is about providing actionable intelligence, or interpretations of indications and warnings, to decision makers. Sguil also helps us manage and classify the events occurring across our protected domains.
Sguil uses the following alert categories and associated function keys to mark alerts with those categories in its database.
F1: Category I: Unauthorized Root/Admin Access
F2: Category II: Unauthorized User Access
F3: Category III: Attempted Unauthorized Access
F4: Category IV: Successful Denial-of-Service Attack
F5: Category V: Poor Security Practice or Policy Violation
F6: Category VI: Reconnaissance/Probes/Scans
F7: Category VII: Virus Infection
F8: No action necessary
If analysts believe an alert indicates normal activity, they highlight the event and press the F8 key. If they believe the alert belongs to one of categories I through VII, they press the corresponding function key. If they cannot make a decision, they escalate the alert with the F9 key. Note that only alerts can be categorized; session data cannot be classified.
Assume the analyst in our scenario makes a few decisions such that several of the alerts previously shown have been marked using the appropriate function keys. Once the events are classified, they are marked in Sguil's MySQL database with the credentials of the classifying user and any comments he or she may have made. Aggregated events (i.e., those with CNT greater than 1) are all marked with the same category if the aggregated event is highlighted and classified. Figure 10.7 shows an excerpt from the results of the same query for events to or from 184.108.40.206.
Figure 10.7 Query for events after classification
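The classification workflow just described (one function key per category, aggregated CNT rows marked as a unit, each decision recorded with the classifying user and comment, escalation requiring a comment) can be modelled in a few dozen lines. The following Python is an added example written for this chapter, not Sguil's own code: the alert set, addresses and timestamps are constructed, and the numeric status codes are an assumption modelled on Sguil's status table, not values taken from the text.

```python
from dataclasses import dataclass
from datetime import datetime

# Function key -> (status code stored in the database, label shown in the GUI).
# The key-to-category mapping is the one listed in the text; the numeric codes
# are an assumption modelled on Sguil's status table.
KEY_STATUS = {
    "F1": (11, "Cat I"),    # Unauthorized Root/Admin Access
    "F2": (12, "Cat II"),   # Unauthorized User Access
    "F3": (13, "Cat III"),  # Attempted Unauthorized Access
    "F4": (14, "Cat IV"),   # Successful Denial-of-Service Attack
    "F5": (15, "Cat V"),    # Poor Security Practice or Policy Violation
    "F6": (16, "Cat VI"),   # Reconnaissance/Probes/Scans
    "F7": (17, "Cat VII"),  # Virus Infection
    "F8": (1, "NA"),        # No action necessary
    "F9": (2, "ES"),        # Escalated
}
REALTIME = 0  # unclassified alert, still shown in the RealTime Events tab


@dataclass
class Alert:
    event_id: str      # Sguil-style sid.cid, e.g. "1.73474"
    signature: str
    src: str
    dst: str
    status: int = REALTIME


@dataclass
class HistoryEntry:
    event_id: str
    user: str
    status: int
    when: datetime
    comment: str


class AlertStore:
    """Toy stand-in for Sguil's event and history tables (assumed model)."""

    def __init__(self, alerts):
        self.alerts = {a.event_id: a for a in alerts}
        self.history = []

    def aggregate_members(self, event_id):
        """Alerts the RealTime tab folds into one row with CNT > 1: same
        signature, source and destination, all still unclassified."""
        a = self.alerts[event_id]
        return [x for x in self.alerts.values()
                if x.status == REALTIME
                and (x.signature, x.src, x.dst) == (a.signature, a.src, a.dst)]

    def classify(self, event_id, key, user, comment="", when=None):
        """Apply a function key to an alert; return the event IDs marked."""
        if key not in KEY_STATUS:
            raise ValueError(f"unknown key {key}")
        status, _ = KEY_STATUS[key]
        if key == "F9" and not comment.strip():
            raise ValueError("escalation (F9) requires a comment")
        when = when or datetime.now()
        target = self.alerts[event_id]
        if target.status == REALTIME:
            members = self.aggregate_members(event_id)  # whole CNT row
        else:
            members = [target]  # re-queried alert, reclassified on its own
        for a in members:
            a.status = status
            self.history.append(HistoryEntry(a.event_id, user, status, when, comment))
        return sorted(a.event_id for a in members)

    def realtime(self):
        return sorted(a.event_id for a in self.alerts.values() if a.status == REALTIME)

    def escalated(self):
        es = KEY_STATUS["F9"][0]
        return sorted(a.event_id for a in self.alerts.values() if a.status == es)

    def event_history(self, event_id):
        return [h for h in self.history if h.event_id == event_id]


def demo():
    """Replay the chapter's scenario on constructed alerts and addresses."""
    probe, web = "198.51.100.7", "192.0.2.10"   # constructed, not from the text
    store = AlertStore([
        Alert("1.73470", "LOCAL Incoming connection attempt port 22 TCP", probe, web),
        Alert("1.73471", "LOCAL Incoming connection attempt port 22 TCP", probe, web),
        Alert("1.73472", "LOCAL Incoming connection attempt port 22 TCP", probe, web),
        Alert("1.73473", "WEB-MISC /~ftp access", probe, web),
        Alert("1.73474", "WEB-MISC /~root access", probe, web),
        Alert("1.73475", "ATTACK-RESPONSES 403 Forbidden", web, probe),
    ])
    t = datetime(2004, 3, 15, 10, 0, 0)
    store.classify("1.73470", "F6", "sguil", when=t)   # marks the whole CNT 3 row
    store.classify("1.73473", "F6", "sguil", when=t)
    store.classify("1.73475", "F8", "sguil", when=t)   # target response: NA
    store.classify("1.73474", "F6", "sguil", when=t)
    # Two minutes later, after re-querying, the alert is escalated with a comment.
    store.classify("1.73474", "F9", "sguil", "looks different from the others",
                   when=t.replace(minute=2))
    return store
```

Running `demo()` leaves the RealTime view empty, puts 1.73474 in the escalated set, and leaves a two-entry history (Cat VI, then ES with the comment) for that event, which is the record the senior analyst later reads.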
Notice the analyst has marked the LOCAL Incoming connection attempt port 22 TCP and WEB-MISC /~ftp access alerts as Category VI (reconnaissance events). The Web server's response (shown by ATTACK-RESPONSES 403 Forbidden) is marked NA, for no action required. Typically NSM analysts mark target responses as NA when the response alert has a corresponding inbound alert, like the WEB-MISC items.
The second alert, for WEB-MISC /~root access, is marked ES for escalated. When an event is classified as escalated, it is moved to the Escalated Events tab. This tab appears near the top of the Sguil display, to the right of the RealTime Events tab. The Escalated Events tab is where more senior NSM analysts hang out. In a multitier NSM operation, front-line or tier-one analysts analyze and validate or escalate events in the RealTime Events tab. More experienced personnel handle everything else, placed in the Escalated Events tab by the tier-one personnel. Querying for the event history for this escalated alert reveals the annotations shown in Figure 10.8.
Figure 10.8 Event history
Apparently user sguil first marked the event as a Category VI event, then changed her mind two minutes later. To regain access to the original alert for purposes of reclassification, she would have to run a new query for the alert in question. After the classified alert marked with event ID 1.73474 appeared in the query results window, she marked it escalated with the F9 key. All escalation classifications require a comment to assist the decision-making process of the senior engineers. We see the analyst wrote that this event "looks different from the others." In Sguil transcripts, the analyst sees that a Web request for /~root yields a response like this:
DST: You don't have permission to access /~root
DST: on this server.<P>
A query for a nonexistent user name like abelard triggers this response from the target:
DST: The requested URL /~abelard was not found on this server.<P>
By noting these differences, the intruder enumerates user accounts on the Web server.
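The 403-versus-404 difference is visible in the Web server's own access log as well as in Sguil transcripts, which makes it a simple thing to alert on. The following Python is an added example for this chapter, not code from the book or from Sguil: it parses constructed Apache combined-format log lines (sample data, not from the page), groups /~name requests by source, and reports any source that probed several distinct names in a short window and received differing status codes. Field names, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA combined-format access log; only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})(?:\s|$)'
)
# UserDir-style request: /~name, /~name/, /~name/index.html ...
USERDIR_RE = re.compile(r'^/~([A-Za-z0-9._-]+)')


def parse_line(line):
    """Return the fields the detector needs, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_userdir_enumeration(lines, min_names=3, window_seconds=600):
    """Report sources that requested at least min_names distinct /~name paths
    within any window_seconds span and saw more than one status code, i.e.
    the 403-versus-404 difference described in the text."""
    probes = defaultdict(list)                   # src -> [(ts, name, status)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = USERDIR_RE.match(rec["path"])
        if m:
            probes[rec["src"]].append((rec["ts"], m.group(1), rec["status"]))

    findings = {}
    for src, events in probes.items():
        events.sort()
        best = 0
        for i, (t0, _, _) in enumerate(events):  # distinct names per window
            names = {n for t, n, _ in events[i:]
                     if (t - t0).total_seconds() <= window_seconds}
            best = max(best, len(names))
        by_status = defaultdict(set)
        for _, name, status in events:
            by_status[status].add(name)
        if best >= min_names and len(by_status) >= 2:
            findings[src] = {
                "distinct_names": best,
                "by_status": {s: sorted(v) for s, v in by_status.items()},
                "first": events[0][0],
                "last": events[-1][0],
            }
    return findings


# Constructed sample log (not from the page): one host probing /~ names,
# one host browsing a real user directory.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Mar/2004:10:22:01 +0000] "GET /~root HTTP/1.0" 403 291
198.51.100.7 - - [15/Mar/2004:10:22:03 +0000] "GET /~ftp HTTP/1.0" 403 290
198.51.100.7 - - [15/Mar/2004:10:22:05 +0000] "GET /~abelard HTTP/1.0" 404 294
198.51.100.7 - - [15/Mar/2004:10:22:07 +0000] "GET /~heloise HTTP/1.0" 404 294
198.51.100.7 - - [15/Mar/2004:10:22:09 +0000] "GET /~www HTTP/1.0" 403 290
192.0.2.44 - - [15/Mar/2004:10:30:12 +0000] "GET /~alice/index.html HTTP/1.1" 200 1532
192.0.2.44 - - [15/Mar/2004:10:30:14 +0000] "GET /index.html HTTP/1.1" 200 2048
""".splitlines()


if __name__ == "__main__":
    for src, f in find_userdir_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {f['distinct_names']} names probed, responses {f['by_status']}")
```

On the sample data only 198.51.100.7 is flagged; the host that fetched a single existing user directory is not, because it probed one name and saw one status code. The mitigation side is as important as the detection: a server configured to answer unknown and forbidden user directories identically (or with UserDir disabled) removes the tell this check looks for.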
Once the more experienced analyst decides on a course of action, he or she makes a new classification decision by using the appropriate function key.