int13h / squert Goto Github PK

Input boxes can allow XSS.

Guys, I am trying to implement Squert in my enviroment, but I going through some problems in the configuring.

1. squert.sql don't create neither user_info nor history tables, so it can't run mysql script.
2. Working around these issues, I don't know how login in the Squert.

Could anybody help me?

Thanks!

http://www.openfpc.org/

bammv/sguil@3678b2a

On low resolution devices the sections expand outside of the viewable area.

Topic says it...in this install countries don't show up...the created map shows nothing, and the IP tab shows no countries. What could I have missed? Thanks.

Its not a huge deal but the scale looks terrible if a result is less than 10.

Perhaps this: http://code.google.com/p/wkhtmltopdf/

This is with the new one (didn't have permission to reopen the ticket:

Fetching AFRINIC Checksum..
Bookmark not found, Fetching AFRINIC Data.
Verifying transfer.. Looks good, processing..
can't read "countryArray(ZA)": no such element in array
while executing
"set answer $countryArray($cc)"
(procedure "cLong" line 4)
invoked from within
"cLong $cc"
(procedure "proData" line 46)
invoked from within
"proData $OUTFILE $fileID"
("foreach" body line 95)
invoked from within
"foreach site [list $site1 $site2 $site3 $site4 $site5] {

    set siteDesc [lindex $site 0]
    set siteLoc [lindex $site 1]
    set siteF..."
invoked from within

"if {$fail == "no"} {

### Open new result file for writing
set fileID [open $resultsFile "w"]

## Lets go!
foreach site [list $site1 $..."
(file "./ip2c.tcl" line 239)

Add summary reports.

It could look like this

http://flic.kr/p/9sM9gK http://flic.kr/p/9sM9gx

Also it would be nice to have Tooltips, zoom ...
but don’t know if it’s possible without java ….

Other graphs would be very useful too:

Top 10 – 100 most sessions established

Top 10 – 100 longest sessions

Top 10 – 100 largest amount of traffic sent per session

Top ports
etc.

Would love to see an option to just always have the rule source when we look at the packet detail. Also, would be neat if clicking on the packet detail could also drop/scroll down the detail instead of opening a new window.

Hi,

I get this timeout when using squert behind ftp/http/https proxy:

Populating SQueRT IP-to-country mappings...
AFRINIC timed out. Moving on..
APNIC timed out. Moving on..
ARIN timed out. Moving on..
LACNIC timed out. Moving on..
RIPE timed out. Moving on..
No new information exists, exiting.

Seems that ip2c.tcl use ftp tcl module that doesn't have proxy support and doesn't care about proxy settings in /etc/environment and/or .bashrc.
The only fix that I can see is rewriting ip2c.tcl with curl tcl module or http tcl module which both have proxy support.

Kind regards.

As far as I'm aware, you are only able to use one custom filter in the new filter system. I've tried chaining them with ,, and, and &&, but the first filter is always the one which is applied.

When a transcript is requested the event timestamp as seen in the interface is used. If a user supplied offset is in place transcript requests will fail (PCAPS are in UTC)

These should definitely be clickable. Maybe a sub that lists those addresses with associated distinct signature counts; drill down from there.

Long country names should have a cr/lf so as not to overwrite the pie chart.

http://i290.photobucket.com/albums/ll269/DigiDemon/Screenshot2011-07-30at63146PM.png

James

Yea...it's a beefy request ;) Reason is, the sguil client runs TERRIBLE on Mac...I think it's due to how tcl is implemented on Mac...but it's pretty bad. The more database manipulation I can do, the better.

I'll post some images to better demonstrate the issue.

Here's a selection of SNMP events between 2 nodes from sunday:
(608 events)

Here's a selection of SNMP events between the same nodes on monday:
(1524 events)

now, having sunday as the selected date/timeframe, select all the events (608):

and press F8 to dismiss them:

all 608 sunday events were classified.

But what happened to the same type events on monday between the same nodes?
Let's check:

...they were all classified as well, even though they were not included in the classification selection.

When the comment box is opened it should contain a 'quick pick' list of objects (ip,port,sid,sig etc) for the current context. When clicked they would be added to the comment text.

Would be nice....sometimes someone say...installs the Ask Toolbar....totally whacks out stats since it's so wordy. Would be nice to just click and delete.

Low priority. Currently I print both the Summary and IP tabs to PDF. For the Summary, I have to edit out (YAY InkScape) everything above the word "Brief". For the IP tab, everything above "Top Source IP's". Would be neat to have a view printable option to print and give to the boss :) Thanks for your hard work on this.

In the 0.9.4 branch, the .inc/rule.php will output snort rules without sanitation. Some of the rules contain HTML tags such as <script> so the browser interprets this information as HTML and you are unable to see the complete definition of the rule. Using the htmlspecialchars function corrects the rule so it can be displayed by the browser properly.

This database is more detailed and APIs are available which should increase performance as well.

Topic says it....I usually don't escalate events, but did today. Both query and Event Distribution by Category don't show it.

Does anyone notice there a problem using Squert with Safari on OSX since version 1.2 ? The front page simply doesn't load properly after login (see image)

I upgraded to commit d99e036 from 2014-04-28, and have lost the ability to double click to highlight/copy text. I've tried Firefox and Chrome so far. Anyone else experiencing this?

As long as we have a valid session allow requests from other sources.

I guess this is just a documentation error.

On the filters help, status is indicated as one of the available fields to be used.

Using "status" as a field (ex: "filter": "(event.status = $)" ) doesn't work.
There's probably another table with a status field in the query result.

event.status must be used as a field.

Make it so that EDV (link graphs) can be called by any object

Logic issues, shift clicking goes haywire if items have been resorted after load

OSSEC events have their (very relevant) details in the payload.
But Squert is not showing the payload of OSSEC events. The check for the existence of payload is not taking the format of OSSEC events into account.

I'm sure there are better ways to do it, but for the sake of testing, here's a very dirty hack to show OSSEC event payload/details in Squert:

In squert.js at line 1632,
replace:
if (!theData[2]) {
p_hex = "No Data Sent.";
p_ascii = "No Data Sent.";
} else {
p_pl = theData[1].data_payload;
p_length = theData[1].data_payload.length;

with:
if (!theData[2] && !theData[1].data_payload) {
p_hex = "No Data Sent.";
p_ascii = "No Data Sent.";
} else {
if (!theData[1].data_payload) {
p_pl = theData[2].data_payload;
p_length = theData[2].data_payload.length;
} else {
p_pl = theData[1].data_payload;
p_length = theData[1].data_payload.length;
}

The sql table creation statement for the user_info table is missing in the given .sql file.

Seems like the table looks rudimentary like:

CREATE TABLE `user_info` (
  `userid` smallint(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(25) NOT NULL,
  `lastlogin` timestamp NULL DEFAULT NULL,
  `userhash` varchar(50) DEFAULT NULL,
  `email` varchar(320) NOT NULL DEFAULT 'none',
  `TYPE` enum('ADMIN','USER') NOT NULL DEFAULT 'USER',
  `timeout` smallint(5) unsigned NOT NULL DEFAULT '5000',
  PRIMARY KEY (`userid`,`username`)
)

The check for the existance of the countryArray variable should be done without the $ sign, orelse it will always fail.

in ip2c.tcl at line 184,
if { $cc != "" && [info exists $countryArray($cc)] } {

should be
if { $cc != "" && [info exists countryArray($cc)] } {

As it is, the db tables will be populated with 'Unknown" for the country names.

Tnx,
Pedro Simoes

Provide mechanism to accept IP bad/good host lists.

How hard would it be to make it so if user 1 logged in they could only view data from sensor 1 and if user 2 logs in they can only view data from sensor 2 etc? Please let me know. Thanks!

Hey all.

So I'm adding c=US under the Exclude area on the Query tab. Results still show United States. Any help in what I can do to fix this? Thanks.

James

Can you leave a version of 1.0 up?

So...I know this is a timezone issue. I'm not able to run in UTC. So...I'm wondering where/what I need to do to get things on the same page. SQueRT reports:

Last Event: 11-09-30 11:09:39 (5.99 hours ago)

So I know something thinks it's GMT...question is what thinks that? Barnyard2? Sguild? The snort_agent? Need some guidance as I just can't seem to find it. Thank you.

James

If events are selected and classed in level 3 they need to be removed from the level 2 SCID list (tied to chk_all).

If the checkbox is ticked and a classification action is performed after events are classified in L3 (but before the current view is destroyed) these previously classified events will be reclassified.

Provide undo link after classification action

My session seems to timeout fairly quickly having me to relogin. Any way I can change this to a longer time? Thanks.