Feeding ModSecurity Alerts into Sguil

ModSecurity alerts can be fed into Sguil by using the modsec2sguil program. It acts as a drop-in replacement for barnyard.


Sguil Setup

Set up a Sguil sensor_agent with a unique sensorname. Disable all Snort-specific options such as sessions, sancp and portscans. Start it and make sure you see it online in the Sguil client.

Apache setup

The following assumes that Apache logs to /var/log/apache2/ and that ModSecurity concurrent logging writes to /var/log/apache2/audit_log/data/

Step 1. Create the directory /var/log/apache2/audit_log/data/queue

Step 2. Put this in your Apache configuration:

SecAuditLogType Concurrent

SecAuditLogStorageDir /var/log/apache2/audit_log/data/

SecAuditLog "|/path/to/ /var/log/apache2/audit_log/data/ /var/log/apache2/audit_log/index"

SecAuditLogParts ABCDEFGHZ

Step 3. Restart Apache. You should see symbolic links appear in the queue directory. Depending on your setup they may appear on ordinary web server visits, or you may have to run a tool like nikto to trigger events.

Putting it together

Next, use to connect to Sguil. It is run as follows: -n <sensorname> -l /var/log/apache2/audit_log/data/queue/

The script enters an endless loop in which it continuously checks for new alert files in the queue directory. Press Ctrl-C to stop it.
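As an added illustration (not modsec2sguil's own code), here is a Python sketch of the two things the loop above relies on: parsing one ModSecurity concurrent audit entry (each transaction is its own file, with parts separated by boundary lines: A holds the timestamp and client/server endpoints, B the request, H the rule messages, Z terminates the entry) and draining the queue directory of symlinks that point at those files. The sample entry, its boundary token, the rule ids, the polling pass and the removal of each symlink after processing are all constructed assumptions.

```python
import os
import re
import tempfile

# Constructed ModSecurity concurrent audit-log entry (parts A, B, H and the Z terminator).
SAMPLE_ENTRY = """--c0a8f1d2-A--
[10/Oct/2023:12:00:00 +0000] AbCdEf123456 192.0.2.10 51234 198.51.100.5 80
--c0a8f1d2-B--
GET /index.php?id=1%27 HTTP/1.1
--c0a8f1d2-H--
Message: Warning. Pattern match "'" at ARGS:id. [id "100001"] [msg "Example rule match"] [severity "WARNING"]
Message: Access denied with code 403 (phase 2). [id "100002"] [msg "Example deny"] [severity "CRITICAL"]
--c0a8f1d2-Z--
"""
PART_RE = re.compile(r"^--[0-9a-f]+-([A-Z])--$", re.M)  # boundary line that opens each part
TAG_RE = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')  # [id "..."] tags in part H messages

def parse_entry(text):
    """Return endpoints, request line and rule messages, or None if part A or Z is missing."""
    pieces = PART_RE.split(text)  # ['', 'A', bodyA, 'B', bodyB, ..., 'Z', tail]
    parts = {pieces[i]: pieces[i + 1].strip() for i in range(1, len(pieces) - 1, 2)}
    if "A" not in parts or "Z" not in parts:
        return None  # Z is written last, so its absence means the entry is still incomplete
    ts, uid, src, sport, dst, dport = parts["A"].rsplit(" ", 5)
    alerts = [dict(TAG_RE.findall(line)) for line in parts.get("H", "").splitlines()
              if line.startswith("Message:")]
    return {"timestamp": ts.strip("[]"), "unique_id": uid,
            "src_ip": src, "src_port": int(sport), "dst_ip": dst, "dst_port": int(dport),
            "request": parts.get("B", "").partition("\n")[0], "alerts": alerts}

def drain_queue(queue_dir, handler):
    """One polling pass: parse each linked file, pass it to handler, then drop the symlink."""
    for name in sorted(os.listdir(queue_dir)):
        link = os.path.join(queue_dir, name)
        with open(link, encoding="utf-8", errors="replace") as fh:
            entry = parse_entry(fh.read())
        if entry is None:
            continue  # still being written by Apache; pick it up on the next pass
        handler(entry)
        os.unlink(link)  # assumed behaviour: remove the queue symlink, keep the real audit file

def demo_queue():
    base, queue = tempfile.mkdtemp(), tempfile.mkdtemp()  # stand-ins for data/ and data/queue/
    real = os.path.join(base, "AbCdEf123456")
    with open(real, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ENTRY)
    os.symlink(real, os.path.join(queue, "AbCdEf123456"))
    seen = []
    drain_queue(queue, seen.append)
    return seen, os.listdir(queue)
```

A real poller would call drain_queue in a loop with a short sleep and forward each parsed entry to the Sguil sensor_agent.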