Sguil: full content logging in combination with Snort_inline
Just spent some time trying to get the transcripts part of Sguil working with my Snort_inline sensor. Without an obvious clue it returned no data for every alert that was received. After much trial and error, and especially much help by Bamm Visscher on IRC, I noticed that I recorded the full packet data from my ppp0 device. Then I remembered issues I had before with that, namely that the logging occurs after NAT. Snort_inline, however, gets the packets from the system before NAT. That results in a mismatch causing the sensor not to be able to provide the transcript requested. Changing the interface from which the full packets are recorded to eth0 solved the problem!
Partially, that is. Because I have multiple Ethernet adapters in the firewall serving multiple network segments, the problem is not entirely solved yet. Eth0 is covered, but what about eth1? Running log_packets.sh twice won’t work, because it can only run once per sensor (not to be confused with once per box), and the snort_inline process is one sensor for all NICs. Using -i any will work, but is messy, because all NATed connections will be recorded twice, once from before NAT and once from after. On #snort-gui it was suggested to check out adapter bonding. This, it turns out, only works for adapters on the same segment. In some forum I found via Google it was suggested to use -i any but filter on the MAC address of the Ethernet adapters. When I brought that up on #snort-gui, Bamm Visscher suggested just filtering on the external IP address. That seems to work fine…
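To make the mismatch concrete, here is a small added example (not code from the post, Sguil or Snort_inline) that models what the post describes: Snort_inline sees forwarded packets before NAT, so its alerts carry the internal address, while a logger on ppp0 records the same packets after NAT with the external address. A transcript lookup keyed on the alert's 5-tuple therefore finds nothing in the ppp0 log. Capturing with -i any records both copies; the example then applies the equivalent of a BPF `not host <external IP>` filter, which I assume is the filter meant above, to keep only the pre-NAT copies that match the alerts. All addresses, interface names and the alert are constructed for illustration.

```python
"""Pre-NAT alerts versus post-NAT packet logs (added illustration).

Models a firewall with internal adapters (eth0/eth1) and an external ppp0
adapter doing source NAT. Snort_inline inspects forwarded packets before
NAT; the full-content logger may record them before or after NAT depending
on the interface it listens on. Addresses below are constructed examples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    iface: str          # interface the frame was captured on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow(self):
        """Direction-independent 5-tuple, the key a transcript lookup uses."""
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


# Constructed addresses (documentation ranges, not real hosts)
EXT_IP = "203.0.113.10"     # firewall's external (ppp0) address
LAN_IP = "192.168.1.20"     # client on the eth1 segment
SERVER = "198.51.100.5"     # remote web server

# One outbound connection as a logger running with "-i any" would see it:
# once on the internal segment (pre-NAT) and once on ppp0 (post-NAT).
CAPTURED_ANY = [
    Frame("eth1", LAN_IP, 40123, SERVER, 80),      # pre-NAT, what Snort_inline sees
    Frame("eth1", SERVER, 80, LAN_IP, 40123),
    Frame("ppp0", EXT_IP, 40123, SERVER, 80),      # post-NAT, source rewritten
    Frame("ppp0", SERVER, 80, EXT_IP, 40123),
]

# Alert from Snort_inline: pre-NAT addresses (constructed)
ALERT = Frame("snort_inline", LAN_IP, 40123, SERVER, 80)


def transcript(alert, frames):
    """Frames whose 5-tuple matches the alert; empty when the log was taken
    on the wrong side of NAT."""
    return [f for f in frames if f.flow() == alert.flow()]


def exclude_external(frames, ext_ip):
    """Equivalent of the BPF filter 'not host <ext_ip>': drops the post-NAT
    copies so each connection is logged once, in the form the alerts use.
    Assumption: this is the filter the post refers to."""
    return [f for f in frames if ext_ip not in (f.src, f.dst)]


def distinct_flows(frames):
    """How many distinct 5-tuples the log contains; with unfiltered '-i any'
    a single NATed connection shows up as two."""
    return {f.flow() for f in frames}


if __name__ == "__main__":
    ppp0_only = [f for f in CAPTURED_ANY if f.iface == "ppp0"]
    print("transcript from ppp0 log:", transcript(ALERT, ppp0_only))
    print("flows in unfiltered -i any log:", len(distinct_flows(CAPTURED_ANY)))
    kept = exclude_external(CAPTURED_ANY, EXT_IP)
    print("flows after 'not host EXT_IP':", len(distinct_flows(kept)))
    print("transcript from filtered log:", transcript(ALERT, kept))
```

The same reasoning applies to several internal adapters: every pre-NAT copy, whichever internal NIC it arrived on, carries the addresses Snort_inline alerted on, so excluding the external address is enough to keep the log consistent with the sensor's view.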