Squert

Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.

http://www.squertproject.org/

Sguil

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).

Sguil is a built-in component of Security Onion and is its primary analyst console for security monitoring. For event analysis, correlation and review it remains one of the most powerful and capable free solutions available.

http://sguil.sourceforge.net/

Locate Devices on Your Network

Presentation

The ability to know when new devices are added to your network, inventory those devices, and locate them is one of the best controls to implement for network security. This guide will go through the process of how I locate unknown and newly discovered devices on my network.

Prerequisites

You will need CLI access to your managed switches to locate the devices you discover. You will also need a way to actively scan your network. The best free way is nmap (an ARP ping sweep of each local subnet is the quickest way to collect MAC addresses, since nmap only sees a MAC for hosts on the same Layer 2 segment), but covering a large network this way is time consuming. I prefer an active network scanner such as Nessus and/or a passive network scanner like Nessus Network Monitor.
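As an added example (not the page's own tooling), here is a small Python script that turns an nmap ping sweep into a new-device report by comparing the MAC addresses nmap saw against an inventory file. It assumes the sweep was run as root with XML output (nmap -sn -oX - <targets>), because nmap reports a MAC only for hosts it could ARP-scan on a local segment; the scan output and the inventory below are constructed sample data.

```python
"""Report live hosts whose MAC address is not in the asset inventory.

Added example, not code from the original page. Input is the XML output of
'nmap -sn -oX - <targets>' run as root, so that hosts on the local segment
carry an <address addrtype="mac"> element. The scan output and the inventory
below are constructed sample data.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed 'nmap -sn -oX -' output: three local hosts with MACs, one host
# behind a router (no MAC visible), one host that did not answer.
NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.0.2.0/24 198.51.100.9">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac" vendor="Cisco Systems"/>
<hostnames><hostname name="gw.example.com" type="PTR"/></hostnames>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="B8:27:EB:01:02:03" addrtype="mac" vendor="Raspberry Pi Foundation"/>
<hostnames/>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.77" addrtype="ipv4"/>
<address addr="6C:62:0D:AA:BB:CC" addrtype="mac"/>
<hostnames/>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="198.51.100.9" addrtype="ipv4"/>
<hostnames/>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.200" addrtype="ipv4"/>
</host>
</nmaprun>
"""

# Constructed inventory; any CSV with a 'mac' column will do.
INVENTORY_CSV = """\
mac,hostname,owner
00:11:22:33:44:55,gw.example.com,netops
B8-27-EB-01-02-03,sensor-01,secops
"""


def normalize_mac(mac):
    """12 lowercase hex digits, whatever separator the source used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_nmap_xml(xml_text):
    """One dict per host nmap reported as up: ip, mac, vendor, hostname."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        rec = {"ip": None, "mac": None, "vendor": None, "hostname": None}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"] = normalize_mac(addr.get("addr"))
                rec["vendor"] = addr.get("vendor")
        name = host.find("hostnames/hostname")
        if name is not None:
            rec["hostname"] = name.get("name")
        hosts.append(rec)
    return hosts


def load_inventory(csv_text):
    """Inventory keyed by normalized MAC so separator style does not matter."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def classify(hosts, inventory):
    """Split live hosts into known, unknown, and no_mac (seen only at Layer 3)."""
    report = {"known": [], "unknown": [], "no_mac": []}
    for h in hosts:
        if h["mac"] is None:
            # Reached through a router or scanned unprivileged: nmap cannot
            # see the MAC, so this host must be identified another way.
            report["no_mac"].append(h)
        elif h["mac"] in inventory:
            report["known"].append(h)
        else:
            report["unknown"].append(h)
    return report


if __name__ == "__main__":
    report = classify(parse_nmap_xml(NMAP_XML), load_inventory(INVENTORY_CSV))
    for h in report["unknown"]:
        print(f"NEW DEVICE {h['ip']} mac={h['mac']} vendor={h['vendor']}")
    for h in report["no_mac"]:
        print(f"UNIDENTIFIED {h['ip']} (no MAC seen; not on a local segment)")
```

The unknown list is what feeds the switch walk below; the no_mac list is the gap a Layer 3 sweep leaves, which is why a passive sensor or a scan from each segment is worth having.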

Nessus Scanning

If your company has funds for security products I highly suggest purchasing Tenable's Nessus products for both passive and active scanning. Please refer to Tenable's website to set up these scanners.

Physically Locating Devices

When I find devices on my network that are not in inventory, or that the passive scanner reports as newly discovered, I go directly to my core switches and search for the MAC address. Nessus Network Monitor is excellent at giving you the MAC address of newly discovered devices. On my core switch I run the command below. Most Cisco IOS images take the address in dotted-hex form (6c62.xxxx.xxxx) rather than with colons, and table entries age out (300 seconds by default on IOS), so a quiet device may need to be pinged before it shows up.

CoreSW# show mac address-table address 6c:62:xx:xx:xx:xx 

Vlan Mac Address        Type      Ports
---- -----------        --------  -----
 100 6c:62:xx:xx:xx:xx  DYNAMIC   Te1/1/2
Total Mac Addresses for this criterion: 1

That tells you the port, but on a core switch the port is usually a trunk to another switch rather than the device itself. Find out what is on the other end of that port with the command below (show lldp neighbors gives the same view for non-Cisco switches that speak LLDP).

CoreSW# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID           Local Intrfce   Holdtme   Capability   Platform    Port ID
Stack.xxxxxxxx.com
                    Ten 1/1/2       165       R S I        WS-C3850-   Ten 1/0/8

From this information you would then go to the device listed as connected to our CoreSW on Te1/1/2, which is the Stack.xxxxxx.com device, and run the same two commands there. Repeat these steps until the MAC address is learned on a port with no switch behind it (no CDP or LLDP neighbor); that is the port the device is connected to.

Once the end port is found you can locate the physical device by tracing out the cable from that port, or, if the cable plant is not documented, by shutting the port down and finding the device that has lost its connection. Shutting a port is disruptive and tells whoever owns the device that they have been noticed, so check the port description, the patch panel labels and the switch's CDP/LLDP view first.
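The "repeat these steps" loop above is mechanical, so here is an added Python example (not the page's own tooling) that parses the text of the two commands, show mac address-table address and show cdp neighbors, and decides whether the port that learned the MAC is an uplink to another switch (keep walking) or an edge port (stop and trace the cable). Hostnames, MAC addresses and command output are constructed, and the CDP Platform column is assumed to contain no spaces.

```python
"""Decide the next hop when tracing a MAC address through Cisco switches.

Added example, not code from the original page. It parses the text of the two
commands used above ('show mac address-table address <mac>', 'show cdp
neighbors') and says whether the port that learned the MAC is an uplink to
another switch (keep walking) or an edge port (stop and trace the cable).
Hostnames, MACs and output are constructed; 'Platform' is assumed space-free.
"""
import re

# Constructed output of: CoreSW# show mac address-table address 6c62.1234.abcd
MAC_TABLE = """\
Vlan Mac Address        Type      Ports
---- -----------        --------  -----
 100 6c62.1234.abcd     DYNAMIC   Te1/1/2
Total Mac Addresses for this criterion: 1
"""

# Constructed output of: CoreSW# show cdp neighbors (IOS wraps a long Device ID
# onto its own line, as in the real output above).
CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Stack.example.com
                 Ten 1/1/2         165        R S I       WS-C3850- Ten 1/0/8
SEP001122334455  Gig 1/0/12        143        H P         CP-7961G  Port 1
"""

# Constructed output for a MAC learned on an access port with no CDP neighbor.
EDGE_MAC_TABLE = """\
Vlan Mac Address        Type      Ports
---- -----------        --------  -----
 100 b827.eb01.0203     DYNAMIC   Gi1/0/7
"""


def normalize_mac(mac):
    """12 lowercase hex digits for any common MAC spelling (colon, dash, dot)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def canon_interface(name):
    """'Ten 1/1/2', 'TenGigabitEthernet1/1/2' and 'Te1/1/2' all -> 'te1/1/2'."""
    m = re.match(r"\s*([A-Za-z]+)\s*([\d/.]+)", name)
    if not m:
        raise ValueError(f"not an interface name: {name!r}")
    return m.group(1).lower()[:2] + m.group(2)


def parse_mac_table(text):
    """Data rows of 'show mac address-table'; header and footer are skipped."""
    row = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]+)\s+(\w+)\s+(\S+)\s*$")
    entries = []
    for line in text.splitlines():
        m = row.match(line)
        if m:
            entries.append({"vlan": int(m.group(1)), "mac": normalize_mac(m.group(2)),
                            "type": m.group(3), "port": canon_interface(m.group(4))})
    return entries


def parse_cdp_neighbors(text):
    """Data rows of 'show cdp neighbors', joining a wrapped Device ID to its row."""
    row = re.compile(
        r"^(?P<dev>\S+)?\s+(?P<local>[A-Za-z]+ ?[\d/.]+)\s+(?P<hold>\d+)\s+"
        r"(?P<caps>(?:[A-Za-z]\s)+)\s*(?P<platform>\S+)\s+(?P<remote>\S.*?)\s*$")
    body = text.split("Device ID", 1)[1].splitlines()[1:]  # rows after the header
    neighbors, pending = [], None
    for line in body:
        m = row.match(line)
        if not m:
            pending = line.strip() or pending  # Device ID alone; data on next line
            continue
        neighbors.append({"device": m.group("dev") or pending,
                          "local": canon_interface(m.group("local")),
                          "caps": set(m.group("caps").split()),
                          "platform": m.group("platform"),
                          "remote": m.group("remote")})
        pending = None
    return neighbors


def next_hop(mac, mac_table_text, cdp_text):
    """'walk' to the neighbor switch, stop at an 'edge' port, or 'absent' when
    this switch never learned the MAC (aged out, wrong VLAN, not behind it)."""
    wanted = normalize_mac(mac)
    hits = [e for e in parse_mac_table(mac_table_text) if e["mac"] == wanted]
    if not hits:
        return {"action": "absent", "mac": wanted}
    port = hits[0]["port"]
    for n in parse_cdp_neighbors(cdp_text):
        # Walk only to a neighbor advertising the Switch capability; an IP
        # phone (H P) is the edge even when a PC is daisy-chained behind it.
        if n["local"] == port and "S" in n["caps"]:
            return {"action": "walk", "port": port,
                    "neighbor": n["device"], "neighbor_port": n["remote"]}
    return {"action": "edge", "port": port, "vlan": hits[0]["vlan"]}
```

Feed next_hop the two outputs captured from one switch; a "walk" result names the switch to log in to next, and the loop ends at "edge". A port with many MACs and no CDP neighbor usually means an unmanaged switch or hub hanging off that port, which this parser cannot see past.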

Kismet

Kismet is an 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It will work with any wireless card that supports raw monitoring (rfmon) mode, and can sniff 802.11a/b/g/n traffic.

Kismet is part of Kali Linux but can be installed on various Linux operating systems.

To install Kismet from source (the tarball linked from https://openmaniak.com/kismet_install.php is the old 2007-10-R1 release, and these are its build steps; the make target that installs the capture helper setuid is suidinstall):

tar -xvf kismet-2007-10-R1.tar.gz
cd kismet-2007-10-R1
./configure
make dep
make
make suidinstall

or the easy way

root@kali:~# apt-get install kismet

Kismet Usage

root@kali:~# kismet

Start the Kismet server, using the wireless interface as the capture source (-c wlan0) and gpsd as the GPS source (--use-gpsd-gps):

kismet_server -c wlan0 --use-gpsd-gps

This is the older Kismet command set, where kismet_server and kismet_client are separate programs. Kismet releases since 2018 ship a single kismet binary with a web interface; the capture source is still given the same way (kismet -c wlan0).