Tuesday, May 17, 2022

SecurityOnion@Home: Sostat

If you haven't noticed, my attention span jumps around a bit. It's currently focused on SecurityOnion 2.3, but I fall down a lot of rabbit holes, and today sostat is what I was curious about. With that said, sostat is one of the scripts I currently miss after moving from 16.04. It was widely used by the remote teams for troubleshooting: with a copy of sostat and maybe a few other choice logs, it was easy to diagnose what was wrong with a remote system.

I know there is a task in the backlog to re-add sostat, which would be great. Until then, I had some time and started trying to re-create the magic. It's not very good, but it gets the job done. I'm still struggling to get Stenographer stats out of the log file (I need some learning on cat/awk).

Most of it was just taking the 16.04 sostat and replaying it on my 2.3 box, locating the new file locations, and changing a few things.

A few things I noticed so far, based on the 16.04 sostat (most of these I asked about on the GitHub Discussion to validate in the last day or so):

  1. No sensortab file 
  2. No securityonion.conf
  3. No interfaces folder breakouts (Per PCAP/Suricata)
  4. I see mysql, but there is no mysql command (Do Uncategorized events exist?)

Easy ones to move over were (may not be 100% the same, or correct):

  • so-status 
  • Link Statistics
  • Disk Space
  • CPU Usage
  • Version Info - Changed to:  cat /etc/soversion
  • Zeek Packet - Changed to so-zeek-status (Might not be 100% the same)
  • Suricata Packet Drops - Changed LATEST_STATS to grep /opt/so/log/suricata.stats.log (Seems to work)
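As an added example (this is my illustration, not code from the original post, from the 16.04 sostat, or from Security Onion), here is the Suricata packet-drop check done with awk against the stats log, which is the part of this list that "seems to work" with a grep. Suricata appends a new counter table to stats.log every stats interval, so the last `capture.kernel_packets` / `capture.kernel_drops` rows are the current ones; the sample stats file below is constructed inline so the script runs offline, and the path `/opt/so/log/suricata/stats.log` in the comments is an assumption about where the log lives on a 2.3 sensor.

```shell
#!/bin/sh
# Added example: compute Suricata packet drops from stats.log.
# Not from the original post or from Security Onion; the real file on a
# sensor is assumed to be /opt/so/log/suricata/stats.log.

# Print "<packets> <drops> <percent>" for the LAST counter table in the
# file.  Only the "Total" rows are used so per-thread rows (W#01-eth0 ...)
# do not overwrite the aggregate when per-thread stats are enabled.
suricata_drops() {
    awk -F'|' '
        /^capture\.kernel_packets/ && $2 ~ /Total/ { gsub(/[ \t\r]/, "", $3); pkts  = $3 + 0 }
        /^capture\.kernel_drops/   && $2 ~ /Total/ { gsub(/[ \t\r]/, "", $3); drops = $3 + 0 }
        END {
            if (pkts == "") { print "no capture counters found" > "/dev/stderr"; exit 1 }
            pct = (pkts > 0) ? drops * 100 / pkts : 0
            printf "%d %d %.2f\n", pkts, drops, pct
        }' "$1"
}

# Exit 0 when the drop percentage is at or above the threshold, 1 when it is
# below, 2 when the counters could not be read.  Useful for flagging one
# sensor out of a pile of collected sostat outputs.
drops_exceed() {
    pct="$(suricata_drops "$1" | awk '{ print $3 }')" || return 2
    [ -n "$pct" ] || return 2
    awk -v p="$pct" -v t="$2" 'BEGIN { exit !(p >= t) }'
}

# Constructed sample stats.log with two counter tables; the second (newer)
# table is the one the check must report.
SAMPLE_STATS="$(mktemp)"
cat > "$SAMPLE_STATS" <<'EOF'
------------------------------------------------------------------------------------
Date: 5/17/2022 -- 12:00:08 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 1000
capture.kernel_drops                          | Total                     | 10
decoder.pkts                                  | Total                     | 990
------------------------------------------------------------------------------------
Date: 5/17/2022 -- 12:00:16 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | W#01-eth0                 | 250000
capture.kernel_drops                          | W#01-eth0                 | 500
capture.kernel_packets                        | Total                     | 250000
capture.kernel_drops                          | Total                     | 500
decoder.pkts                                  | Total                     | 249500
EOF

# Stand-alone run: prints "250000 500 0.20" for the constructed file.
echo "Suricata Packet Drops (packets drops pct):"
suricata_drops "$SAMPLE_STATS"
```

On a live sensor, point `suricata_drops` at the real stats.log and drop the mktemp block; the `drops_exceed` return code is what you would key a "needs a look" line on in the sostat output.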

Ones that I could not figure out:
  • Stenographer - Tried to compare to the netsniff block (I need to remind myself about sed/awk, I think)
  • Network Sockets - No lsof on SecurityOnion 2.3
  • Top 20 Alerts/Uncategorized 
  • Log Archive - Doesn't look like it breaks out daily logs.

A preview of the tail end of it for now:




