Archive

Archive for the ‘Tools’ Category

Sguil database schema

April 7th, 2010 Comments off

I can’t find this anywhere else, so I’m just going to quickly throw it up here. These are the tables and columns of a Sguil database. I think there are some extra tables (nessus, etc.) because this is from running a SecurityOnion live CD which uses NSMNow to do the Sguil setup.  Also Sguil seems to copy the following tables for each date and sensor: data, event, icmphdr, sancp, tcphdr, and udphdr, e.g. each day it will make data_sensorname_20100407.

Database: server1_db
+--------------------------+
|          Tables          |
+--------------------------+
| data                     |
| event                    |
| history                  |
| icmphdr                  |
| nessus                   |
| nessus_data              |
| pads                     |
| portscan                 |
| sancp                    |
| sensor                   |
| status                   |
| tcphdr                   |
| udphdr                   |
| user_info                |
| version                  |
+--------------------------+
Database: server1_db  Table: data
+--------------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field        | Type             | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+--------------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| sid          | int(10) unsigned |                   | NO   | MUL |         |       | select,insert,update,references |         |
| cid          | int(10) unsigned |                   | NO   |     |         |       | select,insert,update,references |         |
| data_payload | text             | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+--------------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: event
+-------------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field             | Type                 | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-------------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| sid               | int(10) unsigned     |                   | NO   | MUL |         |       | select,insert,update,references |         |
| cid               | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| signature         | varchar(255)         | latin1_swedish_ci | NO   | MUL |         |       | select,insert,update,references |         |
| signature_gen     | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| signature_id      | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| signature_rev     | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| timestamp         | datetime             |                   | NO   | MUL |         |       | select,insert,update,references |         |
| unified_event_id  | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| unified_event_ref | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| unified_ref_time  | datetime             |                   | YES  |     |         |       | select,insert,update,references |         |
| priority          | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| class             | varchar(20)          | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| status            | smallint(5) unsigned |                   | YES  | MUL | 0       |       | select,insert,update,references |         |
| src_ip            | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| dst_ip            | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| src_port          | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| dst_port          | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| icmp_type         | tinyint(3) unsigned  |                   | YES  | MUL |         |       | select,insert,update,references |         |
| icmp_code         | tinyint(3) unsigned  |                   | YES  | MUL |         |       | select,insert,update,references |         |
| ip_proto          | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_ver            | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_hlen           | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_tos            | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_len            | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_id             | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_flags          | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_off            | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_ttl            | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_csum           | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| last_modified     | datetime             |                   | YES  | MUL |         |       | select,insert,update,references |         |
| last_uid          | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| abuse_queue       | enum('Y','N')        | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| abuse_sent        | enum('Y','N')        | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-------------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: history
+-----------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type                 | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| sid       | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| cid       | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| uid       | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| timestamp | datetime             |                   | NO   | MUL |         |       | select,insert,update,references |         |
| status    | smallint(5) unsigned |                   | NO   |     |         |       | select,insert,update,references |         |
| comment   | varchar(255)         | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-----------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: icmphdr
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid       | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| cid       | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| icmp_csum | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| icmp_id   | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| icmp_seq  | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: nessus
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type        | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| uid       | int(11)     |                   | NO   |     |         |       | select,insert,update,references |         |
| rid       | varchar(40) | latin1_swedish_ci | NO   | PRI |         |       | select,insert,update,references |         |
| ip        | varchar(15) | latin1_swedish_ci | NO   | MUL |         |       | select,insert,update,references |         |
| timestart | datetime    |                   | YES  |     |         |       | select,insert,update,references |         |
| timeend   | datetime    |                   | YES  |     |         |       | select,insert,update,references |         |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Wildcard: nessus_data
+-------------+
|   Tables    |
+-------------+
| nessus_data |
+-------------+
Database: server1_db  Table: pads
+-------------+---------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field       | Type                | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-------------+---------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| hostname    | varchar(255)        | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| sid         | int(10) unsigned    |                   | NO   | PRI |         |       | select,insert,update,references |         |
| asset_id    | int(10) unsigned    |                   | NO   | PRI |         |       | select,insert,update,references |         |
| timestamp   | datetime            |                   | NO   |     |         |       | select,insert,update,references |         |
| ip          | int(10) unsigned    |                   | NO   |     |         |       | select,insert,update,references |         |
| service     | varchar(40)         | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| port        | int(10) unsigned    |                   | NO   |     |         |       | select,insert,update,references |         |
| ip_proto    | tinyint(3) unsigned |                   | NO   |     |         |       | select,insert,update,references |         |
| application | varchar(255)        | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| hex_payload | varchar(255)        | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-------------+---------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: portscan
+-----------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type             | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| hostname  | varchar(255)     | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| timestamp | datetime         |                   | YES  | MUL |         |       | select,insert,update,references |         |
| src_ip    | varchar(16)      | latin1_swedish_ci | YES  | MUL |         |       | select,insert,update,references |         |
| src_port  | int(10) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| dst_ip    | varchar(16)      | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| dst_port  | int(10) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| data      | text             | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-----------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: sancp
+------------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field      | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+------------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid        | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| sancpid    | bigint(20) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
| start_time | datetime             |           | NO   | MUL |         |       | select,insert,update,references |         |
| end_time   | datetime             |           | NO   |     |         |       | select,insert,update,references |         |
| duration   | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| ip_proto   | tinyint(3) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
| src_ip     | int(10) unsigned     |           | YES  | MUL |         |       | select,insert,update,references |         |
| src_port   | smallint(5) unsigned |           | YES  | MUL |         |       | select,insert,update,references |         |
| dst_ip     | int(10) unsigned     |           | YES  | MUL |         |       | select,insert,update,references |         |
| dst_port   | smallint(5) unsigned |           | YES  | MUL |         |       | select,insert,update,references |         |
| src_pkts   | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| src_bytes  | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| dst_pkts   | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| dst_bytes  | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| src_flags  | tinyint(3) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
| dst_flags  | tinyint(3) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
+------------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: sensor
+-------------+------------------+-------------------+------+-----+-------------------+----------------+---------------------------------+---------+
| Field       | Type             | Collation         | Null | Key | Default           | Extra          | Privileges                      | Comment |
+-------------+------------------+-------------------+------+-----+-------------------+----------------+---------------------------------+---------+
| sid         | int(10) unsigned |                   | NO   | PRI |                   | auto_increment | select,insert,update,references |         |
| hostname    | varchar(255)     | latin1_swedish_ci | NO   | MUL |                   |                | select,insert,update,references |         |
| agent_type  | varchar(40)      | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| net_name    | varchar(40)      | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| interface   | varchar(255)     | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| description | text             | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| bpf_filter  | text             | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| updated     | timestamp        |                   | NO   |     | CURRENT_TIMESTAMP |                | select,insert,update,references |         |
| active      | enum('Y','N')    | latin1_swedish_ci | YES  |     | Y                 |                | select,insert,update,references |         |
| ip          | varchar(15)      | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| public_key  | varchar(255)     | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
+-------------+------------------+-------------------+------+-----+-------------------+----------------+---------------------------------+---------+
Database: server1_db  Table: status
+-------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field       | Type                 | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| status_id   | smallint(5) unsigned |                   | NO   | PRI |         |       | select,insert,update,references |         |
| description | varchar(255)         | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| long_desc   | varchar(255)         | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: tcphdr
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid       | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| cid       | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| tcp_seq   | int(10) unsigned     |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_ack   | int(10) unsigned     |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_off   | tinyint(3) unsigned  |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_res   | tinyint(3) unsigned  |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_flags | tinyint(3) unsigned  |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_win   | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_csum  | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_urp   | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: udphdr
+----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field    | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid      | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| cid      | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| udp_len  | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| udp_csum | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
+----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Wildcard: user_info
+-----------+
|  Tables   |
+-----------+
| user_info |
+-----------+
Database: server1_db  Table: version
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type        | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| version   | varchar(32) | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| installed | datetime    |                   | YES  |     |         |       | select,insert,update,references |         |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Categories: Tools

Scapy crash on Vista / Windows 7

August 7th, 2009 Comments off

I love Scapy, a Python library that wraps around Pcap and various other things to let you do all kinds of cool network stuff.  I originally got into Scapy because I wanted to do packet forgery and injection in Windows.  It can also do sniffing, modification, and visualization.

Scapy is the sole reason I got started in Python.  For someone familiar with Python, it’s really easy to use; for everyone else, these examples should help.  Scapy requires a bit of setup on Windows, but it’s not too difficult – follow the setup guide here.  Unless you use Vista or Windows 7.

Until recently, Vista/Win7 users suffered some weird crashes in Scapy.  I found a related bug report on its Trac system and added some details to it.  Happily, the smart developer person fixed the bug (see the whole conversation here).  It was in the custom, patched version of pypcap, and he posted a link to a new one.

Update: The setup guide has a link to the correct version now, so everything should be just fine if you follow it.

Categories: Tools

Shiny new things

July 17th, 2009 Comments off

Yesterday I saw this post by wishi: BinVis re-released – Visual Reverse Engineering and Forensics.  Though I’m a fan of Greg Conti’s rumint (and I wish he’d ever update it, dammit), I had never heard of BinVis.  I was intrigued by the title since I’m nothing more than a curious idiot when it comes to reversing.  I tried the old version of the tool – get it here – and while I haven’t a damned clue what it does, I can confidently say it creates lots of pretty pictures and colors.  And that’s what matters to me.

On a somewhat related note, NMAP 5.00 IS RELEASED! OMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMGOMG

I do wish Fyodor would have someone re-design or at least re-skin his site.  It looks hideous.

Categories: Tools