Changes Coming in Sguil 0.6.1

Sguil 0.6.0p1 introduced the use of MERGE tables in MySQL to improve database performance.

Sguil 0.6.1, in development now, will bring UNION functionality to database queries. This will also improve performance.

Consider the following standard event or alert query in Sguil. This query says return Snort alerts where 151.201.11.227 is the source IP OR the destination IP. OR is a slow operation compared to UNION. Sguil 0.6.1 will use a new query.

Here we look for Snort alerts where 220.98.198.35 is the source IP address, and use UNION to return those results with alerts where 220.98.198.35 is the destination IP address.

UNION functionality was not available in MySQL 3.x, but it appeared in 4.x. Many Sguil users are running MySQL 5.x now.

Those screen shots just show the WHERE portions of the database queries. Here is each version of similar queries look like in their entirety:

Sguil 0.5.3 and older:

SELECT sensor.hostname, sancp.sancpid, sancp.start_time as datetime, sancp.end_time,
       INET_NTOA(sancp.src_ip), sancp.src_port, INET_NTOA(sancp.dst_ip), sancp.dst_port,
       sancp.ip_proto, sancp.src_pkts, sancp.src_bytes, sancp.dst_pkts, sancp.dst_bytes
FROM sancp
IGNORE INDEX (p_key)
INNER JOIN sensor ON sancp.sid=sensor.sid
WHERE sancp.start_time > '2005-08-02' AND ( sancp.src_ip = INET_ATON('82.96.96.3') OR
    sancp.dst_ip = INET_ATON('82.96.96.3') )

EXPLAIN
+----+-------------+--------+--------+--------------------------+---------+---------+-------------------+-----------+-------------+
| id | select_type | table  | type   | possible_keys            | key     | key_len | ref               | rows      | Extra       |
+----+-------------+--------+--------+--------------------------+---------+---------+-------------------+-----------+-------------+
|  1 | SIMPLE      | sancp  | ALL    | src_ip,dst_ip,start_time | NULL    |    NULL | NULL              | 100458818 | Using where |
|  1 | SIMPLE      | sensor | eq_ref | PRIMARY                  | PRIMARY |       4 | sguildb.sancp.sid |         1 |             |
+----+-------------+--------+--------+--------------------------+---------+---------+-------------------+-----------+-------------+

The actual query returns an empty set after 5mins 29.14secs on Bamm's database.

Sguil 0.6.0p1:

(
   SELECT sensor.hostname, sancp.sancpid, sancp.start_time as datetime, sancp.end_time,
          INET_NTOA(sancp.src_ip), sancp.src_port, INET_NTOA(sancp.dst_ip), sancp.dst_port,
          sancp.ip_proto, sancp.src_pkts, sancp.src_bytes, sancp.dst_pkts, sancp.dst_bytes
   FROM sancp
   IGNORE INDEX (p_key)
   INNER JOIN sensor ON sancp.sid=sensor.sid
   WHERE sancp.start_time > '2005-08-02' AND sancp.src_ip = INET_ATON('82.96.96.3')
 ) UNION (
   SELECT sensor.hostname, sancp.sancpid, sancp.start_time as datetime, sancp.end_time,
          INET_NTOA(sancp.src_ip), sancp.src_port, INET_NTOA(sancp.dst_ip), sancp.dst_port,
          sancp.ip_proto, sancp.src_pkts, sancp.src_bytes, sancp.dst_pkts, sancp.dst_bytes
   FROM sancp
   IGNORE INDEX (p_key)
   INNER JOIN sensor ON sancp.sid=sensor.sid
   WHERE sancp.start_time > '2005-08-02' AND sancp.dst_ip = INET_ATON('82.96.96.3')
)

EXPLAIN
+----+--------------+------------+--------+-------------------+---------+---------+-------------------+------+-------------+
| id | select_type  | table      | type   | possible_keys     | key     | key_len | ref               | rows | Extra       |
+----+--------------+------------+--------+-------------------+---------+---------+-------------------+------+-------------+
|  1 | PRIMARY      | sancp      | ref    | src_ip,start_time | src_ip  |       5 | const             |  108 | Using where |
|  1 | PRIMARY      | sensor     | eq_ref | PRIMARY           | PRIMARY |       4 | sguildb.sancp.sid |    1 |             |
|  2 | UNION        | sancp      | ref    | dst_ip,start_time | dst_ip  |       5 | const             |  108 | Using where |
|  2 | UNION        | sensor     | eq_ref | PRIMARY           | PRIMARY |       4 | sguildb.sancp.sid |    1 |             |
|NULL| UNION RESULT |  union1,2  | ALL    | NULL              | NULL    |    NULL | NULL              | NULL |             |
+----+--------------+------------+--------+-------------------+---------+---------+-------------------+------+-------------+

The actual query returns an empty set in .33secs on Bamm's database.

Comments

Anonymous said…
This seems more complex on the human end. I would rather offload that work. But my db is not so taxed that I can make it sweat with a query. YMMV, esp at a big shop.
1:01 PM
Anonymous said…
I agree, it is slightly more complex on the human end. Howerver, I expect most analysts rarely edit the WHERE conditions of the queries beyond changing the timestamp, so I don't think the change will have much of a negative impact. On the other hand, the speed increases for those of us running big DBs on not so big hardware is huge.

Of course, any recommendations for a cleaner/friendlier interface are welcome. I openly admit I am not the greatest at UI design (I am using Tk for gawds sake). Rich has made more (accepted) recommendations than I can count. I've gone so far as to to coin a term to describe my UI design ineptness, but we won't mention that here ;)

Bammkkkk
3:51 PM
Anonymous said…
This functionality would be most exellent! As it stands now I keep a mysql prompt available at all times to run queries like this. And yes, I also heavily modify the WHERE clause.
9:13 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more