This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Fix Visualization in Squert #64

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 11 comments

Comments

@GoogleCodeExporter

http://secviz.org/content/a-day-ids-snort-event-data

Original issue reported on code.google.com by karolis....@gmail.com on 1 Jan 2011 at 5:04

@GoogleCodeExporter

Original comment by doug.bu...@gmail.com on 2 Jan 2011 at 4:26

  • Changed state: Accepted

@GoogleCodeExporter

Yikes. I wouldn't. This code was proof of concept more than anything else. It 
was refined and packed into squert. Unless the intent is to create visuals 
outside of alert data, this isn't necessary.

Original comment by paul.halliday@gmail.com on 8 Jan 2011 at 2:36

@GoogleCodeExporter

The Squert visualization in Security Onion is currently broken.  I'll use this 
Issue for fixing it.

So far, I know we need to do the following:
chmod 777 /var/www/squert/images
sed -i 's|/usr/local/bin/dot|/usr/bin/dot|g' /var/www/squert/config.php

At this point, I'm getting a png image in /var/www/squert/images, but the 
Squert web page shows no image and I see the following error in the Apache log:
PHP Fatal error:  Call to undefined function imagecreatetruecolor() in /var/www/squert/edv.php

Original comment by doug.bu...@gmail.com on 8 Jan 2011 at 5:53

  • Changed title: Fix Event Data Visualization in Squert

@GoogleCodeExporter

Original comment by doug.bu...@gmail.com on 8 Jan 2011 at 5:54

  • Changed title: Fix Visualization in Squert
  • Added labels: Priority-Medium, Type-Defect
  • Removed labels: Priority-Low, Type-Enhancement

@GoogleCodeExporter

Doug,

Is libpng installed?

Original comment by paul.halliday@gmail.com on 10 Jan 2011 at 11:05

@GoogleCodeExporter

Hi Paul,

Thanks for the suggestion.  libpng was installed using "aptitude install 
libpng".  It shows up as installed when doing "aptitude search libpng":
v   libpng-dev                 -
p   libpng-sixlegs-java        - Sixlegs Java PNG Decoder
p   libpng-sixlegs-java-doc    - Documentation for Sixlegs Java PNG Decoder
i   libpng12-0                 - PNG library - runtime
v   libpng12-0-dev             -
p   libpng12-dev               - PNG library - development
i   libpng3                    - PNG library - runtime
v   libpng3-dev                -
p   libpnglite-dev             - lightweight C library for loading and writing PNG images
v   libpngwriter               -
v   libpngwriter-dev           -
p   libpngwriter0-dev          - easy to use graphics library (development)
p   libpngwriter0c2            - easy to use graphics library (runtime)

I do have PNG files being outputted to /var/www/squert/images:
root@doug:/var/www/squert/images# ls -alh
total 180K
drwxrwxrwx  2     1001 vboxsf   4.0K 2011-01-08 12:53 .
drwxr-xr-x 10     1001 vboxsf   4.0K 2011-01-08 12:35 ..
-rw-r--r--  1 www-data www-data  61K 2011-01-08 12:38 20110108-12:38:40-231-test3.png
-rw-r--r--  1 www-data www-data  33K 2011-01-08 12:41 20110108-12:41:06-425-test4.png
-rw-r--r--  1 www-data www-data  33K 2011-01-08 12:42 20110108-12:42:57-484-test5.png
-rw-r--r--  1 www-data www-data  33K 2011-01-08 12:53 20110108-12:53:16-283-test6.png

and I can view them manually.  They just aren't showing up properly inside of 
the Squert interface.  What is supposed to happen after the files are output to 
the images directory?

Original comment by doug.bu...@gmail.com on 11 Jan 2011 at 11:57

@GoogleCodeExporter

I think this will work:

aptitude install php5-gd
chmod 777 /var/www/squert/images
sed -i 's|/usr/local/bin/dot|/usr/bin/dot|g' /var/www/squert/config.php
/etc/init.d/apache2 restart

Will test more later.

Original comment by doug.bu...@gmail.com on 11 Jan 2011 at 12:16

@GoogleCodeExporter

GD was guess number 2 :).

Afterglow uses libpng, PHP uses GD; my bad. When it is working you will get a 
bunch of 'filename_thumb.png' in that same dir. It is the thumbs that are 
loaded into the interface.

Original comment by paul.halliday@gmail.com on 11 Jan 2011 at 12:55

@GoogleCodeExporter

Request from Paul Halliday:

Could you make the following changes to the visuals properties file:

Take a look at .props/ids.props and in the Event and Target sections
comment (#) out these two lines:

#size.event=.03+$fields[3]
#size.target=.03+$fields[3]

They are beta options (well, the whole thing is beta) and under most
circumstances (small installations in particular) can make the result
hard to interpret. I plan to make the properties files easier to deal
with but it is pretty low in the queue.

Original comment by doug.bu...@gmail.com on 11 Jan 2011 at 1:21

@GoogleCodeExporter

Consolidated list of changes so far:

chmod 777 /var/www/squert/images
sed -i 's|/usr/local/bin/dot|/usr/bin/dot|g' /var/www/squert/config.php
sed -i 's|size.event|#size.event|g' /var/www/squert/.props/ids.props 
sed -i 's|size.target|#size.target|g' /var/www/squert/.props/ids.props 
aptitude install php5-gd
/etc/init.d/apache2 restart

Original comment by doug.bu...@gmail.com on 12 Jan 2011 at 11:52
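
The consolidated list above, written as an added example (not code from the issue thread, Squert or Security Onion) of idempotent shell functions that check their own result: the dot-path edit verifies the new path landed, the ids.props edit is anchored so reruns do not double-comment, and the GD and thumbnail checks confirm the part that was actually failing. It assumes the /var/www/squert layout from the thread and an Apache web user of www-data (the owner shown in the ls output); instead of the thread's chmod 777 it deliberately gives the images directory to that user with 0755.

```shell
#!/bin/sh
# Added example, not code from the issue thread, Squert or Security Onion.
# Applies the consolidated fixes as idempotent steps that check their own
# result. Assumptions: the /var/www/squert layout named in the thread and an
# Apache web user of www-data (the owner shown in the ls output).
SQUERT_DIR="${SQUERT_DIR:-/var/www/squert}"
WEB_USER="${WEB_USER:-www-data}"

# Point config.php at the dot binary that really exists; succeed only if the
# new path is present afterwards.
fix_dot_path() {
    cfg="$1"
    dot_bin="$2"
    sed -i "s|/usr/local/bin/dot|$dot_bin|g" "$cfg" && grep -q "$dot_bin" "$cfg"
}

# Comment out the beta size.event / size.target lines in ids.props. Anchored
# to line start so a rerun does not turn them into '##size.event' the way the
# thread's unanchored sed would.
disable_size_props() {
    props="$1"
    sed -i 's|^size\.event=|#size.event=|; s|^size\.target=|#size.target=|' "$props"
    ! grep -Eq '^size\.(event|target)=' "$props"
}

# edv.php calls imagecreatetruecolor(), which lives in PHP's GD extension.
php_has_gd() { php -m 2>/dev/null | grep -qix 'gd'; }

# Squert loads the *_thumb.png files, so a non-zero count means GD is working.
count_thumbs() {
    find "$1" -maxdepth 1 -name '*_thumb.png' 2>/dev/null | wc -l | tr -d ' '
}

main() {
    dot_bin="$(command -v dot)"
    [ -n "$dot_bin" ] && fix_dot_path "$SQUERT_DIR/config.php" "$dot_bin" \
        || echo "dot path not fixed (is graphviz installed?)" >&2
    disable_size_props "$SQUERT_DIR/.props/ids.props" || echo "size.* still active" >&2
    # Least-privilege alternative to the thread's chmod 777: only the web user
    # (plus root) can write into the directory Squert renders images into.
    chown "$WEB_USER" "$SQUERT_DIR/images" && chmod 0755 "$SQUERT_DIR/images"
    php_has_gd || echo "PHP GD missing: install php5-gd and restart apache2" >&2
    echo "thumbnails present: $(count_thumbs "$SQUERT_DIR/images")"
}

# Apply to the live install only when asked, so the functions can first be
# exercised against scratch copies of config.php and ids.props.
if [ "${SQUERT_APPLY:-0}" = 1 ]; then main; fi
```

Run with `SQUERT_APPLY=1 sh fix-squert-viz.sh` as root on the sensor; without that variable the script only defines the functions, so it can be sourced and tried against copies first.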

@GoogleCodeExporter

Resolved in Security Onion 20110116:
http://securityonion.blogspot.com/2011/01/security-onion-20110116.html

Original comment by doug.bu...@gmail.com on 16 Jan 2011 at 11:12

  • Changed state: Fixed
