# NOTE(review): three COMMENT values, apparently one per sguil subpackage
# (client, sensor, server) — confirm against the port's pkg/ directory.
COMMENT=        "Sguil NSM security monitoring client"
COMMENT=        "Sguil NSM security monitoring sensor"
COMMENT=        "Sguil NSM security monitoring server"

Sguil - A tcl/tk interface for network security monitoring
Sguil (pronounced "sgweel") is a graphical interface to snort
(www.snort.org), an open source intrusion detection system.
The actual interface and GUI server are written in tcl/tk
(www.tcl.tk). Sguil also relies on other open source software
in order to function properly.

http://secure.lv/~nikns/stuff/ports/sguil-0.6.1.tar

Feedback and corrections appreciated.

Quick test:
##########################
###      install       ###
##########################
# The port skeletons below are fetched over plain HTTP from a personal site
# and carry no checksum or signature here; compare each skeleton (including
# its distinfo) against a trusted copy before running make install from it.
base=http://secure.lv/~nikns/stuff/ports

# tcl extension ports (devel/): fetch all, then unpack all
devel="itcl-3.3 itk-3.3 iwidgets-4.0.1 mysqltcl-3.02 tcltls-1.5.0 tclx-8.4"
cd /usr/ports/devel
for p in $devel; do ftp -V "${base}/${p}.tar"; done
for p in $devel; do tar xvf "${p}.tar"; done

# barnyard and sancp (net/)
net="barnyard-0.2.0 sancp-1.6.1"
cd /usr/ports/net
for p in $net; do ftp -V "${base}/${p}.tar"; done
for p in $net; do tar xvf "${p}.tar"; done

# sguil itself (security/), then snort and the mysql server subpackage
cd /usr/ports/security
ftp -V "${base}/sguil-0.6.1.tar"
tar xvf sguil-0.6.1.tar
cd sguil && make install
cd /usr/ports/net/snort && make install
cd /usr/ports/databases/mysql && env SUBPACKAGE="-server" make install


##########################
###     configure      ###
##########################
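# Rule and capture directories for the "gateway" sensor; they must match
# RULE_PATH in snort.conf and the -l/-d arguments used at startup.
mkdir -p /sguild_data/rules/gateway
mkdir -p /snort_data/gateway/sancp
cd /tmp
# The rule-set URL was wrapped onto two lines in the original post; it must be
# a single argument to ftp.  This is a plain-HTTP download with no checksum or
# signature shown here, so confirm the archive out of band before installing
# its contents as your detection rules.
ftp -V http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
tar zxvf snortrules-pr-2.4.tar.gz rules
mv rules/* /sguild_data/rules/gateway/

# add user with password (replace <username>)
sguild -adduser <username>


#in /etc/snort/snort.conf check for following lines:
var RULE_PATH /sguild_data/rules/gateway
output log_unified: filename snort.log, limit 128
# 'pktcnt 10000' belongs on the same line as the preprocessor directive
# (the original post wrapped it onto a second line).
preprocessor perfmonitor: time 300 file /snort_data/gateway/snort.stats pktcnt 10000

#in /etc/barnyard.conf check for following lines:
config interface: <interface>
output sguil

#in /usr/local/bin/log_packets.sh check for following config:
INTERFACE="<interface>"
OPTIONS="-m 122"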


##########################
###      startup       ###
##########################
# start everything in seperate screen for debugging and check
# if everything starts fine
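# start everything in separate screen sessions for debugging and check
# that everything starts fine ([detach] = detach the screen session, C-a d)
screen sh
mysqld_safe
[detach]

log_packets.sh start

screen sh
# the interface name was wrapped onto its own line in the original post;
# -i and <interface> belong on one command line
snort -l /snort_data/gateway -c /etc/snort/snort.conf -U -A none -m 122 -i <interface>
[detach]

screen sh
sancp -d /snort_data/gateway/sancp/ -i <interface> -c /etc/sancp_sguil.conf
[detach]

screen sh
sguild
# for first time you will have to hit 'y':
#  pid(10278)  Loading access list: /etc/sguild/sguild.access
#  pid(10278)  Adding sensor to access list: 127.0.0.1
#  pid(10278)  Adding client to access list: 127.0.0.1
#  pid(10278)  Email Configuration:
#  pid(10278)    Config file: /etc/sguild/sguild.email
#  pid(10278)    Enabled: No
#  pid(10278)  Connecting to localhost on 3306 as root
#  pid(10278)  MySQL Version: version 5.0.22-log
#  pid(10278)  Error: mysqluse/db server: Unknown database 'sguildb'
#  The database sguildb does not exist. Create it ([y]/n)?: y
# NOTE(review): the sample output shows sguild using the MySQL root account;
# a dedicated, least-privileged database user for sguild is preferable —
# check sguild's database settings under /etc/sguild/ before going beyond a test.
[detach]

screen sh
sensor_agent.tcl
[detach]

screen sh
barnyard -c /etc/barnyard.conf -d /snort_data/gateway \
-g /etc/snort/gen-msg.map -p /etc/snort/classification.config \
-s /etc/snort/sid-msg.map -f snort.log -w /etc/snort/waldo.file
[detach]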
