Kernel_Killer
November 17th, 2003, 03:49
Just thought I'd add some small tweaks for sguil that aren't exactly in the base install.

First off. If you want the time to match your system time, which I'm sure you do, we'll have to edit some code.


sguild:

Line 480

set timestamp [clock format [clock seconds] -gmt true -f "%Y-%m-%d %T"]

change "-gmt true" to "-gmt false"


sguil.tk:

Line 204

$gmtClock configure -text "[GetCurrentTimeStamp] GMT"

change the "GMT" to reflect your timezone. (i.e. EST, CST, etc.)


Line 885

set timestamp [clock format [clock seconds] -gmt true -f "%Y-%m-%d %T"]

change to "-gmt false" also


barnyard.conf:

Line 23

#config localtime

uncomment for the logs to show at system time


Next is setting the E-mail function for the client.


sguil.conf:

Lines 81-95

Pretty self-explanatory. Set the mail server to go through, the address it's coming from, the address to CC to, and what should show as the header and footer.


You can also change the sguil client colors.


sguil.conf:

Lines 46-48 define the color to use for the incident severity
Lines 50-52 define the color for the incident severity
Lines 54-63 set the color to use for each category
Line 65 sets the background color
Line 66 sets the foreground color
Line 69 will set whether or not to use alternating colors for each line of log
Lines 71-73 define what colors to alternate with "Line 69"


Even though you can send E-mail from the client, you can have sguild send E-mail upon a certain type of attack being detected.


sguild.conf:

Line 31 sets the E-mail recipient (To)
Line 33 sets the E-mail From
Line 35 sets the E-mail subject
Line 38 sets what you want to be sent (the default will work just fine)

%sn=sensor name
%msg=snort message
%t=timestamp
%sip=src ip
%dip=dest ip
%sp=src port
%dp=dst port

Line 42 Set the classes you want to be notified on (You can get the list from your classification.config file in your snort conf directory)

A few examples:

not-suspicious
bad-unknown
attempted-dos
attempted-admin
shellcode-detect

Line 46 Disables Snort IDs from the classes from line 42. (You can get a list of the SIDs from your sid-msg.map file in the snort conf directory)

Line 50 sets the SIDs to enable (This is used to add SIDs not covered by the classes from classification.config.)

Enjoy! :D
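As an added example (not sguild's own code, and in Python rather than sguild's Tcl), here is a model of the notification rules the post walks through: the classes to notify on, the SIDs disabled within those classes, the extra SIDs that are always enabled, and the %-token message template. It also parses the two snort files the post points to, classification.config and sid-msg.map, and checks the configured class names against classification.config, since a misspelled class never matches and notifications silently stop. The config field names, the template, the file excerpts and the alerts are all constructed for this example; the template is an assumed one, not sguild's default.

```python
"""Added example, not sguild's own code: a Python model of the sguild e-mail
notification rules described above (classes to notify on, SIDs disabled
within those classes, extra SIDs always enabled) and the %-token template.
All config values, file excerpts and alerts below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed excerpt in snort's classification.config format:
#   config classification: shortname,short description,priority
CLASSIFICATION_CONFIG = """\
# constructed sample, not a real classification.config
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: shellcode-detect,Executable code was detected,1
"""

# Constructed excerpt in sid-msg.map format: sid || msg || reference ...
SID_MSG_MAP = """\
648 || SHELLCODE x86 NOOP || arachnids,181
1256 || WEB-IIS CodeRed v2 root.exe access || url,example.invalid
1200 || ATTACK-RESPONSES Invalid URL
"""

_CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")

def parse_classification_config(text):
    """Map class shortname -> (description, priority); other lines are ignored."""
    classes = {}
    for line in text.splitlines():
        m = _CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes

def parse_sid_msg_map(text):
    """Map sid -> rule message; blank and comment lines are skipped."""
    sids = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            sids[int(parts[0])] = parts[1]
    return sids

@dataclass
class Alert:
    sensor: str
    sid: int
    msg: str
    classification: str
    epoch: int  # alert time, unix seconds
    sip: str
    dip: str
    sp: int
    dp: int

@dataclass
class NotifyConfig:
    """Assumed field names standing in for the sguild.conf lines 31-50 above."""
    email_to: str
    email_from: str
    subject: str
    template: str
    classes: frozenset        # line 42: classes to notify on
    disabled_sids: frozenset  # line 46: SIDs suppressed within those classes
    enabled_sids: frozenset   # line 50: SIDs notified on regardless of class

def unknown_classes(cfg, known):
    """Configured classes absent from classification.config. A misspelled
    class never matches anything, so notifications silently stop."""
    return set(cfg.classes) - set(known)

def should_notify(alert, cfg):
    """Enabled SIDs always fire; otherwise the class must match and the SID
    must not be disabled."""
    if alert.sid in cfg.enabled_sids:
        return True
    return alert.classification in cfg.classes and alert.sid not in cfg.disabled_sids

def format_timestamp(epoch, gmt=True):
    """Python equivalent of [clock format $epoch -gmt $gmt -f "%Y-%m-%d %T"]."""
    tz = timezone.utc if gmt else None  # None = system local time, as the tweak above
    return datetime.fromtimestamp(epoch, tz=tz).strftime("%Y-%m-%d %H:%M:%S")

_TOKEN_RE = re.compile(r"%(sip|dip|msg|sn|sp|dp|t)")

def render_message(template, alert, gmt=True):
    """Expand the %-tokens listed above in a single pass, so an expansion is
    never rescanned (a rule message containing '%t' stays literal)."""
    values = {
        "sn": alert.sensor, "msg": alert.msg,
        "t": format_timestamp(alert.epoch, gmt),
        "sip": alert.sip, "dip": alert.dip,
        "sp": str(alert.sp), "dp": str(alert.dp),
    }
    return _TOKEN_RE.sub(lambda m: values[m.group(1)], template)

def build_email(alert, cfg, gmt=True):
    """Headers and body to hand to the mailer, or None when no notification is due."""
    if not should_notify(alert, cfg):
        return None
    return {"To": cfg.email_to, "From": cfg.email_from, "Subject": cfg.subject,
            "Body": render_message(cfg.template, alert, gmt)}

# Constructed config; the template is assumed, not sguild's default.
EXAMPLE_CFG = NotifyConfig(
    email_to="analyst@example.invalid",
    email_from="sguild@example.invalid",
    subject="sguild alert",
    template="%sn: %msg at %t from %sip:%sp to %dip:%dp",
    classes=frozenset({"attempted-admin", "shellcode-detect", "bad-unknown"}),
    disabled_sids=frozenset({1256}),  # suppressed even though its class is listed
    enabled_sids=frozenset({1200}),   # notified on even though its class is not
)
```

Run `unknown_classes(EXAMPLE_CFG, parse_classification_config(...))` against the real classification.config whenever the class list on line 42 changes; an empty result is what you want. Pass `gmt=False` to `build_email` to get the local-time stamps the edits at the top of the post produce.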

soup4you2
November 19th, 2003, 11:27
Gonna have to try those. Finally got it working again. Forgot how much of a pain in the ass it is to get working right.

Another tweak is: since my work PC is 1024x768 it kinda makes it a bitch to read, so in the client I change this in the conf:

set RTPANES 1
set RTPANE_PRIORITY(0) "1 2 3 4 5"

Have you come up w/ a good set of colors, kk?