Kernel_Killer
November 17th, 2003, 03:49
Just thought I'd add some small tweaks for sguil that aren't exactly in the base install.
First off. If you want the time to match your system time, which I'm sure you do, we'll have to edit some code.
sguild:
Line 480
set timestamp [clock format [clock seconds] -gmt true -f "%Y-%m-%d %T"]
change "-gmt true" to "-gmt false"
sguil.tk:
Line 204
$gmtClock configure -text "[GetCurrentTimeStamp] GMT"
change the "GMT" to reflect your timezone. (e.g. EST, CST, etc.)
Line 885
set timestamp [clock format [clock seconds] -gmt true -f "%Y-%m-%d %T"]
change to "-gmt false" also
barnyard.conf:
Line 23
#config localtime
uncomment for the logs to show at system time
Next is setting the E-mail function for the client.
sguil.conf:
Lines 81-95
Pretty self-explanatory. Set the mail server to go through, the address it's coming from, the address to CC to, and what should show as the header and footer.
You can also change the sguil client colors.
sguil.conf:
Lines 46-48 define the color to use for the incident severity
Lines 50-52 define the color for the incident severity
Lines 54-63 set the color to use for each category
Line 65 sets the background color
Line 66 sets the foreground color
Line 69 will set whether or not to use alternating colors for each line of log
Line 71-73 define what colors to alternate with "Line 69"
Even though you can send E-mail from the client, you can have sguild send E-mail upon a certain type of attack being detected.
sguild.conf:
Line 31 Set E-mail Recipient To
Line 33 set E-mail From
Line 35 set the E-mail subject
Line 38 set what you want to be sent (Default will work just fine)
%sn=sensor name
%msg=snort message
%t=timestamp
%sip=src ip
%dip=dest ip
%sp=src port
%dp=dst port
Line 42 Set the classes you want to be notified on (You can get the list from your classification.config file in your snort conf directory)
A few examples:
not-suspicious
bad-unknown
attempted-dos
attempted-admin
shellcode-detect
Line 46 Disables Snort IDs from the classes from line 42. (You can get a list of the SIDs from your sid-msg.map file in the snort conf directory)
Line 50 set the SIDs to enable (This is used to add SIDs not used in classification.config.)
Enjoy! :D
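Worked example, added here and not part of Kernel_Killer's post or of sguil's own code: a small Python model of the sguild e-mail notification logic the post walks through (notify on listed classifications, drop specific SIDs from those classes, force-enable extra SIDs, then fill the %sn/%msg/%t/%sip/%dip/%sp/%dp template), plus a timestamp formatter that mirrors the Tcl `clock format ... -gmt true|false` line being patched. The classification.config and sid-msg.map lines, SIDs, sensor name and addresses are constructed sample data; the function names, the disable-beats-enable-beats-class precedence, and passing the local zone in explicitly (instead of reading the system zone) are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# --- Constructed sample input (made up for this example, not real sensor data) ---
# Lines in the format of Snort's classification.config:
#   config classification: shortname,short description,priority
CLASSIFICATION_CONFIG = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: shellcode-detect,Executable code was detected,1
"""

# Lines in the format of Snort's sid-msg.map: "sid || message || reference..."
SID_MSG_MAP = """\
1000001 || EXAMPLE noisy admin probe || url,example.invalid
1000002 || EXAMPLE watched scanner signature
1000003 || EXAMPLE shellcode pattern
"""

# Stand-ins for the sguild.conf knobs the post describes (names are ours, not sguild's).
EMAIL_CLASSES = {"attempted-admin", "shellcode-detect", "attempted-dos"}
EMAIL_DISABLE_SIDS = {1000001}   # SIDs inside a listed class that must NOT be mailed
EMAIL_ENABLE_SIDS = {1000002}    # SIDs mailed even though their class is not listed
EMAIL_MSG = "%sn: %msg at %t %sip:%sp -> %dip:%dp"

EST = timezone(timedelta(hours=-5))                       # assumed local zone
SAMPLE_TIME = datetime(2003, 11, 17, 8, 49, tzinfo=timezone.utc)


def parse_classification_config(text):
    """Return {shortname: priority} from classification.config lines."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("config classification:"):
            continue
        fields = line.split(":", 1)[1].split(",")
        classes[fields[0].strip()] = int(fields[2].strip())
    return classes


def parse_sid_msg_map(text):
    """Return {sid: message} from sid-msg.map lines; blank and # lines skipped."""
    sids = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        sids[int(parts[0])] = parts[1]
    return sids


def should_notify(alert, classes=EMAIL_CLASSES, disabled=EMAIL_DISABLE_SIDS,
                  enabled=EMAIL_ENABLE_SIDS):
    """Assumed precedence: a disabled SID is never mailed; an explicitly enabled
    SID is always mailed; otherwise the alert's classification decides."""
    if alert["sid"] in disabled:
        return False
    if alert["sid"] in enabled:
        return True
    return alert["class"] in classes


def format_timestamp(when, gmt=True, local_tz=EST):
    """Mirror Tcl's [clock format $secs -gmt $gmt -f "%Y-%m-%d %T"].
    gmt=True is the stock '-gmt true'; gmt=False is the post's '-gmt false',
    rendered in local_tz.  Note that sensors in different zones then write
    timestamps that no longer line up with each other or with the DB."""
    tz = timezone.utc if gmt else local_tz
    return when.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S")


# Longest names first so %sip/%dip are not split into %s + "ip".
PLACEHOLDER = re.compile(r"%(sip|dip|msg|sn|sp|dp|t)")


def render_email(alert, when=SAMPLE_TIME, template=EMAIL_MSG, gmt=True, local_tz=EST):
    """Fill the %-placeholders the post lists for sguild.conf line 38."""
    values = {
        "sn": alert["sensor"], "msg": alert["msg"],
        "t": format_timestamp(when, gmt, local_tz),
        "sip": alert["src_ip"], "dip": alert["dst_ip"],
        "sp": str(alert["src_port"]), "dp": str(alert["dst_port"]),
    }
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def process(alerts, when=SAMPLE_TIME, **kw):
    """Return rendered mails for the alerts that pass the notification filter."""
    return [render_email(a, when, **kw) for a in alerts if should_notify(a)]


_SIDS = parse_sid_msg_map(SID_MSG_MAP)
# Constructed alerts: one disabled SID, one force-enabled SID, one listed
# class, one unlisted class.  Addresses are RFC 5737 documentation ranges.
SAMPLE_ALERTS = [
    {"sensor": "sensor1", "sid": s, "class": c, "msg": _SIDS.get(s, m),
     "src_ip": "10.0.0.5", "src_port": 4444, "dst_ip": "192.0.2.10", "dst_port": 80}
    for s, c, m in [(1000001, "attempted-admin", ""), (1000002, "bad-unknown", ""),
                    (1000003, "shellcode-detect", ""), (1000004, "not-suspicious", "EXAMPLE benign")]
]

if __name__ == "__main__":
    known = parse_classification_config(CLASSIFICATION_CONFIG)
    assert EMAIL_CLASSES <= known.keys(), "typo in class list"   # cheap sanity check
    for mail in process(SAMPLE_ALERTS, gmt=False):                # local-time variant
        print(mail)
```

The `EMAIL_CLASSES <= known.keys()` check is worth keeping in any real deployment script: a misspelled classification name in the notify list fails silently, since no alert ever matches it.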