byron
June 17th, 2005, 11:49
Knowing that there are some Sguil experts here in these forums I'll take a shot.
I'm developing a fairly large Snort implementation primarily on Soekris net4801s, which incidentally are already built and deployed to remote locations, and a few larger and more robust boxes at corporate HQ. The Soekris boxen run a very stripped version of OpenBSD 3.6. To get to the point, I'd like to use Sguil for monitoring. However, it is my understanding that Sguil's agent piece requires Tcl, which of course is not included in the stripped OpenBSD Soekris builds, nor is the chief architect really interested in pushing Tcl out. Not to mention my concerns about the Soekris hardware's ability to run all the required processes for Sguil without dropping too many packets. Can Sguil still run, albeit handicapped, without the agent piece running on the sensors? If it were possible, what functionality would be lost: session data and passive OS fingerprinting? Would it be possible to run the Sguil client to monitor all sensors even if only a couple of them (the more robust HQ boxes) actually ran the Sguil agents?
If it were not possible to monitor these remote sensors with Sguil, what would you use to monitor/manage such small-footprint boxes without the ability to run things like Perl, Tcl, or hell, even cron? I'm afraid that I'll be forced to write a bunch of custom shell scripts to accomplish most of this.
byron
^who hates re-inventing the wheel