bsdjunkie
July 8th, 2003, 13:20
Anyone use this yet or have any impressions? It looks pretty kewl. I may have to try it out.
http://sguil.sourceforge.net/
elmore
July 8th, 2003, 13:36
D00d awesome, I've been looking for a good front-end for snort since PureSecure went commercial and since I really don't like acid that much. Maybe this is my answer. I'll have to check it out for sure!
KrUsTy!
July 8th, 2003, 13:41
Looks very cool! Think I'm going to check this out and see how it runs...
soup4you2
July 8th, 2003, 14:32
Oh man my wet dreams have been answered.... na just kidding but it looks pretty sweet..... i'm going to have to play with it......
nice find....
|MiNi0n|
July 8th, 2003, 14:34
slickity boo :lol:
elmore
July 9th, 2003, 00:27
I just downloaded this tonight! I'll post some results when I get it going!
soup4you2
July 9th, 2003, 09:08
I was playing around with it a bit last night...
got all the things setup.. and workin.. had to completely rebuild snort since i was putting all the data into sql databases..
but still having a couple issues getting barnyard to read the correct spool files.
soup4you2
July 9th, 2003, 15:02
Ok i've traced my last problem back to the sensor_agent.tcl script...
sguild shows this once i fire it up...
[code:1:0a37fad1e1]
Sensor Data Rcvd: SsnFile ssn_log.1211225318 merlin
Recieving session file ssn_log.1211225318.
Loading 1 cnxs from ssn_log.1211225318 into DB.
mysql -D DATABSE -h localhost -P 3306 -u USER --password=PASSWORD -e "LOAD DATA LOCAL INFILE '/tmp/ssn_log.1211225318.tmp' INTO TABLE sessions FIELDS TERMINATED BY '|'"
Unable to load session data into DB.
ERROR 1148 at line 1: The used command is not allowed with this MySQL version
[/code:1:0a37fad1e1]
and here's a couple functions inside the file... perhaps somebody can see where the error lies...
[code:1:0a37fad1e1]
proc SendSsnDataToSvr { fileName } {
global SERVER_HOST SERVER_PORT DEBUG HOSTNAME
if [catch {set socketID [socket $SERVER_HOST $SERVER_PORT]}] {
puts "Unable to connect to $SERVER_HOST on port $SERVER_PORT"
} else {
fconfigure $socketID -translation binary
puts $socketID "SsnFile [file tail $fileName] $HOSTNAME"
CopyDataToServer $fileName $socketID
}
}
proc CheckForSsnFiles {} {
global SSN_DIR SSN_CHECK_DELAY_IN_MSECS DEBUG CONNECTED
if {$CONNECTED} {
if {$DEBUG} {puts "Checking for Session files in $SSN_DIR."}
foreach fileName [glob -nocomplain $SSN_DIR/ssn_log.*] {
puts $fileName
SendSsnDataToSvr $fileName
}
}
after $SSN_CHECK_DELAY_IN_MSECS CheckForSsnFiles
}
[/code:1:0a37fad1e1]
and here's the basic function in the sguild daemon that inserts stuff into mysql.. I'm sure this is where the error lies...
[code:1:0a37fad1e1]
proc RcvPortscanFile { socketID fileName } {
global DEBUG TMPDATADIR DBHOST DBPORT DBNAME DBUSER DBPASS
if {$DEBUG} {puts "Recieving portscan file $fileName."}
fconfigure $socketID -translation binary
set PS_OUTFILE $TMPDATADIR/$fileName
set fileID [open $PS_OUTFILE w]
fcopy $socketID $fileID
close $fileID
close $socketID
if {$DEBUG} {puts "Loading $fileName into DB."}
if {$DBPASS != "" } {
set cmd "mysql -D $DBNAME -h $DBHOST -P $DBPORT -u $DBUSER --password=$DBPASS\
-e \"LOAD DATA LOCAL INFILE '$PS_OUTFILE' INTO TABLE portscan FIELDS TERMINATED\
BY '|'\""
if {$DEBUG} {puts $cmd}
} else {
set cmd "mysql -D $DBNAME -h $DBHOST -P $DBPORT -u $DBUSER\
-e \"LOAD DATA LOCAL INFILE '$PS_OUTFILE' INTO TABLE portscan FIELDS TERMINATED\
BY '|'\""
if {$DEBUG} {puts $cmd}
}
if [catch {eval exec $cmd} loadError] {
puts "Unable to load PS data into DB."
puts $loadError
} else {
file delete $PS_OUTFILE
}
}
[/code:1:0a37fad1e1]
soup4you2
July 9th, 2003, 16:27
figured it out....
--enable-local-infile Enable LOAD DATA LOCAL INFILE (default: disabled)
on the mysql server
soup4you2
July 9th, 2003, 17:33
well it's installed and working right now... need to get home so i can really play around with it...
Definatly something i'm going to document on what i did
bsdjunkie
July 9th, 2003, 20:44
Definately tell me what you think of it.. I wont have time to install till this weekend most likely. But from the pics, its looks very nice..
soup4you2
July 9th, 2003, 20:55
ok all errors went away now.. but the gui portion of it is not showing anything.. snort sure as hell is working though....
i was talking around w/ some of the guys on their irc channel and they said to definatly use the CVS version and not the one for download on their site... they rarely update the download version...
so i'm going to update it and give it another shot later...
had to upgrade my box to mysql 4 in the process... 323server doesnt want to seem to compile on bsd 5.1 for me...
bamm
July 10th, 2003, 13:24
Barnyard doesn't work (by default) with mysql4 yet. Some of the required client libs changed. You may be able to manually add support (I think information for doing so has been posted to the snort-users/snort-devel lists on sourceforge), but you're on your own if you do. I can't garuantee the op_sguil plugin will work correctly.
soup4you2
July 10th, 2003, 13:43
Just got the cvs version today... plan on giving that one a go..
they were talking about it supporting ssl which is a bonus to me..
but on the other one it appears that nothing is being inserted into the sql tables... need to play around w/ it more and see what i can come up w/
soup4you2
July 10th, 2003, 15:30
Finally got everything workin... Yaaaa!
btw for those who are interested.. i will be making a article about it..
and also here is a diagram showing how each thing works with each other...
[code:1:483384aed4]
*SENSOR(1)..SENSOR(n)* *GUI Server* *CLIENT(1)*
---------------------- ---------------------- ---------------
| log_packets.sh |-----pcap------->| |<-------->| |
---------------------- | | | sguil.tk |
|----| sensor_agent.tcl | | xscriptd |<- ->| |
| ----------^----------- | | \ / ---------------
| | | | | | \ /
| | snort | ---------------------- \/
| | | | | | /\
| ----------|----------- | | / \ *CLIENT(n)*
| | V | | sguild |<-- \ ---------------
portscan | barnyard |---RT-Events---->| | ->| |
and | | | |<-------->| sguil.tk |
session ---------------------- ---------------------- | |
data | ^ ---------------
| archived |
| packet |
| data |
| | |
| | |
| V |
| ---------------------- |
| | | |
| | | |
| | | |
|--->| mysql DB |<---------------------------|
| |
| |
| |
----------------------
*DATABASE*
[/code:1:483384aed4]
soup4you2
July 10th, 2003, 19:17
Well all i gotta saw is Sweet.....
Definatly worth ditching acid and installing this puppie....
some mighty nice work you guys have been doin bamm
soup4you2
July 14th, 2003, 10:14
Well the only drawback i've seen so far.. is that it's killing my diskspace....
bamm
July 14th, 2003, 10:38
log_packets.sh is a script that starts a second snort process in packet logger mode. By default it logs all traffic in/out of the monitored network. On my production sensors, snort is the only thing running and most of the disk is dedicated for those pcap files. If you're running this on your home workstation, have a look at log_packets.sh and institute some filters. There is an example in there for filtering outbound HTTP traffic. If you are running P2P apps or doing some large downloads, you will want to set up some filters for that.
soup4you2
July 14th, 2003, 12:38
Will do.... i was also thinking of slapping in a 4th 40gb drive which it's getting to the point i will need to do so anyways...
i still also gotta tweak out the rules and stuff...
perhaps a future recommendation is that all the logs go into a mysql database.. i think that would be nice.. and save on some diskspace..
btw everything seems to work great w/ mysql 4 , somebody on irc said i t would cause a bunch of problems...
bsdjunkie
July 14th, 2003, 12:47
How much disk space are we looking at? I box I was going to put it on is kinda small, about 8 gig, but i think I have a 40gig laying around usused yet...
bamm
July 14th, 2003, 12:55
Glad everything works w/mysql4. I hadn't tried it yet but others had problems compiling barnyard with it.
As far as diskspace, it depends on how much traffic you're watching, how long you want to archive data for, and your comfort factor. The pcap logs are used for creating transcripts of activity and for viewing activity in ethereal. Snort will only log the packet that triggered the event (or ueber packet), and the packets following the 'trigger' (when the 'tag' function is used). By using log_packets.sh to log all (most if a filter is used) you can see what happened prior, during, and after an attack. It's kind of hard to explain the signifcance of it all here. I am in the process of creating a 'public' sguil server (insert crack comments here ;) ). Once it's up and running, I'll generate some traffic that I can use to help explain it's usefulness.
Oh, and using the DB for pcap logging would be more insane than running a public sguil server ;)
bsdjunkie
July 14th, 2003, 13:03
Ok, I should be ok then. Once it starts looking a little Full, Ill just store it on my fileserver, which has plenty of space...
By using log_packets.sh to log all (most if a filter is used) you can see what happened prior, during, and after an attack.
I wish Cisco IDS did this, kinda sucks im stuck with them at work, but oh well....
BTW, I like how the display is layed out.. Reading through IDS logs daily is a pain on a poorly thought out GUI.
soup4you2
July 14th, 2003, 14:05
How much disk space are we looking at?
Letting it just run over the weekend it took up over 5 gigs..
but like i said there's still a lot of tweaking i gotta do...
soup4you2
July 16th, 2003, 10:12
so has anybody else set this up?
anybody need help?
bamm
July 16th, 2003, 22:56
I must be on crack. I know the install is a PITA, so to let people test drive the client w/o the going thru the hassle I set up a semi-public sguil server. Semi-public means that I am announcing it's location slowing in forums where people have shown interest :) Anyway, download the latest sguil client (0.2.5) here: http://sourceforge.net/project/showfiles.php?group_id=71220&release_id=170920
Then configure the client to connect to bamm.dyndns.org on the standard ports. Use any username and password as authentication is turned off. Of course you still need the tcl/tk libs on your system. [/url]
Kernel_Killer
July 18th, 2003, 19:55
WEll, I can say "I can't wait until I get this working." Just get closer day by day. :D
bsdjunkie
July 18th, 2003, 20:33
Played with the demo today... Im definately gonna spend some time this weekend on this.. :D
Kernel_Killer
July 20th, 2003, 01:46
Well, I'm very very impressed! I setup a remote client since getting the client to run of FreeBSD was giving problems. Went ahead and checked out bamm's semi-server, and watched for awile. Think I'll hit it some more. :D
It was definatly a rough 3 days to get it working, but it was well worth it!
SolarfluX
July 23rd, 2003, 01:56
That looks sweet!
Btw, which OS did you get this running on, soup? OpenBSD? FreeBSD?
soup4you2
July 23rd, 2003, 09:24
That looks sweet!
Btw, which OS did you get this running on, soup? OpenBSD? FreeBSD?
i've got it running on FreeBSD 5.1
i've been slacking w/ the vpn and all but i was working on putting it
on my obsd 3.3 box
then i was going to generate the howto..
however what was current on the cvs i dont think is current anymore.. so i might have to redo the document so far so it will work w/ whatever is on the cvs server..