Kernel_Killer
July 17th, 2003, 18:24
Ok. I set up snort so that I could try out sguil. Followed the docs and all, and patched my 2 spp_*.c files. Now when I run snort, I get this error:

> snort -l /var/snort -c /usr/local/etc/snort/snort.conf -T

Using LOCAL time
ERROR: Please activate spp_conversation before trying to activate spp_portscan2
Fatal Error, Quitting..

I checked /work/snort-2.0.0/src/preprocessors/ and the files are there, and surely getting compiled.

Another concern is that the docs show 'gen-msg.map snort.conf classification.config reference.config sid-msg.map' are made. Well, the *.map files are nowhere to be found. I checked the Makefile, and they aren't even there to be made. The docs do refer to 1.9.0. Are those files not in 2.0.0? It doesn't cause a problem, just curious.

soup4you2
July 17th, 2003, 18:48
When you compiled snort, don't do make clean.

Your missing files are in work/snort/etc/

Copy them to your /usr/local/etc/snort dir.

Kernel_Killer
July 17th, 2003, 20:25
Excellent!!!! Thanx s4u2!

Kernel_Killer
July 17th, 2003, 20:48
Well, all was good. The spp_conversation was commented out of my snort.conf, but now that's gone. Now another error is popping up.

ERROR: Unable to open rules file: ../share/snort/classification.config or /usr/local/etc/snort/../share/snort/classification.config

I have a copy of that file in /usr/local/etc/snort, & /usr/local/share/snort. I tried doing a 'chmod 744 class*' just to see if it was a perm issue, but no luck with that. :?
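The root cause above was a commented-out preprocessor line, which Snort reports as a dependency error rather than a missing line. The following added check (not from the thread, not part of Snort or sguil) scans a snort.conf for that exact failure: a dependent preprocessor such as portscan2 whose prerequisite (conversation) is commented out, absent, or listed after it. The sample config fragments are constructed for the example.

```python
import re
from typing import List

# Constructed sample snort.conf fragments (not from the thread).
CONF_BROKEN = """\
# preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
"""

CONF_OK = """\
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
"""

# Preprocessors that only load if another one was already activated earlier
# in the file; this is the dependency behind the "Please activate
# spp_conversation before trying to activate spp_portscan2" error.
DEPENDENCIES = {"portscan2": "conversation"}

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")


def active_preprocessors(conf_text: str) -> List[str]:
    """Return preprocessor names in file order, skipping commented-out lines."""
    names = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented out, so Snort never activates it
        m = PREPROC_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def check_dependencies(conf_text: str) -> List[str]:
    """Return human-readable problems; an empty list means the order is fine."""
    order = active_preprocessors(conf_text)
    problems = []
    for dependent, needed in DEPENDENCIES.items():
        if dependent not in order:
            continue  # nothing depends on anything here
        if needed not in order:
            problems.append(f"{dependent} needs {needed}, which is missing or commented out")
        elif order.index(needed) > order.index(dependent):
            problems.append(f"{needed} must appear before {dependent}")
    return problems
```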

Kernel_Killer
July 17th, 2003, 21:14
Never mind. Configuring snort.conf at 3am with sleep dep is not a good idea. Wrong relative path.

Kernel_Killer
July 17th, 2003, 23:27
Ok. Down to the last bit, so I think. Everything is set and running correctly, except the base, sguild. Here is the error:

[code]
can't find package sha1
while executing
"package require sha1"
(file "./sguild" line 1029)
[/code]

Ok. So I thought, "Big Deal. Just need the SHA1 algo package". Quote: "So I thought". I installed 'sha', p5-Digest-SHA1, p5-Crypt-HCE_SHA, and no luck whatsoever. Surely this is a simple problem, but I can't seem to get it to resolve.

soup4you2
July 18th, 2003, 09:28
I believe those are the only packages I needed for SHA1:

p5-Digest-SHA1-2.03 Perl interface to the SHA-1 Algorithm

Kernel_Killer
July 18th, 2003, 19:48
Ok. This is getting crazy. Here's what I have now:

sguild.tk:

[code]
invalid command name "font"
while executing
"font create ourStandardFont -family Helvetica -size 10 -weight bold"
invoked from within
"if { [file exists $FONTFILE] } {
for_file fontLine $FONTFILE {
eval font create [lindex $fontLine 0] [lrange $fontLine 1 end]
}
} else {
fon..."
(file "./sguil.tk" line 3198)
[/code]

tcl/tk packages:

mysqltcl-2.14 TCL module for accessing MySQL databases based on msqltcl
tcl-8.3.5_2 Tool Command Language
tcl-8.4.3,1 Tool Command Language
tclX-8.3.5 Extended TCL
tcllib-1.3 A collection of utility modules for Tcl

I'm using tcl 8.3 for all these since 8.3 seems to generate more errors.

Then I get an error from sguild running in MySQL:

[code]
mysql --local-infile -D sguildb -h localhost -P 1211 -u root --password=password -e "LOAD DATA LOCAL INFILE '/tmp/ssn_log.2006915363.tmp' INTO TABLE sessions FIELDS TERMINATED BY '|'"
Unable to load session data into DB.
ERROR 1148 at line 1: The used command is not allowed with this MySQL version
[/code]

I'm using 3.23, BTW.

This is getting crazy, but not giving up. Think I'll try installing on the Linux box just to see what I get from it, in hopes that it will help me diagnose my problems.

Kernel_Killer
July 20th, 2003, 00:42
OK, switched to MySQL 4, and a lot fixed itself. Now, the only problem I have is that I have to connect from another client, and get a USERNAME/PASS error.

OK. All is well with the test account, but no perms of course. I found out it was in the sguild.users file. How do you go about adding users? It's obvious that the first part is 'user(.)(.)' , but how do I get the encrypted pass? I've googled this, and all I found was the docs that said, "add users to sguild.users". :?

EDIT: Found out how to make the keys. RTFM KK! Just noticed that log_packets.sh doesn't log. Nothing shows in /var/snort/dailylogs. Only issue left (I think). :?

Kernel_Killer
July 25th, 2003, 01:49
Ok. Been off this project for a little bit. I get this error from sguild, from sensor_agent.tcl:

[code]
mysql --local-infile -D sguildb -h localhost -P 1211 -u root --password=pass -e "LOAD DATA LOCAL INFILE '/tmp/ssn_log.2546955964.tmp' INTO TABLE sessions FIELDS TERMINATED BY '|'"
Unable to load session data into DB.
ERROR 1148 at line 1: The used command is not allowed with this MySQL version
[/code]

It happens every time this command is executed from sensor_agent.tcl:

[code]
Copying /snort_data/ssn_logs/ssn_log.2547093467 to host.
Bytes copied: 93
[/code]

This is constant through the running. After that I tried sguild.tk off a remote host, and nothing was in the logs.

soup4you2
July 25th, 2003, 08:59
Hahaha, I know that error.

You need to reinstall MySQL.

You need to give it the arg --enable-local-infile.

The best way to do this, I think, is just to edit the Makefile.

Look for:

[code]
.if ${MACHINE_ARCH} == "i386"
CONFIGURE_ARGS+=--enable-assembler --with-berkeley-db
.endif
[/code]

and add in:

[code]
.if ${MACHINE_ARCH} == "i386"
CONFIGURE_ARGS+=--enable-assembler --with-berkeley-db --enable-local-infile
.endif
[/code]

My howto on this is coming close to finished..

Kernel_Killer
July 25th, 2003, 17:28
Thanx soup! That HOW-TO is going to be great. BTW, I've had better luck with MySQL 4. Fewer errors. A lot fewer. The TCL and TK packages are what got me. Still can't run sguild.tk locally. Oh well. Using a remote box is just as good.

One more Q: did you set up your own users? If so, how?

Kernel_Killer
July 25th, 2003, 18:17
Well, I added '--enable-local-infile' to the correct location, and did a clean install. Also tried MySQL 4.1, 3.23 again, and get the error with them all. Still getting the error for some reason. :?

soup4you2
July 25th, 2003, 19:27
sguild -adduser
or
sguild -deluser

There's also OpenSSL support too :) for communication between the server and the client.

soup4you2
July 25th, 2003, 19:29
Well, I added '--enable-local-infile' to the correct location, and did a clean install. Also tried MySQL 4.1, 3.23 again, and get the error with them all. Still getting the error for some reason. :?

I could not test it w/ 3.32 because it won't compile on BSD 5.1, but 4.0 works.. you might wanna give that one a try.. at any rate my howto should be done by next week..

strog has taken on the job of being my "proofing bitch" so I'll send it to him then post it once I get it back..

Oh yea, strog doesn't like the title proofing bitch, so let me rephrase that to almighty master of spelling and grammar changer person.

Kernel_Killer
July 25th, 2003, 20:38
I was using 4.0 first thing. I moved up to 4.1 just for the hell of it. In all 3 versions, the error still exists. I'll try 4.0 one more time.

soup4you2
July 25th, 2003, 21:55
I was using 4.0 first thing. I moved up to 4.1 just for the hell of it. In all 3 versions, the error still exists. I'll try 4.0 one more time.

Ok, I'm logging into your box and fixing it..

soup4you2
July 26th, 2003, 15:52
Looked like a combination of things..

Fixed your package database, reinstalled mysql, snort, barnyard.

Looks like you forgot some areas in patching barnyard... looks good now. I set most of them in daemon mode.. just create yourself a startup script and you're good to go..

When you wanna use it, remember to run sensor_agent, xscripted, and sguil (client).

Kernel_Killer
July 26th, 2003, 18:03
Well, looks like all is good now. Just have to set it to where I can view the logs now. Thinking the dirs are not set correctly, which wouldn't surprise me if I set them wrong. Thanx again Soup, and I'll be working on the conf file for a bit tonight, and tomorrow. :D

soup4you2
July 28th, 2003, 16:15
If anybody wants to know what's up with the howto..

The overall install of sguil is completed.. I'm waiting on some information on fine-tuning snort to insert into it..

Then I'm going to send it off to elmore or strog for proofing... Then the programmer of sguil (bamm) is going to take a look at it to see if I left anything out or wants to add anything in..

Once I get it back from him it will be posted..

Kernel_Killer
July 28th, 2003, 17:33
I can't wait! There are so many apps to keep up with, that I got lost in the configs. A strong how-to is going to help everyone, and show the overlooked tweaks that can be done.