Thursday, July 08, 2004

Sguil Development Issues

Lots has been happening in the Sguil world this past week. Bamm released Sguil 0.5.0 last week. The major development was the merging of xscriptd functionality into sguild. That's one less component to worry about.

I also made some changes to the instructions for building IncrTcl in my Sguil installation guide, thanks to Mark Bergstrom. My guide still applies to Sguil 0.5.0, although the advice on xscriptd now belongs in the sguild configuration section. I'll produce a new guide for Sguil 0.5.1 when it arrives, as I hope to incorporate Snort 2.2.0 as well.

After nearly four years of asking Bamm for feature requests in various apps he's written, I finally committed my own change to Sguil. I committed a change to sguil.tk and qrylib.tcl to support querying for events by source or destination port. Unfortunately I made a mistake merging my changes into the version I checked into CVS, and Bamm made a correction to sguil.tk shortly after my commit! I duplicated a line by mistake.

Nevertheless, I thought it might be interesting to share the commands I used to check out and then check in the Sguil code for those who don't use CVS.

First I checked out the latest Sguil distro. I made a directory to separate that code from my home directory, and then set an environment variable telling CVS to use SSH for transport:

drury:/home/analyst$ cd sguil_devel
drury:/home/analyst/sguil_devel$ export CVS_RSH=ssh

Next I checked out the Sguil code:

drury:/home/analyst/sguil_devel$ cvs -d:ext:taosecurity@cvs.sf.net:/cvsroot/sguil checkout sguil
taosecurity@cvs.sf.net's password:
cvs checkout: Updating sguil
U sguil/README
cvs checkout: Updating sguil/client
U sguil/client/sguil.conf
U sguil/client/sguil.tk
cvs checkout: Updating sguil/client/lib
U sguil/client/lib/dkffont.tcl
U sguil/client/lib/email17.tcl
...truncated...

Next I made the changes I needed to the Sguil code, and committed them. Note I did this from the 'sguil' directory:

drury:/home/analyst/sguil_devel/sguil$ cvs commit
cvs commit: Examining .
cvs commit: Examining client
cvs commit: Examining client/lib
...edited...
cvs commit: Examining web/data
cvs commit: Examining web/lib
taosecurity@cvs.sf.net's password:

After entering my password, I was dropped into a vi session. There I was asked to create my log entry for the changes I made. When done, CVS checked in the files I modified:

Checking in client/sguil.tk;
/cvsroot/sguil/sguil/client/sguil.tk,v <-- sguil.tk
new revision: 1.121; previous revision: 1.120
done
Mailing sguil-cvs@lists.sf.net...
Generating notification message...
Generating notification message... done.
Checking in client/lib/qrylib.tcl;
/cvsroot/sguil/sguil/client/lib/qrylib.tcl,v <-- qrylib.tcl
new revision: 1.19; previous revision: 1.18
done
Mailing sguil-cvs@lists.sf.net...
Generating notification message...
Generating notification message... done.
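The duplicated line mentioned above is the kind of merge slip a quick look at `cvs diff -u` catches before `cvs commit`. The script below is an added example, not code from this post or from the Sguil project; the diff it reads is a constructed sample, and the Tcl lines in it are placeholders rather than real sguil.tk source.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Sguil project:
# a pre-commit check for the merge mistake described above, an added line
# duplicated by accident. It reads a unified diff (what `cvs diff -u`
# prints) and reports every added line that repeats the added line
# immediately before it. Blank lines and the '+++' file header are ignored.

# Print the consecutive-duplicate added lines found in the diff file $1.
dup_added_lines() {
    grep '^+' "$1" | grep -v '^+++' | sed 's/^+//' |
    awk 'NR > 1 && $0 == prev && $0 !~ /^[ \t]*$/ { print }
         { prev = $0 }'
}

# Exit status 0 when the diff has no duplicated added line, 1 otherwise.
check_diff() {
    [ -z "$(dup_added_lines "$1")" ]
}

# Constructed sample standing in for `cvs diff -u client/sguil.tk`; the Tcl
# lines are placeholders, not the real sguil.tk source.
SAMPLE_DIFF=$(mktemp)
trap 'rm -f "$SAMPLE_DIFF"' EXIT
cat > "$SAMPLE_DIFF" <<'EOF'
--- client/sguil.tk
+++ client/sguil.tk
@@ -1,3 +1,6 @@
 proc PlaceholderPortQuery {} {
+    # constructed placeholder lines
+    set portType src
+    set portType src
     return
 }
EOF

if check_diff "$SAMPLE_DIFF"; then
    echo "no duplicated added lines, safe to cvs commit"
else
    echo "duplicated added line(s) found, review before cvs commit:"
    dup_added_lines "$SAMPLE_DIFF"
fi
```

In a real checkout, pipe `cvs diff -u` into a file and pass that file to `check_diff` instead of the constructed sample.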


In the #snort-gui IRC channel on irc.freenode.net, this message appeared:

taosecurity * sguil/client (2 files in 2 dirs):
Added ability to query events for source or destination ports.

CIA-7 is a reference to the CIA Open Source Notification System, an IRC bot. You can see that message saved here. We also use Infobot and Pastebot to keep track of various pieces of information in the #snort-gui channel.
