Troubleshooting New Sguil Installation

Today I worked on installing a new Sguil sensor. I am trying to do so using scripts that I've mentioned before, but I am adapting the scripts to work with the newest FreeBSD and packages available. None of them are ready for public viewing. In fact, they are exceedingly pathetic. All they do is save me from typing commands. There is no error checking, intelligence, or anything of redeemable value. If I ever get some time I am going to help InstantNSM support FreeBSD, instead of getting my lousy scripts to production grade.

In any event, I was having trouble running sguild and sensor_agent.tcl. I forgot to capture the error I received, but one complained that Tclx was not installed and the other said mysqltcl was not installed. I knew both were installed via package.

sensor-v:/home/sguil$ pkg_info | grep -i tcl
mysqltcl-3.01 TCL module for accessing MySQL databases based on msqltcl
tcl-8.4.13_1,1 Tool Command Language
tclX-8.4 Extended TCL
tcllib-1.7_1 A collection of utility modules for Tcl
tcltls-1.5.0 SSL extensions for TCL; dynamicly loadable

You can see the packages on sensor-c.

sensor-c:/home/analyst$ pkg_info | grep -i tcl
mysqltcl-3.01 TCL module for accessing MySQL databases based on msqltcl
tcl-8.4.13,1 Tool Command Language
tclX-8.4 Extended TCL
tcllib-1.7_1 A collection of utility modules for Tcl
tcltls-1.5.0 SSL extensions for TCL; dynamicly loadable

I decided to check using the Tcl interpreter.

sensor-v:/home/sguil$ tclsh
% package require Tclx
couldn't load file "/usr/local/lib/tclx8.4/libtclx8.4.so":
/usr/local/lib/tclx8.4/libtclx8.4.so: Undefined symbol "__h_errno"
% package require mysqltcl
couldn't load file "/usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3":
/usr/local/lib/mysql/libmysqlclient.so.15: Undefined symbol "gethostbyname_r"

That's not good. Here's what should happen, on a working sensor.

sensor-c:/home/analyst$ tclsh
% package require mysqltcl
3.01
% package require Tclx
8.4
% package require mysqltcl
3.01

Next I checked hashes of the critical files, first on the good sensor.

sensor-c:/home/analyst$ md5 /usr/local/lib/tclx8.4/libtclx8.4.so
MD5 (/usr/local/lib/tclx8.4/libtclx8.4.so) = 51c311403e358a8c369fc9d195b94de8
sensor-c:/home/analyst$ md5 /usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3
MD5 (/usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3) = 071d8d664cde06611adf333dc065b1d6

Now the nonworking sensor.

sensor-v:/home/analyst$ md5 /usr/local/lib/tclx8.4/libtclx8.4.so
MD5 (/usr/local/lib/tclx8.4/libtclx8.4.so) = 2db9e4320ffeee548f2768ca9aa7c353
sensor-v:/home/analyst$ md5 /usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3
MD5 (/usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3) = 96957f535baf6b77df0cc5cb56ed45be

The hashes are different. Let's see what these files are.

sensor-c:/home/analyst$ file /usr/local/lib/tclx8.4/libtclx8.4.so
/usr/local/lib/tclx8.4/libtclx8.4.so: ELF 32-bit LSB shared object,
Intel 80386, version 1 (FreeBSD), stripped
sensor-c:/home/analyst$ file /usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3
/usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3: ELF 32-bit LSB shared object,
Intel 80386, version 1 (FreeBSD), not stripped

Now sensor-v.

sensor-v:/home/analyst$ file /usr/local/lib/tclx8.4/libtclx8.4.so
/usr/local/lib/tclx8.4/libtclx8.4.so: ELF 32-bit LSB shared object,
Intel 80386, version 1 (FreeBSD), stripped
sensor-v:/home/sguil$ file /usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3
/usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3: ELF 32-bit LSB shared object,
Intel 80386, version 1 (FreeBSD), not stripped

I decided to move the bad files on sensor-v out of the way and replace them with good copies from sensor-c.

sensor-v:/root# mv /usr/local/lib/tclx8.4/libtclx8.4.so /usr/local/lib/tclx8.4/libtclx8.4.so.noworkie
sensor-v:/root# cp /tmp/libtclx8.4.so /usr/local/lib/tclx8.4/
sensor-v:/root# mv /usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3 /usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3.noworkie
sensor-v:/root# cp /tmp/libmysqltcl.so.3 /usr/local/lib/tcl8.4/mysqltcl/

Now I ran the Tcl interpreter again on sensor-v.

sensor-v:/home/sguil$ tclsh
% package require Tclx
8.4
% package require mysqltcl
3.01

Everything is in order. I am suspicious though. Why would those two files not be correct on a fresh installation?
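The hash comparison between sensor-c and sensor-v, done by hand above, as an added shell helper (this is not code from the post or from Sguil): each host writes an md5(1) manifest of the critical libraries, and the helper reports every path whose hash differs or that exists on only one host, exiting non-zero on any discrepancy so the same check can gate copying a library into place. The manifest format ("MD5 (path) = hash") is FreeBSD md5(1) output as shown above; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): automate the cross-host md5
# comparison. Each host runs, for example,
#   md5 /usr/local/lib/tclx8.4/libtclx8.4.so /usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.3 > host.md5
# and the two manifests are compared here. Assumes FreeBSD md5(1) output
# ("MD5 (path) = hash"); helper names are hypothetical.

# Emit one "path<TAB>hash" line per valid manifest entry; other lines are
# ignored. Tab separation keeps paths containing spaces intact.
normalize_manifest() {
    awk '/^MD5 \(.*\) = [0-9a-fA-F]+$/ {
            path = $0
            sub(/^MD5 \(/, "", path)
            sub(/\) = [0-9a-fA-F]+$/, "", path)
            print path "\t" tolower($NF)
         }' "$1"
}

# compare_md5_manifests GOOD_MANIFEST SUSPECT_MANIFEST
# Prints "DIFFERS <path>", "MISSING_ON_SUSPECT <path>" or
# "MISSING_ON_GOOD <path>" per discrepancy, sorted. Returns 0 only when the
# two hosts agree on every file, so it can gate a deployment step.
compare_md5_manifests() {
    tmp_good=$(mktemp) || return 2
    tmp_sus=$(mktemp) || { rm -f "$tmp_good"; return 2; }
    normalize_manifest "$1" > "$tmp_good"
    normalize_manifest "$2" > "$tmp_sus"
    report=$(awk '
        BEGIN { FS = "\t" }
        FILENAME == ARGV[1] { good[$1] = $2; next }   # known-good host
        {
            seen[$1] = 1
            if (!($1 in good))       print "MISSING_ON_GOOD", $1
            else if (good[$1] != $2) print "DIFFERS", $1
        }
        END {
            for (p in good) if (!(p in seen)) print "MISSING_ON_SUSPECT", p
        }' "$tmp_good" "$tmp_sus" | LC_ALL=C sort)
    rm -f "$tmp_good" "$tmp_sus"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run as `compare_md5_manifests sensor-c.md5 sensor-v.md5`; a clean exit means the suspect host's files match the reference byte for byte, while any DIFFERS line is a file to investigate before loading it.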

Comments

Anonymous said…
Hmmm, I wonder what's going on with InstantNSM. The pages all say "Coming Soon". I haven't seen an update to that site at all. Looks like the last update was in January 2006.
