Tuesday, November 09, 2010

Updates to Sguil on FreeBSD Scripts

Early last year I posted Notes on Installing Sguil Using FreeBSD 7.1 Packages where I examined using the various FreeBSD ports for Sguil. In that post I showed that a lot of work was required to deploy Sguil, even if you used the ports or packages. Previously I've written about a set of scripts I maintain for deploying Sguil platforms in my lab. I decided to take a look at those scripts and update them for a modern environment, since a lot has happened in the almost two years since I last used the scripts.

First, I tested my old scripts on FreeBSD 7.x, and now 8.x is common. Second, Snort is available, and with it the new DAQ mechanism for accessing network traffic. Third, Barnyard has been deprecated in favor of Barnyard2, thanks to the guys at the NSMNow project. There have been a lot of changes with rules and other areas. I also wanted to try running a 64 bit environment on a Dell R200 as my primary lab sensor. Finally, I decided to switch from using CVS at Sourceforge to Git at Sourceforge. I'll explain that in a separate post.

The end result of my work is available now at http://taosecurity.git.sourceforge.net. Please remember that these scripts are basically a way for me to document how I installed certain versions of various NSM applications on a specific FreeBSD platform. There's no error checking, and no support available. Basically, if you want to see how I deploy all of the non-client parts of Sguil on FreeBSD 8.1, feel free to check out the scripts.

One aspect of this that might be helpful is that by reading the scripts you can follow how to go from a basic FreeBSD installation to a completely functioning, all-in-one (minus the client) Sguil platform.

1 comment:

Joe said...

Thanks Richard!