Thursday, July 08, 2004

Sguil Development Issues

Lots has been happening in the Sguil world this past week. Bamm released Sguil 0.5.0 last week. The major development was the merging of xscriptd functionality into sguild. That's one less component to worry about.

I also made some changes to the instructions for building IncrTcl in my Sguil installation guide, thanks to Mark Bergstrom. My guide still applies to Sguil 0.5.0, although the advice on xscriptd now belongs in the sguild configuration section. I'll produce a new guide for Sguil 0.5.1 when it arrives, as I hope to incorporate Snort 2.2.0 as well.

After nearly four years of asking Bamm for feature requests in various apps he's written, I finally committed my own change to Sguil. I committed a change to and qrylib.tcl to support querying for events by source or destination port. Unfortunately I made a mistake merging my changes into the version I checked into CVS, and Bamm made a correction to shortly after my commit! I duplicated a line by mistake.

Nevertheless, I thought it might be interesting to share the commands I used to check out and then check in the Sguil code for those who don't use CVS.

First I checked out the latest Sguil distro. I made a directory to separate that code from my home directory, and then set an environment variable telling CVS to use SSH for transport:

drury:/home/analyst$ cd sguil_devel
drury:/home/analyst/sguil_devel$ export CVS_RSH=ssh

Next I checked out the Sguil code:

drury:/home/analyst/sguil_devel$ cvs
checkout sguil's password:
cvs checkout: Updating sguil
U sguil/README
cvs checkout: Updating sguil/client
U sguil/client/sguil.conf
U sguil/client/
cvs checkout: Updating sguil/client/lib
U sguil/client/lib/dkffont.tcl
U sguil/client/lib/email17.tcl

Next I made the changes I needed to the Sguil code, and committed them. Note I did this from the 'sguil' directory:

drury:/home/analyst/sguil_devel/sguil$ cvs commit
cvs commit: Examining .
cvs commit: Examining client
cvs commit: Examining client/lib
cvs commit: Examining web/data
cvs commit: Examining web/lib's password:

After entering my password, I was dropped into a vi session. There I was asked to create my log entry for the changes I made. When done CVS checked in the files I modified:

Checking in client/;
/cvsroot/sguil/sguil/client/,v <--
new revision: 1.121; previous revision: 1.120

Generating notification message...
Generating notification message... done.

Checking in client/lib/qrylib.tcl;
/cvsroot/sguil/sguil/client/lib/qrylib.tcl,v <-- qrylib.tcl
new revision: 1.19; previous revision: 1.18

Generating notification message...
Generating notification message... done.
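For readers who want to reproduce the checkout-and-commit workflow above without retyping it, here is a small POSIX shell wrapper. It is an added example, not code from the post or from the Sguil project. It reuses the CVSROOT path /cvsroot/sguil visible in the commit output, but the host and user name are placeholders, and it refuses to run unless CVS_RSH points at ssh, since the :ext: method otherwise falls back to rsh and :pserver: sends the password in cleartext. If cvs is not installed it only prints the command it would have run.

```shell
#!/bin/sh
# Added example: wrapper for the Sguil CVS-over-SSH workflow described in the post.
# Placeholders (assumed, not from the post): CVS_HOST and CVS_USER.
# Taken from the post's output: the repository path /cvsroot/sguil.
CVS_HOST="cvs.example.invalid"   # placeholder host
CVS_USER="developer"             # placeholder user
CVS_ROOT_PATH="/cvsroot/sguil"

# Build a CVSROOT using the :ext: method, which tunnels cvs over $CVS_RSH.
sguil_cvsroot() {
    printf ':ext:%s@%s:%s' "$CVS_USER" "$CVS_HOST" "$CVS_ROOT_PATH"
}

# Return 0 only when CVS_RSH names ssh (bare name or full path).
# An unset CVS_RSH means cvs would use rsh, which is cleartext.
cvs_transport_ok() {
    case "${CVS_RSH:-}" in
        ssh|*/ssh) return 0 ;;
        *)         return 1 ;;
    esac
}

# The checkout step from the post, as a single command line.
sguil_checkout_cmd() {
    printf 'cvs -d %s checkout sguil' "$(sguil_cvsroot)"
}

# The commit step; -m supplies the log entry so no editor session is opened.
sguil_commit_cmd() {
    printf 'cvs commit -m "%s"' "$1"
}

# Run cvs with the given arguments, but only over ssh.
run_cvs() {
    if ! cvs_transport_ok; then
        echo "refusing to run cvs: set CVS_RSH=ssh first" >&2
        return 1
    fi
    if command -v cvs >/dev/null 2>&1; then
        cvs "$@"
    else
        echo "cvs not installed; would run: cvs $*" >&2
    fi
}

# Typical use, mirroring the post:
#   export CVS_RSH=ssh
#   mkdir -p sguil_devel && cd sguil_devel
#   run_cvs -d "$(sguil_cvsroot)" checkout sguil
#   cd sguil && run_cvs commit -m "Added ability to query events for source or destination ports."
```

The transport check is the part worth keeping even if you drop the rest: CVS takes its transport from the environment, so a forgotten export silently downgrades the session rather than failing it.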

In the #snort-gui IRC channel on, this message appeared:

taosecurity * sguil/client (2 files in 2 dirs):
Added ability to query events for source or destination ports.

CIA-7 is a reference to the CIA Open Source Notification System, an IRC bot. You can see that message saved here. We also use Infobot and Pastebot to keep track of various pieces of information in the #snort-gui channel.
