New Sguil VM Available for Testing

Using the scripts I described yesterday, I built a new Sguil VM. It is available here:

freebsd54-sguil-24mar06-pub1.tar.bz2 (310 MB)

SHA256 (freebsd54-sguil-24mar06-pub1.tar.bz2) =

The VM is a bzip2-compressed tar archive. Windows users can extract it with bsdtar for Windows.

The OS is FreeBSD 5.4 with the latest security patches. Sguil 0.6.1 is set up with all components on the same system. This VM is similar to my two old VMs using FreeBSD 6.0 and Sguil 0.6.0p1.

I tried to address issues people discussed. I could not build the disks using SCSI because FreeBSD did not recognize them. I know the VM works in VMware Workstation and VMware Server Beta. I have not yet tested it in VMware Player. VMware ESX Server probably won't work because it does not like IDE disks. This VM uses a 6 GB virtual disk, and I gave the /nsm partition 2 GB so you can try collecting more traffic.

I built the VM with two interfaces. As configured they both bridge to vmnet0 (the default interface). I personally change this before running the VM "in production", so that lnc0 bridges to a management interface (vmnet0, bridged to eth0) and lnc1 bridges to a sniffing interface (vmnet2, bridged to eth1). Yes, I am running this VM on Linux with VMware Server Beta.

Here are the accounts on the VM in (system) name: password; comment format. They are published here, so change them before the VM touches any network other than your own.

  • (FreeBSD) sguil: sguil; not in wheel group

  • (FreeBSD) analyst: analyst; in wheel group

  • (FreeBSD) root: r00t

  • (MySQL) sguil: sguil

  • (MySQL) root: r00t

  • (Sguil) sguil: sguil

To get everything running:

  1. Boot the VM. Log in as user analyst. Run 'startx' to open an X session.

  2. Open an xterm. su - root. Run '', '', '/usr/local/bin/ restart'.

  3. Open a second xterm. su - sguil. Run '', '', ''.

  4. Open a third xterm. Run ''.

  5. The Sguil client window will appear. Use server 'localhost', port '7734', user 'sguil', password 'sguil'.

  6. Select sensor 'taosecurity' when given the option.

  7. Congratulations. You are running Sguil!

When all components are running, 'sockstat -4' output will look something like this:

sguil barnyard 4502 11 tcp4
sguil tclsh8.4 4464 3 tcp4
sguil tclsh8.4 4464 4 tcp4 *:*
sguil tclsh8.4 4464 5 tcp4
sguil tclsh8.4 4429 11 tcp4 *:7734 *:*
sguil tclsh8.4 4429 12 tcp4 *:*
sguil tclsh8.4 4429 13 tcp4
mysql mysqld 1845 10 tcp4 *:*

The Sguil client connects to port 7734 TCP, where sguild is listening. Barnyard connects to port 7735 TCP. The sguild server listens on port 7736 TCP for connections from sensor_agent.tcl. MySQL listens on port 3306 TCP. Note that in this deployment sguild's client port 7734 is bound to all interfaces (the *:7734 entry above), as is MySQL, while the sensor-side connections stay on localhost. I usually don't have port 7734 TCP listening on public IPs. I instead use SSH port forwarding to tunnel the client communications:

ssh -L 7734:localhost:7734 analyst@sensor_mgt_ip

When I start my client I then connect to localhost, port 7734.

The easiest way to test the whole setup is to netcat to port 22 TCP on a system watched by the sensor. Enter the text 'GOBBLES' once connected. There is a Snort rule that fires when Snort sees this text on port 22 TCP. The connection has to cross the interface Snort is sniffing: a netcat from the sensor to its own localhost stays on the loopback interface and never reaches the sniffing interface, so nothing will alert.

You should see an alert appear in the Sguil console.
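The probe described above, as an added example that is not part of the original post or of Sguil itself. It sends the 'GOBBLES' text to an SSH port the way the netcat test does, and separately implements the match condition the rule applies (TCP to port 22, payload containing GOBBLES) so the logic can be exercised offline. The FakeSSHServer, its banner string and the run_smoke_test wrapper are constructed for the example; any listener that sends a banner would do.

```python
"""Reproduce the 'GOBBLES on port 22' smoke test without netcat.

Added example, not code from the original post or from the Sguil project.
send_probe() does what the netcat test does; gobbles_alert() mirrors the
rule condition (destination port 22, payload contains "GOBBLES");
FakeSSHServer is a constructed stand-in for sshd so the whole thing runs
offline on 127.0.0.1.
"""
import socket
import threading

PROBE = b"GOBBLES\r\n"   # the text the post says the Snort rule looks for
SSH_PORT = 22            # the real destination port used in the post


def send_probe(host, port=SSH_PORT, timeout=3.0):
    """Connect to host:port, read any banner, write the probe.
    Returns (banner, bytes_sent)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            banner = s.recv(256)
        except socket.timeout:
            banner = b""
        s.sendall(PROBE)
        return banner, len(PROBE)


def gobbles_alert(dst_port, payload):
    """Mirror of the rule condition: TCP to port 22 carrying 'GOBBLES'."""
    return dst_port == SSH_PORT and b"GOBBLES" in payload


class FakeSSHServer:
    """Constructed listener (assumption: anything that sends a banner and
    records the client's bytes is enough to exercise send_probe)."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port, no root needed
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = b""
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            # Constructed banner; a real sshd sends something of this shape.
            conn.sendall(b"SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20060123\r\n")
            conn.settimeout(3.0)
            try:
                self.received = conn.recv(256)
            except socket.timeout:
                pass
        self.sock.close()

    def wait(self):
        self.thread.join(5.0)
        return self.received


def run_smoke_test():
    """Stand up the fake listener, send the probe, and evaluate the rule
    logic on what the listener saw. The alert decision is keyed to port 22
    (the post's destination port), not to the ephemeral port used here."""
    srv = FakeSSHServer()
    banner, _ = send_probe("127.0.0.1", srv.port)
    seen = srv.wait()
    return {
        "banner": banner,
        "seen": seen,
        "alert": gobbles_alert(SSH_PORT, seen),        # expected: True
        "no_alert_other_port": gobbles_alert(2222, seen),  # expected: False
    }


if __name__ == "__main__":
    print(run_smoke_test())
```

To use it against a real host watched by the sensor, call send_probe("target-ip") from a machine whose traffic crosses the sniffing interface; the payload on the wire is the same as typing GOBBLES into netcat.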

If you have any questions, please post them here as comments. You may also get help posting them via email to sguil-users at lists dot sourceforge dot net.


zooz said…
I ran netcat on localhost where sguil is installed and wasn't able to detect anything on the sguil client. what am i missing? what parameters did you use w/ nc?


ps: huge difference from snort/base combo... really cool
zooz, visit us in #snort-gui on and chat.
zooz said…
i'm trying to get to through the sguil client but it's halting...

is it not up?

thx again for the tip on #snort-gui

justin81 said…
Hi, I have started up the VM, right-clicked and chosen XTerm. I am presented with the following prompt in Xterm:
I enter
su - root.
It asks for a password so I reply with
The system prompts me with
Taosecurity:/root# so I respond with
and it responds with Command not found and puts me back at the root command. I have tried the rest of the commands and
/usr/local/bin/ restart and in both cases it again, tells me the command is not recognised.
Can you tell me what I'm doing wrong, please?
Many thanks
Justin Forde.
justin81: This post and VM are almost 6 years old. Forget about it. Try instead!
justin81 said…
Cheers Richard, will do.
