Wednesday, February 28, 2007

Sguil Client on Ubuntu

Inspired by an old post, John Curry, and David Bianco's NSM Wiki, I decided I would install the Sguil client on Ubuntu. It was really easy.

First I edited the /etc/apt/sources.list file to include the "universe" package collections:

deb edgy universe
deb-src edgy universe

Next I updated the apt cache and added the libraries I needed.

richard@neely:~$ sudo apt-get update
richard@neely:~$ sudo apt-get install tclx8.4 tcllib iwidgets4 wireshark
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
itcl3 itk3 libadns1 libpcre3 tcl8.4 tk8.4 wireshark-common
Suggested packages:
itcl3-doc itk3-doc iwidgets4-doc tclreadline tclx8.4-doc
Recommended packages:
The following NEW packages will be installed:
itcl3 itk3 iwidgets4 libadns1 libpcre3 tcl8.4 tcllib tclx8.4 tk8.4 wireshark
0 upgraded, 11 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.0MB of archives.
After unpacking 51.4MB of additional disk space will be used.
Do you want to continue [Y/n]? y

When done I downloaded the sguil-client-0.6.1.tar.gz archive, and modified sguil.conf thus:

set ETHEREAL_PATH /usr/bin/wireshark

That's it. I was able to start Sguil and access servers.


Pete said...


You could convert the rpm packages to debs using alien and install sguil that way. This of course assumes that the rpms are still maintained.

I used to do this back in college.


geek00L said...


It is pretty straight forward though :)

Pete said...

Not disagreeing I'm just saying that it's good practice to have everything managed with the systems native package management.


Anonymous said...
This comment has been removed by a blog administrator.
Richard Bejtlich said...

Note Sguil 0.7.0 requires tcltls too.

Anonymous said...

If only OS X were as easy as debian...