Sguil 0.7.0 on Ubuntu 9.10

Today I installed a Sguil client on a fresh installation of Ubuntu 9.10.

It was really easy with the exception of one issue I had to troubleshoot, explained below.

First notice that tcl8.4 and tk8.4 is already installed on Ubuntu 9.10.

richard@janney:~$ dpkg --list | grep -i tcl
ii tcl8.4 8.4.19-3
Tcl (the Tool Command Language) v8.4 - run-t
ii tk8.4 8.4.19-3
Tk toolkit for Tcl and X11, v8.4 - run-time
richard@janney:~$ sudo apt-get install tclx8.4 tcllib
iwidgets4 tcl-tlsReading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
itcl3 itk3
Suggested packages:
itcl3-doc itk3-doc iwidgets4-doc tclx8.4-doc
The following NEW packages will be installed:
itcl3 itk3 iwidgets4 tcl-tls tcllib tclx8.4
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,127kB of archives.
After this operation, 18.1MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 karmic/universe itcl3 3.2.1-5 [99.4kB]

Next install wireshark via apt-get. I don't show that here.

The server I want to connect to is running Sguil 0.7.0, not the version currently in CVS. If you try connecting from a CVS client to a 0.7.0 server, the client will report an error like

error writing "sock6": connection reset by peer

On the server side you will see Sguil die on error:

pid(37598) Client Connect: 39901 sock15
pid(37598) Validating client access:
pid(37598) Valid client access:
pid(37598) Sending sock15: SGUIL-0.7.0 OPENSSL ENABLED
pid(37598) Client Command Received: VersionInfo {SGUIL-0.7.0 OPENSSL ENABLED}
pid(37598) ERROR: Client connect denied - mismatched versions
Error: can not find channel named "sock15"
can not find channel named "sock15"
while executing
"close $socketID"
(procedure "ClientVersionCheck" line 11)
invoked from within
"ClientVersionCheck $socketID $data1 "
("VersionInfo" arm line 1)
invoked from within
"switch -exact $clientCmd {
DeleteEventID { $clientCmd $socketID $index1 $index2 }
DeleteEventIDList { $clientCmd $socketID $data1 }
(procedure "ClientCmdRcvd" line 38)
invoked from within
"ClientCmdRcvd sock15"
SGUILD: killing child procs...
SGUILD: Exiting...

If you diff the from 0.7.0 against from CVS these differences explain what is happening:

richard@janney:~/sguil/client$ diff /home/richard/Downloads/sguil-0.7.0/client/
< # $Id:,v 1.249 2008/03/25 15:59:34 bamm Exp $ #
> # $Id:,v 1.254 2008/09/21 02:59:25 bamm Exp $ #
< # store $data in $origData because ctoken changes the var it is working on.
< #set origData $data
< #set serverCmd [ctoken data " "]
< #set data1 [string trimleft $data]
< # data1 has indices 1 on etc etc
< #set index1 [ctoken data " "]
< #set data2 [string trimleft $data]
> PassChange { $serverCmd [lindex $data 1] [lindex $data 2] }
< puts $socketID "VersionInfo $tmpVERSION"
> puts $socketID [list VersionInfo $tmpVERSION]

Finally I like to edit my sguil.conf as shown to account for Wireshark's location and to reduce the number of panes from the default of 3 down to 1.

richard@janney:~/Downloads/sguil-0.7.0/client$ diff sguil.conf.orig sguil.conf
< set WIRESHARK_PATH /usr/sbin/wireshark
> set WIRESHARK_PATH /usr/bin/wireshark
< set RTPANES 3
> set RTPANES 1
< set RTPANE_PRIORITY(0) "1"
< set RTPANE_PRIORITY(1) "2 3"
< set RTPANE_PRIORITY(2) "4 5"
> set RTPANE_PRIORITY(0) "1 2 3 4 5"
> #set RTPANE_PRIORITY(1) "2 3"
> #set RTPANE_PRIORITY(2) "4 5"

At this point I can use the Sguil client.

Unfortunately I continue to have a problem with DNS resolution. (I reported one a while back.)

can't read "state(reply)": no such element in array
can't read "state(reply)": no such element in array
while executing
"binary scan $state(reply) SSSSSS mid hdr nQD nAN nNS nAR"
(procedure "Flags" line 13)
invoked from within
"Flags $token flags"
(procedure "dns::name" line 3)
invoked from within
"dns::name $tok"
(procedure "GetHostbyAddr" line 47)
invoked from within
"GetHostbyAddr $srcIP"
(procedure "ResolveHosts" line 23)
invoked from within
invoked from within
cs.page1.cs.ipDataFrame.dnsDataFrame.dnsActionFrame.dnsButton invoke"
("uplevel" body line 1)
invoked from within
"uplevel #0 [list $w $cmd]"
(procedure "tk::CheckRadioInvoke" line 3)
invoked from within
"tk::CheckRadioInvoke .eventPane.pane1.childsite.detailPane.pane0.childsite.detailTabs.canvas.notebook.
(command bound to event)

I noticed a similar error on the sguil-users mailing list and tried installing libudp-tcl, but I got the same error.


Popular posts from this blog

Five Reasons I Want China Running Its Own Software

Cybersecurity Domains Mind Map

A Brief History of the Internet in Northern Virginia