Comments on TaoSecurity Blog: New Sguil Scripts and VM
Blog author: Richard Bejtlich
Comment feed last updated 2023-10-16; the ten comments below are shown oldest first.

Anonymous (2006-03-24 01:38 -05:00):

Thanks for the scripts Richard, I intend on having a look at them over the weekend. You mentioned in the post that the scripts can be modified for FreeBSD 6. Do you have any pointers in relation to accomplishing this?

Richard Bejtlich (2006-03-24 09:36 -05:00):

The only difference for FreeBSD 6 is the PACKAGESITE environment variable. Comment out the one for freebsd-5-stable and uncomment the one for freebsd-6-stable.

I've used the scripts on both platforms and they seem to work fine.

Anonymous (2006-03-29 09:31 -05:00):

First, thanks for taking the time to help us Sguil newbies get this software installed with minimal effort. It was a definite help for me.

I recently used your script to help install Sguil on a brand new FreeBSD box. Due to its SATA chipset, I had to use the FreeBSD 6.1BETA4 release. One thing I think you left out of your script/instructions is the creation of the Sguil user.

I found one of your earlier posts regarding the Sguil instructions that helped me get the Sguil user created:
http://taosecurity.blogspot.com/2005/12/rough-sguil-installation-script-my_28.html

Also, unless I missed something, how do you enable Snort to start after a system reboot?

Richard Bejtlich (2006-03-29 11:30 -05:00):

Davis,

Thanks for the feedback.

Check out /usr/local/etc/rc.d/snort.sh for info on how to use rc.d to start Snort automatically.

Anonymous (2006-04-04 16:55 -04:00):

Just to leave a quick follow-up comment, I upgraded my system using these commands:

    portsnap fetch
    portsnap update
    portupgrade -varRPP
    portupgrade -varR

Now the sguil daemon runs, but it doesn't open port 7734 for the sguil client to connect to. I've exhausted my troubleshooting skills to get this working again.

I'm going to try a reinstall as a last resort, but I wanted to post a small comment just in case this is useful to you.

-davis

Anonymous (2007-02-07 13:29 -05:00):

Where can I find these scripts now?

Richard Bejtlich (2007-02-07 13:31 -05:00):

Always start here (http://www.taosecurity.com/research.html), where you'll see the Sguil Installation Script (http://taosecurity.blogspot.com/2006/09/latest-sguil-scripts.html). Note they probably need another round of modification and have not been tested since first written.

Anonymous (2007-02-07 14:38 -05:00):

Thanks, I'm just going to give it a try on FreeBSD 5.5.

Anonymous (2007-02-08 09:48 -05:00):

I'm having a problem with the startup scripts. It seems they are not pulling in the variables. For instance, in the barnyard startup script:

    SENSOR=taosecurity
    cd /usr/local/etc/nsm/

    barnyard -c barnyard.conf -d /nsm/$SENSOR/ -g gen-msg.map -s sid-msg.map -f snort.log -w /nsm/$SENSOR/waldo.file

It doesn't then look for the gen-msg.map inside /nsm/taosecurity. It stays in the /usr/local/etc/nsm dir and looks for it. The snort startup script is doing the same.
What am I doing wrong here?
I'm using FreeBSD 5.5.
Thanks,

Richard Bejtlich (2007-02-08 22:32 -05:00):

Hi Kevin,

You're in the /usr/local/etc/nsm directory when you tell barnyard to read gen-msg.map and sid-msg.map. The -d flag tells barnyard where to find spool files, not anything else.
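The barnyard startup confusion in this thread comes down to which directory a relative path is resolved against: -g and -s are resolved from the shell's working directory (here /usr/local/etc/nsm), while -d only names the spool directory. The following preflight helper is an added example, not part of the thread or of Richard's scripts; it shows where each file argument would resolve and fails before barnyard is launched if any of them is missing. It assumes only the flags that appear in Kevin's command line (-c, -d, -g, -s, -f, -w) and is written for the POSIX sh an rc.d script runs under.

```shell
#!/bin/sh
# Added example (not from the original thread): preflight for a barnyard
# rc script. Relative -c/-g/-s paths resolve against the working directory,
# not against the -d spool directory, so check them from that directory.

# resolve_arg DIR PATH: print the absolute path PATH resolves to when the
# process is started with DIR as its working directory.
resolve_arg() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# preflight_barnyard CWD SPOOL CONF GENMAP SIDMAP
# Prints "<flag> <arg> -> <absolute path> [ok|MISSING]" for each file
# argument and returns 1 if anything required is absent, so the rc script
# can stop with a clear message instead of letting barnyard fail later.
preflight_barnyard() {
    cwd=$1; spool=$2; conf=$3; genmap=$4; sidmap=$5
    rc=0
    for pair in "-c $conf" "-g $genmap" "-s $sidmap"; do
        flag=${pair%% *}; file=${pair#* }
        abs=$(resolve_arg "$cwd" "$file")
        if [ -f "$abs" ]; then state=ok; else state=MISSING; rc=1; fi
        printf '%s %s -> %s [%s]\n' "$flag" "$file" "$abs" "$state"
    done
    # -d is the spool directory holding the snort.log files (-f) and the
    # waldo bookmark (-w); it has no effect on where -g and -s are looked up.
    if [ -d "$spool" ]; then state=ok; else state=MISSING; rc=1; fi
    printf '%s %s [%s]\n' "-d" "$spool" "$state"
    return $rc
}

# Example invocation from an rc script, using the paths from the thread
# (uncomment on a real sensor):
# cd /usr/local/etc/nsm && \
#   preflight_barnyard "$PWD" /nsm/taosecurity barnyard.conf gen-msg.map sid-msg.map && \
#   barnyard -c barnyard.conf -d /nsm/taosecurity -g gen-msg.map -s sid-msg.map \
#            -f snort.log -w /nsm/taosecurity/waldo.file
```

Running the preflight from /usr/local/etc/nsm with the map files only present under /nsm/taosecurity reproduces Kevin's situation: the -g and -s lines report MISSING, which is exactly what barnyard itself complains about.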