Snort mailing list archives
Re: Sguil 8 and Barnyard2 beta
From: firnsy <firnsy () securixlive com>
Date: Sun, 10 Jul 2011 23:08:07 +1000
On 10/07/11 21:36, James Lay wrote:
> Hey all,
G'day James,
> So….been trying to get sguil to fly…and here's what I see below:
Trying ... Hmmm ... This doesn't sound good.
> Running in Continuous mode
>
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/opt/etc/snort/barnyard2.conf"
> Log directory = /var/log/barnyard2
> sguil: sensor name = gateway
> sguil: agent port = 7736
> sguil: Connected to localhost on 7736.
> 2011-07-10 11:31:58 pid(19350) Sensor agent connect from 127.0.0.1:40978 sock15
> 2011-07-10 11:31:58 pid(19350) Validating sensor access: 127.0.0.1 :
> 2011-07-10 11:31:58 pid(19350) Valid sensor agent: 127.0.0.1
> ERROR: sguil: Expected SidCidResponse and got 'SGUIL-0.8.0 OPENSSL ENABLED
> Fatal Error, Quitting..
> 2011-07-10 11:31:58 pid(19350) Sensor Data Rcvd: SidCidRequest gateway
> 2011-07-10 11:31:58 pid(19350) Ignoring cmd from unregistered agent: SidCidRequest gateway
> 2011-07-10 11:31:58 pid(19350) Sensor Data Rcvd:
> 2011-07-10 11:31:58 pid(19350) Ignoring cmd from unregistered agent:
> 2011-07-10 11:31:58 pid(19350) Socket sock15 closed
Upon initial inspection, it is clearly a protocol issue and the plugin will die Fatally.

I'm guessing you've supplied some of the syslog messages from the server side. If so, the "Ignoring cmd from unregistered agent" is likely the root cause. The plugin has issued "SidCidRequest" and the server has ignored it due to being unregistered.

I have not yet played with Sguil 0.8.0 but that's what I would be researching first. On the other hand if the agent has been registered then it could be a bug. I can guarantee the plugin works with 0.7.0.

Regards,
firnsy
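The diagnosis above can be turned into a repeatable check on the two logs involved. The following is an added example for this archive page, not code from the thread, from Barnyard2 or from Sguil: it groups the sguild lines quoted above into per-socket agent sessions, flags any session where the host passed sguild's access check yet had commands ignored as coming from an unregistered agent, and extracts from the barnyard2 error what the plugin received in place of the expected SidCidResponse. The regular expressions assume the message formats exactly as they appear in the quoted output, and the session grouping assumes sguild logs one connection's lines in sequence; the sample log text is constructed from the quoted lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the sguild server lines quoted in the thread, one per
# line (the archive ran them together; timestamps and pid are as quoted).
SAMPLE_SGUILD_LOG = """\
2011-07-10 11:31:58 pid(19350) Sensor agent connect from 127.0.0.1:40978 sock15
2011-07-10 11:31:58 pid(19350) Validating sensor access: 127.0.0.1 :
2011-07-10 11:31:58 pid(19350) Valid sensor agent: 127.0.0.1
2011-07-10 11:31:58 pid(19350) Sensor Data Rcvd: SidCidRequest gateway
2011-07-10 11:31:58 pid(19350) Ignoring cmd from unregistered agent: SidCidRequest gateway
2011-07-10 11:31:58 pid(19350) Sensor Data Rcvd:
2011-07-10 11:31:58 pid(19350) Ignoring cmd from unregistered agent:
2011-07-10 11:31:58 pid(19350) Socket sock15 closed
"""

# Constructed: the barnyard2-side error line from the same thread.
SAMPLE_BARNYARD2_ERROR = "ERROR: sguil: Expected SidCidResponse and got 'SGUIL-0.8.0 OPENSSL ENABLED"

# Assumed message formats, taken from the quoted output above.
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} pid\(\d+\) (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^Sensor agent connect from (?P<peer>\S+) (?P<sock>sock\d+)$")
UNREG_RE = re.compile(r"^Ignoring cmd from unregistered agent:\s*(?P<cmd>.*)$")
CLOSED_RE = re.compile(r"^Socket (?P<sock>sock\d+) closed$")
BANNER_RE = re.compile(r"Expected SidCidResponse and got '(?P<got>[^']*)")


@dataclass
class AgentSession:
    peer: str
    sock: str
    access_valid: bool = False                         # "Valid sensor agent" seen for this host
    ignored_cmds: list = field(default_factory=list)   # commands refused before registration
    closed: bool = False


def parse_sguild_log(text):
    """Group sguild lines into per-socket sessions keyed by the sockN handle."""
    sessions = {}
    current = None   # assumption: lines for one connection arrive in sequence
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        c = CONNECT_RE.match(msg)
        if c:
            current = AgentSession(peer=c.group("peer"), sock=c.group("sock"))
            sessions[current.sock] = current
            continue
        closed = CLOSED_RE.match(msg)
        if closed and closed.group("sock") in sessions:
            sessions[closed.group("sock")].closed = True
            continue
        if current is None:
            continue
        if msg.startswith("Valid sensor agent:"):
            current.access_valid = True
            continue
        u = UNREG_RE.match(msg)
        if u:
            current.ignored_cmds.append(u.group("cmd"))
    return sessions


def find_unregistered_agents(text):
    """Sessions where sguild accepted the host but refused its commands as unregistered."""
    findings = []
    for s in parse_sguild_log(text).values():
        cmds = [c for c in s.ignored_cmds if c]   # drop the empty trailing command
        if s.access_valid and cmds:
            findings.append({"peer": s.peer, "sock": s.sock,
                             "ignored": cmds, "closed": s.closed})
    return findings


def unexpected_banner(barnyard2_line):
    """If barnyard2 died waiting for SidCidResponse, return what it received instead."""
    m = BANNER_RE.search(barnyard2_line)
    return m.group("got").strip() if m else None


if __name__ == "__main__":
    for f in find_unregistered_agents(SAMPLE_SGUILD_LOG):
        print(f"{f['peer']} on {f['sock']}: host passed access check but {f['ignored']} "
              f"ignored as unregistered; socket closed={f['closed']}")
    print("barnyard2 got instead of SidCidResponse:", unexpected_banner(SAMPLE_BARNYARD2_ERROR))
```

Run against the quoted lines, the check reports the single sock15 session: access validated, "SidCidRequest gateway" ignored as unregistered, socket closed, and the plugin's error shows it read the server's version banner where it expected a SidCidResponse. That is the same pairing firnsy points to, and the check distinguishes it from an access-list rejection (no "Valid sensor agent" line) or a clean disconnect (no ignored commands).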
Current thread:
- Sguil 8 and Barnyard2 beta James Lay (Jul 10)
- Re: Sguil 8 and Barnyard2 beta firnsy (Jul 10)
- Re: Sguil 8 and Barnyard2 beta Bamm Visscher (Jul 10)
- Re: Sguil 8 and Barnyard2 beta James Lay (Jul 10)