Snort mailing list archives

Re: Sguil 8 and Barnyard2 beta


From: firnsy <firnsy () securixlive com>
Date: Sun, 10 Jul 2011 23:08:07 +1000

On 10/07/11 21:36, James Lay wrote:
> Hey all,


G'day James,

> So... been trying to get sguil to fly... and here's what I see below:


Trying ... Hmmm ... This doesn't sound good.

> Running in Continuous mode
>
> --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/opt/etc/snort/barnyard2.conf"
> Log directory = /var/log/barnyard2
> sguil: sensor name = gateway
> sguil: agent port = 7736
> sguil: Connected to localhost on 7736.
> 2011-07-10 11:31:58 pid(19350) Sensor agent connect from 127.0.0.1:40978
> sock15
> 2011-07-10 11:31:58 pid(19350) Validating sensor access: 127.0.0.1 :
> 2011-07-10 11:31:58 pid(19350) Valid sensor agent: 127.0.0.1
> ERROR: sguil: Expected SidCidResponse and got 'SGUIL-0.8.0 OPENSSL ENABLED
>
> Fatal Error, Quitting..
> 2011-07-10 11:31:58 pid(19350) Sensor Data Rcvd: SidCidRequest gateway
> 2011-07-10 11:31:58 pid(19350) Ignoring cmd from unregistered agent:
> SidCidRequest gateway
> 2011-07-10 11:31:58 pid(19350) Sensor Data Rcvd:
> 2011-07-10 11:31:58 pid(19350) Ignoring cmd from unregistered agent:
> 2011-07-10 11:31:58 pid(19350) Socket sock15 closed


Upon initial inspection, it is clearly a protocol issue and the plugin 
will die fatally.

I'm guessing you've supplied some of the syslog messages from the server 
side. If so, the "Ignoring cmd from unregistered agent" is likely the 
root cause.

The plugin has issued "SidCidRequest" and the server has ignored it due 
to being unregistered.

I have not yet played with Sguil 0.8.0 but that's what I would be 
researching first. On the other hand if the agent has been registered 
then it could be a bug.

I can guarantee the plugin works with 0.7.0.

Regards,
firnsy
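The exchange in the log above, reconstructed as an added example (this is not Barnyard2's spo_sguil code nor sguild's Tcl, and it was written for this page). Only three messages are taken from the page: the server banner "SGUIL-0.8.0 OPENSSL ENABLED", the agent's "SidCidRequest gateway", and the "SidCidResponse" the plugin expected; the "Ignoring cmd from unregistered agent" behaviour is modelled on the sguild log lines. The message names "VersionInfo" and "RegisterAgent", the brace-quoted banner echo, and the sid/cid values 1 and 0 are assumptions made for the simulation. The brittle agent reproduces the failure in the log (send SidCidRequest, assume the next line is the response); the tolerant one dispatches on the first token of each line, so a banner or other unexpected message does not kill it:

```python
"""Simulated sguild <-> sensor-agent handshake over a socketpair.

Constructed example for this thread; not sguil's or barnyard2's own code.
"""
import socket
import threading

BANNER = "SGUIL-0.8.0 OPENSSL ENABLED"   # banner quoted in the plugin's error
SENSOR = "gateway"                       # sensor name from the log


class ProtocolError(Exception):
    """Raised by the agent when the server's message is not what it expected."""


def _send(f, line):
    f.write(line + "\n")
    f.flush()


def sguild_like_server(sock, log):
    """Server side. Greets with a version banner, then ignores SidCidRequest
    from an agent that has not registered (as the sguild log lines show).
    'VersionInfo' and 'RegisterAgent' are assumed message names."""
    registered = False
    sid, cid = 1, 0                      # constructed sensor id / last cid
    try:
        with sock.makefile("rw", encoding="utf-8", newline="\n") as f:
            _send(f, BANNER)
            while True:
                raw = f.readline()
                if not raw:              # agent closed the connection
                    break
                line = raw.rstrip("\n")
                log.append(f"Sensor Data Rcvd: {line}")
                parts = line.split()
                if not parts:
                    continue
                cmd = parts[0]
                if cmd == "VersionInfo":         # assumed: agent acknowledges banner
                    continue
                if cmd == "RegisterAgent":       # assumed: agent registers itself
                    registered = True
                    continue
                if cmd == "SidCidRequest":
                    if not registered:
                        log.append(f"Ignoring cmd from unregistered agent: {line}")
                        continue
                    _send(f, f"SidCidResponse {sid} {cid}")
                    continue
                log.append(f"Ignoring unknown cmd: {line}")
    finally:
        sock.close()


def brittle_agent(f):
    """Mirrors the failure on the page: send SidCidRequest straight away and
    assume the very next line from the server is the SidCidResponse."""
    _send(f, f"SidCidRequest {SENSOR}")
    reply = f.readline().rstrip("\n")
    if not reply.startswith("SidCidResponse"):
        raise ProtocolError(f"Expected SidCidResponse and got '{reply}'")
    _, sid, cid = reply.split()
    return int(sid), int(cid)


def tolerant_agent(f):
    """Dispatch on the first token of each line instead of assuming ordering:
    acknowledge the banner, register, then ask for the sid/cid."""
    while True:
        raw = f.readline()
        if not raw:
            raise ProtocolError("server closed connection before SidCidResponse")
        line = raw.rstrip("\n")
        parts = line.split()
        if not parts:
            continue
        if parts[0].startswith("SGUIL-"):        # version banner from the server
            _send(f, "VersionInfo {" + line + "}")   # assumed ack, Tcl-list style
            _send(f, f"RegisterAgent snort {SENSOR}")  # assumed registration
            _send(f, f"SidCidRequest {SENSOR}")
        elif parts[0] == "SidCidResponse":
            return int(parts[1]), int(parts[2])
        else:
            raise ProtocolError(f"unexpected message '{line}'")


def run_exchange(agent):
    """Run one agent function against the simulated server.
    Returns (outcome, server_log); outcome is ('ok', sid, cid) or ('fatal', msg)."""
    server_sock, agent_sock = socket.socketpair()
    log = []
    t = threading.Thread(target=sguild_like_server, args=(server_sock, log))
    t.start()
    try:
        with agent_sock.makefile("rw", encoding="utf-8", newline="\n") as f:
            sid, cid = agent(f)
        outcome = ("ok", sid, cid)
    except ProtocolError as e:
        outcome = ("fatal", str(e))
    finally:
        agent_sock.close()
    t.join()
    return outcome, log


if __name__ == "__main__":
    for name, fn in (("brittle", brittle_agent), ("tolerant", tolerant_agent)):
        outcome, log = run_exchange(fn)
        print(name, outcome)
        for entry in log:
            print("  server:", entry)
```

Running it prints the brittle agent failing with the same "Expected SidCidResponse and got 'SGUIL-0.8.0 OPENSSL ENABLED'" text and the server logging the ignored, unregistered SidCidRequest, while the tolerant agent gets a sid/cid back. The point for the plugin side is the same either way: read a message, look at its type, then decide, rather than assuming the server's first line is the one you asked for.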

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
