It does not…curious:

2014-01-13 23:47:32 pid(19949)  Loading access list: /opt/etc/snort/sguild/sguild.access
2014-01-13 23:47:32 pid(19949)  Sensor access list set to ALLOW ANY.
2014-01-13 23:47:32 pid(19949)  Client access list set to ALLOW ANY.
2014-01-13 23:47:32 pid(19949)  Email Configuration:
2014-01-13 23:47:32 pid(19949)    Config file: /etc/sguild/sguild.email
2014-01-13 23:47:32 pid(19949)    Enabled: No
2014-01-13 23:47:32 pid(19949)  Connecting to localhost on 3306 as sguil
2014-01-13 23:47:32 pid(19949)  MySQL Version: version 5.5.34-0.12.04.1
2014-01-13 23:47:32 pid(19949)  SguilDB Version: 0.14
2014-01-13 23:47:32 pid(19949)  Creating event MERGE table.
2014-01-13 23:47:32 pid(19949)  Creating tcphdr MERGE table.
2014-01-13 23:47:32 pid(19949)  Creating udphdr MERGE table.
2014-01-13 23:47:32 pid(19949)  Creating icmphdr MERGE table.
2014-01-13 23:47:32 pid(19949)  Creating data MERGE table.
2014-01-13 23:47:32 pid(19951)  Loaderd Forked
2014-01-13 23:47:32 pid(19952)  Queryd Forked
2014-01-13 23:47:32 pid(19949)  Retrieving DB info...
2014-01-13 23:47:32 pid(19949)    SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
2014-01-13 23:47:32 pid(19949)    SELECT MAX(timestamp) FROM event WHERE sid=4
2014-01-13 23:47:32 pid(19949)    SELECT MAX(timestamp) FROM event WHERE sid=3
2014-01-13 23:47:32 pid(19949)    SELECT MAX(timestamp) FROM event WHERE sid=1
2014-01-13 23:47:32 pid(19949)    SELECT MAX(timestamp) FROM event WHERE sid=2
2014-01-13 23:47:32 pid(19949)  Querying DB for archived events...
2014-01-13 23:47:32 pid(19949)  Querying DB for escalated events...
2014-01-13 23:47:32 pid(19949)  Retrieving DB info...
2014-01-13 23:47:32 pid(19949)    Getting a list of tables.
2014-01-13 23:47:32 pid(19949)    ...Getting info on autocat.
2014-01-13 23:47:32 pid(19949)    ...Getting info on data.
2014-01-13 23:47:32 pid(19949)    ...Getting info on event.
2014-01-13 23:47:32 pid(19949)    ...Getting info on filters.
2014-01-13 23:47:32 pid(19949)    ...Getting info on history.
2014-01-13 23:47:32 pid(19949)    ...Getting info on icmphdr.
2014-01-13 23:47:32 pid(19949)    ...Getting info on ip2c.
2014-01-13 23:47:32 pid(19949)    ...Getting info on mappings.
2014-01-13 23:47:32 pid(19949)    ...Getting info on nessus.
2014-01-13 23:47:32 pid(19949)    ...Getting info on nessus_data.
2014-01-13 23:47:32 pid(19949)    ...Getting info on pads.
2014-01-13 23:47:32 pid(19949)    ...Getting info on portscan.
2014-01-13 23:47:32 pid(19949)    ...Getting info on sensor.
2014-01-13 23:47:32 pid(19949)    ...Getting info on status.
2014-01-13 23:47:32 pid(19949)    ...Getting info on tcphdr.
2014-01-13 23:47:32 pid(19949)    ...Getting info on udphdr.
2014-01-13 23:47:32 pid(19949)    ...Getting info on user_info.
2014-01-13 23:47:32 pid(19949)    ...Getting info on version.
2014-01-13 23:47:32 pid(19949)  Sguild Initialized.

Thanks Bamm.

James

From: Bamm Visscher [mailto:bamm.visscher@gmail.com]
Sent: Monday, January 13, 2014 4:06 PM
To: Sguil
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning

When you start sguild, it should say that it is loading the autocat file, do you see that?

On Mon, Jan 13, 2014 at 5:33 PM, Lay, James <james.lay@wincofoods.com> wrote:

Hi Bamm,

From the sguild file:

# $Id: sguild,v 1.194 2013/09/05 00:38:45 bamm Exp $ #

and

########################## GLOBALS ##################################

set VERSION "SGUIL-0.8.0"
set AGENT_VERSION "SGUIL-0.8.0"
# DB Version
set DB_VERSION "0.14"
# Counter for tracking xscript transactions
set NEXT_TRANS_ID 0

I copied the sguild-0.8.0.tar.gz from my old IDS machine to my new one.  That tarball was from the sourceforge site.  I created a new database on the new machine and copied over the configuration information to the new machine.  Since then autocat doesn’t seem to function, and I continue to see “2014-01-13 15:05:22 pid(12156)  ERROR: Number of updates mismatched number of events.  Number of EVENTS:  1  Number of UPDATES: 0 Update List: 1.923” when trying to categorize some alerts (usually a couple days old).  Everything else seems to be working fine though.  Current sguild.conf:

set SGUILD_LIB_PATH /opt/etc/snort/sguild/lib
set DEBUG 1
set DAEMON 0
set SYSLOGFACILITY daemon
set SENSOR_AGGREGATION_ON 1
set SERVERPORT 7734
set SENSORPORT 7736
set RULESDIR /opt/etc/snort/rules
set TMPDATADIR /tmp

set DBNAME xxxxxx
set DBPASS xxxxxxx
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil

set LOCAL_LOG_DIR /opt/var/log/sguild_data/archive
set TMP_LOAD_DIR /opt/var/log/sguild_data/load

set TCPFLOW "/usr/bin/tcpflow"
set P0F 1
set P0F_PATH "/usr/sbin/p0f"

Startup line here:

/opt/bin/sguil/sguild -c /opt/etc/snort/sguild/sguild.conf -C /opt/etc/snort/sguild/certs -a /opt/etc/snort/sguild/autocat.conf -g /opt/etc/snort/sguild/sguild.queries -A /opt/etc/snort/sguild/sguild.access

Thanks for looking.

James

From: Bamm Visscher [mailto:bamm.visscher@gmail.com]
Sent: Monday, January 13, 2014 3:17 PM
To: Sguil
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning

Hey James,

What version of Sguil are you running and where/how did you download it?

Bamm

On Mon, Jan 13, 2014 at 10:54 AM, Lay, James <james.lay@wincofoods.com> wrote:

Thanks Doug...looks like I'll have to give that a go.


James

-----Original Message-----
From: Doug Burks [mailto:doug.burks@gmail.com]
Sent: Monday, January 13, 2014 8:41 AM
To: sguil-users@lists.sourceforge.net
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning

I know that autocat works fine on Security Onion, so you might spin
that up in a VM and compare it side-by-side with your Sguil
installation.

On Mon, Jan 13, 2014 at 10:38 AM, Lay, James <james.lay@wincofoods.com>
wrote:
> Same results with adding a symlink...is there something else I can
> try?
> Currently running in debug, and I'm not seeing any autocat happening.
>
> Thank you.
>
> James
>
> -----Original Message-----
> From: Lay, James [mailto:james.lay@wincofoods.com]
> Sent: Friday, January 03, 2014 2:39 PM
> To: sguil-users@lists.sourceforge.net
> Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning
>
> I will give that a go...thank you.
>
> James
>
> -----Original Message-----
> From: Doug Burks [mailto:doug.burks@gmail.com]
> Sent: Friday, January 03, 2014 12:13 PM
> To: sguil-users@lists.sourceforge.net
> Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning
>
> Hi James,
>
> I seem to remember an issue previously of Sguild expecting config
> files to be in /etc/sguild/.  Have you tried making /etc/sguild/ a
> symlink to /opt/etc/snort/sguild/?
>
> On Fri, Jan 3, 2014 at 2:06 PM, Lay, James <james.lay@wincofoods.com>
> wrote:
>> Hey all...topic says it.  So I have my sguild starting with:
>>
>>
>>
>> -a /opt/etc/snort/sguild/autocat.conf
>>
>>
>>
>> That file contains:
>>
>> none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%CINS||16
>>
>>
>>
>> From my .fast file:
>>
>> 12:00:32  [1:2403332:645] ET CINS Active Threat Intelligence Poor Reputation
>> IP TCP group 17 [**] [Classification: Misc Attack] [Priority: 2] {TCP}
>> 125.64.92.105:6000 -> x.x.x.x:1433
>>
>>
>>
>> Yet the sguil client shows this alert.  I also don't see anything in the
>> Auto Cats Standard Query.  Any way to troubleshoot why it's not seeing
>> these?  Thank you.
>>
>>
>>
>> James
>>
>>
>>
>
------------------------------------------------------------------------
> ------
>> Rapidly troubleshoot problems before they affect your business. Most
> IT
>> organizations don't have a clear picture of how application
> performance
>> affects their revenue. With AppDynamics, you get 100% visibility into
> your
>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of
> AppDynamics
>> Pro!
>>
>
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clk
> trk
>> _______________________________________________
>> Sguil-users mailing list
>> Sguil-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>
>
>
>
> --
> Doug Burks
>
>



--
Doug Burks




 

--
sguil - The Analyst Console for NSM
http://sguil.sf.net





 

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
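Two checks for the questions raised in this thread, written as an added example (not code from the Sguil project): does the sguild startup log report loading the autocat file at all (the DB table inventory line "...Getting info on autocat." is not that), and would the quoted autocat.conf rule have matched the CINS alert. The "Loading <what>: <path>" message wording, the nine-field autocat layout and the sensor name are assumptions.

```python
import re

# Constructed excerpt of a sguild startup log, modelled on the one quoted in this thread;
# the DB table inventory names "autocat" even though no autocat file was loaded.
STARTUP_LOG = """\
2014-01-13 23:47:32 pid(19949)  Loading access list: /opt/etc/snort/sguild/sguild.access
2014-01-13 23:47:32 pid(19949)  Sensor access list set to ALLOW ANY.
2014-01-13 23:47:32 pid(19949)    ...Getting info on autocat.
2014-01-13 23:47:32 pid(19949)  Sguild Initialized.
"""

# Assumption: sguild announces each config file as "Loading <what>: <path>",
# as it does for the access list in the quoted log.
LOADED_RE = re.compile(r"pid\(\d+\)\s+Loading (?P<what>[\w ]+?):\s*(?P<path>\S+)")

def loaded_files(log_text):
    """Map '<what>' -> '<path>' for every config file the startup log says it loaded."""
    matches = (LOADED_RE.search(line) for line in log_text.splitlines())
    return {m.group("what"): m.group("path") for m in matches if m}

def autocat_loaded(log_text):
    """True only if a 'Loading' line names autocat; the table inventory line does not count."""
    return any("autocat" in (what + path).lower() for what, path in loaded_files(log_text).items())

# autocat.conf rule from the thread. Field layout assumed from Sguil's autocat format:
# erase_time||sensor||src_ip||src_port||dst_ip||dst_port||proto||sig_msg||status
AUTOCAT_FIELDS = ("erase_time", "sensor", "src_ip", "src_port",
                  "dst_ip", "dst_port", "proto", "sig_msg", "status")
MATCH_FIELDS = AUTOCAT_FIELDS[1:-1]  # erase_time and status are not match criteria
REGEXP_TAG = "%%REGEXP%%"

def parse_autocat_line(line):
    parts = line.strip().split("||")
    if len(parts) != len(AUTOCAT_FIELDS):
        raise ValueError(f"expected {len(AUTOCAT_FIELDS)} '||'-separated fields: {line!r}")
    return dict(zip(AUTOCAT_FIELDS, parts))

def field_matches(pattern, value):
    """ANY matches anything; a %%REGEXP%% prefix means regex search; otherwise exact match."""
    if pattern == "ANY":
        return True
    if pattern.startswith(REGEXP_TAG):
        return re.search(pattern[len(REGEXP_TAG):], value) is not None
    return pattern == value

def rule_matches(rule, event):
    """Would this autocat rule have categorised the event (a dict keyed like AUTOCAT_FIELDS)?"""
    return all(field_matches(rule[f], str(event[f])) for f in MATCH_FIELDS)

# Constructed event from the .fast alert quoted in the thread; the sensor name is made up.
CINS_EVENT = {"sensor": "ids1", "src_ip": "125.64.92.105", "src_port": 6000,
              "dst_ip": "x.x.x.x", "dst_port": 1433, "proto": "TCP",
              "sig_msg": "ET CINS Active Threat Intelligence Poor Reputation IP TCP group 17"}
RULE = parse_autocat_line("none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%CINS||16")
```

If `rule_matches` is true but `autocat_loaded` is false, the rule is fine and the file is simply never being read, which is the case the quoted log suggests.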