Thanks Bamm.


Well…I dunno here.  Using the stock 0.8.0 and starting with:


/opt/bin/sguil/sguild-0.8.0 -c /etc/snort/sguild/sguild.conf -C /opt/etc/snort/sguild/certs -a /opt/etc/snort/sguild/autocat.conf -g /etc/snort/sguild/sguild.queries -A /etc/snort/sguild/sguild.access


2014-01-16 22:21:45 pid(6050)  Loading access list: /opt/etc/snort/sguild/sguild.access
2014-01-16 22:21:45 pid(6050)  Sensor access list set to ALLOW ANY.
2014-01-16 22:21:45 pid(6050)  Client access list set to ALLOW ANY.
invalid command name "LoadAutoCatFile"
    while executing
"LoadAutoCatFile $AUTOCAT_FILE"
    invoked from within
"if { [file exists $AUTOCAT_FILE] } {
  LoadAutoCatFile $AUTOCAT_FILE
    (file "/opt/bin/sguil/sguild.0.8.0" line 500)


I get the same thing if I try with /etc/sguild/autocat.conf, or /etc/snort/sguild/autocat.conf AND if I don’t specify one at all.  At this point I’m wondering if my tcl might be wonky.  I used the exact same version on the older machine.  So here’s what I compiled:


All the above were compiled with:

./configure --disable-threads


I’ll try loading up that security onion in a vm and see what I can see on that end as well.  Thanks for any more help…sorry this is a pain.



From: Bamm Visscher []
Sent: Thursday, January 16, 2014 2:42 PM
To: Sguil
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning


You should be able to do: 


mysql> USE sguildb;
mysql> UPDATE version SET version='0.13';


On Thu, Jan 16, 2014 at 4:25 PM, Lay, James <> wrote:

Hi Bamm,


Honestly now I’m not sure :(  I got a new machine, so I pretty much copied all the files across to the new machine.  This was working fine on the old machine, so I was thinking this would work.  I am suspecting that I must have downloaded a newer sguild to fix the issue when passing “-a /opt/etc/snort/sguild/autocat.conf”, but that must have been 3 years ago.  If nothing else, I’ll wait until the end of the month (for a clean end-of-month report), blow out the database, and use the stock sguild from the tarball (my snort_agent.tcl is the same as from the tarball already).  I’ve symlinked /opt/etc/snort/sguild to /etc/snort/sguild and I’ll change my startup line to reflect that.  Unless there’s some magic I can do to downgrade the current database.  Thanks Bamm.






sguil - The Analyst Console for NSM