Thanks Bamm.

Well…I dunno here.  Using the stock 0.8.0 and starting with:

/opt/bin/sguil/sguild-0.8.0 -c /etc/snort/sguild/sguild.conf -C /opt/etc/snort/sguild/certs -a /opt/etc/snort/sguild/autocat.conf -g /etc/snort/sguild/sguild.queries -A /etc/snort/sguild/sguild.access

2014-01-16 22:21:45 pid(6050)  Loading access list: /opt/etc/snort/sguild/sguild.access
2014-01-16 22:21:45 pid(6050)  Sensor access list set to ALLOW ANY.
2014-01-16 22:21:45 pid(6050)  Client access list set to ALLOW ANY.
invalid command name "LoadAutoCatFile"
    while executing
"LoadAutoCatFile $AUTOCAT_FILE"
    invoked from within
"if { [file exists $AUTOCAT_FILE] } {
  LoadAutoCatFile $AUTOCAT_FILE
}"
    (file "/opt/bin/sguil/sguild.0.8.0" line 500)

I get the same thing if I try with /etc/sguild/autocat.conf, or /etc/snort/sguild/autocat.conf AND if I don’t specify one at all.  At this point I’m wondering if my tcl might be wonky.  I used the exact same version on the older machine.  So here’s what I compiled:

mysqltcl-3.05
tcl8.5.10
tcllib-1.13
tclx8.4
tls1.6

All the above were compiled with:

./configure --disable-threads

I’ll try loading up that Security Onion in a VM and see what I can see on that end as well.  Thanks for any more help…sorry this is a pain.

James
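A quick sanity check for the "is my tcl wonky?" question above, added here as an editor's diagnostic rather than anything from sguil or from the thread. It assumes it is run under the same tclsh that launches sguild, and it only exercises the extensions James listed (tcllib is left out because it is a bundle of separately named packages; add the modules your sguild actually requires to the list). The last step makes the point the trace already implies: Tcl reports "invalid command name" at the call site when the proc was never defined in the interpreter, so the value of -a, or omitting it, cannot change the outcome.

```tcl
#!/usr/bin/env tclsh
# Added diagnostic; not part of sguil.  Run with the tclsh sguild uses.

# 1. Which Tcl is this, and was it built without threads (--disable-threads)?
#    tcl_platform(threaded) exists only in a threaded build.
puts "tclsh: [info nameofexecutable] Tcl [info patchlevel]"
puts "threaded build: [expr {[info exists tcl_platform(threaded)] ? "yes" : "no"}]"

# 2. Can the compiled extensions be loaded by this interpreter?
#    Package names as registered by each extension: Tclx, mysqltcl, tls.
set failures 0
foreach pkg {Tclx mysqltcl tls} {
    if {[catch {package require $pkg} result]} {
        puts "FAIL  $pkg: $result"
        incr failures
    } else {
        puts "ok    $pkg $result"
    }
}

# 3. Reproduce the failing condition from the trace.  If LoadAutoCatFile is
#    not a known command, the guarded call below fails with exactly the
#    "invalid command name" error, for any file path, because the error is
#    about the missing proc and not about the file.
set AUTOCAT_FILE [lindex $argv 0]   ;# optional: pass a path to test with

proc autocat_proc_missing {} {
    return [expr {[llength [info commands LoadAutoCatFile]] == 0}]
}

if {[autocat_proc_missing]} {
    puts "LoadAutoCatFile is not defined in this interpreter"
    if {$AUTOCAT_FILE ne "" && [file exists $AUTOCAT_FILE]} {
        # Show the exact error sguild hits, without aborting the diagnostic.
        catch {LoadAutoCatFile $AUTOCAT_FILE} err
        puts "calling it anyway gives: $err"
    }
    incr failures
} else {
    puts "LoadAutoCatFile is defined"
}

exit [expr {$failures > 0}]
```

Run it as `tclsh check_sguild_env.tcl /opt/etc/snort/sguild/autocat.conf` (file name and argument are my choice). A FAIL on any package points at the freshly compiled extension set or the tclsh on PATH; a clean package list with LoadAutoCatFile still undefined says the Tcl install is fine and the proc simply was never sourced by the sguild script being run, which is where to look next.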

From: Bamm Visscher [mailto:bamm.visscher@gmail.com]
Sent: Thursday, January 16, 2014 2:42 PM
To: Sguil
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning

You should be able to do: 

mysql> USE sguildb;
mysql> UPDATE version SET version='0.13';

On Thu, Jan 16, 2014 at 4:25 PM, Lay, James <james.lay@wincofoods.com> wrote:

Hi Bamm,

Honestly now I’m not sure :(  I got a new machine, so I pretty much copied all the files across to the new machine.  This was working fine on the old machine, so I was thinking this would work.  I am suspecting that I must have downloaded a newer sguild to fix the issue when passing “-a /opt/etc/snort/sguild/autocat.conf”, but that must have been 3 years ago.  If nothing else, I’ll wait until the end of the month (for a clear end of month report), blow out the database, and use the stock sguild from the tarball (my snort_agent.tcl is the same as from the tarball already).  I’ve symlinked /opt/etc/snort/sguild to /etc/snort/sguild and I’ll change my startup line to reflect that.  Unless there’s some magic I can do to downgrade the current database.  Thanks Bamm.

James

--
sguil - The Analyst Console for NSM
http://sguil.sf.net