Re: [Sguil-users] Errors with pcap_agent.tcl (Solved)
From: carlopmart <car...@gm...> - 2011-03-27 20:05:14
On 03/27/2011 08:15 PM, carlopmart wrote:
> On 03/26/2011 11:02 PM, carlopmart wrote:
>> Hi all,
>>
>> I am trying to do a new sguil 0.7.0 sensor installation under a CentOS
>> 5.5 host. All works ok, except the pcap_agent.tcl script. Every time that I
>> try to start it, it returns this error:
>>
>> root@lorinand bin]# Error: could not read "": no such file or directory
>> could not read "": no such file or directory
>>     while executing
>> "file stat $logFile fileStat"
>>     (procedure "CheckLastPcapFile" line 25)
>>     invoked from within
>> "CheckLastPcapFile 1"
>>     (procedure "AgentInfo" line 6)
>>     invoked from within
>> "AgentInfo [lindex $data 1] [lindex $data 2] [lindex $data 3] [lindex $data 4] "
>>     ("AgentInfo" arm line 1)
>>     invoked from within
>> "switch -exact -- $sguildCmd {
>>
>>             PONG { if {$DEBUG} {puts "PONG received"} }
>>             PING { SendToSgui..."
>>     (procedure "SguildCmdRcvd" line 22)
>>     invoked from within
>> "SguildCmdRcvd sock3"
>>
>> My pcap_agent.conf file is:
>>
>> # $Id: pcap_agent.conf,v 1.2 2007/03/08 05:44:04 bamm Exp $ #
>>
>> #
>> # Configuration file for sensor_agent.tcl - http://sguil.sf.net
>> #
>>
>> # DEBUG is VERY chatty. Use it only when needed.
>> # 1=on 0=off
>> set DEBUG 0
>>
>> # Run in background
>> # 1=yes 0=no
>> set DAEMON 0
>>
>> # Name of sguild server
>> set SERVER_HOST 172.17.47.27
>> # Port sguild listens on for sensor connects
>> set SERVER_PORT 9675
>> # Local hostname - that means this machines name
>> # Note: Sensors monitoring multiple interfaces need to use a unique 'hostname'
>> # for each interface. Make sure this name is the same in the respective
>> # log_packets.sh
>> set HOSTNAME idsprod
>> # The net id is used to correlate data from different agents. This number should match
>> # the number of the pcap_agent.
>> set NET_GROUP idsprod
>>
>> # The root of your log dir for data like pcap, portscans, sessions, etc
>> set LOG_DIR /nsm/sensor_data
>>
>> # Where raw/pcap files are being logged to and will be read from.
>> # (see -l in log_packets.sh)
>> set RAW_LOG_DIR ${LOG_DIR}/${HOSTNAME}/dailylogs
>>
>> # Path to tcpdump. Used for parsing pcap files.
>> set TCPDUMP "/usr/sbin/tcpdump"
>>
>> # If you do VLAN tagging then set this to 1 so the right filter is passed to tcpdump.
>> set VLAN 0
>>
>> # Directory to store the temp pcap files
>> set TMP_DIR "/tmp"
>>
>> # sensor agent reports current disk use up to sguild
>> # Useful for keep tabs on how big the partion you are
>> # logging pcap data to is getting.
>> set WATCH_DIR ${LOG_DIR}/${HOSTNAME}
>>
>> #
>> # Delay in milliseconds for doing different functions.
>> set FILE_CHECK_IN_MSECS 300000
>>
>> # Disk space
>> set DISK_CHECK_DELAY_IN_MSECS 1800000
>>
>> # Keep a heartbeat going w/PING PONG.
>> # 0 to disable else time in milliseconds.
>> set PING_DELAY 300000
>>
>> # Custom PidFile
>> set PID_FILE "/var/run/pcap_agent-idsprod.pid"
>>
>> # Custom TLS_PATH
>> set TLS_PATH /data/soft/tcltls/sensor/lib/tls1.6/libtls1.6.so
>>
>> Where is the problem??
>>
>> Thanks.
>
> Please, any help??
>

Finally, I have found the problem. I am using daemonlogger instead of using snort with the -b flag for packet capture. On daemonlogger I had configured the output filename as snort-idsprod.log: that was the error, because the pcap_agent.tcl script searches for a snort.log.* filename. Can this option be customizable in the next sguil release??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com
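A pre-flight check for the mismatch described in this thread, added here as an example; it is not part of sguil or of the original post. It assumes the dailylogs layout (one dated subdirectory per day under RAW_LOG_DIR) and the snort.log.* naming that pcap_agent.tcl looks for, and it reports the file names actually present instead of letting the agent call "file stat" on an empty name:

```shell
# Pre-flight check for a sguil sensor (example, not sguil code).
# Assumption: captures land in dated subdirectories under RAW_LOG_DIR
# and pcap_agent.tcl expects them to be named snort.log.*
PCAP_PATTERN="snort.log.*"

# check_raw_log_dir DIR
#   returns 0 and prints the first matching file when the newest daily
#   subdirectory of DIR holds at least one snort.log.* file;
#   otherwise prints what is actually there to stderr and returns 1.
check_raw_log_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "RAW_LOG_DIR '$dir' does not exist" >&2
        return 1
    fi
    # Newest dated subdirectory; lexical sort is enough for YYYY-MM-DD names.
    latest=$(ls -1d "$dir"/*/ 2>/dev/null | sort | tail -n 1)
    if [ -z "$latest" ]; then
        echo "no daily subdirectory under '$dir'" >&2
        return 1
    fi
    latest=${latest%/}
    match=$(find "$latest" -maxdepth 1 -type f -name "$PCAP_PATTERN" | head -n 1)
    if [ -z "$match" ]; then
        # This is the state that makes pcap_agent.tcl stat "": nothing
        # matches, so the agent's file variable ends up empty.
        echo "no $PCAP_PATTERN file in $latest; found:" >&2
        ls -1 "$latest" >&2
        return 1
    fi
    echo "ok: $match"
    return 0
}
```

Run it as `check_raw_log_dir /nsm/sensor_data/idsprod/dailylogs` before starting the agent; a daemonlogger output name such as snort-idsprod.log is flagged, snort.log.<timestamp> passes.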