Re: [Sguil-users] Errors with pcap_agent.tcl (Solved)
Status: Beta
Brought to you by:
bamm
Menu
▾
▴
Re: [Sguil-users] Errors with pcap_agent.tcl (Solved)
|
From: carlopmart <car...@gm...> - 2011-03-27 20:05:14
|
On 03/27/2011 08:15 PM, carlopmart wrote:
> On 03/26/2011 11:02 PM, carlopmart wrote:
>> Hi all,
>>
>> I am trying to do a new sguil 0.7.0 sensor installation under a CentOS
>> 5.5 host. All works ok, expect pcap_agent.tcl script. Every time that I
>> try to start, returns me this error:
>>
>> root@lorinand bin]# Error: could not read "": no such file or directory
>> could not read "": no such file or directory
>> while executing
>> "file stat $logFile fileStat"
>> (procedure "CheckLastPcapFile" line 25)
>> invoked from within
>> "CheckLastPcapFile 1"
>> (procedure "AgentInfo" line 6)
>> invoked from within
>> "AgentInfo [lindex $data 1] [lindex $data 2] [lindex $data 3] [lindex
>> $data 4] "
>> ("AgentInfo" arm line 1)
>> invoked from within
>> "switch -exact -- $sguildCmd {
>>
>> PONG { if {$DEBUG} {puts "PONG received"} }
>> PING { SendToSgui..."
>> (procedure "SguildCmdRcvd" line 22)
>> invoked from within
>> "SguildCmdRcvd sock3"
>>
>> My pcap_agent.conf file is:
>>
>> # $Id: pcap_agent.conf,v 1.2 2007/03/08 05:44:04 bamm Exp $ #
>>
>> #
>> # Configuration file for sensor_agent.tcl - http://sguil.sf.net
>> #
>>
>> # DEBUG is VERY chatty. Use it only when needed.
>> # 1=on 0=off
>> set DEBUG 0
>>
>> # Run in background
>> # 1=yes 0=no
>> set DAEMON 0
>>
>> # Name of sguild server
>> set SERVER_HOST 172.17.47.27
>> # Port sguild listens on for sensor connects
>> set SERVER_PORT 9675
>> # Local hostname - that means this machines name
>> # Note: Sensors monitoring multiple interfaces need to use a unique
>> 'hostname'
>> # for each interface. Make sure this name is the same in the respective
>> # log_packets.sh
>> set HOSTNAME idsprod
>> # The net id is used to correlate data from different agents. This
>> number should match
>> # the number of the pcap_agent.
>> set NET_GROUP idsprod
>>
>> # The root of your log dir for data like pcap, portscans, sessions, etc
>> set LOG_DIR /nsm/sensor_data
>>
>> # Where raw/pcap files are being logged to and will be read from.
>> # (see -l in log_packets.sh)
>> set RAW_LOG_DIR ${LOG_DIR}/${HOSTNAME}/dailylogs
>>
>> # Path to tcpdump. Used for parsing pcap files.
>> set TCPDUMP "/usr/sbin/tcpdump"
>>
>> # If you do VLAN tagging then set this to 1 so the right filter is
>> passed to tcpdump.
>> set VLAN 0
>>
>> # Directory to store the temp pcap files
>> set TMP_DIR "/tmp"
>>
>> # sensor agent reports current disk use up to sguild
>> # Useful for keep tabs on how big the partion you are
>> # logging pcap data to is getting.
>> set WATCH_DIR ${LOG_DIR}/${HOSTNAME}
>>
>> #
>> # Delay in milliseconds for doing different functions.
>> set FILE_CHECK_IN_MSECS 300000
>>
>> # Disk space
>> set DISK_CHECK_DELAY_IN_MSECS 1800000
>>
>> # Keep a heartbeat going w/PING PONG.
>> # 0 to disable else time in milliseconds.
>> set PING_DELAY 300000
>>
>> # Custom PidFile
>> set PID_FILE "/var/run/pcap_agent-idsprod.pid"
>>
>> # Custom TLS_PATH
>> set TLS_PATH /data/soft/tcltls/sensor/lib/tls1.6/libtls1.6.so
>>
>> Where is the problem??
>>
>> Thanks.
>
> Please, any help??
>
Finally, I have found the problem. I am using daemonlogger instead of
use snort with -b flag for packet capture. On daemonlogger I have
configured output filename with snort-idsprod.log name: that's was the
error, because pcap_agent.tcl script searches for snort.log.* filename.
Can this option be customizable on next sguil release??
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
|