Hi Bamm,

Honestly now I’m not sure :( I got a new machine, so I pretty much copied all the files across to the new machine.  This was working fine on the old machine, so I was thinking this would work.  I am suspecting that I must have downloaded a newer sguild to fix the issue when passing “-a /opt/etc/snort/sguild/autocat.conf”, but that must have been 3 years ago.  If nothing else, I’ll wait until the end of the month (for a clear end of month report), blow out the database, use the stock sguild from the tarball (my snort_agent.tcl is the same as from the tarball already).  I’ve symlinked /opt/etc/snort/sguild to /etc/snort/sguild and I’ll change my startup line to reflect that.  Unless there’s some magic I can do to downgrade the current database.  Thanks Bamm.

James


From: Bamm Visscher [mailto:bamm.visscher@gmail.com]
Sent: Thursday, January 16, 2014 2:14 PM
To: Sguil
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning

So is this an old install that you updated inadvertently or a new install?

On Wed, Jan 15, 2014 at 11:10 AM, Lay, James <james.lay@wincofoods.com> wrote:

In attempting to use the stock sguild from the 0.8.0 tarball from the sourceforge site I get:

sudo /opt/bin/sguil/sguild -c /opt/etc/snort/sguild/sguild.conf -C /opt/etc/snort/sguild/certs -a /opt/etc/snort/sguild/autocat.conf -g /opt/etc/snort/sguild/sguild.queries -A /opt/etc/snort/sguild/sguild.access

2014-01-15 16:07:27 pid(2852)  Loading access list: /opt/etc/snort/sguild/sguild.access
2014-01-15 16:07:28 pid(2852)  Sensor access list set to ALLOW ANY.
2014-01-15 16:07:28 pid(2852)  Client access list set to ALLOW ANY.
invalid command name "LoadAutoCatFile"
    while executing
"LoadAutoCatFile $AUTOCAT_FILE"
    invoked from within
"if { [file exists $AUTOCAT_FILE] } {
  LoadAutoCatFile $AUTOCAT_FILE
}"
    (file "/opt/bin/sguil/sguild" line 500)

Changing that to:

-a /etc/snort/sguild/autocat.conf

Now gets me:

2014-01-15 16:09:15 ERROR: Incompatable DB schema. Required Version: 0.13  Installed Version: 0.14 Check the server/sql_scripts directory of  the src that came with sguild for scripts to help you upgrade
SGUILD: Exiting...

Am I out of luck?  Thank you.

James
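The three outputs quoted in this message are the whole diagnosis: a release sguild that lacks a proc (LoadAutoCatFile) the startup script references, the same sguild refusing a database whose schema is newer than it expects, and, further down the thread, the development sguild starting cleanly against schema 0.14. The following Python script is an added example, not code from the thread or from the sguil project: it classifies sguild startup output into those three cases. The sample strings are trimmed copies of the outputs pasted in this thread, the status names and the advice strings are my own, and the regex tolerates the misspelling "Incompatable" in sguild's message.

```python
import re

# Constructed samples: trimmed copies of the sguild startup output pasted in
# this thread (release sguild with the old -a path, release sguild with the
# new -a path, and the development sguild that starts cleanly).
SAMPLE_MISSING_PROC = """\
2014-01-15 16:07:28 pid(2852)  Client access list set to ALLOW ANY.
invalid command name "LoadAutoCatFile"
    while executing
"LoadAutoCatFile $AUTOCAT_FILE"
"""

SAMPLE_SCHEMA = """\
2014-01-15 16:09:15 ERROR: Incompatable DB schema. Required Version: 0.13  Installed Version: 0.14 Check the server/sql_scripts directory of  the src that came with sguild for scripts to help you upgrade
SGUILD: Exiting...
"""

SAMPLE_OK = """\
2014-01-13 23:47:32 pid(19949)  SguilDB Version: 0.14
2014-01-13 23:47:32 pid(19949)    ...Getting info on autocat.
2014-01-13 23:47:32 pid(19949)  Sguild Initialized.
"""

# "Incompat\w+" matches both the misspelled message sguild prints and the
# correctly spelled form.
SCHEMA_RE = re.compile(
    r"Incompat\w+ DB schema\.\s+Required Version:\s*([\d.]+)\s+Installed Version:\s*([\d.]+)"
)
MISSING_PROC_RE = re.compile(r'invalid command name "([^"]+)"')
DB_VERSION_RE = re.compile(r"SguilDB Version:\s*([\d.]+)")
INITIALIZED_RE = re.compile(r"Sguild Initialized\.")

# Status names and advice are this example's own wording, based on the thread.
ADVICE = {
    "db_newer_than_sguild": (
        "The database schema is newer than this sguild expects: a newer "
        "(development) sguild has already upgraded it. Run the sguild that "
        "matches the schema, or rebuild the database for the release version."
    ),
    "db_older_than_sguild": (
        "The database schema is older than this sguild expects: run the "
        "upgrade scripts in server/sql_scripts shipped with this sguild."
    ),
    "missing_proc": (
        "The sguild script calls a proc this sguild does not define, so the "
        "script and the library files it loads are from different versions."
    ),
    "initialized": "sguild started; nothing to do.",
    "unknown": "No known symptom matched; read the full output.",
}


def version_tuple(text: str) -> tuple:
    """Turn '0.13' into (0, 13) so that 0.14 compares greater than 0.13."""
    return tuple(int(part) for part in text.split("."))


def triage(output: str) -> dict:
    """Classify sguild startup output and pull out the versions it mentions."""
    result = {"status": "unknown", "required": None, "installed": None, "missing_proc": None}

    m = SCHEMA_RE.search(output)
    if m:
        required, installed = m.group(1), m.group(2)
        result.update(required=required, installed=installed)
        if version_tuple(installed) > version_tuple(required):
            result["status"] = "db_newer_than_sguild"
        else:
            result["status"] = "db_older_than_sguild"
        return result

    m = MISSING_PROC_RE.search(output)
    if m:
        result.update(status="missing_proc", missing_proc=m.group(1))
        return result

    m = DB_VERSION_RE.search(output)
    if m:
        result["installed"] = m.group(1)
    if INITIALIZED_RE.search(output):
        result["status"] = "initialized"
    return result


def advise(output: str) -> str:
    """Return the action string for the classified output."""
    return ADVICE[triage(output)["status"]]


if __name__ == "__main__":
    for name, sample in (("missing_proc", SAMPLE_MISSING_PROC),
                         ("schema", SAMPLE_SCHEMA),
                         ("ok", SAMPLE_OK)):
        print(name, triage(sample))
        print("  ->", advise(sample))
```

Feed it the real startup output (for example `sguild ... 2>&1 | python3 triage.py` with a small stdin wrapper) and the schema case tells you immediately whether the fix is an upgrade script or, as in this thread, a database that a newer sguild already moved on to.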

From: Lay, James [mailto:james.lay@wincofoods.com]
Sent: Tuesday, January 14, 2014 10:55 AM
To: sguil-users@lists.sourceforge.net
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning

Argh.  I don’t see AutoCat in the File menu…something tells me I should snag a fresh sguil from the site?  Thanks for the help Bamm.

James

From: Bamm Visscher [mailto:bamm.visscher@gmail.com]
Sent: Tuesday, January 14, 2014 10:27 AM
To: Sguil
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning

It looks like you have the developmental version of Sguil, not a release version. In it Autocat has been moved to the DB. Do you have an "AutoCat" option under the File menu in your client?

Bamm

On Tue, Jan 14, 2014 at 10:20 AM, Lay, James <james.lay@wincofoods.com> wrote:

Here’s what I got:

[08:19:20 ids:/opt/bin/sguil$ grep AUTOCAT sguild
    autocat { set AUTOCAT_FILE $arg; set state flag }
#if { ![info exists AUTOCAT_FILE] } {
#     set AUTOCAT_FILE "/etc/sguild/autocat.conf"
#     set AUTOCAT_FILE "./autocat.conf"
#if { [file exists $AUTOCAT_FILE] } {
#  LoadAutoCatFile $AUTOCAT_FILE

Thanks Bamm.

James

From: Bamm Visscher [mailto:bamm.visscher@gmail.com]
Sent: Tuesday, January 14, 2014 5:40 AM


To: Sguil
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning

Are you sure you are not using cvs head or git?

Try grepping for AUTOCAT out of sguild.

On Mon, Jan 13, 2014 at 6:50 PM, Lay, James <james.lay@wincofoods.com> wrote:

It does not…curious:

2014-01-13 23:47:32 pid(19949)  Loading access list: /opt/etc/snort/sguild/sguild.access
2014-01-13 23:47:32 pid(19949)  Sensor access list set to ALLOW ANY.
2014-01-13 23:47:32 pid(19949)  Client access list set to ALLOW ANY.
2014-01-13 23:47:32 pid(19949)  Email Configuration:
2014-01-13 23:47:32 pid(19949)    Config file: /etc/sguild/sguild.email
2014-01-13 23:47:32 pid(19949)    Enabled: No
2014-01-13 23:47:32 pid(19949)  Connecting to localhost on 3306 as sguil
2014-01-13 23:47:32 pid(19949)  MySQL Version: version 5.5.34-0.12.04.1
2014-01-13 23:47:32 pid(19949)  SguilDB Version: 0.14
2014-01-13 23:47:32 pid(19949)  Creating event MERGE table.
2014-01-13 23:47:32 pid(19949)  Creating tcphdr MERGE table.
2014-01-13 23:47:32 pid(19949)  Creating udphdr MERGE table.
2014-01-13 23:47:32 pid(19949)  Creating icmphdr MERGE table.
2014-01-13 23:47:32 pid(19949)  Creating data MERGE table.
2014-01-13 23:47:32 pid(19951)  Loaderd Forked
2014-01-13 23:47:32 pid(19952)  Queryd Forked
2014-01-13 23:47:32 pid(19949)  Retrieving DB info...
2014-01-13 23:47:32 pid(19949)    SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
2014-01-13 23:47:32 pid(19949)    SELECT MAX(timestamp) FROM event WHERE sid=4
2014-01-13 23:47:32 pid(19949)    SELECT MAX(timestamp) FROM event WHERE sid=3
2014-01-13 23:47:32 pid(19949)    SELECT MAX(timestamp) FROM event WHERE sid=1
2014-01-13 23:47:32 pid(19949)    SELECT MAX(timestamp) FROM event WHERE sid=2
2014-01-13 23:47:32 pid(19949)  Querying DB for archived events...
2014-01-13 23:47:32 pid(19949)  Querying DB for escalated events...
2014-01-13 23:47:32 pid(19949)  Retrieving DB info...
2014-01-13 23:47:32 pid(19949)    Getting a list of tables.
2014-01-13 23:47:32 pid(19949)    ...Getting info on autocat.
2014-01-13 23:47:32 pid(19949)    ...Getting info on data.
2014-01-13 23:47:32 pid(19949)    ...Getting info on event.
2014-01-13 23:47:32 pid(19949)    ...Getting info on filters.
2014-01-13 23:47:32 pid(19949)    ...Getting info on history.
2014-01-13 23:47:32 pid(19949)    ...Getting info on icmphdr.
2014-01-13 23:47:32 pid(19949)    ...Getting info on ip2c.
2014-01-13 23:47:32 pid(19949)    ...Getting info on mappings.
2014-01-13 23:47:32 pid(19949)    ...Getting info on nessus.
2014-01-13 23:47:32 pid(19949)    ...Getting info on nessus_data.
2014-01-13 23:47:32 pid(19949)    ...Getting info on pads.
2014-01-13 23:47:32 pid(19949)    ...Getting info on portscan.
2014-01-13 23:47:32 pid(19949)    ...Getting info on sensor.
2014-01-13 23:47:32 pid(19949)    ...Getting info on status.
2014-01-13 23:47:32 pid(19949)    ...Getting info on tcphdr.
2014-01-13 23:47:32 pid(19949)    ...Getting info on udphdr.
2014-01-13 23:47:32 pid(19949)    ...Getting info on user_info.
2014-01-13 23:47:32 pid(19949)    ...Getting info on version.
2014-01-13 23:47:32 pid(19949)  Sguild Initialized.

Thanks Bamm.

James

--
sguil - The Analyst Console for NSM
http://sguil.sf.net


------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Sguil-users mailing list
Sguil-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-users
