Hey James,

What version of Sguil are you running and where/how did you download it?

Bamm


On Mon, Jan 13, 2014 at 10:54 AM, Lay, James <james.lay@wincofoods.com> wrote:
Thanks Doug...looks like I'll have to give that a go.

James

-----Original Message-----
From: Doug Burks [mailto:doug.burks@gmail.com]
Sent: Monday, January 13, 2014 8:41 AM
To: sguil-users@lists.sourceforge.net
Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning

I know that autocat works fine on Security Onion, so you might spin
that up in a VM and compare it side-by-side with your Sguil
installation.

On Mon, Jan 13, 2014 at 10:38 AM, Lay, James <james.lay@wincofoods.com> wrote:
> Same results with adding a symlink...is there something else I can try?
> Currently running in debug, and I'm not seeing any autocat happening.
>
> Thank you.
>
> James
>
> -----Original Message-----
> From: Lay, James [mailto:james.lay@wincofoods.com]
> Sent: Friday, January 03, 2014 2:39 PM
> To: sguil-users@lists.sourceforge.net
> Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning
>
> I will give that a go...thank you.
>
> James
>
> -----Original Message-----
> From: Doug Burks [mailto:doug.burks@gmail.com]
> Sent: Friday, January 03, 2014 12:13 PM
> To: sguil-users@lists.sourceforge.net
> Subject: Re: [Sguil-users] Autocat doesn't appear to be functioning
>
> Hi James,
>
> I seem to remember an issue previously of Sguild expecting config
> files to be in /etc/sguild/.  Have you tried making /etc/sguild/ a
> symlink to /opt/etc/snort/sguild/?
>
> On Fri, Jan 3, 2014 at 2:06 PM, Lay, James <james.lay@wincofoods.com> wrote:
>> Hey all...topic says it.  So I have my sguild starting with:
>>
>> -a /opt/etc/snort/sguild/autocat.conf
>>
>> That file contains:
>>
>> none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%CINS||16
>>
>> From my .fast file:
>>
>> 12:00:32  [1:2403332:645] ET CINS Active Threat Intelligence Poor Reputation
>> IP TCP group 17 [**] [Classification: Misc Attack] [Priority: 2] {TCP}
>> 125.64.92.105:6000 -> x.x.x.x:1433
>>
>> Yet the sguil client shows this alert.  I also don't see anything in the
>> Auto Cats Standard Query.  Any way to troubleshoot why it's not seeing
>> these?  Thank you.
>>
>> James
>>
>> ------------------------------------------------------------------------------
>> Rapidly troubleshoot problems before they affect your business. Most IT
>> organizations don't have a clear picture of how application performance
>> affects their revenue. With AppDynamics, you get 100% visibility into your
>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
>> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Sguil-users mailing list
>> Sguil-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>
>
>
>
> --
> Doug Burks
>
> ------------------------------------------------------------------------------
> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> Learn Why More Businesses Are Choosing CenturyLink Cloud For
> Critical Workloads, Development Environments & Everything In Between.
> Get a Quote or Start a Free Trial Today.
> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
> _______________________________________________
> Sguil-users mailing list
> Sguil-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sguil-users



--
Doug Burks




--
sguil - The Analyst Console for NSM
http://sguil.sf.net
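One way to separate "the rule line is wrong" from "sguild never loads the file" (the config-path issue Doug raises above) is to test the rule against the alert offline. The block below is an added example written for this thread; it is not sguild's own Tcl matcher and not code from anyone on the list. The nine-field order (erase time, sensor, source IP, source port, destination IP, destination port, protocol, signature message, status) is inferred from the rule line James quoted; CIDR support in the IP fields, a numeric protocol field (6 for TCP), and an unanchored regex search for `%%REGEXP%%` are assumptions. The sample .fast line is the one from the thread, with the masked `x.x.x.x` replaced by a constructed 10.0.0.5.

```python
import ipaddress
import re

# Added example for this thread: a stand-alone re-implementation of
# autocat.conf rule matching. It is NOT sguild's code. Assumed field order:
#   erase_time||sensor||src_ip||src_port||dst_ip||dst_port||proto||sig_msg||status
# Assumptions: IP fields take ANY, one address or a CIDR; proto is an IP
# protocol number (6 = TCP); "%%REGEXP%%" prefixes a regex used with search().
FIELDS = ("erase_time", "sensor", "src_ip", "src_port",
          "dst_ip", "dst_port", "proto", "sig_msg", "status")
REGEXP_TAG = "%%REGEXP%%"
PROTO_NUM = {"ICMP": "1", "TCP": "6", "UDP": "17"}

# Tolerant parser for Snort "fast" alert lines: the optional groups accept both
# a real fast line (date-time, leading [**]) and the abbreviated copy in the thread.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[\*\*\]\s+)?\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$")


def parse_autocat(text):
    """Parse autocat.conf text into rule dicts, skipping comments and blanks.
    A line with the wrong field count raises ValueError, so a typo is reported
    at load time instead of silently producing a rule that never matches."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("||")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, "
                             f"got {len(parts)}")
        rule = dict(zip(FIELDS, parts))
        rule["status"] = int(rule["status"])
        rules.append(rule)
    return rules


def parse_fast_line(line, sensor="sensor1"):
    """Turn one fast-format alert line into the alert dict match_autocat expects."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised fast line: " + line)
    return {"sensor": sensor,
            "src_ip": m["src"], "src_port": m["sport"],
            "dst_ip": m["dst"], "dst_port": m["dport"],
            "proto": PROTO_NUM.get(m["proto"].upper(), m["proto"]),
            "sig_msg": m["msg"]}


def _ip_match(pattern, value):
    if pattern == "ANY":
        return True
    return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)


def _exact_match(pattern, value):
    return pattern == "ANY" or pattern == str(value)


def _msg_match(pattern, msg):
    if pattern == "ANY":
        return True
    if pattern.startswith(REGEXP_TAG):
        # Unanchored search: the thread's "CINS" hits anywhere in the message.
        return re.search(pattern[len(REGEXP_TAG):], msg) is not None
    return pattern == msg


def match_autocat(rules, alert):
    """Return the status of the first rule that matches the alert, else None."""
    for r in rules:
        if (_exact_match(r["sensor"], alert["sensor"])
                and _ip_match(r["src_ip"], alert["src_ip"])
                and _exact_match(r["src_port"], alert["src_port"])
                and _ip_match(r["dst_ip"], alert["dst_ip"])
                and _exact_match(r["dst_port"], alert["dst_port"])
                and _exact_match(r["proto"], alert["proto"])
                and _msg_match(r["sig_msg"], alert["sig_msg"])):
            return r["status"]
    return None


# The rule line from the thread, and the thread's .fast line with the masked
# destination replaced by a constructed RFC 1918 address.
AUTOCAT_CONF = "none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%CINS||16\n"
FAST_LINE = ("12:00:32  [1:2403332:645] ET CINS Active Threat Intelligence Poor "
             "Reputation IP TCP group 17 [**] [Classification: Misc Attack] "
             "[Priority: 2] {TCP} 125.64.92.105:6000 -> 10.0.0.5:1433")


def check_thread_rule():
    """Status the thread's rule would assign to the thread's alert, or None."""
    return match_autocat(parse_autocat(AUTOCAT_CONF), parse_fast_line(FAST_LINE))


print("status assigned:", check_thread_rule())
```

Under these assumptions the rule line matches and would assign status 16, which points the investigation at whether sguild is reading the file at all rather than at the rule syntax. Loading the live autocat.conf through `parse_autocat` is also a quick way to catch a line with a missing or extra `||`, which sguild might otherwise accept silently.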