Re: [Sguil-devel] Understanding the process
From: Bamm V. <bam...@gm...> - 2005-03-07 21:14:38
Sancp flow goes like this:

1) Sancp app detects a flow and starts logging session stats in mem
2) Sancp 'terminates' flow. (either via flags or timeout)
3) Sancp flushes closed flows to disk (/snort_data/sensorName/sancp/)
4) Sensor_agent watches /snort_data/sensorName/sancp/ for new stats files.

* This next step depends on what version of sguil you're using but we'll
assume 0.5.3 (CVS is slightly different)

5) Sensor_agent copies stat file to sguild
6) Sguild saves the file to the TMPDATADIR (as defined in sguild.conf)
7) Sguild prepends the sid to each line in the stats file and saves new
file with a .tmp ending.
8) Sguild deletes old file.
9) Sguild tells loaderd (one of the forked sguild procs) to LOAD the new
file into the DB
10) Loaderd loads new file into DB.
11) Loaderd deletes stats file from TMPDATADIR
12) Repeat.

*NOTE: sguild does NOT wait for loaderd to finish the last load before it
accepts more stats files from sensor_agent. If loaderd isn't loading files
into the DB fast enough, a back log of stats files can accumulate in
TMPDATADIR.

Bammkkkk

On Mon, 07 Mar 2005 14:45:56 -0600, Paul Schmehl <pa...@ut...> wrote:
> I've been trying to get a grasp on the process flow for sguil. I'm doing
> this because I'm having problems with sancp stats files. They aren't
> getting entered into the database, and they aren't being removed from the
> sensor.
>
>                      -->sguild
> My setup is sensor --|
>                      -->sguildb
>
> As I understand it, the sancp stats files are grabbed from the sensor by
> sguild. I assume this is because you didn't want to add code to
> sensor_agent.tcl to feed the stats file directly to the db when you already
> had the code in sguild, right?
>
> What's strange is, no matter how many times I restart sguild and/or sancp,
> the events aren't being transferred to the sguild box, so they never make
> it to the db. When I first set the whole thing up, it worked, so I know
> there's a way to do it, but I'm having trouble, looking through the code,
> figuring out how it all works.
>
> I'm also having problems with the sguild box /tmp dir filling up with
> stats.*.* and stats.*.*.tmp files (though not recently, obviously). So, I
> looked for a place in the code where I could change the /tmp path to
> something more sizeable. Couldn't find it.
>
> So, can you explain the flow, strictly for sancp? What does what? How are
> the files deleted on the sensor? Why are they written to /tmp on the
> server? Etc., etc.
>
> Paul Schmehl (pa...@ut...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu

-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
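Steps 6 through 11 of the flow Bamm lays out, plus a check for the backlog his NOTE warns about (the /tmp filling with stats.*.* and stats.*.*.tmp files that Paul describes), as an added Python illustration. This is not sguil's own Tcl code: the '|' delimiter used when the sid is prepended, the TMPDATADIR location, the sid value, the stats file names and the fields in the sample lines are all assumptions constructed for the example.

```python
"""Added illustration of the sguild side of the sancp stats flow (steps 6-11).
Everything below (TMPDATADIR, sid, file names, sample line fields, the '|'
delimiter) is constructed for the example and is not taken from sguil."""
import tempfile
from pathlib import Path


def tag_stats_file(stats_path: Path, sid: int) -> Path:
    """Steps 7 and 8: write a copy with the sensor id prepended to every
    line (the '|' delimiter is an assumption) as <name>.tmp, then delete
    the untagged original so the same file is never tagged twice."""
    dst = stats_path.with_name(stats_path.name + ".tmp")
    with stats_path.open() as fin, dst.open("w") as fout:
        for line in fin:
            if line.strip():                      # skip blank lines
                fout.write(f"{sid}|{line}")
    stats_path.unlink()                           # step 8
    return dst


def pending_stats(tmpdatadir: Path) -> dict:
    """What is queued in TMPDATADIR: 'raw' files still waiting for the sid
    tag (between steps 6 and 7) and 'tagged' .tmp files waiting for loaderd
    to LOAD and delete them (between steps 9 and 11)."""
    raw = sorted(p.name for p in tmpdatadir.glob("stats.*")
                 if not p.name.endswith(".tmp"))
    tagged = sorted(p.name for p in tmpdatadir.glob("stats.*.tmp"))
    return {"raw": raw, "tagged": tagged}


def backlog_warning(tmpdatadir: Path, limit: int) -> bool:
    """True when more stats files are queued than loaderd should be leaving
    behind. 'limit' is a constructed threshold; tune it to your own load
    rate. A steadily growing queue means loaderd is not keeping up."""
    p = pending_stats(tmpdatadir)
    return len(p["raw"]) + len(p["tagged"]) > limit


def demo() -> dict:
    """Run the flow against a constructed TMPDATADIR and report each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # constructed stats files, as if sensor_agent had just copied them up
        (d / "stats.sensor1.1110230001").write_text(
            "1|2005-03-07 21:00:00|2005-03-07 21:00:05|10.0.0.1|10.0.0.2\n"
            "2|2005-03-07 21:00:01|2005-03-07 21:00:09|10.0.0.3|10.0.0.2\n")
        (d / "stats.sensor1.1110230002").write_text(
            "3|2005-03-07 21:01:00|2005-03-07 21:01:02|10.0.0.4|10.0.0.2\n")
        before = pending_stats(d)                                   # step 6 done
        tagged = tag_stats_file(d / "stats.sensor1.1110230001", sid=3)  # 7, 8
        first_line = tagged.read_text().splitlines()[0]
        after = pending_stats(d)                                    # waiting on loaderd
        warn = backlog_warning(d, limit=1)                          # two files queued
        tagged.unlink()                                             # step 11: loaderd done
        final = pending_stats(d)
        return {"before": before, "first_line": first_line, "after": after,
                "warn": warn, "final": final}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the queue state at each hand-off; pointing `pending_stats` at the real TMPDATADIR from sguild.conf gives the same view of a live backlog.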