Re: [Sguil-devel] FreeBSD port
From: Paul S. <pa...@ut...> - 2008-05-12 16:11:48
--On Monday, May 12, 2008 14:01:30 +0100 "Dafydd, Sion" <sid...@uw...> wrote:

> Hi Paul,
>
> Great work on the updated ports! Just a couple of bug reports:
>
> The pkg-install.in and pkg-deinstall.in files are missing from
> sguil-server port.
> The example_agent.sh.in, pads_agent.sh.in, pcap_agent.sh.in,
> sancp_agent.sh.in and snort_agent.sh.in files are missing from
> sguil-sensor port.
> Not sure about any missing files in sguil-client as not used it yet.
>

Hmmmm.....I think I and the port committer were not on the same page. I see what the problem is, but I'll have to submit port revisions for all the missing files, so it may take a little while to get this fixed. Obviously the committer didn't check to see if the port would build, because it would have failed to build without those files. But I should have noticed that they were missing as well. Mea culpa.

> It appears they were included as part of the multipart patch set you
> submitted but were not in the combined patch as can be seen on
> http://www.freebsd.org/cgi/query-pr.cgi?pr=122647 and
> http://www.freebsd.org/cgi/query-pr.cgi?pr=122646. After manually
> downloading the files sguil-[server|sensor] compiled and installed.
>
> I've got sguil-server setup and working with the updated ports, I'm now
> trying to get a sensor setup. The only problem I'm running into is when
> trying to start a sancp agent (haven't tried the other agents yet). I've
> put the following in my rc.conf file:
>
> ## SANCP
> sancp_enable="YES"
> sancp_flags="-D -d /nsm/any_servers/sancp -u sguil -g sguil"
> sancp_interface="bge1"
> sancp_conf="/usr/local/etc/sguil-sensor/sancp-ANY_SERVERS.conf"
> ## SANCP_AGENT
> sancp_agent_enable="YES"
> sancp_agent_conf="/usr/local/etc/sguil-sensor/sancp_agent-ANY_SERVERS.conf"
>
> The agent refuses to run and outputs the following message:
>
> Starting sancp_agent.
> Couldn't determine where the sensor_agent.tcl config file is
> Looked for /usr/local/etc/sguil-sensor/sensor_agent.conf and
> ./sensor_agent.conf.
> Usage: /usr/local/bin/sguil-sensor/sancp_agent.tcl [-D] [-c] [-o]
> <filename>
> -c <filename>: PATH to config (sancp.conf) file.
> -D Runs /usr/local/bin/sguil-sensor/sancp_agent.tcl in daemon mode.
>

That's odd. There *is* no sensor_agent.tcl file any more, much less a config file for it.

I see what the problem is. The source file (sancp_agent.tcl) is still looking for sensor_agent.tcl. I should have caught that and edited it to look for sancp_agent.tcl. When I alter the files for FreeBSD, I globally change the paths to /usr/local/foo, but I didn't look to see what conf file the agent was looking for. I can correct that in the port, but it really should be corrected in the source code. Here's a patch that will fix the problem. Bamm, you probably should apply this to the source code.

--- sancp_agent.tcl.orig	2008-05-12 11:04:22.000000000 -0500
+++ sancp_agent.tcl	2008-05-12 11:04:58.000000000 -0500
@@ -14,7 +14,7 @@
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 #
-# Config options moved to sensor_agent.conf.
+# Config options moved to sancp_agent.conf.
 #
 # Don't touch these
@@ -412,7 +412,7 @@
     id process group set
     if {[fork]} {exit 0}
     set PID [id process]
-    if { ![info exists PID_FILE] } { set PID_FILE "/var/run/sensor_agent.pid" }
+    if { ![info exists PID_FILE] } { set PID_FILE "/var/run/sancp_agent.pid" }
     set PID_DIR [file dirname $PID_FILE]
     if { ![file exists $PID_DIR] || ![file isdirectory $PID_DIR] || ![file writable $PID_DIR] } {
@@ -480,16 +480,16 @@
     }
 }
 # Parse the config file here
-# Default location is /etc/sensor_agent.conf or pwd
+# Default location is /etc/sancp_agent.conf or pwd
 if { ![info exists CONF_FILE] } {
     # No conf file specified check the defaults
-    if { [file exists /etc/sensor_agent.conf] } {
-        set CONF_FILE /etc/sensor_agent.conf
-    } elseif { [file exists ./sensor_agent.conf] } {
-        set CONF_FILE ./sensor_agent.conf
+    if { [file exists /etc/sancp_agent.conf] } {
+        set CONF_FILE /etc/sancp_agent.conf
+    } elseif { [file exists ./sancp_agent.conf] } {
+        set CONF_FILE ./sancp_agent.conf
     } else {
-        puts "Couldn't determine where the sensor_agent.tcl config file is"
-        puts "Looked for /etc/sensor_agent.conf and ./sensor_agent.conf."
+        puts "Couldn't determine where the sancp_agent.tcl config file is"
+        puts "Looked for /etc/sancp_agent.conf and ./sancp_agent.conf."
         DisplayUsage $argv0
     }
 }

BTW, the same problem exists in both pcap_agent and pads_agent and in many of the docs. You can quickly fix all the agent.tcl files with the following vi command:

:% s/sensor_agent/new_agent/g

(where new_agent is pads_agent or pcap_agent or sancp_agent, etc.)

/home/pauls/sguil-sensor/work]# grep -r sensor_agent *
sguil-0.7.0/sensor/example_agent.tcl:    puts "  -D Runs sensor_agent in daemon mode."
sguil-0.7.0/sensor/example_agent.tcl:    if { ![info exists PID_FILE] } { set PID_FILE "/var/run/sensor_agent.pid" }
sguil-0.7.0/sensor/example_agent.conf:# Configuration file for sensor_agent.tcl - http://sguil.sf.net
sguil-0.7.0/sensor/barnyard_mods/op_sguil.c:    /* Connect to sensor_agent */
sguil-0.7.0/sensor/barnyard_mods/op_sguil.c:    LogMessage("Waiting for sid and cid from sensor_agent.\n");
sguil-0.7.0/sensor/barnyard_mods/op_sguil.c:    /* Send msg to sensor_agent */
sguil-0.7.0/sensor/barnyard_mods/op_sguil.c:/* Request sensor ID (sid) and next cid from sensor_agent */
sguil-0.7.0/sensor/barnyard_mods/op_sguil.c:    LogMessage("Lost connection to sensor_agent.\n");
sguil-0.7.0/sensor/barnyard_mods/op_sguil.c:    /* Reconnect to sensor_agent */
sguil-0.7.0/sensor/barnyard_mods/op_sguil.c:    /* Reconnect to sensor_agent */
sguil-0.7.0/sensor/init/sensoragent:# Init file for sensor_agent.tcl
sguil-0.7.0/sensor/init/sensoragent:prog="sensor_agent.tcl"
sguil-0.7.0/sensor/init/sensoragent:CONF=/etc/sensor_agent.conf
sguil-0.7.0/sensor/init/sensoragent:    echo "sensor_agent.tcl already running"
sguil-0.7.0/sensor/init/sensoragent:    echo "can't find sensor_agent.tcl or sensor_agent.conf"
sguil-0.7.0/sensor/init/sensoragent:    echo "sensor_agent.tcl doesn't appear to be running"
sguil-0.7.0/sensor/init/sensoragent:    echo "sensor_agent.tcl is running"
sguil-0.7.0/sensor/init/sensoragent:    echo "sensor_agent.tcl stopped"
sguil-0.7.0/sensor/pcap_agent.conf:# Configuration file for sensor_agent.tcl - http://sguil.sf.net
sguil-0.7.0/sensor/sancp_agent.conf:# Configuration file for sensor_agent.tcl - http://sguil.sf.net
sguil-0.7.0/sensor/pads_agent.tcl:    puts "  -D Runs sensor_agent in daemon mode."
sguil-0.7.0/sensor/pads_agent.tcl:    if { ![info exists PID_FILE] } { set PID_FILE "/var/run/sensor_agent.pid" }
sguil-0.7.0/sensor/pads_agent.tcl:        puts "Couldn't determine where the sensor_agent.tcl config file is"
sguil-0.7.0/sensor/snort_agent.conf:# Configuration file for sensor_agent.tcl - http://sguil.sf.net
sguil-0.7.0/sensor/snort_agent.conf:# Port sensor_agent lisens on for barnyard connects
sguil-0.7.0/sensor/sancp_agent.tcl.orig:# Config options moved to sensor_agent.conf.
sguil-0.7.0/sensor/sancp_agent.tcl.orig:    if { ![info exists PID_FILE] } { set PID_FILE "/var/run/sensor_agent.pid" }
sguil-0.7.0/sensor/sancp_agent.tcl.orig:# Default location is /etc/sensor_agent.conf or pwd
sguil-0.7.0/sensor/sancp_agent.tcl.orig:    if { [file exists /etc/sensor_agent.conf] } {
sguil-0.7.0/sensor/sancp_agent.tcl.orig:        set CONF_FILE /etc/sensor_agent.conf
sguil-0.7.0/sensor/sancp_agent.tcl.orig:    } elseif { [file exists ./sensor_agent.conf] } {
sguil-0.7.0/sensor/sancp_agent.tcl.orig:        set CONF_FILE ./sensor_agent.conf
sguil-0.7.0/sensor/sancp_agent.tcl.orig:        puts "Couldn't determine where the sensor_agent.tcl config file is"
sguil-0.7.0/sensor/sancp_agent.tcl.orig:        puts "Looked for /etc/sensor_agent.conf and ./sensor_agent.conf."
sguil-0.7.0/sensor/patch-sancp_agent.tcl:-# Config options moved to sensor_agent.conf.
sguil-0.7.0/sensor/patch-sancp_agent.tcl:-    if { ![info exists PID_FILE] } { set PID_FILE "/var/run/sensor_agent.pid" }
sguil-0.7.0/sensor/patch-sancp_agent.tcl:-# Default location is /etc/sensor_agent.conf or pwd
sguil-0.7.0/sensor/patch-sancp_agent.tcl:-    if { [file exists /etc/sensor_agent.conf] } {
sguil-0.7.0/sensor/patch-sancp_agent.tcl:-        set CONF_FILE /etc/sensor_agent.conf
sguil-0.7.0/sensor/patch-sancp_agent.tcl:-    } elseif { [file exists ./sensor_agent.conf] } {
sguil-0.7.0/sensor/patch-sancp_agent.tcl:-        set CONF_FILE ./sensor_agent.conf
sguil-0.7.0/sensor/patch-sancp_agent.tcl:-        puts "Couldn't determine where the sensor_agent.tcl config file is"
sguil-0.7.0/sensor/patch-sancp_agent.tcl:-        puts "Looked for /etc/sensor_agent.conf and ./sensor_agent.conf."
sguil-0.7.0/doc/OPENSSL.README:sensor_agent.tcl
sguil-0.7.0/doc/OPENSSL.README:    /path/to/sensor_agent.tcl -o [-O /path/to/libtls.#.so]
sguil-0.7.0/doc/UPGRADE:sensor_agent script with the individual agents as described
sguil-0.7.0/doc/CHANGES:    * OpenSSL/TLS support between sensor_agent and sguild.
sguil-0.7.0/doc/CHANGES:        sensor_agent.tcl
sguil-0.7.0/doc/CHANGES:    * OpenSSL/TLS support between sensor_agent and sguild.
sguil-0.7.0/doc/CHANGES:        sensor_agent.tcl
sguil-0.7.0/doc/CHANGES:    * All comms tunneled through sensor_agent.tcl. -bamm
sguil-0.7.0/doc/CHANGES:      sensor_agent via localhost. -bamm
sguil-0.7.0/doc/CHANGES:    * Checks sensor health via sensor_agent -bamm
sguil-0.7.0/doc/CHANGES:        sensor_agent.tcl
sguil-0.7.0/doc/CHANGES:      and sensor_agent reading from those directories. -bamm
sguil-0.7.0/doc/CHANGES:      requests/gets pcap files via sensor_agent.tcl. If you are
sguil-0.7.0/doc/CHANGES:        sensor_agent.tcl
sguil-0.7.0/doc/CHANGES:    * Now uses sensor_agent.conf for configuration options. - bamm
sguil-0.7.0/doc/CHANGES:      (Default location is /etc/sensor_agent.conf)
sguil-0.7.0/doc/CHANGES:        -c <filename>: PATH to config (sensor_agent.conf) file.
sguil-0.7.0/doc/CHANGES:        -D Runs sensor_agent in daemon mode. (Requires tclx)
sguil-0.7.0/doc/CHANGES:      barnyard) to include sguild, xscriptd, sensor_agent.tcl,
sguil-0.7.0/doc/FAQ:    5.3 Putting sensor_agent into debug mode
sguil-0.7.0/doc/FAQ:    (sensor_agent.tcl) for loading the modified outputs into the
sguil-0.7.0/doc/FAQ:    messages you get. Sguild and the sensor_agent are the most likely places
sguil-0.7.0/doc/FAQ:    5.3 Putting sensor_agent into debug mode
sguil-0.7.0/doc/FAQ:    sensor_agent conf file on the machine that runs the sensor you are
sguil-0.7.0/doc/FAQ:    debugging. This is usually /etc/sensor_agent.conf, but this may be
sguil-0.7.0/doc/FAQ:    read "set DEBUG 1" and restart sensor_agent.
sguil-0.7.0/doc/FAQ:    the configuration as well. This will prevent the sensor_agent process
sguil-0.7.0/doc/FAQ:    debugging. If sensor_agent runs in daemon mode and debugging is turned
sguil-0.7.0/doc/INSTALL:    sguild as data comes in from sensor_agent.
sguil-0.7.0/doc/INSTALL:    sensor_agent.tcl instances without munging data together.

-- 
Paul Schmehl (pa...@ut...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
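Review bot: the second hunk (@@ -412,7 +412,7 @@) changes only this agent's default PID file to /var/run/sancp_agent.pid, while the grep output in this message shows pads_agent.tcl and example_agent.tcl still defaulting to /var/run/sensor_agent.pid and sensor/init/sensoragent still driving prog="sensor_agent.tcl". Since the message says pcap_agent and pads_agent carry the same defect, the rename should land in all the agent scripts in one patch, otherwise two agents on the same sensor share one PID path and a running-check based on that file will report the wrong process.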
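Review bot: the third hunk (@@ -480,16 +480,16 @@) makes the agent default to /etc/sancp_agent.conf, but the usage text quoted earlier in this thread still reads "-c <filename>: PATH to config (sancp.conf) file.", so DisplayUsage should be changed in the same patch to name sancp_agent.conf; as it stands, the error path prints one default file name and the usage line immediately below it a different one, and an operator who names the file after the usage line still hits the "Couldn't determine where the ... config file is" exit.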