Re: [Sguil-users] Sguil-users Digest, Vol 26, Issue 1
From: Ray E. <rel...@th...> - 2008-07-02 13:14:27
0.7.0

Ray Ellington
Network Security Administrator
American Board of Family Medicine
(859) 269-5626 ext. 289

Message: 4
Date: Thu, 26 Jun 2008 16:53:24 -0400
From: Ray Ellington <rel...@th...>
Subject: [Sguil-users] SANCP Agent Dying
To: "sgu...@li..." <sgu...@li...>
Message-ID: <8A3...@fm...>
Content-Type: text/plain; charset="us-ascii"

I'm running two of the latest SANCP agents and every so often one of them dies with the following:

Error: can't read "tmpFileNames": no such variable
can't read "tmpFileNames": no such variable
    while executing
"return $tmpFileNames"
    (procedure "ParseSsnSancpFiles" line 42)
    invoked from within
"ParseSsnSancpFiles $fileName"
    (procedure "CheckForSancpFiles" line 21)
    invoked from within
"CheckForSancpFiles"
    ("after" script)

SANCP continues to run but the agent dies. Any clues?

Thanks,

Ray Ellington
Network Security Administrator
American Board of Family Medicine
(859) 269-5626 ext. 289

------------------------------

Message: 5
Date: Thu, 26 Jun 2008 15:00:43 -0600
From: "Bamm Visscher" <bam...@gm...>
Subject: Re: [Sguil-users] SANCP Agent Dying
To: sgu...@li...
Message-ID: <274...@ma...>
Content-Type: text/plain; charset=ISO-8859-1

0.7.0 or 0.6.1?

On Thu, Jun 26, 2008 at 2:53 PM, Ray Ellington <rel...@th...> wrote:
> I'm running two of the latest SANCP agents and every so often one of them
> dies with the following:
>
> Error: can't read "tmpFileNames": no such variable
> can't read "tmpFileNames": no such variable
>     while executing
> "return $tmpFileNames"
>     (procedure "ParseSsnSancpFiles" line 42)
>     invoked from within
> "ParseSsnSancpFiles $fileName"
>     (procedure "CheckForSancpFiles" line 21)
>     invoked from within
> "CheckForSancpFiles"
>     ("after" script)
>
> SANCP continues to run but the agent dies. Any clues?
>
> Thanks,
>
> Ray Ellington
> Network Security Administrator
> American Board of Family Medicine
> (859) 269-5626 ext. 289
>
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users

--
sguil - The Analyst Console for NSM
http://sguil.sf.net

------------------------------

Message: 6
Date: Sun, 29 Jun 2008 03:14:14 -0700
From: Barry Gould <mai...@pe...>
Subject: [Sguil-users] new Snort incompatible with Libnet 1.0.2a?
To: sgu...@li...
Message-ID: <200...@ma...>
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hi, I'm following the instructions from
http://nsmwiki.org/Sguil_on_RedHat_HOWTO

I'm wondering if the latest Snort is still compatible with libnet 1.0.2a...

My server is running RHEL 4, 64bit (x86-64).

I got libnet 1.0.2a installed, but when I try to configure the current release of snort (2.8.2.1) with

./configure --prefix=/usr/local/snort-2.8.2.1-largefile
--with-libpcap-includes=/usr/local/libpcap/include
--with-libpcap-libraries=/usr/local/libpcap/lib
--with-libnet-includes=/usr/local/libnet/include
--with-libnet-libraries=/usr/local/libnet/lib --enable-flexresp
--enable-dynamicplugin CFLAGS="-D_LARGEFILE_SOURCE
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"

it says

>checking for dlsym in -ldl... yes
>./configure: line 25930: libnet-config: command not found
>./configure: line 25931: libnet-config: command not found
>./configure: line 25941: libnet-config: command not found
>./configure: line 25946: libnet-config: command not found
>checking libnet.h usability... no
>checking libnet.h presence... no
>checking for libnet.h... no
>
> ERROR! Libnet header not found, go get it from

libnet.h is in /usr/local/libnet-1.0.2a/include/libnet.h, and I have a symlink for /usr/local/libnet -> /usr/local/libnet-1.0.2a

libnet-config only exists in the libnet source directory; 'make install' didn't copy it anywhere. Should I copy it somewhere?

If the current Snort is incompatible, and a newer libnet is incompatible with Sguil (as the howto indicates), then what is the latest snort that can be used, and what are the prospects for keeping it up-to-date if any more snort vulnerabilities are announced?

BTW, I also tried the RPMs from http://synfulpacket.net/sguilcvs, but they didn't install. I'm guessing that's because
a. I'm running 64bit
or
b. they're not really compatible with RHEL4 (they say they're for Centos 4 and 5, and I tried the Centos 4 ones)

As far as ease-of-install and upgrades,
Would I be better off using RHEL5 or Centos5 as opposed to RHEL4?
What about 32-bit vs 64-bit?

Thank you,
Barry

------------------------------

Message: 7
Date: Tue, 1 Jul 2008 21:12:02 -0700 (PDT)
From: "Barry Gould" <mai...@pe...>
Subject: Re: [Sguil-users] new Snort incompatible with Libnet 1.0.2a?
To: sgu...@li...
Message-ID: <166...@ma...>
Content-Type: text/plain;charset=iso-8859-1

Apparently the install of libnet did not copy libnet-config into the installation directory. Copying that manually helped.

Also, I'd like to point out that compiling Snort with the -j 4 make flag caused me further grief which is unusual... might be helpful to explicitly mention not to do that in the howto.

Barry

> Hi, I'm following the instructions from
> http://nsmwiki.org/Sguil_on_RedHat_HOWTO
>
> I'm wondering if the latest Snort is still compatible with libnet
> 1.0.2a...
>
> My server is running RHEL 4, 64bit (x86-64).
>
> I got libnet 1.0.2a installed, but when I try to configure the
> current release of snort (2.8.2.1) with
>
> ./configure --prefix=/usr/local/snort-2.8.2.1-largefile
> --with-libpcap-includes=/usr/local/libpcap/include
> --with-libpcap-libraries=/usr/local/libpcap/lib
> --with-libnet-includes=/usr/local/libnet/include
> --with-libnet-libraries=/usr/local/libnet/lib --enable-flexresp
> --enable-dynamicplugin CFLAGS="-D_LARGEFILE_SOURCE
> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
>
> it says
>
>>checking for dlsym in -ldl... yes
>>./configure: line 25930: libnet-config: command not found
>>./configure: line 25931: libnet-config: command not found
>>./configure: line 25941: libnet-config: command not found
>>./configure: line 25946: libnet-config: command not found
>>checking libnet.h usability... no
>>checking libnet.h presence... no
>>checking for libnet.h... no
>>
>> ERROR! Libnet header not found, go get it from
>
> libnet.h is in /usr/local/libnet-1.0.2a/include/libnet.h, and I have
> a symlink for /usr/local/libnet -> /usr/local/libnet-1.0.2a
>
> libnet-config only exists in the libnet source directory; 'make
> install' didn't copy it anywhere. Should I copy it somewhere?
>
> If the current Snort is incompatible, and a newer libnet is
> incompatible with Sguil (as the howto indicates), then what is the
> latest snort that can be used, and what are the prospects for keeping
> it up-to-date if any more snort vulnerabilities are announced?
>
> BTW, I also tried the RPMs from http://synfulpacket.net/sguilcvs, but
> they didn't install. I'm guessing that's because
> a. I'm running 64bit
> or
> b. they're not really compatible with RHEL4 (they say they're for
> Centos 4 and 5, and I tried the Centos 4 ones)
>
> As far as ease-of-install and upgrades,
> Would I be better off using RHEL5 or Centos5 as opposed to RHEL4?
> What about 32-bit vs 64-bit?
>
> Thank you,
> Barry

------------------------------

End of Sguil-users Digest, Vol 26, Issue 1
******************************************