Re: [Sguil-users] Sguil-users Digest, Vol 26, Issue 1
Status: Beta
Brought to you by:
bamm
Menu
▾
▴
Re: [Sguil-users] Sguil-users Digest, Vol 26, Issue 1
|
From: Ray E. <rel...@th...> - 2008-07-02 13:14:27
|
0.7.0
Ray Ellington
Network Security Administrator
American Board of Family Medicine
(859) 269-5626 ext. 289
Message: 4
Date: Thu, 26 Jun 2008 16:53:24 -0400
From: Ray Ellington <rel...@th...>
Subject: [Sguil-users] SANCP Agent Dying
To: "sgu...@li..."
<sgu...@li...>
Message-ID:
<8A3...@fm...>
Content-Type: text/plain; charset="us-ascii"
I'm running two of the latest SANCP agents and every so often one of them dies with the following:
Error: can't read "tmpFileNames": no such variable
can't read "tmpFileNames": no such variable
while executing
"return $tmpFileNames"
(procedure "ParseSsnSancpFiles" line 42)
invoked from within
"ParseSsnSancpFiles $fileName"
(procedure "CheckForSancpFiles" line 21)
invoked from within
"CheckForSancpFiles"
("after" script)
SANCP continues to run but the agent dies. Any clues?
Thanks,
Ray Ellington
Network Security Administrator
American Board of Family Medicine
(859) 269-5626 ext. 289
-------------- next part --------------
An HTML attachment was scrubbed...
------------------------------
Message: 5
Date: Thu, 26 Jun 2008 15:00:43 -0600
From: "Bamm Visscher" <bam...@gm...>
Subject: Re: [Sguil-users] SANCP Agent Dying
To: sgu...@li...
Message-ID:
<274...@ma...>
Content-Type: text/plain; charset=ISO-8859-1
0.7.0 or 0.6.1?
On Thu, Jun 26, 2008 at 2:53 PM, Ray Ellington <rel...@th...> wrote:
> I'm running two of the latest SANCP agents and every so often one of them
> dies with the following:
>
>
>
> Error: can't read "tmpFileNames": no such variable
>
> can't read "tmpFileNames": no such variable
>
> while executing
>
> "return $tmpFileNames"
>
> (procedure "ParseSsnSancpFiles" line 42)
>
> invoked from within
>
> "ParseSsnSancpFiles $fileName"
>
> (procedure "CheckForSancpFiles" line 21)
>
> invoked from within
>
> "CheckForSancpFiles"
>
> ("after" script)
>
>
>
> SANCP continues to run but the agent dies. Any clues?
>
>
>
> Thanks,
>
>
>
> Ray Ellington
>
> Network Security Administrator
>
> American Board of Family Medicine
>
> (859) 269-5626 ext. 289
>
>
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>
>
--
sguil - The Analyst Console for NSM
http://sguil.sf.net
------------------------------
Message: 6
Date: Sun, 29 Jun 2008 03:14:14 -0700
From: Barry Gould <mai...@pe...>
Subject: [Sguil-users] new Snort incompatible with Libnet 1.0.2a?
To: sgu...@li...
Message-ID: <200...@ma...>
Content-Type: text/plain; charset="us-ascii"; format=flowed
Hi, I'm following the instructions from
http://nsmwiki.org/Sguil_on_RedHat_HOWTO
I'm wondering if the latest Snort is still compatible with libnet 1.0.2a...
My server is running RHEL 4, 64bit (x86-64).
I got libnet 1.0.2a installed, but when I try to configure the
current release of snort (2.8.2.1) with
./configure --prefix=/usr/local/snort-2.8.2.1-largefile
--with-libpcap-includes=/usr/local/libpcap/include
--with-libpcap-libraries=/usr/local/libpcap/lib
--with-libnet-includes=/usr/local/libnet/include
--with-libnet-libraries=/usr/local/libnet/lib --enable-flexresp
--enable-dynamicplugin CFLAGS="-D_LARGEFILE_SOURCE
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
it says
>checking for dlsym in -ldl... yes
>./configure: line 25930: libnet-config: command not found
>./configure: line 25931: libnet-config: command not found
>./configure: line 25941: libnet-config: command not found
>./configure: line 25946: libnet-config: command not found
>checking libnet.h usability... no
>checking libnet.h presence... no
>checking for libnet.h... no
>
> ERROR! Libnet header not found, go get it from
libnet.h is in /usr/local/libnet-1.0.2a/include/libnet.h, and I have
a symlink for /usr/local/libnet -> /usr/local/libnet-1.0.2a
libnet-config only exists in the libnet source directory; 'make
install' didn't copy it anywhere. Should I copy it somewhere?
If the current Snort is incompatible, and a newer libnet is
incompatible with Sguil (as the howto indicates), then what is the
latest snort that can be used, and what are the prospects for keeping
it up-to-date if any more snort vulnerabilities are announced?
BTW, I also tried the RPMs from http://synfulpacket.net/sguilcvs, but
they didn't install. I'm guessing that's because
a. I'm running 64bit
or
b. they're not really compatible with RHEL4 (they say they're for
Centos 4 and 5, and I tried the Centos 4 ones)
As far as ease-of-install and upgrades,
Would I be better off using RHEL5 or Centos5 as opposed to RHEL4?
What about 32-bit vs 64-bit?
Thank you,
Barry
------------------------------
Message: 7
Date: Tue, 1 Jul 2008 21:12:02 -0700 (PDT)
From: "Barry Gould" <mai...@pe...>
Subject: Re: [Sguil-users] new Snort incompatible with Libnet 1.0.2a?
To: sgu...@li...
Message-ID:
<166...@ma...>
Content-Type: text/plain;charset=iso-8859-1
Apparently the install of libnet did not copy libnet-config into the
installation directory.
Copying that manually helped.
Also, I'd like to point out that compiling Snort with the -j 4 make flag
caused me further grief which is unusual... might be helpful to explicitly
mention not to do that in the howto.
Barry
> Hi, I'm following the instructions from
> http://nsmwiki.org/Sguil_on_RedHat_HOWTO
>
> I'm wondering if the latest Snort is still compatible with libnet
> 1.0.2a...
>
> My server is running RHEL 4, 64bit (x86-64).
>
> I got libnet 1.0.2a installed, but when I try to configure the
> current release of snort (2.8.2.1) with
>
> ./configure --prefix=/usr/local/snort-2.8.2.1-largefile
> --with-libpcap-includes=/usr/local/libpcap/include
> --with-libpcap-libraries=/usr/local/libpcap/lib
> --with-libnet-includes=/usr/local/libnet/include
> --with-libnet-libraries=/usr/local/libnet/lib --enable-flexresp
> --enable-dynamicplugin CFLAGS="-D_LARGEFILE_SOURCE
> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
>
> it says
>
>>checking for dlsym in -ldl... yes
>>./configure: line 25930: libnet-config: command not found
>>./configure: line 25931: libnet-config: command not found
>>./configure: line 25941: libnet-config: command not found
>>./configure: line 25946: libnet-config: command not found
>>checking libnet.h usability... no
>>checking libnet.h presence... no
>>checking for libnet.h... no
>>
>> ERROR! Libnet header not found, go get it from
>
> libnet.h is in /usr/local/libnet-1.0.2a/include/libnet.h, and I have
> a symlink for /usr/local/libnet -> /usr/local/libnet-1.0.2a
>
> libnet-config only exists in the libnet source directory; 'make
> install' didn't copy it anywhere. Should I copy it somewhere?
>
> If the current Snort is incompatible, and a newer libnet is
> incompatible with Sguil (as the howto indicates), then what is the
> latest snort that can be used, and what are the prospects for keeping
> it up-to-date if any more snort vulnerabilities are announced?
>
>
> BTW, I also tried the RPMs from http://synfulpacket.net/sguilcvs, but
> they didn't install. I'm guessing that's because
> a. I'm running 64bit
> or
> b. they're not really compatible with RHEL4 (they say they're for
> Centos 4 and 5, and I tried the Centos 4 ones)
>
> As far as ease-of-install and upgrades,
> Would I be better off using RHEL5 or Centos5 as opposed to RHEL4?
> What about 32-bit vs 64-bit?
>
> Thank you,
> Barry
>
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>
------------------------------
-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
------------------------------
_______________________________________________
Sguil-users mailing list
Sgu...@li...
https://lists.sourceforge.net/lists/listinfo/sguil-users
End of Sguil-users Digest, Vol 26, Issue 1
******************************************
|