Re: [Sguil-users] [Q] Using sguil to read a capture file
From: Stef <st...@gm...> - 2004-12-08 23:31:08
Thx for the reply - see inline:

On Wed, 8 Dec 2004 16:43:04 -0600, SRH-Lists <gi...@33...> wrote:
> > I have installed sguil 0.5.3, barnyard 0.2.0, and snort 2.2 on a Linux
> > machine (let's not even go to how I dealt with Itcl and Iwidgets on
> > Mandrake ;)), with the sole purpose of analyzing trace files
> > previously recorded (I am NOT using this to monitor real-time
> > traffic). I have [religiously] followed Richard's instructions (of
> > course - with some minor twists for Linux), with everything on
> > "localhost" (sensor, sguild, sguil.tk, etc.).
> >
> > 1. Warning messages of all sorts - e.g. "ambiguous col: ..." - not that
> > big of a deal - goes right through ("Skip messages")
>
> Curious for more detail here.

OK - at the start of the sguil.tk client, as well as any other action taken afterwards (e.g. attempting to open a menu/query window), I get a window titled "Application Error", with the message:

  Error: ambiguous option "-col": must be -column, -columnspan, -in, -ipadx, -ipady, -padx, -pady, -row, -rowspan, or -sticky

and three options: "OK", "Skip Message" (which I always do), and "Details", with the latter pointing to the error created "while executing grid configure $itk_component($tag) ...". I guess this may be related to iwidgets/itcl (?!?), but I have no knowledge in this area ;(

> > 2. I cannot use any queries. No matter what I try, I get empty data -
> > "query returned 0 rows" - this is really bugging me
>
> There is a default date in the queries, is that date too current for
> your capture?

Very good point - yes - and I have tried changing it to the date of the capture, but still no go. I am looking into the "canned" queries offered, now, to see if I can run them as SQL statements from a mysql "shell", for further info/debugging.

> > 3. I am using bleedingsnort rules, alongside regular ones. In the
> > "Event message" column I do NOT get the description, but rather the
> > snort alert number, and, when trying to "show rule", I get "Unable to
> > find matching rule in /nsm/rules/localhost", even though the rules are
> > there (as snort wouldn't have been able to process them, either - I
> > point snort.conf to the same place)
>
> You need to add the bleeding sids to your sid-msg.map

Another very good point - I guess you are saying that the bleeding-sid-msg.map is not being read, even though it is placed in the same location as sid-msg.map? I will try your suggestion right away.

Thx a bunch.

Stef
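Added example, not code from this thread or from the Sguil project: a small Python tool that merges a separate map such as bleeding-sid-msg.map into the single sid-msg.map the console reads, which is what point 3 above comes down to. It assumes the usual Snort sid-msg.map layout (one entry per line, fields separated by `||`: SID, message, then optional references, `#` comments ignored) and that only sid-msg.map itself is consulted, as the reply suggests. Both map files below are constructed samples, not real rule data. It also flags a SID that appears in both files with different messages, since silently overwriting one would make the "Event message" column lie about what fired.

```python
"""Merge a second Snort sid-msg.map (e.g. bleeding-sid-msg.map) into the main one.

Assumed format, one entry per line:  SID || message || ref || ref ...
"""
from typing import Dict, List, Tuple

# Constructed sample content for the two maps (not real rule data).
SID_MSG_MAP = """\
# sid-msg.map (constructed sample)
1 || EXAMPLE ALERT ONE || url,example.invalid/one
2 || EXAMPLE ALERT TWO
"""

BLEEDING_SID_MSG_MAP = """\
# bleeding-sid-msg.map (constructed sample)
2000001 || BLEEDING-EDGE EXAMPLE ALERT A
2000002 || BLEEDING-EDGE EXAMPLE ALERT B || url,example.invalid/b
2 || CONFLICTING MESSAGE FOR SID 2
"""

Entry = Tuple[str, List[str]]  # (message, references)


def parse_sid_msg_map(text: str) -> Dict[int, Entry]:
    """Return {sid: (message, [references])} for every non-comment line."""
    entries: Dict[int, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: malformed sid-msg.map entry: {raw!r}")
        entries[int(fields[0])] = (fields[1], fields[2:])
    return entries


def merge_maps(base: Dict[int, Entry], extra: Dict[int, Entry]):
    """Merge extra into base. Returns (merged, conflicting_sids).

    A SID present in both files with a different message is a conflict:
    the base entry is kept and the SID is reported for manual review.
    """
    merged = dict(base)
    conflicts: List[int] = []
    for sid, entry in extra.items():
        if sid in merged and merged[sid][0] != entry[0]:
            conflicts.append(sid)
            continue
        merged[sid] = entry
    return merged, conflicts


def render_sid_msg_map(entries: Dict[int, Entry]) -> str:
    """Write the merged map back out in the same || format, sorted by SID."""
    lines = []
    for sid in sorted(entries):
        msg, refs = entries[sid]
        lines.append(" || ".join([str(sid), msg, *refs]))
    return "\n".join(lines) + "\n"


def lookup_message(entries: Dict[int, Entry], sid: int) -> str:
    """What the console shows: the message if the SID is mapped, else the bare SID."""
    entry = entries.get(sid)
    return entry[0] if entry else str(sid)


if __name__ == "__main__":
    base = parse_sid_msg_map(SID_MSG_MAP)
    extra = parse_sid_msg_map(BLEEDING_SID_MSG_MAP)
    print("before merge, sid 2000001 ->", lookup_message(base, 2000001))
    merged, conflicts = merge_maps(base, extra)
    print("after merge,  sid 2000001 ->", lookup_message(merged, 2000001))
    if conflicts:
        print("conflicting SIDs kept from base map, review by hand:", conflicts)
    print(render_sid_msg_map(merged), end="")
```

Run as-is it prints the bare SID before the merge and the rule message after, then the merged map; to use it on real files, read sid-msg.map and bleeding-sid-msg.map into the two strings and write `render_sid_msg_map()` output back to sid-msg.map after checking any reported conflicts.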