Re: [Sguil-users] Problem with running processes on separate boxes using 0.6.0rc3
From: Richard B. <tao...@gm...> - 2005-11-18 22:10:05
On 11/18/05, Brian A. Hughes <hug...@is...> wrote:
> Thanks Richard,
>
> BTW nice book (The TAO of Network Security Monitoring) :-) This gets
> me a bit closer. It has stopped complaining now, but it also does not
> seem to be writing anything to the database. The only tables that have
> any content are sensor, status, user_info, and version. My first
> thought is that in the new scheme of things sguild has problems,
> but it looks OK:
> [sguil@SGUIL-Server server]$ ./sguild -c sguild.conf -u sguild.users -O
> /usr/local/lib/libtls1.50.so -C /usr/local/etc/snort
> KEY is /usr/local/etc/snort/sguild.key
> pid(13462) Loading access list: ./sguild.access
> pid(13462) Sensor access list set to ALLOW ANY.
> pid(13462) Client access list set to ALLOW ANY.
> pid(13462) Email Configuration:
> pid(13462) Config file: ./sguild.email
> pid(13462) Enabled: No
> pid(13463) Loaderd Forked
> pid(13464) Queryd Forked
> pid(13462) Retrieving DB info...
> pid(13462) Warning: Event table appears to be empty.
> pid(13462) If this is a new DB, then you can safely ignore this warning.
> pid(13462) Retrieving DB info...
> pid(13462) Sguild Initialized.
> pid(13462) Connect from xxx.yyy.zzz.30:51819 sock13
> pid(13462) Validating sensor access: xxx.yyy.zzz.30 :
> pid(13462) ALLOWED
> pid(13462) Client Connect: xxx.yyy.zzz.70 32943 sock14
> pid(13462) Validating client access: xxx.yyy.zzz.70
> pid(13462) Valid client access: xxx.yyy.zzz.70
> pid(13462) sock14 added to clientList
>
> So that appears to be working correctly. Everything else seems to start
> normally too, but nothing makes it to the database and of course in turn
> nothing makes it to the Sguil client. Any suggestions on where to look?
>
> Thanks & Best Regards,
> Brian

Hi Brian,

Ok, dumb questions:

1. Are you seeing any traffic that would cause Snort to alert?

2. Is Snort working properly?

By the way, what OS are you using? I plan to have my FreeBSD guide done for 0.6.0 soon, along with a VM for VMware Player.

Richard

PS: If you liked Tao, check out Real Digital Forensics, and Extrusion Detection (http://www.taosecurity.com/books.html).
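The sguild startup output quoted above already answers half of the troubleshooting question: the loader and query daemons forked, the server initialized, a sensor agent and a client both connected, and the only warning is that the event table is empty. The reply then sends the reader to the sensor side (is Snort alerting at all?). The following script, an added example written for this archive page and not code from the Sguil project or either poster, parses that console output into a summary and derives the same next checks. It assumes only the line formats visible in the quoted log; the sample input is the quoted output retyped with the same masked addresses, not a live capture.

```python
import re

# Constructed sample input: the sguild console output quoted in the message
# above, retyped with the same masked addresses (not a capture from a live box).
SGUILD_LOG = """\
KEY is /usr/local/etc/snort/sguild.key
pid(13462) Loading access list: ./sguild.access
pid(13462) Sensor access list set to ALLOW ANY.
pid(13462) Client access list set to ALLOW ANY.
pid(13462) Email Configuration:
pid(13462) Config file: ./sguild.email
pid(13462) Enabled: No
pid(13463) Loaderd Forked
pid(13464) Queryd Forked
pid(13462) Retrieving DB info...
pid(13462) Warning: Event table appears to be empty.
pid(13462) If this is a new DB, then you can safely ignore this warning.
pid(13462) Retrieving DB info...
pid(13462) Sguild Initialized.
pid(13462) Connect from xxx.yyy.zzz.30:51819 sock13
pid(13462) Validating sensor access: xxx.yyy.zzz.30 :
pid(13462) ALLOWED
pid(13462) Client Connect: xxx.yyy.zzz.70 32943 sock14
pid(13462) Validating client access: xxx.yyy.zzz.70
pid(13462) Valid client access: xxx.yyy.zzz.70
pid(13462) sock14 added to clientList
"""

# Line shapes taken from the quoted output; anything else is ignored.
PID_RE = re.compile(r"^pid\((\d+)\) (.*)$")
SENSOR_RE = re.compile(r"^Connect from (\S+):(\d+) sock(\d+)$")
CLIENT_RE = re.compile(r"^Client Connect: (\S+) (\d+) sock(\d+)$")
FORK_RE = re.compile(r"^(\w+) Forked$")
WARN_RE = re.compile(r"^Warning: (.*)$")


def summarize_sguild_log(text):
    """Reduce sguild's console output to the facts a troubleshooter needs:
    which helper daemons forked, whether the server initialized, which sensor
    agents and clients connected, and which warnings were printed."""
    summary = {
        "forked": {},        # daemon name -> pid
        "initialized": False,
        "sensors": [],       # (address, source port, socket id)
        "clients": [],       # (address, source port, socket id)
        "warnings": [],
    }
    for raw in text.splitlines():
        m = PID_RE.match(raw.strip())
        if not m:
            continue  # e.g. the "KEY is ..." banner carries no pid prefix
        pid, msg = int(m.group(1)), m.group(2)
        fork = FORK_RE.match(msg)
        sensor = SENSOR_RE.match(msg)
        client = CLIENT_RE.match(msg)
        warn = WARN_RE.match(msg)
        if fork:
            summary["forked"][fork.group(1)] = pid
        elif msg == "Sguild Initialized.":
            summary["initialized"] = True
        elif sensor:
            summary["sensors"].append(
                (sensor.group(1), int(sensor.group(2)), int(sensor.group(3))))
        elif client:
            summary["clients"].append(
                (client.group(1), int(client.group(2)), int(client.group(3))))
        elif warn:
            summary["warnings"].append(warn.group(1))
    return summary


def diagnose(summary):
    """Turn the summary into the next checks, following the reply above: if
    sguild is up and a sensor connected but the event table is empty, the
    server side looks healthy and the question becomes whether Snort on the
    sensor is running and producing alerts at all."""
    hints = []
    for daemon in ("Loaderd", "Queryd"):
        if daemon not in summary["forked"]:
            hints.append(f"{daemon} did not fork; sguild cannot load or query events without it")
    if not summary["initialized"]:
        hints.append("sguild never reported 'Sguild Initialized.'")
    if not summary["sensors"]:
        hints.append("no sensor agent connected; check the sensor-side agent and sguild.access")
    table_empty = any("Event table appears to be empty" in w for w in summary["warnings"])
    if table_empty and summary["initialized"] and summary["sensors"]:
        hints.append("sguild is up and a sensor connected, but no events were loaded: "
                     "confirm Snort on the sensor is running and actually alerting")
    return hints


if __name__ == "__main__":
    for hint in diagnose(summarize_sguild_log(SGUILD_LOG)):
        print("-", hint)
```

Run against the quoted output, the script reports only the last hint, which is exactly the pair of "dumb questions" in the reply: the server accepted the sensor and the client, so an empty event table means nothing has been sent to it yet.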