Re: [Sguil-users] Sguil - Barnyard weird behaviour
From: Bamm V. <bam...@gm...> - 2006-04-30 15:30:15
Looks like there is a bug in how status info is received. I know I've had to make a few changes.

Bammkkkk

On 4/30/06, CS Lee <ge...@gm...> wrote:
> I'm currently trying on sguil in cvs src where PADS are in, however I can't
> find anything related when I fetch from the cvs src tree. Scottder has sent me a
> tarball and I tried it. At first I ran sguil-0.6.1 and everything seemed to
> be fine, till I changed to use the latest sguil source. I found this
> weirdness that is hard to tell. It is normal in the CLI but in the sguil analyst
> console,
>
> Barnyard indication light is red while it is connected to sensor_agent. I
> define the port for barnyard to connect to the sensor through port 7740.
>
> I check on Barnyard without bringing it to the background, I get
>
> Barnyard Version 0.2.0 (Build 32)
> Opened spool file '/nsm/snort_data/dissector/snort.log.1146395173'
> Connected to localhost on 7740.
>
> I run the sensor in debug mode and it shows
>
> barnyard connected: sock9 127.0.0.1 48837
> Sending sguild (sock3) SystemMessage {Barnyard connected via sensor localhost.}
> Sending sguild (sock3) BarnyardInit dissector 1
> Sending sguild (sock3) PING
> Sensor Data Rcvd: PONG
> PONG received
>
> Checking for PS files in /nsm/snort_data/dissector/portscans.
> Checking for PS files in /nsm/snort_data/dissector/portscans.
> Checking for PS files in /nsm/snort_data/dissector/portscans.
>
> I have no problem at all with sguil-0.6.1 but only have this problem when
> using CVS or the tarball that was sent by Scottder just now.
>
> The netstat shows a positive result
>
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp        0      0  127.0.0.1.7740         127.0.0.1.48837        ESTABLISHED
> tcp        0      0  127.0.0.1.48837        127.0.0.1.7740         ESTABLISHED
> tcp        0      0  192.168.0.55.22        192.168.0.250.1420     ESTABLISHED
> tcp        0     52  192.168.0.55.22        192.168.0.250.1414     ESTABLISHED
> tcp        0      0  127.0.0.1.7740         *.*                    LISTEN
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>

--
sguil - The Analyst Console for NSM http://sguil.sf.net
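The check CS Lee did by hand above (netstat on one side, the sensor_agent debug output on the other) can be scripted so that a red Barnyard light is quickly classified as either a real connection failure or a status-reporting problem further up the chain. This is an added Python example, not code from Sguil or Barnyard; the netstat and log text are constructed to mirror the post, the BSD-style `ip.port` address layout is assumed from that output, and the verdict labels are this example's own, not anything sguild emits.

```python
"""Cross-check a Barnyard -> sensor_agent connection against the sensor_agent
debug log, to separate a missing TCP connection from a status-reporting
problem further upstream (sensor_agent -> sguild -> analyst console).

Added example, not Sguil or Barnyard code.  The samples below are
constructed to mirror the thread; verdict labels are this example's own.
"""
import re

# Constructed BSD-style netstat output (addresses written as ip.port).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  127.0.0.1.7740         127.0.0.1.48837        ESTABLISHED
tcp        0      0  127.0.0.1.48837        127.0.0.1.7740         ESTABLISHED
tcp        0      0  192.168.0.55.22        192.168.0.250.1420     ESTABLISHED
tcp        0     52  192.168.0.55.22        192.168.0.250.1414     ESTABLISHED
tcp        0      0  127.0.0.1.7740         *.*                    LISTEN
"""

# Constructed sensor_agent debug output.
AGENT_LOG_SAMPLE = """\
barnyard connected: sock9 127.0.0.1 48837
Sending sguild (sock3) SystemMessage {Barnyard connected via sensor localhost.}
Sending sguild (sock3) BarnyardInit dissector 1
Sending sguild (sock3) PING
Sensor Data Rcvd: PONG
PONG received
Checking for PS files in /nsm/snort_data/dissector/portscans.
"""

CONNECT_RE = re.compile(r"barnyard connected: sock\d+ (\S+) (\d+)")
INIT_RE = re.compile(r"Sending sguild \(sock\d+\) BarnyardInit (\S+) (\d+)")


def split_addr(addr):
    """Split BSD-style 'ip.port' into (ip, port); a '*' port becomes None."""
    ip, _, port = addr.rpartition(".")
    return ip, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return [(local, foreign, state), ...] for each tcp line; headers skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith("tcp"):
            continue
        state = f[5] if len(f) > 5 else ""
        conns.append((split_addr(f[3]), split_addr(f[4]), state))
    return conns


def established_peers(conns, local_port):
    """Foreign (ip, port) pairs holding an ESTABLISHED socket on local_port."""
    return {foreign for local, foreign, state in conns
            if local[1] == local_port and state == "ESTABLISHED"}


def agent_peers(log):
    """Peers the sensor_agent logged as 'barnyard connected'."""
    return {(ip, int(port)) for ip, port in CONNECT_RE.findall(log)}


def barnyard_init(log):
    """(sensor_name, sensor_id) from the BarnyardInit sent to sguild, or None."""
    m = INIT_RE.search(log)
    return (m.group(1), int(m.group(2))) if m else None


def diagnose(netstat_text, agent_log, local_port=7740):
    """Walk the chain: TCP socket -> agent saw connect -> agent told sguild."""
    peers = established_peers(parse_netstat(netstat_text), local_port)
    seen = agent_peers(agent_log)
    init = barnyard_init(agent_log)
    if not peers:
        verdict = "no-tcp-connection"          # Barnyard never connected
    elif not peers & seen:
        verdict = "agent-did-not-log-connect"  # socket up, agent unaware
    elif init is None:
        verdict = "agent-did-not-send-init"    # agent never told sguild
    else:
        verdict = "connected-upstream"         # look at sguild/console status handling
    return {"tcp_peers": peers, "agent_peers": seen,
            "barnyard_init": init, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(NETSTAT_SAMPLE, AGENT_LOG_SAMPLE))
```

On the sample from the thread every link up to the BarnyardInit message checks out, so the script lands on `connected-upstream`, which is the same place Bamm's reply points: the problem is in how the status reaches the console, not in the Barnyard connection itself.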