[Snort-users] Acid and HSC

Richard Bejtlich taosecurity at ...11827...
Wed Nov 10 11:10:04 EST 2004

sam wun wrote:

> I have no luck installing Sguil in FreeBSD. The compilation is overly complicated, 
> especially in the TCL/TK related stuff.

Hi Sam,

I agree that a complete Sguil installation can be complicated.  We are
working on ways to make this easier.  We've worked to make Linux
simpler to install.  My Sguil installation guide is developed on
FreeBSD and was just updated for FreeBSD 5.3 REL and the upcoming
Sguil 0.5.3. [0]

The FreeBSD ports tree makes installing software simple, except when
the ports have conflicting dependencies.  For example, the Sguil
server (sguild) requires MySQLTcl along with MySQL client libraries. 
Unfortunately, the MySQLTcl port as currently implemented lists
mysql323-client as a required library. [1]  If you're trying to
install sguild on a server with the MySQL 4.x libraries, there's no
sense letting the FreeBSD port system install MySQL 3.23.

Another problem involves Incrtcl and Iwidgets, needed by the Sguil
client, sguil.tk [2].  The best way to obtain these extensions for
UNIX requires checking them out via CVS, since neither has cut a
packaged UNIX release for several years. [3]  ActiveState's Tcl
package offers much of the required code to run the Sguil client,
perhaps perversely making Windows the easiest way to use the Sguil
client. [4]  The e-fense crowd offer a live CD called Helix with a
Sguil client, too.  [5]

When you install Sguil you are not just implementing a way to see the
contents of the Snort alert file in a GUI.  Sguil is developing into
an enterprise-grade network security monitoring (NSM) suite.  It may
not be as robust as some offerings.  Sguil is still in pre-1.0 status
and is developed by a group numbering in the single digits.  Still,
Sguil is not a Web-based alerts browser.  It is a collection system
for, and an interface to, intrusion data in alert, session, and full
content form.

For more information on Sguil and NSM, I recommend checking out the
ever-increasing excerpts from my book on NSM. [6]  (My publishers seem
to leak a new chapter onto the Web every few months!)



[0] http://sguil.sourceforge.net/index.php?page=documentation
[1] http://www.freshports.org/databases/mysqltcl/
[2] http://incrtcl.sourceforge.net/
[3] http://sourceforge.net/project/showfiles.php?group_id=13244
[4] http://www.activestate.com/Products/ActiveTcl/
[5] http://www.e-fense.com/helix/
[6] http://www.taosecurity.com/books.html
