[Snort-users] Sguil 8 and Barnyard2 beta

firnsy firnsy at ...14568...
Sun Jul 10 09:08:07 EDT 2011


On 10/07/11 21:36, James Lay wrote:
> Hey all,
>

G'day James,

> So….been trying to get sguil to fly…and here's what I see below:
>

Trying ... Hmmm ... This doesn't sound good.

> Running in Continuous mode
>
> --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/opt/etc/snort/barnyard2.conf"
> Log directory = /var/log/barnyard2
> sguil: sensor name = gateway
> sguil: agent port = 7736
> sguil: Connected to localhost on 7736.
> 2011-07-10 11:31:58 pid(19350) Sensor agent connect from 127.0.0.1:40978
> sock15
> 2011-07-10 11:31:58 pid(19350) Validating sensor access: 127.0.0.1 :
> 2011-07-10 11:31:58 pid(19350) Valid sensor agent: 127.0.0.1
> ERROR: sguil: Expected SidCidResponse and got 'SGUIL-0.8.0 OPENSSL ENABLED
>
> Fatal Error, Quitting..
> 2011-07-10 11:31:58 pid(19350) Sensor Data Rcvd: SidCidRequest gateway
> 2011-07-10 11:31:58 pid(19350) Ignoring cmd from unregistered agent:
> SidCidRequest gateway
> 2011-07-10 11:31:58 pid(19350) Sensor Data Rcvd:
> 2011-07-10 11:31:58 pid(19350) Ignoring cmd from unregistered agent:
> 2011-07-10 11:31:58 pid(19350) Socket sock15 closed
>

Upon initial inspection, it is clearly a protocol issue and the plugin 
will die fatally.

I'm guessing you've supplied some of the syslog messages from the server 
side. If so, the "Ignoring cmd from unregistered agent" is likely the 
root cause.

The plugin has issued "SidCidRequest" and the server has ignored it due 
to being unregistered.

I have not yet played with Sguil 0.8.0 but that's what I would be 
researching first. On the other hand if the agent has been registered 
then it could be a bug.

I can guarantee the plugin works with 0.7.0.

Regards,
firnsy
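To make the failure in the log concrete, here is an added example (not Sguil or Barnyard2 code, and not part of this thread) that replays the exchange over a local socket pair. A mock sguild greets with the exact "SGUIL-0.8.0 OPENSSL ENABLED" line quoted above and, as the log's "Ignoring cmd from unregistered agent" suggests, refuses to answer a SidCidRequest from an agent that has not registered. Two agents talk to it: one that behaves as the logged plugin did (sends SidCidRequest at once and treats the first line back as the SidCidResponse) and one that consumes the greeting and registers first. The VersionInfo registration line, the sid/cid values and the response format are assumptions made up for this mock; the real sguild handshake is not reproduced here.

```python
"""Mock of the sensor-agent exchange seen in the log above (constructed
illustration, not Sguil or Barnyard2 code)."""
import socket
import threading

BANNER = "SGUIL-0.8.0 OPENSSL ENABLED"   # greeting line quoted in the log
SENSOR = "gateway"                       # sensor name from the log


def serve(conn, sid=1, cid=0):
    """Mock sguild side. Assumptions: the server greets with BANNER, an agent
    must register (modelled here as a VersionInfo line) before other commands
    are honoured, and a SidCidRequest from a registered agent is answered with
    'SidCidResponse <sid> <cid>'. The sid/cid values are made up."""
    events = []
    rfile = conn.makefile("r", encoding="ascii", newline="\n")
    conn.sendall((BANNER + "\n").encode("ascii"))
    registered = False
    try:
        for line in rfile:                # one command per line until EOF
            cmd = line.rstrip("\n")
            events.append(f"Sensor Data Rcvd: {cmd}")
            if cmd.startswith("VersionInfo"):   # assumed registration step
                registered = True
            elif not registered:
                events.append(f"Ignoring cmd from unregistered agent: {cmd}")
            elif cmd.startswith("SidCidRequest"):
                conn.sendall(f"SidCidResponse {sid} {cid}\n".encode("ascii"))
    except OSError as exc:                # e.g. timeout if an agent misbehaves
        events.append(f"socket error: {exc}")
    rfile.close()
    conn.close()
    events.append("Socket closed")
    return events


def strict_agent(conn):
    """Behaviour implied by the log: send SidCidRequest immediately and treat
    whatever comes back first as the SidCidResponse."""
    rfile = conn.makefile("r", encoding="ascii", newline="\n")
    conn.sendall(f"SidCidRequest {SENSOR}\n".encode("ascii"))
    reply = rfile.readline().rstrip("\n")
    rfile.close()
    conn.close()
    if not reply.startswith("SidCidResponse"):
        return f"ERROR: sguil: Expected SidCidResponse and got '{reply}'"
    return reply


def version_aware_agent(conn):
    """Consume the greeting, register (assumed VersionInfo line), then ask."""
    rfile = conn.makefile("r", encoding="ascii", newline="\n")
    greeting = rfile.readline().rstrip("\n")
    if not greeting.startswith("SGUIL-"):
        rfile.close()
        conn.close()
        return f"ERROR: unexpected greeting '{greeting}'"
    conn.sendall(f"VersionInfo {{{greeting}}}\n".encode("ascii"))
    conn.sendall(f"SidCidRequest {SENSOR}\n".encode("ascii"))
    reply = rfile.readline().rstrip("\n")
    rfile.close()
    conn.close()
    return reply


def run(agent):
    """Connect an agent to the mock server over a socketpair and return
    (agent outcome, server event log)."""
    srv, cli = socket.socketpair()
    srv.settimeout(5)
    cli.settimeout(5)
    result = {}

    def server_thread():
        result["events"] = serve(srv)

    t = threading.Thread(target=server_thread)
    t.start()
    outcome = agent(cli)
    t.join()
    return outcome, result.get("events", [])


if __name__ == "__main__":
    for agent in (strict_agent, version_aware_agent):
        outcome, events = run(agent)
        print(agent.__name__, "->", outcome)
        for event in events:
            print("   sguild:", event)
```

Running it, the strict agent reproduces both halves of the log: it dies with "Expected SidCidResponse and got 'SGUIL-0.8.0 OPENSSL ENABLED'" while the mock server logs the SidCidRequest as ignored because the agent never registered. The version-aware agent gets a SidCidResponse. The point is the one firnsy makes: the first line on the wire is a version greeting, and a plugin that treats it as the answer to its request will always fail against a server that sends one.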



