[Snort-users] Sguil 8 and Barnyard2 beta

Bamm Visscher bamm.visscher at ...11827...
Sun Jul 10 09:26:02 EDT 2011


Hi James,

Barnyard shouldn't be configured to connect directly to sguild,
instead, it connects to the snort_agent (port 7735 by default). Check
your snort_agent.conf and see what you have BY_PORT configured to.

So should be barnyard2 -> snort_agent:7735 -> sguild:7736

Bamm



On Sun, Jul 10, 2011 at 7:36 AM, James Lay <jlay at ...13475...> wrote:
> Hey all,
> So….been trying to get sguil to fly…and here's what I see below:
> Running in Continuous mode
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/opt/etc/snort/barnyard2.conf"
> Log directory = /var/log/barnyard2
> sguil:  sensor name = gateway
> sguil:  agent port =  7736
> sguil:  Connected to localhost on 7736.
> 2011-07-10 11:31:58 pid(19350)  Sensor agent connect from 127.0.0.1:40978
> sock15
> 2011-07-10 11:31:58 pid(19350)  Validating sensor access: 127.0.0.1 :
> 2011-07-10 11:31:58 pid(19350)  Valid sensor agent: 127.0.0.1
> ERROR: sguil: Expected SidCidResponse and got 'SGUIL-0.8.0 OPENSSL ENABLED
> '
> Fatal Error, Quitting..
> 2011-07-10 11:31:58 pid(19350)  Sensor Data Rcvd: SidCidRequest gateway
> 2011-07-10 11:31:58 pid(19350)  Ignoring cmd from unregistered agent:
> SidCidRequest gateway
> 2011-07-10 11:31:58 pid(19350)  Sensor Data Rcvd:
> 2011-07-10 11:31:58 pid(19350)  Ignoring cmd from unregistered agent:
> 2011-07-10 11:31:58 pid(19350)  Socket sock15 closed
> Scouring the net found me nothing with this.  Any hints on what I can do to
> fix this?  Got to admit….sguil is one of the most frustration apps I've
> tried to get working…
> James
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please see http://www.snort.org/docs for documentation
>



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net




More information about the Snort-users mailing list