[Snort-users] Sguil 8 and Barnyard2 beta

James Lay jlay at ...13475...
Sun Jul 10 10:36:35 EDT 2011


Thanks Bamm and Firnsy....been going step by step and installing and
configuring the sensors comes last after starting barnyard2. I'll try with
the sensors then try again.  I think I have another question on this
setup, but I'll start a new thread after getting this one fixed up.
Thanks again.

James

On 7/10/11 7:26 AM, "Bamm Visscher" <bamm.visscher at ...11827...> wrote:

>Hi James,
>
>Barnyard shouldn't be configured to connect directly to sguild,
>instead, it connects to the snort_agent (port 7735 by default). Check
>your snort_agent.conf and see what you have BY_PORT configured to.
>
>So should be barnyard2 -> snort_agent:7735 -> sguild:7736
>
>Bamm
>
>
>
>On Sun, Jul 10, 2011 at 7:36 AM, James Lay <jlay at ...13475...>
>wrote:
>> Hey all,
>> SoŠ.been trying to get sguil to flyŠand here's what I see below:
>> Running in Continuous mode
>>         --== Initializing Barnyard2 ==--
>> Initializing Input Plugins!
>> Initializing Output Plugins!
>> Parsing config file "/opt/etc/snort/barnyard2.conf"
>> Log directory = /var/log/barnyard2
>> sguil:  sensor name = gateway
>> sguil:  agent port =  7736
>> sguil:  Connected to localhost on 7736.
>> 2011-07-10 11:31:58 pid(19350)  Sensor agent connect from
>>127.0.0.1:40978
>> sock15
>> 2011-07-10 11:31:58 pid(19350)  Validating sensor access: 127.0.0.1 :
>> 2011-07-10 11:31:58 pid(19350)  Valid sensor agent: 127.0.0.1
>> ERROR: sguil: Expected SidCidResponse and got 'SGUIL-0.8.0 OPENSSL
>>ENABLED
>> '
>> Fatal Error, Quitting..
>> 2011-07-10 11:31:58 pid(19350)  Sensor Data Rcvd: SidCidRequest gateway
>> 2011-07-10 11:31:58 pid(19350)  Ignoring cmd from unregistered agent:
>> SidCidRequest gateway
>> 2011-07-10 11:31:58 pid(19350)  Sensor Data Rcvd:
>> 2011-07-10 11:31:58 pid(19350)  Ignoring cmd from unregistered agent:
>> 2011-07-10 11:31:58 pid(19350)  Socket sock15 closed
>> Scouring the net found me nothing with this.  Any hints on what I can
>>do to
>> fix this?  Got to admitŠ.sguil is one of the most frustration apps I've
>> tried to get workingŠ
>> James
>> 
>>-------------------------------------------------------------------------
>>-----
>> All of the data generated in your IT infrastructure is seriously
>>valuable.
>> Why? It contains a definitive record of application performance,
>>security
>> threats, fraudulent activity, and more. Splunk takes this data and makes
>> sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-d2d-c2
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please see http://www.snort.org/docs for documentation
>>
>
>
>
>-- 
>sguil - The Analyst Console for NSM
>http://sguil.sf.net
>
>--------------------------------------------------------------------------
>----
>All of the data generated in your IT infrastructure is seriously valuable.
>Why? It contains a definitive record of application performance, security
>threats, fraudulent activity, and more. Splunk takes this data and makes
>sense of it. IT sense. And common sense.
>http://p.sf.net/sfu/splunk-d2d-c2
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>Please see http://www.snort.org/docs for documentation






More information about the Snort-users mailing list