Friday, January 20, 2006

Adding Sguil startup on B00T

I have just added sguil components startup on boot in /etc/rc.local so that you won't need to run that 6 scripts in ~ anymore. However I have only put it into my documentation instead of syncing it to the VMware Image since uploading is slow over here for around 100MB file. I blog it here instead of anyone interested. Just open the /etc/rc.local file, and append the lines below at the end of the file.

if [ -x /usr/local/bin/sancp ]; then
echo -n " sancp"; /usr/local/bin/sancp -d /nsm/snort_data/pcn1/sancp -i pcn1 -u sguil -g sguil -c /etc/sguil/sancp.conf > /var/log/sancp.log -D

if [ -x /usr/local/bin/snort ]; then
echo -n " snort"; /usr/local/bin/snort -u sguil -g sguil -c /etc/sguil/snortrules-pcn1/snort.conf -l /nsm/snort_data/pcn1 -m 122 -A none -i pcn1 -D

if [ -x /usr/local/bin/tclsh ]; then
echo -n " sguild"; /usr/local/stow/sguil-0.6.0p1/server/sguild -c /etc/sguild/sguild.conf -u /etc/sguild/sguild.users -A /etc/sguild/sguild.access -D

if [ -x /usr/local/bin/tclsh ]; then
echo -n " sensor_agent"; /usr/local/stow/sguil-0.6.0p1/sensor/sensor_agent.tcl -c /etc/sguil/sensor_agent-pcn1.conf -D

if [ -x /usr/local/bin/barnyard ]; then
echo -n " barnyard"; /usr/local/bin/barnyard -c /etc/sguil/barnyard-pcn1.conf -d /nsm/snort_data/pcn1 -g /nsm/sguild_data/rules/pcn1/ -s /nsm/sguild_data/rules/pcn1/ -f snort.log -w /nsm/snort_data/pcn1/waldo.file -D

You will have to edit line number 3 of /usr/local/stow/sguil-0.6.0p1/server/sguild and /usr/local/stow/sguil-0.6.0p1/sensor/sensor_agent.tcl. Just change it from

exec tclsh "%0" "%@"


exec /usr/local/bin/tclsh "%0" "%@"

Now all the sguil components will startup properly in order and directly you can connect to the sguil server using the client after reboot.

Cheers ( :])

No comments: