Thursday, January 19, 2006

Sguil On OpenBSD Current tested

I have tested Sguil-0.6.0p1 on OpenBSD current; everything goes smoothly and the mysqltcl crash is gone. Thanks to the MySQL 5 ports, deploying Sguil on OpenBSD has become much easier. One thing I noticed, however, is that tcpdump can't be run as a normal user and requires root privilege: even after changing the owner of the tcpdump binary to another user, I still couldn't run it as that user, only as root. To work around this without changing the owner of the binary in /usr/sbin, I decided to install tcpdump-3.8.3 instead of using OpenBSD's native tcpdump. With that, I can run tcpdump as any user, at least to read and write pcap files.

Anyway, here are a few corrections for the OpenBSD Sguil VMware image, for anyone trying it out.

- Barnyard points to the wrong directory for sid-msg.map and gen-msg.map. This causes the Snort rules not to display in the Sguil client analyst console when you check "show rules". It should point to /nsm/sguild_data/rules/pcn1 instead of /usr/local/snortrules-pcn1: /usr/local/snortrules-pcn1 is for the sensor, while /nsm/sguild_data/rules/pcn1 is where sguild reads the rules it shows.

- Tcpflow is not installed, so session data can't be generated. If you have an internet connection, installing it takes only a moment:

shell>PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/
shell>export PKG_PATH
shell>pkg_add ${PKG_PATH}tcpflow-0.21.tgz
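As an added example (my own sh snippet, not code from the original post or from the Sguil project), here is a small check for the two corrections above. It assumes barnyard.conf uses the "config sid-msg-map:" / "config gen-msg-map:" directives and builds two constructed sample configs inline.

```shell
#!/bin/sh
# Added example, not from the original post: verify that barnyard's
# sid-msg.map / gen-msg.map live under the sguild rules directory
# (/nsm/sguild_data/rules/pcn1), not the sensor's /usr/local/snortrules-pcn1,
# and that tcpflow is present so session data can be generated.
# Assumption: barnyard.conf uses "config sid-msg-map:" / "config gen-msg-map:".

SGUILD_RULES="/nsm/sguild_data/rules/pcn1"

# map_path CONF KEY -> prints the path configured for KEY (sid-msg-map or gen-msg-map)
map_path() {
    sed -n "s/^[[:space:]]*config[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_barnyard_maps CONF -> 0 when both maps are under SGUILD_RULES, else 1
check_barnyard_maps() {
    rc=0
    for key in sid-msg-map gen-msg-map; do
        p=$(map_path "$1" "$key")
        case "$p" in
            "$SGUILD_RULES"/*) ;;
            "") echo "$key: not set in $1"; rc=1 ;;
            *)  echo "$key: $p should be under $SGUILD_RULES"; rc=1 ;;
        esac
    done
    return $rc
}

# check_tcpflow -> 0 if tcpflow is on PATH, else 1 (session data needs it)
check_tcpflow() {
    command -v tcpflow >/dev/null 2>&1
}

# Constructed sample configs: the broken image setting and the corrected one.
BAD_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
cat >"$BAD_CONF" <<EOF
config sid-msg-map: /usr/local/snortrules-pcn1/sid-msg.map
config gen-msg-map: /usr/local/snortrules-pcn1/gen-msg.map
EOF
cat >"$GOOD_CONF" <<EOF
config sid-msg-map: /nsm/sguild_data/rules/pcn1/sid-msg.map
config gen-msg-map: /nsm/sguild_data/rules/pcn1/gen-msg.map
EOF

check_barnyard_maps "$BAD_CONF"   # reports both maps as wrong
check_barnyard_maps "$GOOD_CONF"  # silent, returns 0
check_tcpflow || echo "tcpflow not found: install it before expecting session data"
```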

Please send feedback if you find anything wrong or not working in the VMware image. Enjoy :]

I have heard about the Anonymous Live CD that uses OpenBSD, Kaos. Do you think it would be cool to have a Sguil Live CD based on OpenBSD, perhaps one that lets you mount /nsm on a hard drive?
