Wednesday, October 03, 2007

Sguil: Minor DB Issue

I remember having this problem previously, and it forced me to create the sguil sensor name without "-" to resolve it. I hadn't taken note of this, but today when I read this information in the Knoppix-NSM FAQ, they had a clear answer, so I think it's good to take note of it. From the link -

http://www.securixlive.com/knoppix-nsm/faq.php

Sensor is running but no data in sguil console?

If you have used the - (minus/dash) character in your sensor name, then this could be the cause. When a new sensor is created, new tables, based on the sensor name, are also created for storing data. MySQL does not allow you access to tables that have the - character in the name. Change the sensor name and this should fix the problem.

It's a minor issue, seriously. But it can crack your head to figure it out sometimes.
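The FAQ answer above boils down to one rule: whatever the sensor is called ends up inside an unquoted table name, so it has to be a legal SQL identifier. The following added example (not Sguil's or Knoppix-NSM's code) checks a candidate sensor name against the unquoted-identifier rules before it ever reaches the database, and reproduces the failure. It assumes the `event_<sensor>_<date>` naming pattern as an approximation of Sguil's per-sensor tables, and uses SQLite as an in-memory stand-in for MySQL, since both reject a dash in an unquoted identifier the same way:

```python
"""Sensor-name sanity check for Sguil-style per-sensor tables.

Added example, not code from Sguil or the Knoppix-NSM FAQ. The table-name
pattern event_<sensor>_<date> is an assumption, and SQLite is used here as a
stand-in for MySQL: for an unquoted identifier containing '-', both engines
raise a syntax error at the dash.
"""
import re
import sqlite3

# Characters that are safe in an unquoted SQL identifier in both MySQL and
# SQLite: ASCII letters, digits and underscore. Anything else (dash, dot,
# space, ...) must be rejected or quoted, and Sguil does not quote.
SAFE_IDENT = re.compile(r"^[A-Za-z0-9_]+$")


def is_safe_sensor_name(name: str) -> bool:
    """True when the name can be embedded in an unquoted table name as-is."""
    return bool(SAFE_IDENT.match(name))


def suggest_sensor_name(name: str) -> str:
    """Replace every unsafe character with '_' (the usual fix: 'dmz-ext' -> 'dmz_ext')."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def try_create_sensor_table(sensor: str, date: str = "20071003") -> str:
    """Build the per-sensor table name the way a Sguil-style backend would
    (assumed pattern event_<sensor>_<date>) and run an unquoted CREATE TABLE
    against an in-memory SQLite database.

    Returns 'created' on success, or 'error: <message>' with the database's
    own complaint when the identifier is not accepted.
    """
    table = f"event_{sensor}_{date}"
    conn = sqlite3.connect(":memory:")
    try:
        # Identifier is interpolated unquoted, exactly the situation the FAQ describes.
        conn.execute(f"CREATE TABLE {table} (sid INT, cid INT, timestamp TEXT)")
        return "created"
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample sensor names: one good, two that break table creation.
    for candidate in ("gateway", "gateway-ext", "dmz.sensor1"):
        verdict = "ok" if is_safe_sensor_name(candidate) else "REJECT"
        print(f"{candidate:12s} check={verdict:6s} db={try_create_sensor_table(candidate)}")
        if verdict == "REJECT":
            print(f"{'':12s} suggested name: {suggest_sensor_name(candidate)}")
```

Running the check at sensor-registration time (before the `CREATE TABLE`) is the cheap fix; the database error is only there to show why the console stays empty when a dashed name slips through.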

Peace ;]

5 comments:

Anonymous said...

Speaking of Sguil, I find the transcripts created with tcpflow very helpful. However, in some cases collecting full content isn't practical, but collecting transcripts would be. Is there software similar to tcpflow that would be able to log just transcripts from clear text sessions, even if they weren't on standard ports?

C.S.Lee said...

hi,

If you want to do it in real time, just to reveal the clear text sessions even if they weren't on standard ports, without collecting full content data, you can use bro-nids.

http://bro-ids.org

But for offline analysis, without full content data you can't produce that. If you check out the HeX liveCD, there's a section called NBF-Toolkit (Network Based Forensics Toolkit) which contains all the tools that allow you to generate transcript-like data.

Cheers ;]

Anonymous said...

Hopefully someday someone will write a program that can save just transcripts for offline analysis. In the meantime, I'll check out bro-nids. Thanks for pointing me in the right direction!

C.S.Lee said...

Hi anonymous,

Bro-nids is actually what you want. By default it doesn't save full content data unless you configure it to do so, but you have access to the application data, which is similar to a transcript, as long as you call its protocol analysis scripts when running bro.

Anonymous said...

Sounds cool, thanks geek00l!