samsamwun
December 7th, 2004, 04:36
Hi group,

I just finished installing sguil 0.5.2 with snort on FreeBSD 5.3.
Apart from Barnyard, the other programs seem to have started successfully, but I couldn't get the snort alert log into the sguildb database, particularly into the data and event tables. The sessions table has data being pushed in, but not the data and event tables.

Here are some snapshots of the various programs running on the server:
# ps -auxww | grep snort
root 779 0.0 0.4 1476 900 p0 S+ 4:13PM 0:00.00 grep snort
sguil 688 0.0 13.9 36736 34976 p1- S 4:06PM 0:00.78 snort -u sguil -g sguil -c /usr/local/etc/snort/snort.conf -U -l /nsm -m 122 -A none -i tun0
sguil 689 0.0 0.9 2780 2364 p1- S 4:06PM 0:00.06 /usr/local/bin/sancp -d /nsm/sancp -i tun0 -u sguil -g sguil -c /usr/local/etc/snort/sancp.conf
sguil 695 0.0 1.7 6892 4320 p1- S 4:06PM 0:00.16 /usr/local/bin/snort -u sguil -g sguil -m 122 -l /nsm/at/dailylogs/2004-12-07 -b -i tun0

# ps -auxww | grep sguild
root 852 0.0 0.1 348 232 p0 R+ 4:27PM 0:00.00 grep sguild
root 682 0.0 1.6 4516 3904 p1- I 4:06PM 0:00.38 tclsh ./sguild -c sguild.conf -u sguild.users -O /usr/local/lib/libtls.so.1 -C /usr/local/etc/sguild (tclsh8.4)
root 684 0.0 1.4 4264 3452 p1- I 4:06PM 0:00.03 tclsh ./sguild -c sguild.conf -u sguild.users -O /usr/local/lib/libtls.so.1 -C /usr/local/etc/sguild (tclsh8.4)
root 685 0.0 1.4 4260 3440 p1- I 4:06PM 0:00.00 tclsh ./sguild -c sguild.conf -u sguild.users -O /usr/local/lib/libtls.so.1 -C /usr/local/etc/sguild (tclsh8.4)

# ps -auxww | grep mysql
root 854 0.0 0.1 348 232 p0 R+ 4:28PM 0:00.00 grep mysql
mysql 532 0.0 0.5 1652 1256 con- I 4:05PM 0:00.01 /bin/sh /usr/local/bin/mysqld_safe --user=mysql --datadir=/var/db/mysql --pid-file=/var/db/mysql/at.authtec.com.pid
mysql 565 0.0 10.4 58436 26132 con- S 4:05PM 0:01.02 /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/var/db/mysql --pid-file=/var/db/mysql/at.authtec.com.pid

Barnyard fails with the following error:
# barnyard -c barnyard.conf -d /nsm -g gen-msg.map -s sid-msg.map -f snort.log
-w -wald ^Ho.file
Barnyard Version 0.2.0 (Build 32)
Opened spool file '/nsm/snort.log.1102256375'
OpSguil_Start
ERROR: Connecton closed by client
ERROR! Didn't receive confirmation. Trying to reconnect.
Connected to at.
ERROR: Unable to read data.
ERROR! Didn't receive confirmation. Trying to reconnect.
Connected to at.
...

How can I fix this error?

Thanks
Sam

bamm
December 7th, 2004, 15:18
Looks like barnyard is unable to connect to sguild. Can you paste your BY config for me?

Bammkkkk

samsamwun
December 7th, 2004, 20:07
Looks like barnyard is unable to connect to sguild. Can you paste your BY config for me?

Bammkkkk

Hi, the config file of Barnyard is shown below:
config hostname: at #"at" is the name of the Baryard server.
config interface: tun0
config filter: not port 22
output alert_fast
output log_dump
output sguil: mysql, sensor_id 0, database sguildb, server at,\
user sguil, password mypasswd, sguild_host at, sguild_port 7736

sguild.conf:
set DAEMON 0
set SERVERPORT 7734
set SENSORPORT 7736
set RULESDIR /nsm/rules
set TMPDATADIR /tmp
set DBNAME sguildb
set DBPASS "mypasswd"
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
set P0F 1
set P0F_PATH "/usr/local/bin/p0f"
set EMAIL_EVENTS 0
set SMTP_SERVER localhost
set EMAIL_RCPT_TO "root@localhost"
set EMAIL_FROM "root@localhost"
set EMAIL_SUBJECT "RT Event"
set EMAIL_MSG "\[%t\] ALERT from %sn: %msg. %sip:%sp -> %dip:%dp"
set EMAIL_CLASSES "successful-admin trojan-activity attempted-admin attempted-user"
set EMAIL_DISABLE_SIDS "0"
set EMAIL_ENABLE_SIDS "1000003"

Thanks
Sam

samsamwun
December 7th, 2004, 21:00
I installed sguild-0.5.3 today. Sguild started without error, but Barnyard still failed. The error is:

# mysql -u root -p -e "GRANT INSERT, SELECT, UPDATE on sguildb.* to sguil@localhost"
Enter password:
ERROR 1045: Access denied for user: 'root@localhost' (Using password: YES)
# mysql -u root -p -e "GRANT INSERT, SELECT, UPDATE on sguildb.* to sguil@localhost"
Enter password:
# mysql -u root -p -e "GRANT INSERT, SELECT, UPDATE on sguildb.* to sguil@authtec.comNo clients to send info msg to.
Enter password:
# mysql -u root -p -e "FLUSH PRIVILEGES"
Enter password:
# barnyard -c barnyard.conf -d /nsm -g gen-msg.map -s sid-msg.map -f snort.log -w -waldo.file &
[2] 5510
# Barnyard Version 0.2.0 (Build 32)
Opened spool file '/nsm/snort.log.1102256375'
OpSguil_Start
Connect from 192.168.4.254:62359 sock11
Validating sensor access: 192.168.4.254 :
ALLOWED
Sensor Data Rcvd: RTEvent |||system-info|at||Barnyard started.||||||||
SYSTEM INFO: {} {} system-info at {} {Barnyard started.} {} {} {} {} {} {} {} {}
No clients to send info msg to.
Failed to connect to database sguil:mypasswd@at/sguildb: Access denied for user: 'sguil@authtec.com' (Using password: YES)
Fatal Error, Quitting..
Exiting
Sensor Data Rcvd:
Sensor Cmd Unkown (sock11):
Socket sock11 closed

I remember I have set a password for the sguil user.

Sam.
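Added example, not part of the thread above and not sguil's or Barnyard's own code. MySQL identifies an account by user name AND the host the connection arrives from, so a grant to sguil@localhost applies only to local socket/loopback connections; the "Access denied for user: 'sguil@authtec.com'" line shows MySQL seeing the Barnyard connection as coming from the host authtec.com. The statements below grant the same INSERT, SELECT and UPDATE privileges the thread uses to the account for each host it connects from, then show how to check what the server actually holds. The password is a placeholder; the host name authtec.com is taken from the error message on the page, and if the server resolves the sensor to an IP address instead of a name (for example with skip-name-resolve), the IP is what must appear in the grant. `GRANT ... IDENTIFIED BY` is the MySQL 4.x/5.x syntax of the period; MySQL 8 requires a separate CREATE USER.

```sql
-- Added example (not from the thread). Placeholder password; replace it.

-- Local connections: sguild itself uses DBHOST localhost
GRANT INSERT, SELECT, UPDATE ON sguildb.*
    TO 'sguil'@'localhost' IDENTIFIED BY 'REPLACE_WITH_DB_PASSWORD';

-- Connections from the sensor as MySQL sees them (host name from the
-- "Access denied" message); use the IP instead if the server does not
-- reverse-resolve client addresses.
GRANT INSERT, SELECT, UPDATE ON sguildb.*
    TO 'sguil'@'authtec.com' IDENTIFIED BY 'REPLACE_WITH_DB_PASSWORD';

FLUSH PRIVILEGES;

-- Verify: one account row per host the sensor may connect from
SELECT User, Host
  FROM mysql.user
 WHERE User = 'sguil';

-- Database-level privileges actually stored for sguildb
SELECT User, Host, Db, Select_priv, Insert_priv, Update_priv
  FROM mysql.db
 WHERE User = 'sguil' AND Db = 'sguildb';

-- Same information as MySQL reports it for the failing user@host pair
SHOW GRANTS FOR 'sguil'@'authtec.com';
```

Running the verification queries before restarting Barnyard shows immediately whether the user@host pair in the error message exists at all; an account that is missing for that host fails with the same "Access denied" message as a wrong password, which is why a correct password alone does not rule this out.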