byron
June 17th, 2005, 11:49
Knowing that there are some Sguil experts here in these forums I'll take a shot.

I'm developing a fairly large Snort implementation primarily on Soekris net4801s, which incidentally are already built and deployed to remote locations, and a few larger and more robust boxes at corporate HQ. The Soekris boxen run a very stripped version of OpenBSD 3.6. To get to the point, I'd like to use Sguil for monitoring. However, it is my understanding that Sguil's agent piece requires Tcl, which of course is not included in the stripped OpenBSD Soekris builds, nor is the chief architect really interested in pushing Tcl out. Not to mention my concerns about the Soekris hardware's ability to run all the required processes for Sguil without dropping too many packets. Can Sguil still run, albeit handicapped, without the agent piece running on the sensors? If it were possible, what functionality would be lost, session data and passive OS fingerprinting? Would it be possible to run the Sguil client to monitor all sensors even if only a couple of them (the more robust HQ boxes) actually ran the Sguil agents?

If it were not possible to monitor these remote sensors with Sguil what would you use to monitor/manage such small footprint boxes without the ability to run things like Perl, Tcl or hell even Cron? I'm afraid that I'll be forced to write a bunch of custom shell scripts to accomplish most of this.

byron
^who hates re-inventing the wheel

elmore
June 17th, 2005, 18:35
^who hates re-inventing the wheel

But come on dood, that's the fun part! ;)


BTW, I'm the guy Byron refers to in the above post. We really do need some input from you sguil gurus in the crowd!

Kernel_Killer
June 17th, 2005, 18:43
Have you thought of just running snort and barnyard, then having a separate database server for all the sensors to drop into? At least then you'll have all the logs until barnyard spits them into the DB, and not have to worry about putting too much load on the 4801.

byron
June 17th, 2005, 20:25
Well yes, I already have a screaming mysql server (no pun intended) in place that barnyard will be dumping all of the logs and alerts into from the various sensors. That was an early requirement for the project, and if I'm not mistaken, doesn't Sguil require a database server? In fact, while performance tuning Snort on the 4801s, barnyard was one of the single largest contributing factors to decreasing packet loss to an acceptable level. I highly recommend barnyard for anyone looking to squeeze a little more performance out of their sensors. Also, if you're looking to run Snort on low-end hardware, I'd also advise looking into the lowmem option in snort.conf.
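The sensor-side setup that Kernel_Killer and byron describe (Snort writing unified binary files, barnyard on the sensor pushing them to a central database, and the lowmem pattern matcher for small boxes), as an added example that is not from the thread or the Sguil project; the hostnames, interface, filenames and credentials are placeholders.

```conf
# --- snort.conf (on the Soekris sensor, Snort 2.x syntax) ---

# Use the low-memory pattern matcher: slower per packet than ac/mwm,
# but it keeps the rule set's memory footprint within what a net4801 has.
config detection: search-method lowmem

# Do not let Snort talk to the database itself. Writing unified binary
# spool files keeps the capture path short; barnyard does the DB work.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf (also on the sensor; reads the spool, writes to the DB) ---

config daemon
config hostname: sensor01.example.net      # placeholder sensor name
config interface: sis0                     # placeholder sniffing interface
config localtime

# Process the alert spool produced by alert_unified above.
processor dp_alert

# Push alerts to the central MySQL box. The DB host, name, user and
# password are placeholders; keep this file mode 0600 since the
# password is stored in clear text.
output alert_acid_db: mysql, sensor_id 1, database snort, server db.example.net, user snort, password CHANGEME, detail full

# Start barnyard pointed at the spool directory and a waldo (bookmark) file,
# so a restart resumes where it left off instead of re-inserting old events:
#   barnyard -c /etc/barnyard.conf -d /var/log/snort -f snort.alert -w /var/log/snort/waldo
```

If the database is unreachable the spool files simply accumulate on the sensor until barnyard catches up, so watch free space on the spool partition.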