Re: Sguil 8 and Barnyard2 beta

[James Lay <jlay () slave-tothe-box net>]

Thanks Bamm and Firnsy....been going step by step and installing and
configuring the sensors comes last after starting barnyard2. I'll try with
the sensors then try again.  I think I have another question on this
setup, but I'll start a new thread after getting this one fixed up.
Thanks again.

James

On 7/10/11 7:26 AM, "Bamm Visscher" <bamm.visscher () gmail com> wrote:

> Hi James,
>
> Barnyard shouldn't be configured to connect directly to sguild,
> instead, it connects to the snort_agent (port 7735 by default). Check
> your snort_agent.conf and see what you have BY_PORT configured to.
>
> So should be barnyard2 -> snort_agent:7735 -> sguild:7736
>
> Bamm
>
>
>
> On Sun, Jul 10, 2011 at 7:36 AM, James Lay <jlay () slave-tothe-box net>
> wrote:
> > Hey all,
> > SoŠ.been trying to get sguil to flyŠand here's what I see below:
> > Running in Continuous mode
> >         --== Initializing Barnyard2 ==--
> > Initializing Input Plugins!
> > Initializing Output Plugins!
> > Parsing config file "/opt/etc/snort/barnyard2.conf"
> > Log directory = /var/log/barnyard2
> > sguil:  sensor name = gateway
> > sguil:  agent port =  7736
> > sguil:  Connected to localhost on 7736.
> > 2011-07-10 11:31:58 pid(19350)  Sensor agent connect from
> > 127.0.0.1:40978
> > sock15
> > 2011-07-10 11:31:58 pid(19350)  Validating sensor access: 127.0.0.1 :
> > 2011-07-10 11:31:58 pid(19350)  Valid sensor agent: 127.0.0.1
> > ERROR: sguil: Expected SidCidResponse and got 'SGUIL-0.8.0 OPENSSL
> > ENABLED
> > '
> > Fatal Error, Quitting..
> > 2011-07-10 11:31:58 pid(19350)  Sensor Data Rcvd: SidCidRequest gateway
> > 2011-07-10 11:31:58 pid(19350)  Ignoring cmd from unregistered agent:
> > SidCidRequest gateway
> > 2011-07-10 11:31:58 pid(19350)  Sensor Data Rcvd:
> > 2011-07-10 11:31:58 pid(19350)  Ignoring cmd from unregistered agent:
> > 2011-07-10 11:31:58 pid(19350)  Socket sock15 closed
> > Scouring the net found me nothing with this.  Any hints on what I can
> > do to
> > fix this?  Got to admitŠ.sguil is one of the most frustration apps I've
> > tried to get workingŠ
> > James
> >
> > -------------------------------------------------------------------------
> > -----
> > All of the data generated in your IT infrastructure is seriously
> > valuable.
> > Why? It contains a definitive record of application performance,
> > security
> > threats, fraudulent activity, and more. Splunk takes this data and makes
> > sense of it. IT sense. And common sense.
> > http://p.sf.net/sfu/splunk-d2d-c2
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please see http://www.snort.org/docs for documentation
>
>
>
> -- 
> sguil - The Analyst Console for NSM
> http://sguil.sf.net
>
> --------------------------------------------------------------------------
> ----
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please see http://www.snort.org/docs for documentation



------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation