Debian, OpenSourceSoftware, Security, Ubuntu

Sguil 0.7.0, Snort, Barnyard & Sancp on Debian/Ubuntu…

I have used the last three weeks to play a bit with what I see as the funniest open-source NSM (Network Security Monitoring) set-up there is. Snort is the “de facto standard” for IDS, and the only console/frontend/dashbord that really put the bits and pieces of NSM together, is Sguil.

I first got introduced to sguil 0.6.1 about two years ago. I did not get any real hands on experience, but I knew from back then, that it was more or less the ultimate open-source set-up for a NSM set-up.

After having The ‘Tao of Networking Security Monitoring’ laying around me for about two and a half year, I managed to read it during Xmas and it gave me an insight into sguil. So when I started to look at sguil, I had access to .deb’s for sguil 0.6.1, but since sguil 0.7.0 is in Alpha and seems to be stable, I decided to go for that.
UPDATE: Sguil 0.7.0 was released 26 of March 2008.

I could write down the things I did, but if you are geeky enough, you can install my .deb’s and get a feel of what went down 🙂

I tried to make the .deb’s (sguil-*,sancp,barnyard) in the way that they fit well together. Barnyard is patched so it has the ‘sguil output’ and x86_64 patch etc. Also everything is aimed to work together and is using /nsm_data/ as the “/snort_data/” dir. There is also a user ‘nsm’ to run the whole thing together.

* Do a test install somewhere, and actual see that things fit like it should
* Get pads to work/ repack it for sguil
* Better startup script for the
* cron jobs for the sguil-sensor

Check out my .deb’s here if you want:

Feedback is more than welcome!


2008-03-30: Did a clean install of my .deb's on my test system. New is that TLS is required:
# openssl req -new -x509 -nodes -out /etc/sguild/certs/sguild.pem -keyout /etc/sguild/certs/sguild.pem -days 365
# ln -s /etc/sguild/certs/sguild.pem /etc/sguild/certs/sguild.key
2008-03-28: Checked out version 0.7.0 from cvs with the latest bug-fixes. Repacked .debs
2008-03-26: Sguil Version 0.7.0 has been released! (Bamm Visscher announced)
2008-02-10: Fixed barnyard issues.
2008-02-08: First errors found in barnyard package : init-script points to wrong $CONFIG variable and sguil output plugin has for some reason not been compiled in. Will look at this soon!


12 thoughts on “Sguil 0.7.0, Snort, Barnyard & Sancp on Debian/Ubuntu…

  1. treebug:
    I tried and failed, tried and failed…
    I read the Sguil_on_RedHat_HOWTO, I read documentation that comes along with sguil.

    My .debs are not magic… they just try to set up things, in such a way that i works out of the box,. I belive you have to edit /etc/defaults/sancp to add the sancp.conf from /etc/sguil-sensor/sancp.conf, but thats more or less it… You also have to add the mysql user and import the initial database. If you want to, I could post details on how to install my debs ?


  2. asd says:

    Could you provide a step by step manual for these packages? Do I need to install dependencies prior to these debs? Manually create users and configure stuff in /etc/init.d?



  3. Hi,

    dpkg -i should give you dependencies. Install the dependencies, and then install the packaged. (“apt-get -f” could also be used).

    First I want to add that, my test installation is like this:
    Sensor: holds barnyard, sancp and sguil-sensor.
    Server: holds mysql and sguil-server.
    Workstation: holds sguil-client.

    You have to configure snort… How you want to do that, is a chapter of its own. You should configure:
    output log_unified: filename snort.log, limit 128
    preprocessor perfmonitor: time 300 file /nsm_data/equador/snort.stats pktcnt 10000

    at least!

    Then you should configure /usr/sbin/ to fit your hostname and interface (and anything else if you like).

    /etc/defaults/sancp should be configured to use the sancp.conf
    from sguil, and you might change your interface to fit you needs…
    SANCP_CONFIG=”-c /etc/sguil-sensor/sancp.conf”
    SANCP_INTERFACE=”-i eth0″

    Then /usr/share/doc/sguil-doc/doc/INSTALL.gz should be your next stop. Read it, and do the Step 1, mysql installation 🙂

    Go through the /etc/sguil-sensor/*_agent.conf files. Change SERVER_HOST and HOSTNAME etc.

    To start the things, this should be it:
    /etc/init.d/sguil-server start
    /etc/init.d/sguil-sensor-snort start
    /etc/init.d/sguil-sensor-pcap start
    /etc/init.d/sguil-sensor-pads start
    /etc/init.d/sguil-sensor-sancp start
    /etc/init.d/sancp start
    /etc/init.d/barnyard start
    /etc/init.d/snort start start

    assuming that mysql is running on sguil-server.

    My .debs are for testing at the moment, I would love feedback on how to make things more smooth. If you have any problems, I will try to help 🙂 There is also doc all around the web, which you could read to get a better idea about what squil is, and how it works. #snort-gui is also a resource for information.

    When sguil 0.7.0 is more release ready, I will repack my .debs and hopefully it will all just work out of the box 🙂



  4. asd says:

    Would it be possible to pack these packages independent of the architecture? I am running an i38 system. I’m trying to set up an entire Sguil system in 3 VMware images to play around…


  5. KoKKeL says:

    Nice description for the snort program, did u manage to get the repacked debs working out of the box as u called it 😀


  6. Yes,
    My packages work well for me 🙂 I have made some updates, which will be in my next release, and I will also update so that the bug fixes from sguil-cvs will be added. I have some thought on how to improve my .debs, but right now, I don’t have too much spare time to play. Beside, its summer 🙂 Need to enjoy the sun when I can too 🙂
    As you can see under, I also repacked snort 2.8.2, which I plan to install on my sensors too. I will have a look at how to set up a debian archive, so it will be easier to install, and update.



  7. mad says:

    Say I wanna put up an all-in-one sensor/database/console (best with BASE and OINKMASTER) on a Debian installtion:

    is there a particular order installing your .deb packages?

    Or if you could, provide a step-by-step writeup?



  8. Take a look at
    for a step by step install howto (Posted it when I saw mad’s post).

    Its work in progress, but I hope it will be helpful.

    When it comes to BASE and oinkmaster, I belive that BASE needs the snort-mysql package in debian, which I belive is not compatible with the snort-common package which the sguil installation is based upon.
    You can compile and local install snort to support mysql and unified logging, but by doing this, snort performance might drop too much…

    Oinkmaster should be no problem 🙂



  9. Vince says:

    Hi Edward,

    Just wanted to say thanks for putting together the debian packages. They’ve been quite a help to me and I wanted to let you know that with just a few tweaks I’ve got everything up and running on a Debian Lenny system with the help of your packages. About the only showstopper I ran into was that since you built the .debs from the CVS version, if I wanted to run a client on any other type of machine, I just needed to make sure and install the from CVS and not the latest stable. It’s a little frustrating since the version numbers reported by the program don’t chance (0.7.0) even though they are different. Also running into a small problem with pads running in deamon mode with the startup script, but it runs fine when started from the command line. Anyways, thank you for your work on the packages.


  10. Hi Vince!

    Thanks for the comments, I appreciate it 🙂
    If you have any suggestion to make the .debs better, feedback is welcome! Also, any comments on whats makes the the daemon mode buggy with PADS in Lenny, is also appreciated.

    Thank you for your response 🙂



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s