I have spent the last three weeks playing a bit with what I see as the most fun open-source NSM (Network Security Monitoring) set-up there is. Snort is the “de facto standard” for IDS, and the only console/frontend/dashboard that really puts the bits and pieces of NSM together is Sguil.
I was first introduced to sguil 0.6.1 about two years ago. I did not get any real hands-on experience, but I knew from back then that it was more or less the ultimate open-source NSM set-up.
After having ‘The Tao of Network Security Monitoring’ lying around for about two and a half years, I managed to read it during Xmas, and it gave me an insight into sguil. So when I started to look at sguil, I had access to .deb’s for sguil 0.6.1, but since sguil 0.7.0 is in Alpha and seems to be stable, I decided to go for that.
UPDATE: Sguil 0.7.0 was released on 26 March 2008.
I could write down the things I did, but if you are geeky enough, you can install my .deb’s and get a feel of what went down 🙂
I tried to make the .deb’s (sguil-*, sancp, barnyard) so that they fit well together. Barnyard is patched so it has the ‘sguil output’ plugin and the x86_64 patch, etc. Everything is set up to work together and uses /nsm_data/ as the “/snort_data/” dir. There is also a user ‘nsm’ that runs the whole thing.
* Do a test install somewhere, and actually see that things fit like they should
* Get pads to work / repack it for sguil
* Better startup script for the log_packet.sh
* cron jobs for the sguil-sensor
Check out my .deb’s here if you want: http://debs.gamelinux.org/
Feedback is more than welcome!
2008-03-30: Did a clean install of my .deb's on my test system. What's new is that TLS is now required:
# openssl req -new -x509 -nodes -out /etc/sguild/certs/sguild.pem -keyout /etc/sguild/certs/sguild.pem -days 365
# ln -s /etc/sguild/certs/sguild.pem /etc/sguild/certs/sguild.key
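As an added example (not from the post or from the Sguil project), here is a small POSIX sh helper that produces the same combined key+certificate file as the two commands above, plus a check that a practitioner would want before starting sguild: that the PEM really contains both a certificate and the matching private key, that the certificate has not expired, and that the file is not readable by other users. The directory, CN and validity period are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates the combined
# key+certificate PEM that sguild 0.7.0 expects and verifies it.
set -eu

# make_sguild_cert DIR DAYS CN
# Writes DIR/sguild.pem (key first, then cert) and the DIR/sguild.key symlink.
make_sguild_cert() {
    dir=$1; days=$2; cn=$3
    mkdir -p "$dir"
    # -nodes: no passphrase, so sguild can start unattended from its init script.
    # Using the same file for -keyout and -out makes openssl append the cert
    # after the key, which is what the post's command relies on.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=$cn" \
        -out "$dir/sguild.pem" -keyout "$dir/sguild.pem" 2>/dev/null
    chmod 600 "$dir/sguild.pem"          # the file holds the private key
    ln -sf sguild.pem "$dir/sguild.key"
}

# check_sguild_cert DIR
# Returns 0 only if the PEM holds a certificate and a private key that belong
# together, the certificate is currently valid, and the file mode is 0600.
check_sguild_cert() {
    dir=$1; pem=$dir/sguild.pem
    [ -f "$pem" ] || { echo "missing $pem"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
    grep -q 'PRIVATE KEY' "$pem"       || { echo "no private key in $pem"; return 1; }
    # A key that does not match the cert would make every TLS handshake fail.
    certmod=$(openssl x509 -in "$pem" -noout -modulus)
    keymod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null)
    [ "$certmod" = "$keymod" ] || { echo "key/cert mismatch in $pem"; return 1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || { echo "cert expired"; return 1; }
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    [ "$mode" = "600" ] || { echo "$pem is mode $mode, want 600"; return 1; }
    return 0
}
```

Run `make_sguild_cert /etc/sguild/certs 365 your.sguild.host` as root, then `chown nsm` the PEM if sguild runs as the ‘nsm’ user, and `check_sguild_cert /etc/sguild/certs` before starting the daemon.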
2008-03-28: Checked out version 0.7.0 from CVS with the latest bug fixes. Repacked the .debs.
2008-03-26: Sguil Version 0.7.0 has been released! (Bamm Visscher announced)
2008-02-10: Fixed barnyard issues.
2008-02-08: First errors found in the barnyard package: the init script points to the wrong $CONFIG variable, and the sguil output plugin has for some reason not been compiled in. Will look at this soon!