My Sguil debs howto

Ubuntu Lucid Lynx (10.04 LTS) my sguil dot debs howto
I make my dot debs with my main goal to have them work for Ubuntu Lucid Lynx (10.04 LTS). If they do work on other debian based systems, thats great! I have nothing against working towards getting them to work on as many debian systems as possible, but my main goal now is Ubuntu Lucid (LTS). (My focus will be on the latest Ubuntu LTS)

To use my Ubuntu Launchpad PPA, add the following in /etc/apt/sources.list:
deb lucid main
deb-src lucid main

To add my key to you Ubuntu installation:
apt-key adv --keyserver --recv-keys 4B04D050
# Then apt-get update
apt-get update

Sguil Client:
Preferably not to be installed on the sensors or server.
apt-get install sguil-client

Sguil Sensor:
apt-get install sguil-sensor
Edit all your /etc/sguil-sensor/XXXX_agent.conf files and minimum change:
# Name of sguild server

Also, I pack cxtracker and not sancp default, so you need to start cxtracker and not sancp.
Configure the right interface and path to store cxtracker/sancp data in /etc/defaults/cxtracker.
I will not try to educate you in snort, my time is to sparse for that, but try dpkg-reconfigure snort
and have a look in /etc/snort/snort.debian.conf

In your snort.conf file you should have this for barnyard, statistics and portscan-logfile to work properly:
output log_unified: filename snort.log, limit 128
preprocessor perfmonitor: time 300 file /nsm_data/*sensor hostname*/snort.stats pktcnt 10000
preprocessor sfportscan: proto { all }
memcap { 30000000 }
logfile { /nsm_data/*sensor hostname*/portscans }
sense_level { low }

You also need to edit /usr/sbin/ and change the INTERFACE variable to your interface you want to collect packets from. For pcap_agent.tcl to work on modern Ubuntu systems, you need to edit apparmor permissions, add:

/nsm_data/*sensor hostname*/dailylogs/.*/** r,


Your pads config file should look something like this (Edit for you needs!!):
#daemon 1
pid_file /var/run/
interface eth1
output fifo: /nsm_data/*sensor hostname*/pads.fifo

SERVICES="snort pads barnyard sancp sguil-sensor-sancp sguil-sensor-snort sguil-sensor-pcap sguil-sensor-pads"
/etc/init.d/$SERVICES start
/usr/sbin/ start

Sguil Server:
apt-get install sguil-server
gunzip /usr/share/doc/sguil-server/sql_scripts/create_sguildb.sql.gz
openssl req -new -x509 -nodes -out /etc/sguild/certs/sguild.pem -keyout /etc/sguild/certs/sguild.key -days 3650

Then go into mysql and execute:

mysql> CREATE DATABASE sguildb;
mysql> GRANT USAGE ON *.* TO 'sguil'@'localhost' IDENTIFIED BY 'yourl33tpasswd';
mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON sguildb.* TO 'sguil'@'localhost';
mysql> GRANT FILE ON *.* TO 'sguil'@'localhost';
mysql> u sguildb
mysql> SOURCE /usr/share/doc/sguil-server/sql_scripts/create_sguildb.sql

# vim /etc/sguild/sguild.conf
# DataBase Info
set DBNAME sguildb
set DBPASS "yourl33tpasswd
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil

Append the rules to apparmor:
# vim /etc/apparmor.d/usr.sbin.mysqld
/sguild_data/load/ r,
/sguild_data/load/* r,
/sguild_data/load/** r,
and restart apparmor:
/etc/init.d/apparmor restart

Get a hold of your snort-rules and place them in: /sguild_data/rules/default/
# ln -s /sguild_data/rules/default/ /sguild_data/rules/*YOURsensorXhostname*

Start your sguild-server
/etc/init.d/sguil-server start

Add a user for yourself:
sguild -adduser Monkey1
make a good passwd.

fire up sguil-client from your favorite desktop (ubuntu) and get connected!

# dpkg-reconfigure tzdata
Current default timezone: ‘Etc/GMT’


10 thoughts on “My Sguil debs howto

  1. Pingback: Ubuntu repo for sguil- Work Together For The Benefit Of All ManKind…

  2. sazh says:

    Go an error on ubuntu 10.04 when trying to start sguil-server:
    * Starting sguil-server
    ERROR: This version of tcl was compile with threading enabled. Sguil is NOT compatible with threading.
    SGUILD: Exiting…

    Problem was tcl8.4, go with tcl8.3 instead:

    aptitude remove tcl8.4 && aptitude install tcl8.3


  3. salawank says:

    Hi there,

    Thanks for great post 🙂

    I managed to install on top of ubuntu 11.10 using your debs + some tweaking and workaround.

    One thing I want to mention is that I’m having difficulties while importing the db’s tables. not sure whether it is within the original .deb installation / sql file or mysql version. But i’ve posted here if others experienced also



  4. Ryan T. says:

    Thanks for the how to, however I am unable to get the key using the method described above I am getting an error after the check saying:

    gbg: no writable keyring could be found: eof
    gbg: error reading ‘ [stream] ‘ : general error
    gbg: total number processed: 0

    Have you changed or updated the key? I’ve tried the command 4 different times double checking it against your code each time and have gotten the same error each time. Any assistance would be greatly appreciated.


  5. Ryan T. says:

    Thanks but it’s talking about doing it one way and it appears your talking about doing it another. I tried:

    sudo add-apt-repository ppa://

    And what I get is error reading: HTTP Error 401: Unauthorized

    I’ve tried adding lucid main on the end as well as lucid_main on the end neither way works. I’ve also tried putting it at the beginning but no dice.


  6. Hi.. !!

    I just need to install sguil client on my newly installed ubuntu desktop.. its version 13.. something…

    I can add the PPA
    I can add the key..
    The client install goes well it seems

    but when i try to execute sguil I get an error:

    casper@CJ-LAP07:/usr/bin$ sudo ./
    sudo: unable to execute ./ No such file or directory


    bash: /usr/bin/ /usr/bin/tclsh8.4: bad interpreter: Ingen sådan fil eller filkatalog

    What am i missing??



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s