First Sguil VM AvailableI am happy to announce t...First Sguil VM Available
I am happy to announce the availability of the first public
Sguil sensor, server, and database in
VM format. It's about 91 MB and can be downloaded
here. I built it using the
script described
earlier.
So how do you use this? First, you need to have something like the free
VMware Player for Windows or Linux. You can also use
VMware Workstation or another variant if you like. When you download sguil0-6-0p1_freebsd6-0_1024mb.zip and expand it, you will find a directory like this:
FreeBSD.nvram
FreeBSD.vmsd
FreeBSD.vmx
FreeBSD-000001-cl1.vmdk
By opening the FreeBSD.vmx file in VMware Player, you should be able to start the VM.
Here are some important details.
- The root password is r00t.
- The user analyst is a member of the wheel group, so it can su to root. The analyst password is analyst.
- The user sguil is not a member of the wheel group, so it can not directly su to root. The sguil password is sguil.
- The host's management IP is 192.168.2.121. It is assigned the lnc0 interface and it is bridged via VMware.
- The netmask is 255.255.255.0 and the default gateway is 192.168.2.1.
- The default nameserver is 192.168.2.1.
- Interface lnc1 is also bridged. It is not assigned an IP because it is used for sniffing.
You will probably want to change these parameters manually to meet your own network needs. For example, as root and logged in to the terminal:
ifconfig lnc0 down
ifconfig lnc0 inet 192.168.3.3 netmask 255.255.255.0 up
route add default 192.168.3.3
echo "nameserver 192.168.3.254" > /etc/resolv.conf
Make similar changes to the values in /etc/rc.conf if you want the new network scheme to survive a reboot.
You'll probably also want to change /etc/hosts to reflect your new IPs.
Account passwords, for example, should be changed if you want to hook up this VM in any place outside a lab.
Once the VM boots, I recommend logging in to two terminals. In one terminal, log in as user sguil. Execute the three scripts in sguil's home directory, namely the following, in this order:
sguild_start.sh
sensor_agent_start.sh
barnyard_start.sh
This will start the Sguil server, sensor, and Barnyard.
In the second terminal, log in as root. Start the following scripts:
sancp_start.sh
snort_start.sh
/usr/local/bin/log_packets.sh restart
This will start SANCP, Snort, and log_packets.sh, which uses a second instance of Snort to log full content data.
Once all the components are running, you need to connect to the Sguil server using a Sguil client. I did not install the Sguil client on the VM in order to save space (and to simplify this first round of work).
The easiest way to get a Sguil client running is to download and install the free standard
ActiveTcl distribution for Windows. (Yes, Windows has the easiest client install, thanks to ActiveTcl. Linux might be as easy, but I don't have a Linux desktop to test.)
Once ActiveTcl is installed, download the
Sguil client for Windows. It is a .zip that you need to extract. Once you do, change into the sguil-0.6.0p1/client directory. You'll see sguil.conf. Make the following edits:
# set ETHEREAL_PATH /usr/sbin/ethereal
# win32 example
set ETHEREAL_PATH "c:/progra~1/ethereal/ethereal.exe"
# Where to save the temporary raw data files on the client system
# You need to remember to delete these yourself.
# set ETHEREAL_STORE_DIR /tmp
# win32 example
set ETHEREAL_STORE_DIR "c:/tmp"
# Favorite browser for looking at sig info on snort.org
# set BROWSER_PATH /usr/bin/mozilla
# win32 example (IE)
set BROWSER_PATH c:/progra~1/intern~1/iexplore.exe
Next, edit the sguil.tk file to make one change as shown next:
set VERSION "SGUIL-0.6.0"
Now create a c:\tmp directory, and make sure you have
Ethereal installed if you want to look at full content data in Ethereal.
You're ready to try the client.
Start Sguil by double-clicking on the sguil.tk icon in the Windows explorer. Initially Windows will not know how to run .tk files. Associate this file and other .tk files with the C:\Tcl\bin\wish84.exe program.
The Sguil host is the IP address of the Sguil server. In my VM that is 192.168.2.21. If you leave the demo.sguil.net address, you will connect to Bamm's demo server.
The default port of 7734 is the right port. For the Sguil user and password, the VM uses user sguil, password sguil.
Do not enable OpenSSL encryption. The VM is not built to include that. Select the sensor shown (gruden in the VM), and then click Start Sguil. You should next see the client.
If you have any questions, please post them here. Better yet, visit us at irc.freenode.net in channel #snort-gui.
William Gurstelle, a frequent contributor to 
Harry Eng, a former minister and elementary school teacher, makes these "impossible bottles" that are filled with objects that have been carefully squeezed through the necks of the bottles and arranged with tweezers and surgical haemostats.