Thursday, 08 July 2004

Sguil Development Issues

Lots has been happening in the Sguil world this past week. Bamm released Sguil 0.5.0 last week. The major development was the merging of xscriptd functionality into sguild. That's one less component to worry about.

I also made some changes to the instructions for building IncrTcl in my Sguil installation guide, thanks to Mark Bergstrom. My guide still applies to Sguil 0.5.0, although the advice on xscriptd now belongs in the sguild configuration section. I'll produce a new guide for Sguil 0.5.1 when it arrives, as I hope to incorporate Snort 2.2.0 as well.

After nearly four years of asking Bamm for feature requests in various apps he's written, I finally committed my own change to Sguil. I committed a change to sguil.tk and qrylib.tcl to support querying for events by source or destination port. Unfortunately I made a mistake merging my changes into the version I checked into CVS, and Bamm made a correction to sguil.tk shortly after my commit! I duplicated a line by mistake.

Nevertheless, I thought it might be interesting to share the commands I used to check out and then check in the Sguil code for those who don't use CVS.

First I checked out the latest Sguil distro. I made a directory to separate that code from my home directory, and then set an environment variable telling CVS to use SSH for transport:

drury:/home/analyst$ cd sguil_devel
drury:/home/analyst/sguil_devel$ export CVS_RSH=ssh

Next I checked out the Sguil code:

drury:/home/analyst/sguil_devel$ cvs -d:ext:taosecurity@cvs.sf.net:/cvsroot/sguil checkout sguil
taosecurity@cvs.sf.net's password:
cvs checkout: Updating sguil
U sguil/README
cvs checkout: Updating sguil/client
U sguil/client/sguil.conf
U sguil/client/sguil.tk
cvs checkout: Updating sguil/client/lib
U sguil/client/lib/dkffont.tcl
U sguil/client/lib/email17.tcl
...truncated...

Next I made the changes I needed to the Sguil code, and committed them. Note I did this from the 'sguil' directory:

drury:/home/analyst/sguil_devel/sguil$ cvs commit
cvs commit: Examining .
cvs commit: Examining client
cvs commit: Examining client/lib
...edited...
cvs commit: Examining web/data
cvs commit: Examining web/lib
taosecurity@cvs.sf.net's password:

After entering my password, I was dropped into a vi session. There I was asked to write my log entry for the changes I made. When I was done, CVS checked in the files I had modified:

Checking in client/sguil.tk;
/cvsroot/sguil/sguil/client/sguil.tk,v <-- sguil.tk
new revision: 1.121; previous revision: 1.120
done
Mailing sguil-cvs@lists.sf.net...
Generating notification message...
Generating notification message... done.
Checking in client/lib/qrylib.tcl;
/cvsroot/sguil/sguil/client/lib/qrylib.tcl,v <-- qrylib.tcl
new revision: 1.19; previous revision: 1.18
done
Mailing sguil-cvs@lists.sf.net...
Generating notification message...
Generating notification message... done.
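As an added example, not code from the original post or from the Sguil project, here is a small POSIX sh guard for the session shown above. The point of `export CVS_RSH=ssh` together with a `:ext:` root is that the password prompt and the file transfer ride over SSH rather than over rsh or the cleartext `:pserver:` protocol; this check confirms both settings before a checkout or commit is attempted. The function names `cvs_transport_ok` and `cvs_host` are my own; the repository root is the one from the post.

```shell
# Added example (not from the original post): check that a CVS session will
# use SSH before running checkout or commit. Function names are mine.

# cvs_transport_ok ROOT RSH
# Returns 0 when ROOT uses the :ext: access method and RSH names ssh;
# returns 1 otherwise and says why on stderr.
cvs_transport_ok() {
    root=$1
    rsh=$2
    case "$root" in
        :ext:*@*:/*) ;;                       # :ext:user@host:/path is what we want
        :pserver:*)
            echo "refusing $root: pserver sends the password in cleartext" >&2
            return 1 ;;
        *)
            echo "refusing $root: expected :ext:user@host:/path" >&2
            return 1 ;;
    esac
    case "$rsh" in
        ssh|*/ssh) return 0 ;;                # plain "ssh" or a full path to it
        "")
            echo "CVS_RSH is unset; cvs would use its build-time default instead of ssh" >&2
            return 1 ;;
        *)
            echo "CVS_RSH=$rsh is not ssh" >&2
            return 1 ;;
    esac
}

# cvs_host ROOT
# Prints the host part of an :ext: root, handy for confirming the SSH host
# key is already in known_hosts before cvs prompts for a password.
cvs_host() {
    printf '%s\n' "$1" | sed 's/^:ext:[^@]*@\([^:]*\):.*/\1/'
}

# Usage with the values from the post; the real checkout would follow unchanged.
CVSROOT=':ext:taosecurity@cvs.sf.net:/cvsroot/sguil'
CVS_RSH=ssh
if cvs_transport_ok "$CVSROOT" "$CVS_RSH"; then
    echo "transport ok, host $(cvs_host "$CVSROOT")"
fi
```

Running `cvs diff -u` from the sguil directory before `cvs commit` prints exactly the lines about to be checked in, which is the simplest way to spot a duplicated line like the one described above before it reaches the repository and the sguil-cvs list.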




In the #snort-gui IRC channel on irc.freenode.net, this message appeared:

<CIA-7> taosecurity * sguil/client (2 files in 2 dirs): Added ability to query events for source or destination ports.

CIA-7 is a reference to the CIA Open Source Notification System, an IRC bot. You can see that message saved here. We also use Infobot and Pastebot to keep track of various pieces of information in the #snort-gui channel.
