| 1 |
It does emerge-- have not tried running it yet -- configuration worklist |
| 2 |
first |
| 3 |
|
| 4 |
http://www.disciplina.net/howto/HOWTO-sguil.html is helpful, but i |
| 5 |
needed some extra stuff, whole magilla to emerge below: |
| 6 |
|
| 7 |
add to /etc/portage/package.keywords: |
| 8 |
|
| 9 |
net-analyzer/sguil-server ~x86 |
| 10 |
net-analyzer/sguil-client ~x86 |
| 11 |
net-analyzer/sguil-sensor ~x86 |
| 12 |
net-analyzer/oinkmaster ~x86 |
| 13 |
net-analyzer/snort ~x86 |
| 14 |
net-analyzer/sancp ~x86 |
| 15 |
net-analyzer/barnyard ~x86 |
| 16 |
net-analyzer/tcpflow ~x86 (could be ~amd64 , I switched to ~x86 |
| 17 |
in initial response to |
| 18 |
sguil-sensor/snort error) |
| 19 |
dev-tcltk/mysqltcl ~x86 (could be ~amd64 , I switched to ~x86 |
| 20 |
in initial response to |
| 21 |
sguil-sensor/snort error) |
| 22 |
|
| 23 |
add sguil to use flags in /etc/make.conf |
| 24 |
|
| 25 |
emerge snort |
| 26 |
(emerge of sguil-sensor errored at line 41 of function package_setup |
| 27 |
with a msg "use flag sguil must be set for snort" until I emerged snort |
| 28 |
first and separately, apparent error in dependency call.) |
| 29 |
|
| 30 |
emerge sguil-client sguil-server sguil-sensor |
| 31 |
|
| 32 |
******** |
| 33 |
|
| 34 |
Comments suggesting action from the emerges: |
| 35 |
* To use a database as a backend for snort you will have to |
| 36 |
* import the correct tables to the database. |
| 37 |
* You will have to setup a database called snort first. |
| 38 |
* |
| 39 |
* MySQL: zcat /usr/share/doc/snort-2.4.3-r1/schemas/create_mysql.gz | |
| 40 |
mysql -p snort |
| 41 |
* |
| 42 |
* Also, read the following Gentoo forums article: |
| 43 |
* http://forums.gentoo.org/viewtopic-t-399801.html |
| 44 |
* |
| 45 |
* Only a basic set of rules was installed. |
| 46 |
* Please add your other sets of rules to /etc/snort/rules. |
| 47 |
* For more information on rules, visit http://www.snort.org/. |
| 48 |
|
| 49 |
amd64 ~ # emerge sguil-client sguil-server sguil-sensor |
| 50 |
* |
| 51 |
* You can customize your configuration by modifying /etc/sguil/sguil.conf |
| 52 |
* |
| 53 |
>>> net-analyzer/sguil-server-0.6.0_p1 merged. |
| 54 |
* |
| 55 |
* Please customize the sguild configuration files in /etc/sguild before |
| 56 |
* trying to run the daemon. Additionally you will need to setup the |
| 57 |
* mysql database. See /usr/share/doc/sguil-server-0.6.0_p1/INSTALL.gz for |
| 58 |
information. |
| 59 |
* Please note that it is STRONGLY recommended to mount a separate |
| 60 |
* filesystem at /var/lib/sguil for both space and performance reasons |
| 61 |
* as a large amount of data will be kept in the directory structure |
| 62 |
* underneath that top directory. |
| 63 |
* |
| 64 |
* You should create the sguild db as per the instructions in |
| 65 |
* /usr/share/doc/sguil-server-0.6.0_p1/INSTALL.gz and use the appropriate |
| 66 |
* database setup script located in the same directory. |
| 67 |
* |
| 68 |
>>> net-analyzer/sguil-server-0.6.0_p1 merged. |
| 69 |
* |
| 70 |
* You should check /etc/sguil/sensor_agent.conf and |
| 71 |
* /etc/init.d/logpackets and ensure that they are accurate |
| 72 |
* for your environment. They should work providing that you |
| 73 |
* are running the sensor on the same machine as the server. |
| 74 |
* This ebuild assumes that you are running a single sensor |
| 75 |
* environment, if this is not the case then you must make sure |
| 76 |
* to modify /etc/sguil/sensor_agent.conf and change the HOSTNAME variable. |
| 77 |
* You should crontab the /etc/init.d/log_packets script to restart |
| 78 |
* each hour. |
| 79 |
* |
| 80 |
>>> net-analyzer/sguil-sensor-0.6.0_p1 merged. |
| 81 |
|
| 82 |
-- |
| 83 |
gentoo-amd64@g.o mailing list |
Archives