Snort with Sguil
This page provides information, updates and files for installing the Snort with Sguil IDS sensor from the ISO provided below.
Current version is 7.2 (March 2012)
The Shadow ISO can be downloaded as a 64-bit or a 32-bit image, and an MD5 checksum is published for each. Check the checksum after downloading to catch a corrupt or truncated image. Note that a checksum published on the same site as the image only detects accidental corruption, not tampering: MD5 is no longer collision resistant, and anyone who could alter the image on the server could alter the checksum next to it.
Built documentation is available for both the 32-bit ISO and the 64-bit ISO.
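The checksum check described above, as an added example that is not part of the original page: it reads the expected hash from the published .md5 file (either the `<hash>  <file>` layout written by md5sum or a bare hash), validates it, and compares it with the digest of the downloaded image. File names are assumptions; `md5sum` from GNU coreutils is assumed to be present.

```sh
#!/bin/sh
# Added example, not from the original page: verify a downloaded ISO against
# the MD5 published next to it. Handles both common .md5 layouts ("<hash>  <file>"
# as written by md5sum, and a bare hash). File names used here are assumptions.
# Remember: this catches a corrupt download, it does not authenticate the image.
set -eu

# expected_md5 FILE.md5 -> prints the 32-hex-digit hash found in the file, or fails
expected_md5() {
  # first field of the first non-empty line, lowercased
  hash=$(awk 'NF { print tolower($1); exit }' "$1")
  case "$hash" in
    *[!0-9a-f]* | "") echo "no MD5 hash found in $1" >&2; return 1 ;;
  esac
  [ "${#hash}" -eq 32 ] || { echo "bad hash length in $1" >&2; return 1; }
  printf '%s\n' "$hash"
}

# verify_iso ISO FILE.md5 -> returns 0 when the digests match, 1 otherwise
verify_iso() {
  want=$(expected_md5 "$2") || return 1
  got=$(md5sum "$1" | awk '{ print $1 }')
  if [ "$got" = "$want" ]; then
    echo "OK: $1 matches $want"
    return 0
  fi
  echo "MISMATCH: $1 has $got, expected $want" >&2
  return 1
}

# Usage after downloading: verify_iso snortsguil-x86_64.iso snortsguil-x86_64.iso.md5
```

A mismatch means the image should be downloaded again, not installed; a match means only that the bytes you received are the bytes the site intended to serve.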
What’s new in version 7.2?
After a year, I have posted an updated ISO of Snort with Sguil. Here is a summary of the updates/changes:
- Added CERT NetSA SiLK tools
- Added the following tools: prads, cxtrack, nftracker and passivedns
- Added a new script to test top 25 worst Snort sensor rules in /usr/local/snort called performance_test_eth1
- Added Sguil httpry_agent
- Upgraded Wireshark/tshark to 1.6.5
- Upgraded Sguil to 0.8.0
- Upgraded softflowd to version 0.9.9 (Use it with ManageEngine)
- Upgraded Snort to version 18.104.22.168 and DAQ to 0.6.2
- Upgraded various packages to latest version
I recommend using the Sguil client package located on the CD in the /files/sguil-0.8.0 directory because it contains some modifications to use httpry to retrieve web links under the Alert ID tab.
Note: Minor updates for this version will be available right here on this page.
Snort with Sguil
Download this custom update script, which lets the sensor fetch all available updates directly from this site.
Transfer the script to the sensor, gunzip it and execute it as root (gunzip custupdate.sh.gz and ./custupdate.sh)
to check the repository for updates. The updates are downloaded to /tmp/slackupdate.
Because the script runs as root and fetches packages over the network, read it before executing it and check that the packages it leaves in /tmp/slackupdate are the ones listed below.
32-bit version custupdate.sh
64-bit version cust64update.sh
Current updates (Latest 20 May 2013)
Snort DAQ 2.0.0 (20 May 2013)
Snort 22.214.171.124 (20 May 2013)
PF_Ring 5.5.2 (20 May 2013)
Wireshark 1.8.7 (20 May 2013)
Libpcap 1.3.0 (5 Dec 2012)
Note: To use PF_Ring, you need to download and install the PF_Ring 32-bit or PF_Ring 64-bit package and the updated rc.snort startup script that enables it.
Snort Update instructions
To upgrade Snort, first stop both services using their startup scripts (/etc/rc.d/rc.snort stop and /etc/rc.d/rc.barnyard stop).
Then upgrade the DAQ and Snort packages with upgradepkg <package name>, DAQ first.
After Snort has been upgraded, the package prints a set of instructions stating that all the important configuration files and directories for both Snort and Barnyard were backed up
and can be restored either manually or with the provided script in the /usr/local/snort directory (/usr/local/snort/restore_files.sh).
Execute /usr/local/snort/restore_files.sh to restore your files and directories; the script deletes itself once it has finished.
Now test your Snort configuration to make sure everything is still in place, and only restart the services once the test passes:
- cd /usr/local/snort
- ./check_snort_eth1 → This test should be successful; if it fails, fix the configuration before going on
- /etc/rc.d/rc.snort start → This restarts Snort
- /etc/rc.d/rc.barnyard start → This restarts Barnyard
One last thing: if you are using oinkmaster to manage your rules, don't forget to update the oinkmaster.conf file to point at the Registered User Release ruleset that matches your new Snort version, since rules built for a different version may fail to load.
Note: Also check the etc directory, because the upgrade leaves a snort.conf_new there. This default configuration may contain new options that are not in your restored configuration file, so diff it against your snort.conf and merge what you need rather than overwriting your own file.
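The upgrade sequence above, collected into one script as an added example (this is not a script shipped on the ISO or written by the page's author). It runs the steps in order and stops at the first failure, so Snort is never restarted on a configuration that check_snort_eth1 rejected, and it finishes by showing the differences between the restored snort.conf and the snort.conf_new the package leaves behind. Assumptions not stated on the page: snort.conf lives in /usr/local/snort/etc, and the PREFIX and UPGRADEPKG variables exist only so the function can be exercised against a fake directory tree; leave both unset on a real sensor.

```sh
#!/bin/sh
# Added example, not a script from the original page: run the Snort/DAQ
# upgrade steps in order and abort at the first failed step.
# Assumptions (not stated on the page): snort.conf lives in
# /usr/local/snort/etc; PREFIX and UPGRADEPKG are only for exercising the
# function against a fake root and must be left unset on a real sensor.
set -eu

# upgrade_snort PKG... : PKG are the DAQ and Snort Slackware packages, DAQ first
upgrade_snort() {
  prefix="${PREFIX:-}"
  upgradepkg_cmd="${UPGRADEPKG:-upgradepkg}"
  snort_dir="$prefix/usr/local/snort"
  rc_snort="$prefix/etc/rc.d/rc.snort"
  rc_barnyard="$prefix/etc/rc.d/rc.barnyard"

  [ "$#" -ge 1 ] || { echo "usage: upgrade_snort <daq pkg> <snort pkg>" >&2; return 2; }
  if [ -z "$prefix" ] && [ "$(id -u)" -ne 0 ]; then
    echo "upgradepkg and the rc scripts need root" >&2
    return 1
  fi
  for pkg in "$@"; do
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
  done

  # 1. stop both services before touching the packages
  "$rc_snort" stop || return 1
  "$rc_barnyard" stop || return 1

  # 2. upgrade the packages in the order given (DAQ, then Snort)
  for pkg in "$@"; do
    "$upgradepkg_cmd" "$pkg" || { echo "upgradepkg failed for $pkg" >&2; return 1; }
  done

  # 3. restore the backed-up config; the package's script removes itself afterwards
  if [ -x "$snort_dir/restore_files.sh" ]; then
    "$snort_dir/restore_files.sh" || return 1
  else
    echo "warning: $snort_dir/restore_files.sh not found; restore the backups by hand" >&2
  fi

  # 4. test the restored configuration; do not restart if the test fails
  if ! (cd "$snort_dir" && ./check_snort_eth1); then
    echo "check_snort_eth1 failed; fix the configuration before restarting" >&2
    return 1
  fi

  # 5. restart the services
  "$rc_snort" start || return 1
  "$rc_barnyard" start || return 1

  # 6. show new options shipped in the default config (assumed location)
  if [ -f "$snort_dir/etc/snort.conf_new" ]; then
    echo "snort.conf_new was left by the package; differences from your snort.conf:"
    diff -u "$snort_dir/etc/snort.conf" "$snort_dir/etc/snort.conf_new" || true
  fi
}

# On the sensor, as root: upgrade_snort daq-<version>.txz snort-<version>.txz
```

The explicit `|| return 1` after each step matters more than it looks: a failed stop or a failed restore followed by an automatic restart is exactly how a sensor ends up silently running on a default configuration, which is why the check runs before, not after, the services come back.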