Sguil 0.7.0 on Ubuntu 9.10 ~ SecurityCertified

Today I installed a Sguil client on a fresh installation of Ubuntu 9.10.

It was really easy with the exception of one issue I had to troubleshoot, explained below.

First notice that tcl8.4 and tk8.4 is already installed on Ubuntu 9.10.


richard@janney:~$ dpkg --list | grep -i tcl
ii  tcl8.4                               8.4.19-3                                   
Tcl (the Tool Command Language) v8.4 - run-t
ii  tk8.4                                8.4.19-3                                   
Tk toolkit for Tcl and X11, v8.4 - run-time 
richard@janney:~$ sudo apt-get install tclx8.4 tcllib 
 iwidgets4 tcl-tlsReading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  itcl3 itk3
Suggested packages:
  itcl3-doc itk3-doc iwidgets4-doc tclx8.4-doc
The following NEW packages will be installed:
  itcl3 itk3 iwidgets4 tcl-tls tcllib tclx8.4
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,127kB of archives.
After this operation, 18.1MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com karmic/universe itcl3 3.2.1-5 [99.4kB]
...truncated...

Next install wireshark via apt-get. I don't show that here.

The server I want to connect to is running Sguil 0.7.0, not the version currently in CVS. If you try connecting from a CVS client to a 0.7.0 server, the client will report an error like


error writing "sock6": connection reset by peer

On the server side you will see Sguil die on error:


pid(37598)  Client Connect: 192.168.2.194 39901 sock15
pid(37598)  Validating client access: 192.168.2.194
pid(37598)  Valid client access: 192.168.2.194
pid(37598)  Sending sock15: SGUIL-0.7.0 OPENSSL ENABLED
pid(37598)  Client Command Received: VersionInfo {SGUIL-0.7.0 OPENSSL ENABLED}
pid(37598)  ERROR: Client connect denied - mismatched versions
pid(37598)  CLIENT VERSION: {SGUIL-0.7.0 OPENSSL ENABLED}
pid(37598)  SERVER VERSION: SGUIL-0.7.0 OPENSSL ENABLED
Error: can not find channel named "sock15"
can not find channel named "sock15"
    while executing
"close $socketID"
    (procedure "ClientVersionCheck" line 11)
    invoked from within
"ClientVersionCheck $socketID $data1 "
    ("VersionInfo" arm line 1)
    invoked from within
"switch -exact $clientCmd {
      DeleteEventID { $clientCmd $socketID $index1 $index2 }
      DeleteEventIDList { $clientCmd $socketID $data1 }
      ..."
    (procedure "ClientCmdRcvd" line 38)
    invoked from within
"ClientCmdRcvd sock15"
SGUILD: killing child procs...
SGUILD: Exiting...

If you diff the sguil.tk from 0.7.0 against sguil.tk from CVS these differences explain what is happening:


richard@janney:~/sguil/client$ diff /home/richard/Downloads/sguil-0.7.0/client/sguil.tk sguil.tk
5c5
< # $Id: sguil.tk,v 1.249 2008/03/25 15:59:34 bamm Exp $ #
---
> # $Id: sguil.tk,v 1.254 2008/09/21 02:59:25 bamm Exp $ #
156,162d155
<     # store $data in $origData because ctoken changes the var it is working on.
<     #set origData $data
<     #set serverCmd [ctoken data " "]
<     #set data1 [string trimleft $data]
<     # data1 has indices 1 on etc etc
<     #set index1 [ctoken data " "]
<     #set data2 [string trimleft $data]
203a197
>       PassChange { $serverCmd [lindex $data 1] [lindex $data 2] }
235c229
<     puts $socketID "VersionInfo $tmpVERSION"
---
>     puts $socketID [list VersionInfo $tmpVERSION]
...truncated...

Finally I like to edit my sguil.conf as shown to account for Wireshark's location and to reduce the number of panes from the default of 3 down to 1.


richard@janney:~/Downloads/sguil-0.7.0/client$ diff sguil.conf.orig sguil.conf
49c49
< set WIRESHARK_PATH /usr/sbin/wireshark
---
> set WIRESHARK_PATH /usr/bin/wireshark
73c73
< set RTPANES 3
---
> set RTPANES 1
78,80c78,80
< set RTPANE_PRIORITY(0) "1"
< set RTPANE_PRIORITY(1) "2 3"
< set RTPANE_PRIORITY(2) "4 5"
---
> set RTPANE_PRIORITY(0) "1 2 3 4 5"
> #set RTPANE_PRIORITY(1) "2 3"
> #set RTPANE_PRIORITY(2) "4 5"

At this point I can use the Sguil client.

Unfortunately I continue to have a problem with DNS resolution. (I reported one a while back.)


can't read "state(reply)": no such element in array
can't read "state(reply)": no such element in array
    while executing
"binary scan $state(reply) SSSSSS mid hdr nQD nAN nNS nAR"
    (procedure "Flags" line 13)
    invoked from within
"Flags $token flags"
    (procedure "dns::name" line 3)
    invoked from within
"dns::name $tok"
    (procedure "GetHostbyAddr" line 47)
    invoked from within
"GetHostbyAddr $srcIP"
    (procedure "ResolveHosts" line 23)
    invoked from within
"ResolveHosts"
    invoked from within
".eventPane.pane1.childsite.detailPane.pane0.childsite.detailTabs.canvas.notebook.
 cs.page1.cs.ipDataFrame.dnsDataFrame.dnsActionFrame.dnsButton invoke"
    ("uplevel" body line 1)
    invoked from within
"uplevel #0 [list $w $cmd]"
    (procedure "tk::CheckRadioInvoke" line 3)
    invoked from within
"tk::CheckRadioInvoke .eventPane.pane1.childsite.detailPane.pane0.childsite.detailTabs.canvas.notebook.
 cs.page1.cs.ipDataFrame.dnsDataFrame.dnsActionFr..."
    (command bound to event)

I noticed a similar error on the sguil-users mailing list and tried installing libudp-tcl, but I got the same error.

SecurityCertified

Friday, January 22, 2010

Sguil 0.7.0 on Ubuntu 9.10

0 comments:

Post a Comment

Popular Posts

Categories

Blog Archive

About Me