Sguil: renaming a sensor

This might be a no-brainer for some, but today I wanted to rename a sensor in Sguil, and decided to write the steps down.


  1. back up the db
  2. stop sancp on the sensor
  3. stop barnyard on the sensor
  4. stop sensor_agent on the sensor
  5. stop snort on the sensor
  6. stop log_packets on the sensor
  7. stop sguild on the server

Steps on the Sguil server

Update the sensor name in the database.

# mysql -p
mysql> use sguildb;
mysql> UPDATE sensor SET hostname = 'newname' WHERE hostname = 'oldname';
Query OK, 1 row affected (0.04 sec)
Rows matched: 1 Changed: 1 Warnings: 0

Rename the directory for the rules display

mv /sguild_data/rules/oldname /sguild_data/rules/newname

Steps on the sensor

Change the hostname in /etc/sensor_agent.conf

set HOSTNAME newname

Change the hostname in /etc/barnyard/barnyard.conf

config hostname: newname

Change the hostname in /usr/sbin/


Change the directory where sancp writes its files; on my Debian system this is set in /etc/default/sancp


Change the Snort perfmonitor stats file location in /etc/snort/snort.conf

preprocessor perfmonitor: time 300 file /snort_data/newname/snort.stats pktcnt 10000

Rename the sensor directory

mv /snort_data/oldname /snort_data/newname


  1. start sguild on the server
  2. start on the sensor
  3. start sancp on the sensor
  4. start snort on the sensor
  5. start sensor_agent on the sensor
  6. start barnyard on the sensor

That should be all!
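
A check to run on the sensor after the edits above and before starting the services again, as an added example that is not part of the original post or of Sguil. It assumes the file paths and directive formats shown above; the function and variable names are this sketch's own, and /etc/default/sancp is only scanned for the old name because the post does not show the setting inside it.

```shell
#!/bin/sh
# Added example: pre-restart check for a renamed Sguil sensor (not from the post).
# Defaults are the paths named in the post; the variable names are this sketch's own.
SENSOR_AGENT_CONF=${SENSOR_AGENT_CONF:-/etc/sensor_agent.conf}
BARNYARD_CONF=${BARNYARD_CONF:-/etc/barnyard/barnyard.conf}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SANCP_DEFAULTS=${SANCP_DEFAULTS:-/etc/default/sancp}
SNORT_DATA=${SNORT_DATA:-/snort_data}

S='[[:space:]]\{1,\}'       # one or more blanks
W='\([^[:space:]]*\)'       # captured value: next run of non-blanks

# conf_value FILE REGEX: print the captured value from the first uncommented match.
conf_value() {
    sed -n "s/^[[:space:]]*$2.*/\1/p" "$1" 2>/dev/null | head -n 1
}

report() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

# check_rename OLD NEW: print one line per problem, return 0 only if there are none.
check_rename() {
    old=$1 new=$2 problems=0

    v=$(conf_value "$SENSOR_AGENT_CONF" "set${S}HOSTNAME${S}${W}")
    [ "$v" = "$new" ] || report "$SENSOR_AGENT_CONF: HOSTNAME is '$v', expected '$new'"

    v=$(conf_value "$BARNYARD_CONF" "config${S}hostname:[[:space:]]*${W}")
    [ "$v" = "$new" ] || report "$BARNYARD_CONF: hostname is '$v', expected '$new'"

    v=$(conf_value "$SNORT_CONF" "preprocessor${S}perfmonitor:.*[[:space:]]file${S}${W}")
    case $v in
        "$SNORT_DATA/$new"/*) ;;
        *) report "$SNORT_CONF: perfmonitor file is '$v', not under $SNORT_DATA/$new" ;;
    esac

    [ -d "$SNORT_DATA/$new" ] || report "$SNORT_DATA/$new does not exist"
    [ ! -e "$SNORT_DATA/$old" ] || report "$SNORT_DATA/$old still exists"

    # Catch anything the specific checks miss: any whole-word mention of the old name.
    for f in "$SENSOR_AGENT_CONF" "$BARNYARD_CONF" "$SNORT_CONF" "$SANCP_DEFAULTS"; do
        if grep -qwF -- "$old" "$f" 2>/dev/null; then
            report "$f still mentions '$old'"
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage: sh check_rename.sh oldname newname
if [ "$#" -eq 2 ]; then check_rename "$1" "$2"; fi
```

A sensor that comes back up under the old name keeps writing to the old directory and reporting under a hostname the server no longer knows, so a non-zero exit here is worth resolving before the start sequence.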

UPDATE: forgot about sancp, snort stats and
