Sguil 0.7 is getting shape quite nicely. One of the most interesting new features is the splitting up of different types of agents and the option to create ‘net groups’. This are groups of agents that Sguil considers part of the same network. You can use this to spread the agents over multiple servers, but still use it from Sguil as if it was one single sensor. For example, this way you can easily create a Snort sensor and a separate full content logging capture server. When you request the full content for a Snort event in Sguil, it will know that it needs to request the packet data from the capture server. This way you can also have multiple Snort agents without the need for capturing the same sancp and full content data over and over again.
David Bianco has written a very nice guide for installing Sguil 0.7 on Redhat Enterprise 4. I used this guide to install the server and sensor on a Debian Etch installation. The main difference is that I used Debian packages where ever possible. These packages could be used:
Important: do not use the tcl8.4 package. It is not compatible with Sguil and will produce the following message:
ERROR: This version of tcl was compile with threading enabled. Sguil is NOT compatible with threading.
You can get Sguil 0.7 CVS by checking out the latest CVS version:
cvs -d:pserver:firstname.lastname@example.org:/cvsroot/sguil login
cvs -d:pserver:email@example.com:/cvsroot/sguil co sguil
I will update Modsec2sguil soon!