I just uploaded a new version of Modsec2sguil. I’ve been working on it the last weeks to get it updated to Sguil 0.7. The scripts are changed all over the place. This is because in the 0.7 framework, my scripts would no longer be a replacement for Barnyard only talking to the sensor_agent on the localhost, instead now it would become a full agent talking to the Sguil server directly.
This brings some challenges. First the connection can be going over the internet, or another untrusted network, so the agent needs ssl support. Second, since the connection may be unreliable we need to be able to detect and deal with lost connections. Next to this I wanted to be able to run without superuser privileges.
The new version of modsec2sguil supports it all, and more:
- Converted into a real agent for Sguil 0.7 (no more barnyard replacement)
- Agent can drop privileges
- Agent can daemonize
- Pinging the server is supported
- The agent reconnects to the server if the connection is lost
- Agent supports SSL for the connection to the server
- A sguil-compatible configuration file is now used
- A debug mode was added
So if you run Sguil 0.7-CVS and ModSecurity, go check it out at http://www.inliniac.net/modsec2sguil/
Last but not least, the agent contains a SguilAgent.pm Perl library. I hope it enables developers to easily create Perl agents for Sguil. If you need help with that, please let me know!