gamelinux / prads

Passive Real-time Asset Detection System
http://gamelinux.github.com/prads/

Problems in sguil with startup options #11

Closed carlopmart closed 12 years ago

carlopmart commented 12 years ago

If you use different startup options for prads, some problems appear when it is used with sguil. For example:

a) With these startup options, no events are registered in sguil server: "prads -c /data/config/etc/snort/prads.conf -f /nsm/sguil_sensor/ubuids01/prads/prads.fifo -UTtI -XFRMSAK -a 172.25.50.0/27 -i eth4 -Z"

b) With these startup options, events are registered in sguil server: "prads -c /data/config/etc/snort/prads.conf -f /nsm/sguil_sensor/ubuids01/prads/prads.fifo -i eth4"

prads.conf content:

daemon=1
asset_log=/nsm/sguil_sensor/ubuids01/prads/prads.log
pid_file=/var/run/prads.pid

comotion commented 12 years ago

Actually, what do you expect the command line to do?

The parameter "-X" clears all ctf and cof flags, meaning that -UTtI gets cleared away.

Try prads -v -UTtI -XFRMSAK and prads -v -XFRMSAK -UTtI

There should be a difference, because the -X clears all default flags and all flags set before that parameter, which might explain why your fifo is empty.
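To make the order dependence concrete, here is a small model of left-to-right option processing, added for this thread and not taken from the prads source. It assumes only what the comment above states: -X empties the set of flags accumulated so far, and the other letters simply switch a flag on. The default flag set and the list of options that take an argument are assumptions of the model, not the prads man page.

```python
"""Model of order-dependent short-option parsing.

Added illustration for the prads/sguil thread; NOT prads code.
Assumptions (not from the prads manual):
  * DEFAULT_FLAGS is the set of flags on when nothing is given,
  * every letter in TOGGLES merely adds a flag,
  * -X empties the accumulated set, exactly as the comment describes.
"""
import getopt
import shlex

TOGGLES = "UTtIFRMSAK"          # plain on/off letters seen in the thread
WITH_ARG = "cfai"               # letters that took a value in the thread
DEFAULT_FLAGS = frozenset("UTtI")  # assumed defaults for the model

OPTSTRING = "X" + TOGGLES + "".join(c + ":" for c in WITH_ARG) + "vZ"


def parse(argv):
    """Walk argv left to right the way getopt does.

    Clustered options such as -UTtI are split into single letters, and
    -X clears everything set before it, so only letters *after* -X survive.
    """
    flags = set(DEFAULT_FLAGS)
    opts, _rest = getopt.getopt(argv, OPTSTRING)
    for opt, _value in opts:
        letter = opt[1:]
        if letter == "X":
            flags.clear()
        elif letter in TOGGLES:
            flags.add(letter)
    return frozenset(flags)


def flags_for(cmdline):
    """Return the final flag set for a full 'prads ...' command line."""
    return parse(shlex.split(cmdline)[1:])


# Constructed from the command lines quoted in the issue.
NO_EVENTS = ("prads -c /data/config/etc/snort/prads.conf "
             "-f /nsm/sguil_sensor/ubuids01/prads/prads.fifo "
             "-UTtI -XFRMSAK -a 172.25.50.0/27 -i eth4 -Z")
EVENTS = ("prads -c /data/config/etc/snort/prads.conf "
          "-f /nsm/sguil_sensor/ubuids01/prads/prads.fifo -i eth4")
REORDERED = ("prads -c /data/config/etc/snort/prads.conf "
             "-f /nsm/sguil_sensor/ubuids01/prads/prads.fifo "
             "-XFRMSAK -UTtI -a 172.25.50.0/27 -i eth4 -Z")


def lost_by_x(cmdline):
    """Letters that were on (by default or explicitly) but got wiped by -X."""
    return DEFAULT_FLAGS - flags_for(cmdline)


if __name__ == "__main__":
    for name, cmd in (("no events", NO_EVENTS), ("events", EVENTS),
                      ("reordered", REORDERED)):
        print(f"{name:>10}: {''.join(sorted(flags_for(cmd)))}")
```

Running it shows that with -UTtI placed before -XFRMSAK the four letters vanish, while moving -UTtI after -X keeps them alongside FRMSAK; the short command line with no flag letters at all just keeps the model's defaults.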

comotion commented 12 years ago

Try even: prads -v -f prads.fifo -UTtI -XFRMSAK -Z & cat prads.fifo

You should see stuff coming in through the pipe.

If that doesn't work it would be helpful if you post your conf.

carlopmart commented 12 years ago

On 11/19/2011 02:46 AM, Kacper Why wrote:

> try even: prads -v -f prads.fifo -UTtI -XFRMSAK -Z & cat prads.fifo

> you should see stuff coming in thru the pipe.

> if that doesn't work it would be helpful if you post your conf.

Sorry for my late response Kacper. But it doesn't work. These are the only options I can use to register events in sguil:

"prads -c /data/config/etc/snort/prads.conf -f /nsm/sguil_sensor/ubuids01/prads/prads.fifo -a 172.25.50.0/27 -i eth4 -Z"

and prads.conf:

daemon=1
asset_log=/nsm/sguil_sensor/ubuids01/prads/prads.log
pid_file=/var/run/prads.pid

CL Martinez carlopmart {at} gmail {d0t} com

comotion commented 12 years ago

I am lost in this issue, sorry. You can set the fifo to use in the conf file now, and prads 0.3.1-rc1 even has support for setting home_nets in the conf file. Please reopen this issue if you feel that the problem persists.