Figured it out
The two major installation issues I encountered were in sguil_sensor_install.sh and sguil_server_install.sh. In the sensor install, for some reason after doing a pkg_add -r snort, I didn't have a /usr/local/etc/snort. That meant I couldn't chown -R it to sguil:sguil. It did appear later, which leads me to suspect that perhaps the first time, the package didn't add properly. No idea why, but I suspect either human error (typo) or hardware error (this thing's been acting a bit goofy, and it's physically wobbly unless dropped like an old-school desktop to its rubber feet). With the server install, there was much sqwaking about how mysqltcl wasn't installed, even though I'd just installed it. The solution ended up being to add the "LD_LIBRARY_PATH=/usr/local/lib/mysql; export LD_LIBRARY_PATH" line to /etc/rc.conf, since it didn't seem to be picking it up anywhere else, even though it was added to sguild_start.sh manually. While I hate making global overrides like that, it did seem to be the only thing that worked, considering my limited capacity in FreeBSD.
The other issues had me stuck for a bit, until I finally puzzled them out. The errors were: "riffraff snort[645]: FATAL ERROR: Unable to open rules file: nsm/rules/riffraff/classification.config or /usr/local/etc/nsm/nsm/rules/riffraff/classification.config" and "riffraff snort[652]: FATAL ERROR: Unable to open rules file: nsm/rules/riffraff/reference.config or /usr/local/etc/nsm/nsm/rules/riffraff/reference.config" In /nsm/rules/riffraff/snort.conf, the includes for classification.config and reference.config were set to ../share/snort/classification.config and ../share/snort/reference.config. I changed them to "include $RULE_PATH/classification.config" and "include $RULE_PATH/reference.config".
Seems to be working so far, but...
posted by JD at
8:25 PM
0 Comments:
Post a Comment
<< Home