It does emerge -- have not tried running it yet -- configuration worklist first.
http://www.disciplina.net/howto/HOWTO-sguil.html is helpful, but I needed some extra stuff; the whole magilla to emerge is below:
add to /etc/portage/package.keywords:
net-analyzer/sguil-server ~x86
net-analyzer/sguil-client ~x86
net-analyzer/sguil-sensor ~x86
net-analyzer/oinkmaster ~x86
net-analyzer/snort ~x86
net-analyzer/sancp ~x86
net-analyzer/barnyard ~x86
net-analyzer/tcpflow ~x86 (could be ~amd64, I switched to ~x86 in initial response to sguil-sensor/snort error)
dev-tcltk/mysqltcl ~x86 (could be ~amd64, I switched to ~x86 in initial response to sguil-sensor/snort error)
add sguil to use flags in /etc/make.conf
emerge snort
(emerge of sguil-sensor errored at line 41 of function package_setup
with a msg "use flag sguil must be set for snort" until I emerged snort
first and separately, apparent error in dependency call.)
emerge sguil-client sguil-server sguil-sensor
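The keyword and USE-flag edits in the worklist above, written as an added example (not part of the original post and not Gentoo's own tooling): idempotent POSIX sh helpers that append each package.keywords entry only if that atom is not already listed, and add `sguil` to an existing `USE="..."` line in make.conf without clobbering flags already there. The file paths are parameters so the functions can be tried against scratch copies before touching /etc/portage/package.keywords and /etc/make.conf; the quoted-USE-line format and the `~x86` default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the package.keywords and
# USE-flag changes from the sguil worklist idempotently. Assumes make.conf
# keeps USE on a single line of the form USE="flag1 flag2".

# add_keyword FILE ATOM KEYWORD: append "ATOM KEYWORD" unless ATOM already has a line.
add_keyword() {
    file=$1; atom=$2; kw=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^$atom[[:space:]]" "$file"; then
        return 0            # already keyworded, leave the existing line alone
    fi
    printf '%s %s\n' "$atom" "$kw" >> "$file"
}

# has_keyword FILE ATOM: succeed if ATOM has an entry in FILE.
has_keyword() {
    grep -q "^$2[[:space:]]" "$1"
}

# add_use_flag FILE FLAG: ensure FLAG is in the USE="..." line, creating it if absent.
add_use_flag() {
    file=$1; flag=$2
    [ -f "$file" ] || : > "$file"
    if grep -q '^USE="' "$file"; then
        current=$(sed -n 's/^USE="\(.*\)"$/\1/p' "$file" | head -n 1)
        case " $current " in
            *" $flag "*) return 0 ;;   # flag already present
        esac
        new="$current $flag"
        new=${new# }                    # drop leading space when USE was empty
        tmp=$(mktemp)
        sed "s/^USE=\".*\"$/USE=\"$new\"/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf 'USE="%s"\n' "$flag" >> "$file"
    fi
}

# apply_worklist KEYWORDS_FILE MAKE_CONF [KEYWORD]: the complete list from the post.
# KEYWORD defaults to ~x86; pass ~amd64 if that is what your tree needs.
apply_worklist() {
    kwfile=$1; makeconf=$2; kw=${3:-~x86}
    for atom in net-analyzer/sguil-server net-analyzer/sguil-client \
                net-analyzer/sguil-sensor net-analyzer/oinkmaster \
                net-analyzer/snort net-analyzer/sancp net-analyzer/barnyard \
                net-analyzer/tcpflow dev-tcltk/mysqltcl; do
        add_keyword "$kwfile" "$atom" "$kw"
    done
    add_use_flag "$makeconf" sguil
}

# Usage against the live files (as root), then emerge snort first, then the
# sguil packages, as the post describes:
#   apply_worklist /etc/portage/package.keywords /etc/make.conf ~x86
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    apply_worklist "$d/package.keywords" "$d/make.conf"
    cat "$d/package.keywords" "$d/make.conf"
fi
```

Running `apply_worklist` twice leaves the files unchanged the second time, which is the property you want from a script that may be re-run after a failed emerge.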
********
Comments suggesting action from the emerges:
* To use a database as a backend for snort you will have to
* import the correct tables to the database.
* You will have to setup a database called snort first.
*
* MySQL: zcat /usr/share/doc/snort-2.4.3-r1/schemas/create_mysql.gz | mysql -p snort
*
* Also, read the following Gentoo forums article:
* http://forums.gentoo.org/viewtopic-t-399801.html
*
* Only a basic set of rules was installed.
* Please add your other sets of rules to /etc/snort/rules.
* For more information on rules, visit http://www.snort.org/.
amd64 ~ # emerge sguil-client sguil-server sguil-sensor
*
* You can customize your configuration by modifying /etc/sguil/sguil.conf
*
net-analyzer/sguil-server-0.6.0_p1 merged.
*
* Please customize the sguild configuration files in /etc/sguild before
* trying to run the daemon. Additionally you will need to setup the
* mysql database. See /usr/share/doc/sguil-server-0.6.0_p1/INSTALL.gz for information.
* Please note that it is STRONGLY recommended to mount a separate
* filesystem at /var/lib/sguil for both space and performance reasons
* as a large amount of data will be kept in the directory structure
* underneath that top directory.
*
* You should create the sguild db as per the instructions in
* /usr/share/doc/sguil-server-0.6.0_p1/INSTALL.gz and use the appropriate
* database setup script located in the same directory.
*
net-analyzer/sguil-server-0.6.0_p1 merged.
*
* You should check /etc/sguil/sensor_agent.conf and
* /etc/init.d/logpackets and ensure that they are accurate
* for your environment. They should work providing that you
* are running the sensor on the same machine as the server.
* This ebuild assumes that you are running a single sensor
* environment, if this is not the case then you must make sure
* to modify /etc/sguil/sensor_agent.conf and change the HOSTNAME variable.
* You should crontab the /etc/init.d/log_packets script to restart
* each hour.
*
net-analyzer/sguil-sensor-0.6.0_p1 merged.