fileutil::magic::mimetype has been removed from tcllib.
commit : https://core.tcl.tk/tcllib/info/b0158a79513a8ffa
ticket regarding the lack of alternative : http://core.tcl.tk/tcllib/tktview/877cddef7766f1303b93

maybe ::fileutil::magic::filetype could be used instead ?

Error when running reports from Security Onion

SGUIL v0.9.0

domain error: argument not in valid range
domain error: argument not in valid range
    while executing
"expr {int((1.0*$_stepval)/$itk_option(-steps)*100.0)}"
    (object "::.progressShell.progressBar" method "::iwidgets::Feedback::_display" body line 7)
    invoked from within
"::.progressShell.progressBar _display"
    (in namespace inscope "::iwidgets::Feedback" script line 1)
    invoked from within
"namespace inscope ::iwidgets::Feedback {::.progressShell.progressBar _display}"
    (command bound to event)

I'm using Sguil in SecurityOnion and am sending a lot of OSSEC alerts to it. I would like to suggest adding a DB user field and column in the interface. This could be used to create auto cats for certain users identified in OSSEC alerts and also for tracking user history with OSSEC alerts.

Adding the ability to extract the user to the agent that sends the alerts to Sguil is something I can add along with providing the OSSEC decoders.

Unlike #42, this issue does NOT appear to be limited to the first 2 minutes after Sguil starts.

Pivoting to transcript seems to work fine when using the normal transcript option or when choosing the "Transcript (force new)" option on a new alert where I haven't pivoted to pcap previously. However, if I choose the "Transcript (force new)" option for a TCP stream that I've pivoted to before, I get one of two behaviors:

1. The transcript window hangs at "Merging results":
   

OR

1. sguild crashes:

Have you seen this issue before?

Thanks!

Hello,

After updating to MySQL version 5.7.23, Barnyard2 daemon stop to start and return this error message inthe log --> FATAL ERROR: sguil: Expected Confirm 21 and got: Failed to insert 21: mysqlexec/db server: Data too long for column 'class' at row 1#012

Regards,

If submitting excessive amounts of quotation marks into the chat function, it will crash, severing the connections for any user connected to the application.

Sguil Client 0.8.0 x86_64

suricata_agent.tcl line 188

0001-fixed-icmp-value.txt

I try to use the 1.0.0 version with Websocket support and tcl lib 1.6
It work nicely with my chrome browser but I got an issue with firefox 60 and 61.
It can't succeed to get the websocket working.

I got the following logs in the browser console

WebSocket Initialized websocketService.js:43:13
Waiting for websocket to finalize...
controllers.js:173:25
Firefox can’t establish a connection to the server at wss://192.168.245.143/ws. websocketService.js:19:21
Socket received an error! websocketService.js:28:17
Socket has been closed! websocketService.js:33:17
Waiting for websocket to finalize...
controllers.js:173:25

Any idea ? 

Hi,

I wanted to try installing Sguil myself but noticed the wiki where a lot of info seems to be stored is unavailable:
http://nsmwiki.org/Main_Page

B.

Can probably add this to the docs somewhere:
apt-get install -y tcl mysqltcl tcllib tclx tcl-tls

In particular this was failing (In SguildGenericDB.tcl):

172 proc UpdateDBStatus { sensorName date sid cid timestamp uid status } {
173
174 global MAIN_DB_SOCKETID
175
176 set tmpDate [clock format [clock scan $date] -gmt true -format "%Y%m%d"]
177 set tableName "event_${sensorName}_$tmpDate"
178 set updateString
179 "UPDATE $tableName SET status=$status, last_modified='$timestamp', last_uid='$uid' WHERE sid=$sid AND cid=$cid"

Wrapping the update in a catch like in proc UpdateDBStatusList stopped the server from crashing (this should probably be done anyway to avoid this) but still causes the autocat status updates to fail until the clock catches up to UTC and the correct event table is created.

Hi,
I want to install sguil on my system.(web client)
Is this installation guide still right?
https://github.com/bammv/sguil/blob/master/doc/INSTALL
How can I install sguil step-by-step in my system?
Thank you.

The DShield IP lookup is now:

https://www.dshield.org/ipinfo.html?ip=<IP address>

instead of

https://www.dshield.org/ipinfo.php?ip=<IP address>

This can be updated in client/lib/extdata.tcl

Suricata's flow_id is now a 64-bit unsigned integer, which causes an error when using the suricata_agent.tcl script due to the size of the unified_event_id and unified_event_ref columns in the MySQL database.

In my tests, changing those fields from INT to BIGINT fixed the problem although existing database tables would need to be modified or deleted/recreated.

Currently you are only allowed to disable rules. It would be nice to be able to permanently remove rules that were added with incorrect fields or altogether by accident.

Hi,

when creating autocat rule, with a comment containing a ' I recognized sql errors.
So, playing a little bit with it, i.e. I got an autocat rule added with the following in
the comment field:
TESTTEST','X','2019-01-01','1'); -- \

faking the userid to some other user than myself for example. Other fields also seem
to be vulnerable, as well as the general query builder. With my limited testing, I didn't
managed to insert additional sql statements, or at least on security-onion, a union select on mysql.users seems to be prohibited as long as noone messed with GRANT statements
in the database.

Well, only admins should be able to connect to sguild, there should be some trust into
them ;)
Have seen this in 0.9.0, as well as 1.0.0

See: https://github.com/bammv/sguil/blob/master/doc/OPENSSL.README

Looking at that README though, it doesn't look like process outlined is correct.

I am trying to install sguil from source on OpenBSD 5.9 with Tcl 8.5 and managed to install without any problems TclX 8.4 but for the mysqltcl package it simply does not want to work... When I test it from the Tcl shell I get the following error:

% package require mysqltcl
couldn't load file "/usr/local/lib/tcl/mysqltcl-3.052/libmysqltcl3052.so.1.0": Cannot load specified object

an ldd on the library file does not show any missing libraries:

/usr/local/lib/mysqltcl-3.052/libmysqltcl3052.so.1.0:
Start End Type Open Ref GrpRef Name
00001d77173b4000 00001d77177be000 dlib 2 0 0 /usr/local/lib/mysqltcl-3.052/libmysqltcl3052.so.1.0
00001d76af76e000 00001d76afed5000 rlib 0 1 0 /usr/local/lib/libmysqlclient.so.27.0
00001d7704cb0000 00001d77050c2000 rlib 0 1 0 /usr/lib/libpthread.so.20.1
00001d769ee91000 00001d769f2a6000 rlib 0 1 0 /usr/lib/libz.so.5.0
00001d774da5e000 00001d774deb8000 rlib 0 1 0 /usr/lib/libssl.so.38.0
00001d7710a74000 00001d7711043000 rlib 0 2 0 /usr/lib/libcrypto.so.37.0
00001d76b1fda000 00001d76b24f0000 rlib 0 1 0 /usr/lib/libstdc++.so.57.0
00001d7772653000 00001d7772a7b000 rlib 0 2 0 /usr/lib/libm.so.9.0

I used the following configure parameters to compile mysqltcl:

--with-tcl=/usr/local/lib/tcl/tcl8.5/ --with-mysql-include=/usr/local/include/mysql/ --with-mysql-lib=/usr/local/lib/mysql/

Unfortunately sguil requires mysqltcl and without mysqltcl working on OpenBSD it is not possible to use sguil afaik. Any workaround or ideas how I could still use sguil on OpenBSD?

fileutil::magic::mimetype does not exist in newer versions of Tcl, but fileutil::magic::filetype can be used as a drop-in replacement.

http://blog.tcl.tk/17368

After making a change in my local version of Sguil 1.0.0, I was able to run squild on Ubuntu 18.04 LTS with Tcl 8.6. I can submit a pull request if you are interested. Not sure how this would affect installs with older versions of Tcl.

I cannot see the checkboxes which allow you to select the interface you wish to monitor. I have the same problem on both the local Linux Security Onion box I just stood up and a Windows 10 laptop I just tried.

Any advice you can offer to get it working would be appreciated.

Steps for SSL Certificate creation described in (https://github.com/bammv/sguil/blob/master/doc/OPENSSL.README) need to be corrected as below:

No correction for these steps:

1. openssl req -out CA.pem -new -x509
2. openssl genrsa -out sguild.key 1024
3. openssl req -key sguild.key -new -out sguild.req

Correction for last two:
4. echo 01 > CA.srl
5. openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -out sguild.pem

• Without existing CA.srl (or file.srl), step 5 will fail.
• The "-CAserial file.sr1" code section is not needed in step 5, because OpenSSL uses CA.srl for serial by default. Just make sure it has been created before running step 5.

https://code.google.com/p/plumage/ can wrap all the tcl into py.
http://www-01.ibm.com/support/docview.wss?uid=swg24012144 dump tcl/tk to Jython/python.

just figured for plugin API python seams to be the king one could port to python entirely or make it more embedded. anyhow OWASP of Indianapolis is doing a crawling standard API , were trying to anyhow. the point being is various security products could pool data ie burp suite metasploit etc.
just a plugin api would let others extend easier, its not a big deal per say
just being able to pool data to sguil/seim from other utilities could increase the effectiveness overall.

just most of the devs are python centric, just a suggestion...

I more or less am a tinkerer/researcher.

Hi Bamm,

I'm experimenting with your latest code from github and am especially excited about being able to get transcripts for TCP streams that span multiple pcap files (23e40a8)!

However, if I take a fresh database and immediately generate some alerts and then pivot to transcript, I get an error like this:

If I'm reading the code correctly:

• Looks like the error is happening here:
  https://github.com/bammv/sguil/blob/master/sensor/pcap_agent.tcl#L354
• based on the fact that start_file never got set here:
  https://github.com/bammv/sguil/blob/master/sensor/pcap_agent.tcl#L341-L346
• $start_secs is the timestamp of the alert minus 120 seconds and I don't have any pcap files with a timestamp less than that:
  

I think this is somewhat of a corner case and should really only happen within the first 2 minutes of starting Sguil. I suppose I could shorten $BACK_SECONDS to something smaller like 60 to decrease the likelihood of a user running into this. But I'm wondering if it might be better to add some code here:
https://github.com/bammv/sguil/blob/master/sensor/pcap_agent.tcl#L349

to check and see if $start_file is null and, if so, set it to the earliest pcap available.

Any thoughts?

Thanks!

If sguild is running as a non-root user, tcpflow will likely error indicating tcpflow cannot write out ./report.xml. tcpflow by default writes out a report.xml, there is no flag to turn the behavior off. So the idea is to use TMPDATADIR as the output directory.

nonroot-tcpflow-fix.patch.txt