Here is the debug output from an example sguil 0.7.0 server. Note that in this example both the sensor and client access lists are set to ALLOW ANY (loaded from /etc/sguild/sguild.access); a production server should restrict them.



[root@server ~]# /usr/src/sguil-0.7.0/server/sguild -c /etc/sguil/server/sguild.conf

  pid(22877)  Loading access list: /etc/sguild/sguild.access
  pid(22877)  Sensor access list set to ALLOW ANY.
  pid(22877)  Client access list set to ALLOW ANY.
  pid(22877)  Email Configuration:
  pid(22877)    Config file: /etc/sguild/sguild.email
  pid(22877)    Enabled: No
  pid(22877)  Connecting to localhost on 3306 as sguil
  pid(22877)  MySQL Version: version 5.0.45

This is the MySQL server version as reported to sguild by MySQL.

  pid(22877)  SguilDB Version: 0.12
  pid(22877)  Creating event MERGE table.
  pid(22877)  Creating tcphdr MERGE table.
  pid(22877)  Creating udphdr MERGE table.
  pid(22877)  Creating icmphdr MERGE table.
  pid(22877)  Creating data MERGE table.
  pid(22880)  Loaderd Forked
  pid(22881)  Queryd Forked
  pid(22877)  Retrieving DB info...
  pid(22877)    SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
  pid(22877)    SELECT MAX(timestamp) FROM event WHERE sid=2
  pid(22877)  Querying DB for archived events...
  pid(22877)  SELECT event.status, event.priority, event.class, sensor.hostname,
  event.timestamp, event.sid, event.cid, event.signature,
  INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto,
  event.src_port, event.dst_port, event.signature_gen, event.signature_id, 
  event.signature_rev, event.unified_event_id, unified_event_ref           
  FROM event                                                               
  FORCE INDEX (status)                                                     
  JOIN sensor ON event.sid=sensor.sid                                      
  WHERE event.status=0 ORDER BY event.timestamp ASC
  pid(22877)  Archived Alert: 0 2 attempted-recon firewall {2008-10-17 17:51:06} 2 37 {SNMP public access udp}
  10.7.3.17 192.168.0.90 17 1063 161 1 1411 10 26 26
  pid(22877)  Archived Alert: 0 2 attempted-recon firewall {2008-10-17 17:51:06} 2 38 {SNMP request udp}
  10.7.3.17 192.168.0.90 17 1063 161 1 1417 9 27 27
  pid(22877)  Archived Alert: 0 2 attempted-recon firewall {2008-10-17 17:51:12} 2 40 {SNMP public access udp}
  10.7.3.17 192.168.0.90 17 1063 161 1 1411 10 29 29
  pid(22877)  Archived Alert: 0 2 attempted-recon firewall {2008-10-17 17:51:12} 2 41 {SNMP request udp}
  10.7.3.17 192.168.0.90 17 1063 161 1 1417 9 30 30
  pid(22877)  Archived Alert: 0 2 attempted-recon firewall {2008-10-17 17:51:18} 2 42 {SNMP public access udp}
  10.7.3.17 192.168.0.90 17 1063 161 1 1411 10 31 31
  pid(22877)  Archived Alert: 0 2 attempted-recon firewall {2008-10-17 17:51:18} 2 43 {SNMP request udp}
  10.7.3.17 192.168.0.90 17 1063 161 1 1417 9 32 32
  pid(22877)  Archived Alert: 0 2 attempted-recon firewall {2008-10-17 17:51:24} 2 46 {SNMP request udp}
  10.7.3.17 192.168.0.90 17 1063 161 1 1417 9 35 35
  pid(22877)  Archived Alert: 0 2 attempted-recon firewall {2008-10-17 17:51:24} 2 45 {SNMP public access udp}
  10.7.3.17 192.168.0.90 17 1063 161 1 1411 10 34 34
  pid(22877)  Archived Alert: 0 2 bad-unknown firewall {2008-10-30 01:02:13} 2 119 {DNS SPOOF query response
  with TTL of 1 min. and no authority} 208.67.222.222 192.168.0.53 17 53 65077 1 254 4 1 1
  pid(22877)  Archived Alert: 0 2 bad-unknown firewall {2008-10-30 01:02:13} 2 135 {DNS SPOOF query response 
  with TTL of 1 min. and no authority} 208.67.222.222 192.168.0.53 17 53 65077 1 254 4 1 1
  pid(22877)  Archived Alert: 0 2 bad-unknown firewall {2008-10-30 01:02:14} 2 120 {DNS SPOOF query response
  with TTL of 1 min. and no authority} 208.67.222.222 192.168.0.53 17 53 50143 1 254 4 2 2
  pid(22877)  Archived Alert: 0 2 bad-unknown firewall {2008-10-30 01:02:14} 2 136 {DNS SPOOF query response
  with TTL of 1 min. and no authority} 208.67.222.222 192.168.0.53 17 53 50143 1 254 4 2 2
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 01:30:57} 2 121 {portscan: TCP Portsweep}
  67.184.215.50 168.97.36.2 255 {} {} 122 3 0 1 1
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 01:30:57} 2 122 {portscan: Open Port}
  67.184.215.50 168.97.36.2 255 {} {} 122 27 0 2 1
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 01:31:07} 2 125 {portscan: Open Port}
  67.184.215.50 168.97.36.2 255 {} {} 122 27 0 5 1
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 01:31:39} 2 129 {portscan: Open Port}
  67.184.215.50 64.233.183.18 255 {} {} 122 27 0 9 1
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 01:31:40} 2 130 {portscan: Open Port}
  67.184.215.50 168.97.138.228 255 {} {} 122 27 0 10 1
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 01:31:42} 2 131 {portscan: Open Port}
  67.184.215.50 168.97.36.2 255 {} {} 122 27 0 11 1
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 01:31:44} 2 132 {portscan: Open Port}
  67.184.215.50 208.73.181.192 255 {} {} 122 27 0 12 1
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 01:31:47} 2 133 {portscan: Open Port}
  67.184.215.50 168.97.138.228 255 {} {} 122 27 0 13 1
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 01:31:48} 2 134 {portscan: Open Port}
  67.184.215.50 168.97.36.2 255 {} {} 122 27 0 14 1
  pid(22877)  Archived Alert: 0 2 bad-unknown firewall {2008-10-30 20:11:54} 2 137 {DNS SPOOF query response
  with TTL of 1 min. and no authority} 208.67.222.222 192.168.0.50 17 53 58713 1 254 4 3 3
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 20:59:54} 2 135 {portscan: TCP Portsweep}
  67.184.215.50 189.168.118.160 255 {} {} 122 3 0 15 15
  pid(22877)  Archived Alert: 0 3 unknown firewall {2008-10-30 21:38:50} 2 136 {portscan: TCP Portsweep}
  67.184.215.50 66.235.138.3 255 {} {} 122 3 0 16 16
  pid(22877)  Archived Alert: 0 2 bad-unknown firewall {2008-10-30 23:49:58} 2 138 {DNS SPOOF query response
  with TTL of 1 min. and no authority} 208.67.222.222 192.168.0.53 17 53 65468 1 254 4 4 4
  pid(22877)  Archived Alert: 0 2 bad-unknown firewall {2008-10-31 00:30:04} 2 139 {DNS SPOOF query response
  with TTL of 1 min. and no authority} 208.67.222.222 192.168.0.50 17 53 59554 1 254 4 5 5
  pid(22877)  Archived Alert: 0 2 bad-unknown firewall {2008-10-31 01:36:58} 2 140 {DNS SPOOF query response
  with TTL of 1 min. and no authority} 208.67.222.222 192.168.0.53 17 53 56884 1 254 4 6 6
  pid(22877)  Querying DB for escalated events...
  pid(22877)  SELECT event.status, event.priority, event.class, sensor.hostname, event.timestamp, event.sid,
  event.cid, event.signature,                 
INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto,       
event.src_port, event.dst_port, event.signature_gen,                    
event.signature_id, event.signature_rev                                 
FROM event                                                              
FORCE INDEX (status)                                                    
JOIN sensor ON event.sid=sensor.sid                                     
WHERE event.sid=sensor.sid AND event.status=2 ORDER BY event.timestamp ASC
  pid(22877)  Retrieving DB info...
  pid(22877)    Getting a list of tables.
  pid(22877)    ...Getting info on data.
  pid(22877)    ...Getting info on event.
  pid(22877)    ...Getting info on history.
  pid(22877)    ...Getting info on icmphdr.
  pid(22877)    ...Getting info on nessus.  
  pid(22877)    ...Getting info on nessus_data.
  pid(22877)    ...Getting info on pads.
  pid(22877)    ...Getting info on portscan.
  pid(22877)    ...Getting info on sensor.
  pid(22877)    ...Getting info on status.
  pid(22877)    ...Getting info on tcphdr.
  pid(22877)    ...Getting info on udphdr.
  pid(22877)    ...Getting info on user_info.
  pid(22877)    ...Getting info on version.
  pid(22877)  Sguild Initialized.
  pid(22877)  Sensor agent connect from 192.168.0.216:40447 sock13
  pid(22877)  Validating sensor access: 192.168.0.216 : 
  pid(22877)  Valid sensor agent: 192.168.0.216
  pid(22877)  Sensor Data Rcvd: VersionInfo {SGUIL-0.7.0 OPENSSL ENABLED}
  pid(22877)  Sensor Data Rcvd: RegisterAgent snort firewall firewall
  pid(22877)  Sent sock13: AgentInfo firewall snort firewall 2 140
  pid(22877)  Sensor Data Rcvd: PING
  pid(22877)  Sent sock13: PONG


After a client session has been initiated:


  pid(22877)  Client Connect: 192.168.0.52 45060 sock14
  pid(22877)  Validating client access: 192.168.0.52
  pid(22877)  Valid client access: 192.168.0.52
  pid(22877)  Sending sock14: SGUIL-0.7.0 OPENSSL ENABLED
  pid(22877)  Client Command Received: VersionInfo SGUIL-0.7.0 OPENSSL ENABLED
  pid(22877)  Client Command Received: PING
  pid(22877)  Client Command Received: ValidateUser sguil ********
  pid(22877)  Sending sock14: UserID 2
  pid(22877)  No clients to send info msg to.
  pid(22877)  Client Command Received: SendDBInfo
  pid(22877)  Sending sock14: TableNameList {data event history icmphdr nessus nessus_data pads portscan sensor status tcphdr udphdr user_info version}
  pid(22877)  Sending sock14: TableColumns data {{sid long 10} {cid long 10} {data_payload blob 65535}}
  pid(22877)  Sending sock14: TableColumns event {{sid long 10} {cid long 10} {signature {var string} 255} {signature_gen long 10} {signature_id long 10} {signature_rev long 10} {timestamp {date time} 19} {unified_event_id long 10} {unified_event_ref long 10} {unified_ref_time {date time} 19} {priority long 10} {class {var string} 20} {status short 5} {src_ip long 10} {dst_ip long 10} {src_port long 10} {dst_port long 10} {icmp_type tiny 3} {icmp_code tiny 3} {ip_proto tiny 3} {ip_ver tiny 3} {ip_hlen tiny 3} {ip_tos tiny 3} {ip_len short 5} {ip_id short 5} {ip_flags tiny 3} {ip_off short 5} {ip_ttl tiny 3} {ip_csum short 5} {last_modified {date time} 19} {last_uid long 10} {abuse_queue string 1} {abuse_sent string 1}}
  pid(22877)  Sending sock14: TableColumns history {{sid long 10} {cid long 10} {uid long 10} {timestamp {date time} 19} {status short 5} {comment {var string} 255}}
  pid(22877)  Sending sock14: TableColumns icmphdr {{sid long 10} {cid long 10} {icmp_csum short 5} {icmp_id short 5} {icmp_seq short 5}}
  pid(22877)  Sending sock14: TableColumns nessus {{uid long 11} {rid {var string} 40} {ip {var string} 15} {timestart {date time} 19} {timeend {date time} 19}}
  pid(22877)  Sending sock14: TableColumns nessus_data {{rid {var string} 40} {port {var string} 40} {nessus_id long 10} {level {var string} 20} {description blob 65535}}
  pid(22877)  Sending sock14: TableColumns pads {{hostname {var string} 255} {sid long 10} {asset_id long 10} {timestamp {date time} 19} {ip long 10} {service {var string} 40} {port long 10} {ip_proto tiny 3} {application {var string} 255} {hex_payload {var string} 255}}
  pid(22877)  Sending sock14: TableColumns portscan {{hostname {var string} 255} {timestamp {date time} 19} {src_ip {var string} 16} {src_port long 10} {dst_ip {var string} 16} {dst_port long 10} {data blob 65535}}
  pid(22877)  Sending sock14: TableColumns sensor {{sid long 10} {hostname {var string} 255} {agent_type {var string} 40} {net_name {var string} 40} {interface {var string} 255} {description blob 65535} {bpf_filter blob 65535} {updated timestamp 19} {active string 1} {ip {var string} 15} {public_key {var string} 255}}
  pid(22877)  Sending sock14: TableColumns status {{status_id short 5} {description {var string} 255} {long_desc  {var string} 255}}
  pid(22877)  Sending sock14: TableColumns tcphdr {{sid long 10} {cid long 10} {tcp_seq long 10} {tcp_ack long 10} {tcp_off tiny 3} {tcp_res tiny 3} {tcp_flags tiny 3} {tcp_win short 5} {tcp_csum short 5} {tcp_urp short 5}}
  pid(22877)  Sending sock14: TableColumns udphdr {{sid long 10} {cid long 10} {udp_len short 5} {udp_csum short 5}}
  pid(22877)  Sending sock14: TableColumns user_info {{uid long 10} {username {var string} 16} {last_login {date   time} 19}}
  pid(22877)  Sending sock14: TableColumns version {{version {var string} 32} {installed {date time} 19}}
  pid(22877)  Client Command Received: SendSensorList
  pid(22877)  Client Command Received: MonitorSensors home
  pid(22877)  sock14 added to clientList
  pid(22877)  Sending sock14: InsertSystemInfoMsg sguild {User sguil is monitoring sensors: home}
  pid(22877)  Sending sock14: NewSnortStats Template:2 firewall N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
  pid(22877)  Client Command Received: SendEscalatedEvents
  pid(22877)  Client Command Received: SendGlobalQryList
  pid(22877)  Sending sock14: GlobalQryList Template:Last Modified
  
  pid(22877)  Client Command Received: SendReportQryList
  pid(22877)  Sending sock14: ReportQryList {SENSORLIST||Sensor Information||query||SELECT * from sensor where
  %%SENSORS%%||9||CATCOUNT||Counts of Events by Category||query||SELECT status.description, COUNT(event.status)
  FROM sensor, status, event WHERE event.sid = sensor.sid and %%SENSORS%% and event.timestamp > %%STARTTIME%%
  and event.timestamp < %%ENDTIME%%  and event.status=status.status_id GROUP BY
  status.description||2||TOPTEN||Top Ten Events||query||SELECT count(event.signature) as Count, event.signature
  from event, sensor WHERE event.sid = sensor.sid and %%SENSORS%% and event.timestamp > %%STARTTIME%% and 
  event.timestamp < %%ENDTIME%% GROUP BY event.signature ORDER BY Count desc LIMIT 10||2||TOPTENSIP||Top Ten 
  Source IP's||query||SELECT count(event.src_ip) as count, INET_NTOA(event.src_ip) FROM event, sensor WHERE 
  event.sid = sensor.sid AND %%SENSORS%% AND event.timestamp > %%STARTTIME%% AND event.timestamp < %%ENDTIME%% 
  GROUP BY event.src_ip order by count desc limit 10||2||TOPTENDIP||Top Ten Dest IP's||query||SELECT 
  count(event.dst_ip) as count, INET_NTOA(event.dst_ip) FROM event, sensor WHERE event.sid = sensor.sid AND 
  %%SENSORS%% AND event.timestamp > %%STARTTIME%% AND event.timestamp < %%ENDTIME%% GROUP BY event.dst_ip order 
  by count desc limit 10||2||TOPTENSPORT||Top Ten Source Ports||query||SELECT count(event.src_port) as count, 
  event.src_port FROM event, sensor WHERE event.sid = sensor.sid AND %%SENSORS%% AND event.timestamp > 
  %%STARTTIME%% AND event.timestamp < %%ENDTIME%% GROUP BY event.src_port order by count desc limit 
  10||2||TOPTENDPORT||Top Ten Dest Ports||query||SELECT count(event.dst_port) as count, event.dst_port FROM 
  event, sensor WHERE event.sid = sensor.sid AND %%SENSORS%% AND event.timestamp > %%STARTTIME%% AND 
  event.timestamp < %%ENDTIME%% GROUP BY   event.dst_port order by count desc limit 10||2||}
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: PING
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: PING
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: PING
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}
  pid(22877)  Client Command Received: SendClientSensorStatusInfo
  pid(22877)  Sending sock14: SensorStatusUpdate {2 {home firewall snort {2008-10-31 01:36:58} 1}}