2013-02-24

Recently I tried interacting with one of my lab Security Onion sensors running the Suricata IDS. I found the Sguil server was taking a really long time to offer services on port 7734 TCP. Since I hadn't worked with this lab system in a while, I guessed that there might be too many uncategorized events in the Sguil database. I dusted off an old blog post titled More Snort and Sguil Tuning from 2006 and took a look at the system.

First I stopped the NSM applications on the server.

Next I ran a query to look for the top uncategorized events.

Wow, that's a lot of SURICATA STREAM events. I need to categorize them as non-issues to recover the Sguil server.

Let's see what the database thinks now.

That's much better.

Before restarting the NSM services, I edit the autocat.conf file to add the following.

This will auto-categorize any SURICATA STREAM alerts as non-issues as they arrive. I want to keep adding these events to the database for testing purposes, but I don't want to see them in the console.
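As an added example (not code from the post, and not Sguil's own tooling), the following Python stands in for the three steps above: the "top uncategorized events" query, the bulk re-categorization of SURICATA STREAM events, and an autocat.conf rule that would catch the same alerts in future. It uses an in-memory sqlite3 table with constructed rows, so it runs offline; the column names (signature, status, last_modified, last_uid) are assumed to follow the sguildb event table, the status values (0 = real-time, 1 = NA) are assumed from the Sguil client, and the nine-field autocat line with the %%REGEXP%% prefix follows the layout documented in Sguil's autocat.conf. On a real sensor the same SQL would run against MySQL, with the NSM services stopped first as the post describes.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Sguil status codes as used by the Sguil client (assumption for this example):
# 0 = real-time / uncategorized, 1 = NA (no action required).
STATUS_RT = 0
STATUS_NA = 1

# Hypothetical autocat.conf rule in the documented field layout:
# <erase time>||<sensor>||<src_ip>||<src_port>||<dst_ip>||<dst_port>||<proto>||<sig msg>||<status>
AUTOCAT_RULE = "none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^SURICATA STREAM||1"

# Constructed alert mix: (signature, how many uncategorized copies sit in the DB).
SAMPLE_ALERTS = [
    ("SURICATA STREAM 3way handshake with ack in wrong dir", 3000),
    ("SURICATA STREAM ESTABLISHED packet out of window", 1200),
    ("ET POLICY Dropbox Client Broadcasting", 40),
    ("ET SCAN Potential SSH Scan", 10),
]


def open_sample_db():
    """Build an in-memory stand-in for sguildb's event table holding the sample alerts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE event (
               sid INTEGER, cid INTEGER, signature TEXT, status INTEGER,
               last_modified TEXT, last_uid TEXT)"""
    )
    cid = 0
    for signature, count in SAMPLE_ALERTS:
        for _ in range(count):
            cid += 1
            db.execute(
                "INSERT INTO event VALUES (1, ?, ?, ?, NULL, NULL)",
                (cid, signature, STATUS_RT),
            )
    db.commit()
    return db


def top_uncategorized(db, limit=10):
    """Return [(count, signature), ...] for real-time (uncategorized) events, busiest first."""
    return db.execute(
        """SELECT COUNT(*) AS n, signature FROM event
           WHERE status = ? GROUP BY signature ORDER BY n DESC LIMIT ?""",
        (STATUS_RT, limit),
    ).fetchall()


def categorize_na(db, signature_prefix):
    """Bulk-mark uncategorized events whose signature starts with the prefix as NA.
    Returns the number of rows changed, so the operator can sanity-check the effect."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    cur = db.execute(
        """UPDATE event SET status = ?, last_modified = ?, last_uid = 'sguil'
           WHERE status = ? AND signature LIKE ?""",
        (STATUS_NA, now, STATUS_RT, signature_prefix + "%"),
    )
    db.commit()
    return cur.rowcount


def parse_autocat_rule(line):
    """Split one autocat.conf line into its nine named fields."""
    fields = line.strip().split("||")
    if len(fields) != 9:
        raise ValueError("autocat rule must have 9 ||-separated fields")
    keys = ["erase_time", "sensor", "src_ip", "src_port",
            "dst_ip", "dst_port", "proto", "sig_msg", "status"]
    rule = dict(zip(keys, fields))
    rule["status"] = int(rule["status"])
    return rule


def rule_matches_signature(rule, signature):
    """Apply the rule's <sig msg> field: ANY, exact text, or a %%REGEXP%%-prefixed pattern."""
    pattern = rule["sig_msg"]
    if pattern == "ANY":
        return True
    if pattern.startswith("%%REGEXP%%"):
        return re.search(pattern[len("%%REGEXP%%"):], signature) is not None
    return pattern == signature


if __name__ == "__main__":
    db = open_sample_db()
    print("before:", top_uncategorized(db))
    print("changed:", categorize_na(db, "SURICATA STREAM"))
    print("after:", top_uncategorized(db))
    rule = parse_autocat_rule(AUTOCAT_RULE)
    for sig, _ in SAMPLE_ALERTS:
        print(rule_matches_signature(rule, sig), sig)
```

The query and the update are deliberately the same shape: whatever signature dominates the top-N list is what the LIKE prefix in the update (and the anchored regex in the autocat rule) should match, and the returned row count should agree with the count the query reported before the change.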

Now I restart the NSM services.

I check to see if port 7734 TCP is listening.

Now the Sguil server is listening. I can connect with a Sguil client, even the 64-bit Windows .exe that I just found this morning. Check it out at sourceforge.net/projects/sguil/


Copyright 2003-2012 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
