Sguil 0.9.0 scrolling problems


sfear...@gmail.com

Nov 10, 2014, 11:03:32 AM
to securit...@googlegroups.com
Posting here to see if others are having this problem after the upgrade to 0.9.0. I use SO in a virtual machine as the client for connecting to both server and standalone SO setups. Since the 0.9.0 upgrade I've noticed that scrolling through events in Sguil with the keyboard up/down arrow is very problematic.

For instance, if I start at the top, the event is both highlighted and has a box around it. If I use the down arrow to scroll to the next event, the highlight moves down and the box outline stays on the previous event. This is not the main problem though. Sometimes when I press the down arrow, the highlight box will arbitrarily skip the next event and instead jump 2 events. The highlighted event seems to be the active event, which I can verify by looking at one of the IP addresses in the main event panel and comparing them to the ones in the info panels on the lower left.

This is happening on my SO client when running it under both VirtualBox and VMware Player. I don't recall seeing this problem prior to the recent upgrade. It's really slowed my ability to handle events down substantially since I now have to rely on the mouse to click events. Unfortunately I have to deal with many events in our environment so that compounds the problem.

Thanks for any info,
Scott F.

Doug Burks

Nov 10, 2014, 1:00:13 PM
to securit...@googlegroups.com
Hi Scott,

I think it's due to the "set nIndex" lines in sellib.tcl:
https://github.com/bammv/sguil/blob/33872caca6ce7e815efbda2bae3f87d9245354ae/client/lib/sellib.tcl

proc SelectUp {} {
    global CUR_SEL_PANE
    set listSize [$CUR_SEL_PANE(name) size]
    if { $listSize == 0 } { set ACTIVE_EVENT 0; return }
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    # Can't move up
    if { $selectedIndex == 0 } { return }
    set nIndex [expr $selectedIndex - 1]

<snip>

proc SelectDown {} {
    global CUR_SEL_PANE
    set listSize [$CUR_SEL_PANE(name) size]
    if { $listSize == 0 } { set ACTIVE_EVENT 0; return }
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    set nIndex [expr $selectedIndex + 1]

For both of the lines beginning with "set nIndex", if you remove the
-1 and +1 (and restart the Sguil client), it seems to work as
expected.

Perhaps Bamm can tell us if this is a proper fix or not.

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

sfear...@gmail.com

Nov 10, 2014, 4:04:28 PM
to securit...@googlegroups.com

Thanks Doug. That does fix the issue. I'll check back and see if we get further input on it.

Scott F.

Bamm Visscher

Nov 10, 2014, 10:43:23 PM
to securit...@googlegroups.com
Looks to be a change to how things work with the latest tablelist libs and may be able to get rid of the KeyUp/KeyDown helper code altogether. I'll do some testing and commit any changes. Thanks for the heads up.

Bamm
sguil - The Analyst Console for NSM
http://www.sguil.net

Doug Burks

Dec 2, 2014, 10:39:59 AM
to securit...@googlegroups.com
Published:
http://blog.securityonion.net/2014/12/new-sguil-client-resolves-issue.html
Last day to register for 3-Day Training Class in Augusta GA is 12/11!