Running the Sguil client on Windows


Shane Castle

Jun 29, 2015, 4:44:07 AM6/29/15
to securit...@googlegroups.com
After I wrote this, I realized I needed a disclaimer, so I am putting
this on the top. This solution uses ActiveTcl from ActiveState. THIS
SOFTWARE IS NOT FREE FOR BUSINESS USE. IF YOU USE IT FOR PRODUCTION
SYSTEMS YOU ARE REQUIRED TO BUY A LICENSE. This is one of the reasons
that Doug Burks does not recommend this solution. I am just a lazy
security dilettante working at home and not making any money from it, so
I can use this without any problems with my conscience.

Now back to the original post.

There are occasionally questions about how to run the Sguil client on
Windows, that is, how to use Sguil without having to be on the GUI
console of the Security Onion server. The answer that is usually given,
and that works best for most installations, is to install the Security
Onion packages (or the distributed ISO) on a real or virtual machine and
not run the Security Onion setup, but rather simply use the client
components, connecting via the network to your running NSM. This works
for most users, but for those who simply can't, and want another way,
access to all the web-based components such as Snorby, ELSA, and Squert
is fairly easy. The last stumbling stone is always the Sguil client.

This is a short explanation of how to run the Sguil client under
Windows. My version of Windows is still Win7, but these instructions
should work for anything except XP.

First, you must download the Sguil components and unzip (or untar) them
into a directory somewhere, where exactly is not that important. You get
the Sguil components here:

https://github.com/bammv/sguil/releases/tag/v0.9.0

BTW, thank you Bamm Visscher for all your work on Sguil.

Second, you must install a TCL interpreter on Windows. There are
currently two general versions available, 8.5 and 8.6. Use 8.5. THIS IS
IMPORTANT. The client will not work with 8.6, it seems. The only TCL
that is available for Windows seems to be the one from ActiveState, and
is available here:

https://www.activestate.com/activetcl/downloads

(See disclaimer above.)
Notice there are two versions and two flavors of each of those, 32-bit
(x86) and 64-bit. (There is also a Mac OS X version for the adventurous.)
Download and install the flavor of Tcl 8.5 that works best on your
Windows (mine is 64-bit). Unless you specify differently, your TCL will be
installed in "C:\Tcl" and you will get your PATH changed to include the
correct directories.

As installed, ActiveTcl won't run the Sguil client just yet. There is a
utility named "teacup" included with ActiveTcl that will update it so
that it will. Open a command window and run "teacup update". This will
download and install lots of components, some of which are needed by the
Sguil client. It will take a while, probably 10 to 20 minutes, even if
you have a fast Internet connection.

You can probably run the client now but we need to make some changes to
the sguil.conf file included in the client directory first. In the
downloaded Sguil hierarchy there is a client directory, just under
sguil-0.9.0, and it should contain a directory named "lib" and two
files, "sguil.tk" (the client code) and "sguil.conf", the file we need
to modify. Open "sguil.conf" using Notepad. Here are the lines we need
to change, using Notepad:

set WIRESHARK_PATH
set WIRESHARK_STORE_DIR
set BROWSER_PATH

If you have GPG installed:

set GPG_PATH

And, you will need to customize the email settings appropriately if you
want to send email from your Sguil client.

Here are those lines in my sguil.conf:

set WIRESHARK_PATH "c:/progra~1/wireshark/wireshark.exe"
set WIRESHARK_STORE_DIR "c:/tmp"
set BROWSER_PATH "c:/progra~1/mozill~1/firefox.exe"
set GPG_PATH "c:/progra~2/gnu/gnupg/gpg2.exe"

I also made a few other customizations that are purely cosmetic and
convenient for me, such as turning off the external DNS and setting DNS
lookups on by default.

Finally, you need to associate the sguil.tk client with the ActiveTcl
"wish.exe" program. Right-click the sguil.tk file in the directory
listing, select the General tab, and on the "Opens with:" line, click
"Change" and browse to where the Wish application is installed:
"C:\Tcl\bin\wish.exe".

Now simply double-clicking the sguil.tk file should launch the client.

I don't think I left anything out. I know that Doug does not approve of
this solution, and sometimes it won't work owing to various problems
with ActiveTcl. He won't support it, and I don't blame him at all. The
way he advocates should always work.

And finally: this works for me, right now. Tomorrow it may not. Your
mileage may vary. Good luck!

--
Mit besten Grüßen
Shane Castle
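The sguil.conf edits in the post above are the step that most often goes wrong on Windows, because the values are Tcl strings: inside double quotes Tcl treats "\t" as a tab, so "c:\tmp" silently becomes "c:<TAB>mp", and a path with spaces in it needs the 8.3 short names the post uses (progra~1). The following checker is an added example, not part of the post or of Sguil itself. It assumes the four path variables the post names, reads Tcl "set NAME value" lines, and reports values that would be mangled; the sample config embedded in it is constructed for the example, with one backslash path and one path containing spaces deliberately left in.

```python
import os
import re

# The sguil.conf variables that hold Windows paths, as named in the post.
PATH_KEYS = ("WIRESHARK_PATH", "WIRESHARK_STORE_DIR", "BROWSER_PATH", "GPG_PATH")

# Matches a Tcl `set NAME "value"` or `set NAME value` line.
SET_RE = re.compile(r'^\s*set\s+(\w+)\s+(?:"([^"]*)"|(\S+))\s*$')

# Constructed sample sguil.conf (not the post's file): two of the four
# values are written the way people commonly get them wrong on Windows.
SAMPLE_CONF = r'''
# constructed sample modelled on the post's settings
set WIRESHARK_PATH "c:/progra~1/wireshark/wireshark.exe"
set WIRESHARK_STORE_DIR "c:\tmp"
set BROWSER_PATH "c:/Program Files/Mozilla Firefox/firefox.exe"
set GPG_PATH "c:/progra~2/gnu/gnupg/gpg2.exe"
set EXT_DNS 0
'''


def parse_sguil_conf(text):
    """Return {name: value} for every `set` line, skipping blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SET_RE.match(line)
        if m:
            # group 2 is the quoted form, group 3 the bare-word form
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings


def check_windows_paths(settings, check_exists=False):
    """Flag path values that Tcl quoting or the client will mishandle on Windows.

    Returns a list of (variable, problem) tuples in PATH_KEYS order:
      "missing"   - the variable is not set at all
      "backslash" - Tcl double-quote escapes (\t, \n, ...) will rewrite the path
      "space"     - spaces in the path; use 8.3 short names (progra~1) instead
      "not-found" - only with check_exists=True: the path does not exist on disk
    """
    findings = []
    for key in PATH_KEYS:
        if key not in settings:
            findings.append((key, "missing"))
            continue
        value = settings[key]
        if "\\" in value:
            findings.append((key, "backslash"))
        if " " in value:
            findings.append((key, "space"))
        if check_exists and not os.path.exists(value):
            findings.append((key, "not-found"))
    return findings


def check_file(path, check_exists=True):
    """Convenience wrapper: check a real sguil.conf on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_windows_paths(parse_sguil_conf(fh.read()), check_exists)


if __name__ == "__main__":
    for var, problem in check_windows_paths(parse_sguil_conf(SAMPLE_CONF)):
        print(f"{var}: {problem}")
```

Run it as `python check_sguil_conf.py` to see the two problems in the sample, or call `check_file("C:/path/to/sguil.conf")` on the real client directory; on Windows the existence check also confirms that wireshark.exe, the browser and gpg2.exe are where the config says they are.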

Hassan Faizan

Jun 1, 2018, 6:11:26 AM6/1/18
to security-onion
Hi,
I am having a problem with launching the Sguil client.
Here is the screenshot attached.
Please reply soon.
ERROR.png

Wes Lambert

Jun 1, 2018, 7:54:27 AM6/1/18
to securit...@googlegroups.com
You may want to consider an analyst VM as an alternative:


Thanks,
Wes




