Modsec2sguil is a Perl script that feeds ModSecurity alerts to Sguil, the Network Security Monitoring (NSM) system. The 0.7 release works as a drop-in replacement for Snort's barnyard. The new 0.8-devX release currently in testing works as a real agent, but it only supports Sguil 0.8.0.
There is some documentation in the tarball. Modsec2sguil is Open Source under the GPLv2 license. It was written by Victor Julien, but also contains some code copyrighted by Ivan Ristic.
For news, please check my blog at www.inliniac.net/blog/
- Update protocol string to reflect Sguil 0.7.0 stable release
- Support ModSecurity 2.5.x, thanks for the addition Ryan Cummings
- Catch errors in syslog so they will be non-fatal.
- Fix broken syslog level.
- Add syslog logging.
- Add option to log all transactions, not just alerts.
- Fix a bug where the agent would exit if the connection to the server was lost.
- Make sure alerts get prio 1-4, non-alerts prio 5.
- Clean up SguilAgent.pm rtgenevent function.
- Fix rule id being part of the event.
- Add option to send all http events to Sguil, even non-alerts.
- Fix missing RUNAS variable causing an error message.
- Add an option IGNORE_HTTP_CODES to the config, to optionally not treat certain HTTP codes as alerts, and thus not send them to Sguil.
- Fix PINGs sending duplicate \r\n
- Converted into a real agent for Sguil 0.7 (no more barnyard replacement)
- Agent can drop privileges
- Agent can daemonize
- Pinging the server is supported
- The agent reconnects to the server if the connection is lost
- Agent supports SSL for the connection to the server
- A sguil-compatible configuration file is now used
- A debug mode was added
- Add support for ModSecurity 2.x alerts.
- Fix wrong severity to prio conversion.