Sguil: renaming a sensor

Posted on Sep 8, 2006

This might be a no-brainer for some, but today I wanted to rename a sensor in Sguil, and decided to write the steps down.

Preparation

  1. backup the db
  2. stop sancp on the sensor
  3. stop barnyard on the sensor
  4. stop sensor_agent on the sensor
  5. stop snort on the sensor
  6. stop log_packets on the sensor
  7. stop sguild on the server

Steps on the Sguil server

Update the sensor name in the database.

# mysql -p
mysql> use sguildb;
mysql> UPDATE sensor SET hostname = "newname" WHERE hostname = "oldname";
Query OK, 1 row affected (0.04 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Rename the directory for the rules display

mv /sguild_data/rules/oldname /sguild_data/rules/newname

Steps on the sensor

Change the hostname in /etc/sensor_agent.conf

set HOSTNAME newname

Change the hostname in /etc/barnyard/barnyard.conf

config hostname: newname

Change the hostname in /usr/sbin/log_packets.sh

HOSTNAME="newname"

Change the directory where sancp writes its files; on my Debian system this is set in /etc/default/sancp

SANCP_ARCHIVE_DIR="/snort_data/newname/sancp"

Change the Snort perfmonitor stats file location in /etc/snort/snort.conf

preprocessor perfmonitor: time 300 file /snort_data/newname/snort.stats pktcnt 10000

Rename the sensor directory

mv /snort_data/oldname /snort_data/newname

Finally

  1. start sguild on the server
  2. start log_packets.sh on the sensor
  3. start sancp on the sensor
  4. start snort on the sensor
  5. start sensor_agent on the sensor
  6. start barnyard on the sensor

That should be all!
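As an added example (not part of the original post, and not a Sguil project script), here is a POSIX shell script that applies the sensor-side file edits and directory move listed above. It goes slightly beyond the post in two ways a practitioner wants: a pre-flight check that refuses to start unless every target file exists, the old sensor directory is present and the new one is absent (so the rename never ends half-done), and a stale-reference check afterwards that greps the config tree for the old name. The ROOT/DATA parameters, the function names and the make_sample_tree staging copy are assumptions so the script can be rehearsed on a throwaway tree before touching a live sensor; the database UPDATE and the service stop/start remain manual, as in the post.

```shell
#!/bin/sh
# Added example for the rename procedure above; not the post's own script.
# File paths follow the post; $root and $data are assumed parameters that let
# the same functions run against a staging copy instead of the live sensor.
set -eu

# Portable in-place sed (avoids the GNU/BSD "-i" difference).
edit_in_place() {
  file=$1; shift
  sed "$@" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Escape a sensor name for use inside a sed regex (hostnames may contain dots).
re_escape() { printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'; }

# Pre-flight: every target file must exist, the old data dir must exist and the
# new one must not, otherwise bail out before changing anything.
preflight() {
  old=$1; new=$2; root=$3; data=$4
  for f in etc/sensor_agent.conf etc/barnyard/barnyard.conf \
           usr/sbin/log_packets.sh etc/default/sancp etc/snort/snort.conf; do
    [ -f "$root/$f" ] || { echo "missing $root/$f" >&2; return 1; }
  done
  [ -d "$data/$old" ] || { echo "no sensor dir $data/$old" >&2; return 1; }
  [ ! -e "$data/$new" ] || { echo "$data/$new already exists" >&2; return 1; }
}

# The five sensor-side edits from the post, applied under $root.
rename_sensor_configs() {
  old=$(re_escape "$1"); new=$2; root=$3
  edit_in_place "$root/etc/sensor_agent.conf"     "s/^set HOSTNAME ${old}\$/set HOSTNAME ${new}/"
  edit_in_place "$root/etc/barnyard/barnyard.conf" "s/^config hostname: ${old}\$/config hostname: ${new}/"
  edit_in_place "$root/usr/sbin/log_packets.sh"   "s/^HOSTNAME=\"${old}\"/HOSTNAME=\"${new}\"/"
  # sancp archive dir and the perfmonitor stats file both embed /snort_data/<name>/
  edit_in_place "$root/etc/default/sancp"  "s#/snort_data/${old}/#/snort_data/${new}/#g"
  edit_in_place "$root/etc/snort/snort.conf" "s#/snort_data/${old}/#/snort_data/${new}/#g"
}

# mv /snort_data/oldname /snort_data/newname, with $data standing in for /snort_data
rename_sensor_dir() { mv "$3/$1" "$3/$2"; }

# List config files under $root that still mention the old name (empty = clean).
stale_refs() {
  grep -rlF -- "$1" "$2/etc" "$2/usr/sbin" 2>/dev/null || true
}

# Whole sensor-side procedure: check, edit configs, move the data directory.
rename_sensor() {
  preflight "$1" "$2" "$3" "$4"
  rename_sensor_configs "$1" "$2" "$3"
  rename_sensor_dir "$1" "$2" "$4"
}

# Constructed staging tree mirroring the files quoted in the post (sample input).
make_sample_tree() {
  root=$1
  mkdir -p "$root/etc/barnyard" "$root/etc/snort" "$root/etc/default" \
           "$root/usr/sbin" "$root/snort_data/oldname/sancp"
  echo 'set HOSTNAME oldname'                          > "$root/etc/sensor_agent.conf"
  echo 'config hostname: oldname'                      > "$root/etc/barnyard/barnyard.conf"
  echo 'HOSTNAME="oldname"'                            > "$root/usr/sbin/log_packets.sh"
  echo 'SANCP_ARCHIVE_DIR="/snort_data/oldname/sancp"' > "$root/etc/default/sancp"
  echo 'preprocessor perfmonitor: time 300 file /snort_data/oldname/snort.stats pktcnt 10000' \
                                                       > "$root/etc/snort/snort.conf"
}

# Rehearsal against a throwaway tree: sh rename_sensor.sh demo
if [ "${1:-}" = demo ]; then
  stage=$(mktemp -d)
  make_sample_tree "$stage"
  rename_sensor oldname newname "$stage" "$stage/snort_data"
  echo "files still mentioning oldname (should be none):"; stale_refs oldname "$stage"
  cat "$stage/etc/snort/snort.conf"
fi
```

On a live sensor the call would be `rename_sensor oldname newname / /snort_data`, run only after the services in the Preparation list are stopped; the pre-flight check is what makes a second accidental run harmless, since the old directory is gone and the new one exists.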

UPDATE: forgot about sancp, snort stats and log_packets.sh