Sguil: renaming a sensor
This might be a no-brainer for some, but today I wanted to rename a sensor in Sguil, and decided to write the steps down.
Preparation
- backup the db
- stop sancp on the sensor
- stop barnyard on the sensor
- stop sensor_agent on the sensor
- stop snort on the sensor
- stop log_packets on the sensor
- stop sguild on the server
Steps on the Sguil server
Update the sensor name in the database.
# mysql -p
mysql> use sguildb;
mysql> UPDATE sensor SET hostname = "newname" WHERE hostname = "oldname";
Query OK, 1 row affected (0.04 sec)
Rows matched: 1  Changed: 1  Warnings: 0
Rename the directory for the rules display
mv /sguild_data/rules/oldname /sguild_data/rules/newname
Steps on the sensor
Change the hostname in /etc/sensor_agent.conf
set HOSTNAME newname
Change the hostname in /etc/barnyard/barnyard.conf
config hostname: newname
Change the hostname in /usr/sbin/log_packets.sh
HOSTNAME="newname"
Change the directory where sancp writes its files (on my Debian system this is set in /etc/default/sancp)
SANCP_ARCHIVE_DIR="/snort_data/newname/sancp"
Change the Snort perfmonitor stats file location in /etc/snort/snort.conf
preprocessor perfmonitor: time 300 file /snort_data/newname/snort.stats pktcnt 10000
Rename the sensor directory
mv /snort_data/oldname /snort_data/newname
Finally
- start sguild on the server
- start log_packets.sh on the sensor
- start sancp on the sensor
- start snort on the sensor
- start sensor_agent on the sensor
- start barnyard on the sensor
That should be all!
UPDATE: forgot about sancp, snort stats and log_packets.sh