modsec2sguil
============
Written by Victor Julien <victor@inliniac.net>


What is it?
-----------
It is a set of scripts that lets you feed ModSecurity alerts into
the Sguil NSM system. Currently it works by mimicking the way
barnyard interacts with Sguil.


Install/Usage
-------------

- Sguil Setup -

Set up a Sguil sensor_agent with a unique sensor name. Disable all
Snort-specific options like sessions, sancp and portscans. Start it
and make sure you see it online in the Sguil client.

- Apache setup -

The following assumes that Apache logs to /var/log/apache2/ and
that ModSecurity concurrent logging writes to /var/log/apache2/audit_log/data/

Step 1. Create the directory /var/log/apache2/audit_log/data/queue

Step 2. Put this in your Apache configuration::

    SecAuditLogType Concurrent
    SecAuditLogStorageDir /var/log/apache2/audit_log/data/
    SecAuditLog "|/path/to/modsec_queue.pl /var/log/apache2/audit_log/data/ /var/log/apache2/audit_log/index"
    SecAuditLogParts ABCDEFGHZ

Step 3. Restart Apache. You should see symbolic links appear in the
queue directory. Depending on your setup they might appear on simple
web server visits, or you might have to run a tool like nikto to trigger
events.

- Putting it together -

Next, use modsec_by.pl to connect to Sguil. It is run as follows::

    modsec_by.pl -n <sensorname> -l /var/log/apache2/audit_log/data/queue/

The script enters an endless loop in which it continuously checks for new
alert files in the queue directory. Press Ctrl-C to kill it.
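Each file in the queue directory is one ModSecurity 2.x audit log entry made up of the parts selected by SecAuditLogParts. As an added illustration (my own example, not part of modsec2sguil), the parser below extracts from such an entry the fields an NSM console like Sguil needs: the timestamp, source and destination addresses from part A, the request from part B, and the rule id, message and severity of every alert line in part H. The sample entry, its boundary, unique id and addresses are constructed.

```python
"""Parse a ModSecurity 2.x audit log entry into NSM-friendly fields."""
import re

# Constructed sample entry; boundary, id and addresses are made up.
SAMPLE = """--3f2a1b9c-A--
[10/Mar/2007:14:02:11 +0100] ReqId-EXAMPLE 192.0.2.10 51234 198.51.100.5 80
--3f2a1b9c-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.com
User-Agent: Nikto
--3f2a1b9c-F--
HTTP/1.1 403 Forbidden
--3f2a1b9c-H--
Message: Access denied with code 403 (phase 2). Pattern match "nikto" at REQUEST_HEADERS:User-Agent. [id "990002"] [msg "Request indicates an automated program explored the site"] [severity "NOTICE"]
--3f2a1b9c-Z--
"""

# Every part starts with a marker of the form --<boundary>-<letter>--
PART_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$', re.M)
# Part A: [timestamp] unique_id src_ip src_port dst_ip dst_port
A_RE = re.compile(r'^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$')
MSG_RE = re.compile(r'^Message: (.*)$', re.M)
TAG_RE = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')


def split_parts(text):
    """Return {part_letter: body}; reject entries without a closing Z part."""
    markers = list(PART_RE.finditer(text))
    if not markers or markers[-1].group(2) != 'Z':
        raise ValueError("incomplete audit log entry (no Z part)")
    boundary = markers[0].group(1)
    parts = {}
    for m, nxt in zip(markers, markers[1:] + [None]):
        if m.group(1) != boundary:
            raise ValueError("mixed boundaries in one entry")
        end = nxt.start() if nxt else len(text)
        parts[m.group(2)] = text[m.end():end].strip('\n')
    return parts


def parse_entry(text):
    """Extract connection tuple, request and per-rule alerts from one entry."""
    parts = split_parts(text)
    m = A_RE.match(parts.get('A', '').strip())
    if not m:
        raise ValueError("malformed or missing part A")
    ts, uid, src, sport, dst, dport = m.groups()
    alerts = []
    for line in MSG_RE.findall(parts.get('H', '')):
        tags = dict(TAG_RE.findall(line))  # only id/msg/severity are kept
        alerts.append({k: tags.get(k) for k in ('id', 'msg', 'severity')})
    return {'timestamp': ts, 'unique_id': uid, 'src_ip': src, 'src_port': int(sport),
            'dst_ip': dst, 'dst_port': int(dport), 'request': parts.get('B', ''),
            'alerts': alerts}
```

A file still being written by Apache has no Z part yet, which is why split_parts refuses it instead of emitting a half-parsed alert.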


Support
-------
Mail me at <victor@inliniac.net> or hop in #snort-gui at
irc.freenode.net. I'm using the nick VictorJ.


Future plans / known limitations
--------------------------------
- Better error checking.
- Test running as non-root.
- More docs.
- Sguil doesn't show the rule when 'show rule' is clicked.
- Improve the way Sguil displays the payload data.
- Think of a name for this little project ;-)


Special thanks to
-----------------
Ivan Ristic, Technical Director of Thinking Stone for releasing
modsec-auditlog-collector.pl as GPL. And for creating ModSecurity of course!

Bamm Visscher for answering my endless questions. Of course, Sguil rocks,
so thanks for that as well.
