<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.sguil.general">
    <title>gmane.comp.security.sguil.general</title>
    <link>http://blog.gmane.org/gmane.comp.security.sguil.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2424"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2421"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2416"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2414"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2406"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2400"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2399"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2391"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2389"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2384"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2380"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2369"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2368"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2351"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2340"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2336"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2335"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2332"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2331"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.sguil.general/2320"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2424">
    <title>SGUIL Sancp Issue on Agent Status Tab</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2424</link>
    <description>&lt;pre&gt;We're in the process of migrating to SGUIL 0.8.x and we're running into an
issue where Sancp presents a date that has passed under the "Last" column
in the Agent Status tab. Do I have to recompile Sancp in a specific manner
or is there another solution to that issue?
_______________________________________________
Sguil-users mailing list
Sguil-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f&amp;lt; at &amp;gt;public.gmane.org
https://lists.sourceforge.net/lists/listinfo/sguil-users
&lt;/pre&gt;</description>
    <dc:creator>Rene Borges</dc:creator>
    <dc:date>2012-05-22T17:48:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2421">
    <title>sguil client, most current event in the group visible, how?</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2421</link>
    <description>&lt;pre&gt;Hi Bamm, all
Bamm, I see in the Event Group "only" the first event and not the newest.
So it is hard to find out which current event has just been received (Client).
How can I guarantee that the most current events are always visible (Event Group and single Event)?

Thanks for your time and help.

Stefan
&lt;/pre&gt;</description>
    <dc:creator>Stefan Sabolowitsch</dc:creator>
    <dc:date>2012-05-02T17:15:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2416">
    <title>New interesting problem with tcpflow-1.2.3</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2416</link>
    <description>&lt;pre&gt;So I'm standing up a new sguild server and I was grabbing tcpflow from
http://afflib.org/downloads/tcpflow.tar.gz.  Right now when that comes
down it's version 1.2.3.  It compiles like normal and installs and
runs fine, but the xcript doesn't seem to be able to use it when
pulling down transcripts/pcaps/etc.

I was able to roll back to the 1.1.0 version (tarball from the other
server) and it began to work like normal.

The afflib site lists 1.1.0 as the latest, but 1.2.3 is what comes down.
&lt;/pre&gt;</description>
    <dc:creator>Jeremy Hoel</dc:creator>
    <dc:date>2012-04-04T20:45:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2414">
    <title>Sguil-0.8.0 client Wireshark TMP dir error</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2414</link>
    <description>&lt;pre&gt;Hello Everyone,
I'm upgrading from sguil 7 to sguil 8 and so far so good.  I've run
into a snag with the sguil 8 client and wireshark.  The situation is
when I try to pull the pcap data with wireshark,  I get an error
"Permission Denied" to C:\tmp  or it never returns any errors.  It's
the strangest thing because the directory is there and worked fine
with the sguil 7 client.  I've even changed the directory to a new
folder and completely opened up the security permissions for that
folder and I still get the same errors.  Using the transcripts options
works fine and I can see the raw packet on the archive folder.

Has anyone else experienced this problem?  If so, how do you fix it?

Thanks
-Leo
&lt;/pre&gt;</description>
    <dc:creator>LIONEL PLAZA</dc:creator>
    <dc:date>2012-03-21T17:20:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2406">
    <title>What's log_packets.sh for?</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2406</link>
    <description>&lt;pre&gt;Hi guys,

I don't really know what the function of log_packets.sh in
sguil-sensor is. What does this script do exactly? Why do you need to add
it to cron in order to run it periodically?

Thanks in advance,

Kindly

Paul
&lt;/pre&gt;</description>
    <dc:creator>Paul Marin</dc:creator>
    <dc:date>2012-02-28T20:59:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2400">
    <title>Request for pcap already in queue. Pls try again later</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2400</link>
    <description>&lt;pre&gt;Hi Guys...

I tried to export an alert's full session to Wireshark and it never showed
it. Then I tried it again and the sguil client showed me the following
message: "Request for pcap already in queue. Pls try again later"

After that I tried to export the full session again several times and I
still got the same message.

How can I fix this? I have already tried restarting the sguil-sensor
agents as well as sguild and I am still getting the same message. What else
should I check?

Kindly,

Paul
&lt;/pre&gt;</description>
    <dc:creator>Paul Marin</dc:creator>
    <dc:date>2012-02-23T21:12:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2399">
    <title>Sguil 0.8 on RHEL 6 setup guide available</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2399</link>
    <description>&lt;pre&gt;Hi All,

I have published my setup guide here for those who are interested in
building a Snort-Sguil IDS on RedHat/CentOS systems:
http://jamieyu.com/snort-sguil-ids/

If you have questions, please post it back to this mailing list. I think
you'll get much better help here.

Thanks Bamm, for your great work on Sguil!

Regards,
Jamie
&lt;/pre&gt;</description>
    <dc:creator>Jamie Yu</dc:creator>
    <dc:date>2012-02-21T22:58:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2391">
    <title>SANCP and Sguil</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2391</link>
    <description>&lt;pre&gt;Hi guys,

I am running sancp 1.6.1 and it has been set up to run in conjunction
with sguil 0.8.0. I installed sancp from source and followed the
instructions at http://nsmwiki.org/Sguil_on_RedHat_HOWTO#SANCP

I can see the sancp data being generated and also being saved into the
DB by sancp_agent.

I know that SANCP is used for recording TCP sessions but I don't know
where this data can be seen through the sguil client.

Sincerely, I don't see clearly the role of sancp in sguil since there is
already a transcript function being done by pcap_agent through which you
can have access to the TCP sessions.

I have also noticed that there is a tool called cxtracker that can
replace sancp. Do you guys recommend doing this? What are the advantages?

Thanks in advance for your help,

Kindly,

Paul
&lt;/pre&gt;</description>
    <dc:creator>Paul Marin</dc:creator>
    <dc:date>2012-02-06T21:59:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2389">
    <title>CC field in client doesn't seem to work well</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2389</link>
    <description>&lt;pre&gt;We did some testing this morning and if you do a Report -&amp;gt; Send Event
Detail via E-mail  and enter some addresses in the CC field, those do
not get sent.

Is there an open bug tracker somewhere to add these, or is this list
the best place?
&lt;/pre&gt;</description>
    <dc:creator>Jeremy Hoel</dc:creator>
    <dc:date>2012-02-03T16:19:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2384">
    <title>icmphdr tables</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2384</link>
    <description>&lt;pre&gt;What's supposed to feed information into this set of tables?  From the
name it's icmp data, but all the sancp stuff goes to the sancp tables.
 Is this supposed to be filled from portscan data?  Mine seem to be
empty.
&lt;/pre&gt;</description>
    <dc:creator>Jeremy Hoel</dc:creator>
    <dc:date>2012-01-31T15:10:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2380">
    <title>Need help - pads not working on RHEL 6 64-bit server</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2380</link>
    <description>&lt;pre&gt;Hi All,

I hope to get some help with a pads issue I'm running into. I can't get it to
work on RHEL 6 64-bit server. I got Sguil 8 working, all except pads on
sensor.

Download source pads-1.2-sguil-mods.tar.gz from:
http://demo.sguil.net/downloads/ (This website is not opening, I had a copy
downloaded from the same website back in 2008, so I'm using that copy).

Download pads.patch from: http://www.vorant.com/downloads.html

Patch and compile:

patch -p0 &amp;lt; ./pads.patch
./configure --prefix=/usr/local/pads-1.2-squil-mods
make
make install

Create symbolic links:

ln -s /usr/local/pads-1.2-squil-mods /usr/local/pads
ln -s /usr/local/pads/bin/pads /usr/local/bin/

Create /etc/sguil/pads.conf as following:

daemon 1
pid_file /var/run/sguil/pads.pid
interface eth1
network 192.168.1.0/24
output fifo: /nsm/snort_data/mysensor/pads.fifo

Run pads:

/usr/local/bin/pads -c /etc/sguil/pads.conf -u sguil -g sguil

Here's the error info in /var/log/messages (tried twice):

Jan  22 10:49:50 SENSOR pads: WARNING:  pcap_lookupnet (eth1: no IPv4
address assigned)

Jan  22 10:49:50 SENSOR pads: Filter:  (null)

Jan  22 10:49:50 SENSOR pads: Listening on interface eth1

Jan  22 10:49:50 SENSOR kernel: pads[7701]: segfault at 85356d8 ip
00000000004044be sp 00007fff216fc248 error 4 in pads[400000+d000]

Jan  22 11:09:18 SENSOR pads: WARNING:  pcap_lookupnet (eth1: no IPv4
address assigned)

Jan  22 11:09:18 SENSOR pads: Filter:  (null)

Jan  22 11:09:18 SENSOR pads: Listening on interface eth1

Jan  22 11:09:18 SENSOR kernel: pads[7773]: segfault at cb3226d8 ip
0000003c8ec47a67 sp 00007fff715c9680 error 4 in libc-2.12.so
[3c8ec00000+186000]


I have re-compiled again, but still getting segfault error. Any suggestions?

Thanks.

Jamie
&lt;/pre&gt;</description>
    <dc:creator>Jamie Yu</dc:creator>
    <dc:date>2012-01-30T21:34:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2369">
    <title>[sguil-users] sguil server 64 bit installation</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2369</link>
    <description>&lt;pre&gt;Hello Everyone,

Gathering information from the net I've developed a script to auto
install all the packages conf files, for sensors running on 32 and 64
bit platforms.  Currently I've deployed over 15 sensors and all are
feeding our existing sguil server just fine.

Unfortunately, our sguil server is having some hardware issues and
needs to be replaced.  I've assigned a colleague of mine with the task
of rebuilding the sguil server as a 64 bit OS.  For starters can this
be implemented as a 64 bit OS?  One of the problems we are running
into is threading being enabled in tcl. I had similar trouble with the
sensors, but found this site that helped me get past the error.

http://synfulpacket.blogspot.com/2006/10/sguil-and-tclfinalizenotifier-notifier.html

Any assistance would be great.

Thanks
-Leo
&lt;/pre&gt;</description>
    <dc:creator>LIONEL PLAZA</dc:creator>
    <dc:date>2012-01-27T18:13:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2368">
    <title>best practice questions</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2368</link>
    <description>&lt;pre&gt;So the question I have is around how often you start some of the bits of sguil.

1 - If you do sguil-db archiving/dumping after x days, is anyone doing
this daily, or weekly?
2 - the snort and pcap agents seem to stop updating the Agent Stats
after a period of time (or maybe a number of sguild restarts). So
right now I have those set to restart daily. Anyone else experienced
this?
3 - Transcripts and wireshark dumps seem to work on and off, but when
they break they work again after a sguild and pcap agent restart.  So
basically I've restarted the agents at night for this reason too.

Is anyone else having issues like this, or maybe it's the 30+ sensors
I have going to one server?
&lt;/pre&gt;</description>
    <dc:creator>Jeremy Hoel</dc:creator>
    <dc:date>2012-01-18T17:13:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2351">
    <title>Interesting discrepancy</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2351</link>
    <description>&lt;pre&gt;So...as I've been looking at the new normalize_javascript, I came
across this.  From the .fast file:

08:24:36  [120:9:1] (http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS
1 [**] [Classification: Unknown Traffic] [Priority: 3] {TCP}
209.191.96.100:80 -&amp;gt; bleh:19484

However, from my sguil console I see:

------------------------------------------------------------------------
Count:1 Event#3.15953 2012-01-11 08:24:36
http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 2
209.191.96.100 -&amp;gt; extrableh
IPVer=4 hlen=5 tos=0 dlen=1440 ID=26562 flags=2 offset=0 ttl=57
chksum=38989
Protocol: 6 sport=80 -&amp;gt; dport=19484

Seq=1441839808 Ack=1461174013 Off=5 Res=0 Flags=***A**** Win=6432
urp=22820 chksum=0
Payload:
20 70 72 6F 70 65 72 74 79 3D 22 6F 67 3A 64 65  property="og:de
&amp;lt;snip&amp;gt;

So now I'm curious...is this level exceeds 1, or level exceeds 2?  Where
should I go to try and discover why the fast file and sguil info differ?
Thanks for any insights.

James
&lt;/pre&gt;</description>
    <dc:creator>Lay, James</dc:creator>
    <dc:date>2012-01-11T15:48:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2340">
    <title>Transcript problems - No matching log files</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2340</link>
    <description>&lt;pre&gt;Hi guys,

I am running sguil 0.8.0 both server and sensor on Ubuntu Server 10.04
LTS 32-bit. I have installed sguil from source following the INSTALL
file instructions included in the tar ball.

Both sensor and server time are configured to GMT. You can also see the
alerts being sent from the sensor to the server without problems.
However, when you use the transcript feature on any alert, the client
shows you the following error: "No matching log files".

Let's see sguild's debug output when a transcript request is made:

2012-01-10 17:26:34 pid(17313)  Client Command Received: XscriptRequest
sensor-01 1 .sensor-01_11 {2012-01-10 17:25:11} S.S.S.S 80 C.C.C.C 2543 0
2012-01-10 17:26:34 pid(17313)  Sending sensor-01: RawDataRequest 5
sensor-01 2012-01-10 17:25:11 S.S.S.S C.C.C.C 2543 6
C.C.C.C:2543_S.S.S.S:80-6.raw xscript
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {Raw data request sent to sensor-01.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5
{Making a list of local log files.}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {Making a list of local log files.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5
{Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {Looking in /nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5
{Making a list of local log files in
/nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {Making a list of local log files in
/nsm_data/sensor-01/dailylogs/2012-01-10.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5 {No
matching log files.}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {No matching log files.}
2012-01-10 17:26:34 pid(17313)  Sensor Data Rcvd: XscriptDebugMsg 5 {}
2012-01-10 17:26:34 pid(17313)  Sending sock18: XscriptDebugMsg
.sensor-01_11 {}

If you list the files inside /nsm_data/sensor-01/dailylogs/2012-01-10
you'll see:

root&amp;lt; at &amp;gt;sensor-01:/nsm_data/sensor-01/dailylogs/2012-01-10# ls -l
total 660320
-rw------- 1 root root 134216351 2012-01-10 17:22 snort.log.1326215636
-rw------- 1 root root 134216934 2012-01-10 17:23 snort.log.1326216162
-rw------- 1 root root 134217178 2012-01-10 17:24 snort.log.1326216201
-rw------- 1 root root 134217536 2012-01-10 17:24 snort.log.1326216246
-rw------- 1 root root 134216849 2012-01-10 17:25 snort.log.1326216290
-rw------- 1 root root   5077741 2012-01-10 17:25 snort.log.1326216333

The date 2012-01-10 17:25:11 converted to unixtime results in: 1326216238

As you can see, there is no file with that date in the directory and I
don't know how sguild does the file search.

I'd really appreciate if you guys could help me out here.

Thanks in advance.

Kindly,

Paul
&lt;/pre&gt;</description>
    <dc:creator>Paul Marin</dc:creator>
    <dc:date>2012-01-10T18:58:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2336">
    <title>Session reconstruction / Sguil</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2336</link>
    <description>&lt;pre&gt;Hello,

I heard that Sguil does support session reconstruction to some extent. Does
it also do the following:


- present the actual text of an email, as well as any attachments, exactly
as it was sent
- collect network traffic and reassemble it in its native session-based
format, enabling users to quickly and easily make business decisions
based on the service it was providing
- display bi-directional instant messaging communications allowing full
session reconstruction as the end user sees it.



Thank you for any feedback!


Bill
&lt;/pre&gt;</description>
    <dc:creator>bill evergreen</dc:creator>
    <dc:date>2011-12-23T08:35:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2335">
    <title>extract user downloads from tracefiles</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2335</link>
    <description>&lt;pre&gt;Hello,

Is there a way to extract downloaded files from trace files (pcap) in their
native format with the appropriate file extensions?

Thank you!
&lt;/pre&gt;</description>
    <dc:creator>bill evergreen</dc:creator>
    <dc:date>2011-12-23T08:33:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2332">
    <title>Installing sguil 0.8.0 on Windows 7 client</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2332</link>
    <description>&lt;pre&gt;Hello,

I'm running Windows 7 Pro, and I'm trying to get the sguil 0.8.0 client running on it.  I followed the instructions provided by this link, http://taosecurity.blogspot.com/2003/07/want-to-become-f8-monkey-my-friend.html.  However they didn't work for me.  When I click on sguil.tk, nothing happens.

Has anyone gotten this to work?

Thanks

David Lynum
IT Support Lead, Wholesale Applications Community (WAC)
Desk:    +1 (925) 201-8520
Email: david.lynum-n2cvkwpcAxXR7s880joybQ&amp;lt; at &amp;gt;public.gmane.org&amp;lt;mailto:david.lynum-n2cvkwpcAxXR7s880joybQ&amp;lt; at &amp;gt;public.gmane.org&amp;gt;

6210 Stoneridge Mall, Road Suite 400 Pleasanton, CA  94588
www.wacapps.net&amp;lt;http://www.wacapps.net/&amp;gt;
&lt;/pre&gt;</description>
    <dc:creator>David Lynum</dc:creator>
    <dc:date>2011-12-08T20:02:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2331">
    <title>sguil raw transfer queue</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2331</link>
    <description>&lt;pre&gt;So once you start to transfer a transcript/wireshark, if that gets
interrupted or there is a delay, does that stop any other files from
being transferred?  It seems if I get a delay/error in transferring
then nothing seems to work until I restart sguild.

Is there some cool way to clear/flush the cache/queue log in order to
help transfers work again?
&lt;/pre&gt;</description>
    <dc:creator>Jeremy Hoel</dc:creator>
    <dc:date>2011-11-30T19:58:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2320">
    <title>Restarting sguild syslog messages</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2320</link>
    <description>&lt;pre&gt;When I restart sguild (the server bit) I see a LOT of messages in
/var/log/messages on the sguil server about "Archived Alert" and it
seems to be going through and listing all the alerts that got F8'd.
Is this normal or is there a job I should set up to allow this to
happen in the background so that if sguil gets restarted it doesn't
take that long to restart?

I don't see any config option in the server config to require this or
change this from happening.

Thanks!
&lt;/pre&gt;</description>
    <dc:creator>Jeremy Hoel</dc:creator>
    <dc:date>2011-11-29T19:03:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.sguil.general/2319">
    <title>Error with packet data</title>
    <link>http://comments.gmane.org/gmane.comp.security.sguil.general/2319</link>
    <description>&lt;pre&gt;Suddenly I'm starting to see the below when running sguild getting ICMP
packet data:

2011-11-29 15:24:29 pid(9992)  sock21 added to clientList
Error: mysqlsel/db server: Can't open file:
'./sguildb/icmphdr_External_20111125.frm' (errno: 24)
mysqlsel/db server: Can't open file:
'./sguildb/icmphdr_External_20111125.frm' (errno: 24)
    while executing
"mysqlsel $MAIN_DB_SOCKETID $query -flatlist"
    (procedure "FlatDBQuery" line 5)
    invoked from within
"FlatDBQuery $query"
    (procedure "GetIcmpData" line 4)
    invoked from within
"$clientCmd $socketID [lindex $data 1] [lindex $data 2] "
    ("GetIcmpData" arm line 1)
    invoked from within
"switch -exact $clientCmd {

      DeleteEventIDList   { $clientCmd $socketID [lindex $data 1]
[lindex $data 2] [lindex $data 3] }

      EventHistoryR..."
    (procedure "ClientCmdRcvd" line 46)
    invoked from within
"ClientCmdRcvd sock21"
SGUILD: killing child procs...
SGUILD: Exiting...

Anyone see anything like this?  Been working fine for a few months
now...sguil version is the latest 0.8.0.

Thanks,

James
&lt;/pre&gt;</description>
    <dc:creator>Lay, James</dc:creator>
    <dc:date>2011-11-29T15:27:14</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.sguil.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.sguil.general</link>
  </textinput>
</rdf:RDF>

