Wednesday, April 29, 2009

Sguil: Issue with Reverse DNS

I had an interesting issue with SGUIL. Interesting in the sense that the developer had no idea why I was having this issue, and could offer no insight. I had a rather “square peg, round hole” solution to fix it.

In version 0.7 of Sguil, the Reverse DNS option would not work on my machine, both with the External DNS option checked, and without it checked. In both instances I would get the following error:

The odd thing was this function worked just fine in previous versions of Sguil. So, to fix this, I went back to the IP address lookup used in the previous versions of Sguil. I edited the /sguilRoot/client/lib/extdata.tcl file to look like so:

# GetHostbyAddr: uses extended tcl (wishx) to get an ips hostname
# May move to a server func in the future
proc GetHostbyAddr { ip } {

    global EXT_DNS EXT_DNS_SERVER HOME_NET

    # Original tcllib dns-based lookup, left in place but commented out:
    #
    # if { $EXT_DNS } {
    #     if { ![info exists EXT_DNS_SERVER] } {
    #         ErrorMessage "An external name server has not been configured in sguil.conf. Resolution aborted."
    #         return
    #     } else {
    #         set nameserver $EXT_DNS_SERVER
    #         if { [info exists HOME_NET] } {
    #             # Loop thru HOME_NET. If ip matches any of the networks then use the locally configured
    #             # name server
    #             foreach homeNet $HOME_NET {
    #                 set netMask [ip::mask $homeNet]
    #                 if { [ip::equal ${ip}/${netMask} $homeNet] } { set nameserver local }
    #             }
    #         }
    #     }
    # } else {
    #     set nameserver local
    # }
    #
    # if { $nameserver == "local" } {
    #     set tok [dns::resolve $ip]
    # } else {
    #     set tok [dns::resolve $ip -nameserver $nameserver]
    # }
    #
    # set hostname [dns::name $tok]
    # dns::cleanup $tok
    # if { $hostname == "" } { set hostname "Unknown" }
    # return $hostname

    # Replacement: ask the OS resolver through the TclX host_info command
    # (the Tclx package must be loaded). Any lookup failure is caught and
    # reported as "Unknown".
    if { [catch {host_info official_name $ip} hostname] } {
        set hostname "Unknown"
    }
    return $hostname

}

This took care of my problem. My only guess is that there is something with the ActiveTCL implementation of the DNS library on Windows that prevented this from working. I am not sure what the advantage of using the DNS library instead of the TCLX host_info command is due to my lack of experience in TCL/TK.

But this does illustrate an important point. Since Sguil was written in a scripted, interpreted language (TCL/TK), making a change to my instance was trivial. Edit a file, and I had my issue resolved. Had this been in a compiled language, I would have had to either compile the source, which would have taken more time, or go back to the developer, submit a bug fix, and wait. In this case, it is fortunate that the tool was not developed that way.
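One thing the host_info workaround drops is the HOME_NET split in the commented-out code: the original proc sends lookups of addresses outside HOME_NET to EXT_DNS_SERVER, while host_info sends every query to the OS resolver. The following is an added example (my code, not Sguil's extdata.tcl) that keeps that split, waits explicitly for the tcllib dns request to finish (the vwait point raised in the comments below) and uses host_info only for the local path; the EXT_DNS, EXT_DNS_SERVER and HOME_NET values are placeholders standing in for sguil.conf, and InHomeNet is a hypothetical helper.

```tcl
# Added example, not from the Sguil source tree.
package require dns
package require ip
package require Tclx

# Placeholder settings; in Sguil these come from sguil.conf.
set EXT_DNS 1
set EXT_DNS_SERVER 192.0.2.53           ;# documentation-range placeholder
set HOME_NET {10.0.0.0/8 192.168.0.0/16}

# Hypothetical helper: 1 if ip lies inside any HOME_NET prefix
# (same ip::mask / ip::equal test as the original proc).
proc InHomeNet { ip } {
    global HOME_NET
    foreach homeNet $HOME_NET {
        set netMask [ip::mask $homeNet]
        if { [ip::equal ${ip}/${netMask} $homeNet] } { return 1 }
    }
    return 0
}

proc GetHostbyAddr { ip } {
    global EXT_DNS EXT_DNS_SERVER
    # Refuse anything that is not an IPv4 address so a stray string from
    # an alert is never handed to a resolver as a query.
    if { ![ip::is ipv4 $ip] } { return "Unknown" }
    set hostname ""
    if { $EXT_DNS && ![InHomeNet $ip] } {
        # Outside address: query the configured external server so the
        # local resolver is not used for address space under investigation.
        if { ![catch {dns::resolve $ip -nameserver $EXT_DNS_SERVER -timeout 5000} tok] } {
            dns::wait $tok                ;# do not rely on resolve blocking
            if { [dns::status $tok] eq "ok" } {
                set hostname [lindex [dns::name $tok] 0]
            }
            dns::cleanup $tok
        }
    } else {
        # Local address: OS resolver via TclX, as in the workaround above.
        if { [catch {host_info official_name $ip} hostname] } {
            set hostname ""
        }
    }
    if { $hostname eq "" } { set hostname "Unknown" }
    return $hostname
}

puts [GetHostbyAddr 192.168.1.10]
```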


Vince said...

Hey...just googled onto your post and it fixed the exact same problem I was having! I am running the latest sguil CVS client on FC10 and so far hadn't had any problems with it. My only guess is some Fedora update broke something in a library that the resolver was depending on...but I had been wondering how to fix the problem and you gave me the solution...thank you!

Anonymous said...

Your solution didn't work for me but I found another solution on Google:

after set tok [dns::resolve $ip]
I added vwait $tok

and after set tok [dns::resolve $ip -nameserver $nameserver]
I added vwait $tok