Re: [Sguil-devel] Trying out sguil 0.6.1, some errors encountered
From: Bamm V. <bam...@gm...> - 2007-02-28 15:41:02
From a mysql prompt run:

SELECT INET_NTOA(src_ip), INET_NTOA(dst_ip), ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum FROM event WHERE sid=1 and cid=268

Right now I am at a loss at what the problem could be. Any chance you can join #snort-gui and we can do some debugging there?

Bammkkkk

On 2/28/07, Jonathan Gill <jon...@se...> wrote:
> Hi Bamm,
>
> Here is the top and bottom of the log (minus the alert data and some
> login info) from sguild run in the foreground with debug set to 2. I did
> include the alert that caused the crash when I clicked on show packet data.
>
> Thanks
>
> Jonathan
>
> -----------Start of log--------------
>
> pid(7829) Loading access list: /etc/sguild/sguild.access
> pid(7829) Sensor access list set to ALLOW ANY.
> pid(7829) Client access list set to ALLOW ANY.
> pid(7829) Email Configuration:
> pid(7829)   Config file: /etc/sguild/sguild.email
> pid(7829)   Enabled: No
> pid(7829) Connecting to <ourdb server> on 3306 as <sguil user>
> pid(7829) MySQL Version: version 5.0.18-log
> pid(7829) SguilDB Version: 0.11
> pid(7830) Loaderd Forked
> pid(7831) Queryd Forked
> pid(7829) Retrieving DB info...
> pid(7829) SELECT hostname FROM sensor ORDER BY hostname ASC
> pid(7829) Warning: Event table appears to be empty.
> pid(7829) If this is a new DB, then you can safely ignore this warning.
> pid(7829) Retrieving DB info...
> pid(7829) Getting a list of tables.
> pid(7829) ...Getting info on history.
> pid(7829) ...Getting info on nessus.
> pid(7829) ...Getting info on nessus_data.
> pid(7829) ...Getting info on portscan.
> pid(7829) ...Getting info on sensor.
> pid(7829) ...Getting info on sessions.
> pid(7829) ...Getting info on status.
> pid(7829) ...Getting info on user_info.
> pid(7829) ...Getting info on version.
> pid(7829) Sguild Initialized.
> pid(7829) Sensor agent connect from 10.185.218.30:57857 sock13
> pid(7829) Validating sensor access: 10.185.218.30 :
> pid(7829) Valid sensor agent: 10.185.218.30
> pid(7829) Sensor Data Rcvd: AgentInit securecirt-office 0
> pid(7829) New sensor. Adding sensor securecirt-office to the DB.
> pid(7829) No clients to send info msg to.
> pid(7829) Sent sock13: SensorID 1
> pid(7829) Sensor Data Rcvd: DiskReport /var/log/snort/ 53%
> pid(7829) No clients to send info msg to.
> pid(7829) Sensor Data Rcvd: PING
> pid(7829) Sensor Data Rcvd: SystemMessage {Barnyard connected via sensor localhost.}
> pid(7829) No clients to send info msg to.
> pid(7829) Sensor Data Rcvd: BarnyardConnect 1
> pid(7829) Sensor Data Rcvd: AgentLastCidReq sock6 1
> pid(7829) Sent sock13: LastCidResults sock6 0
> pid(7829) Sensor Data Rcvd: BYEventRcvd sock6 0 1 1 securecirt-office 105 105 {2007-02-27 09:53:34} 1 486 4 {ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited} {2007-02-27 09:53:34} 3 misc-activity 3232240857 192.168.20.217 1024345354 aa.bb.cc.dd 1 4 5 0 68 2737 0 0 248 24686 3 10 21674 {} {} {} {} {} {} {} {} {} {} {} {} {} {} 00000000450000288AA90000F9060CB03D0E450ACA4FDE0EA4AB00504BEE127A0000000050040E2446BF0000
> pid(7829) Creating event table event_securecirt-office_20070227.
> pid(7829) Creating tcphdr table tcphdr_securecirt-office_20070227.
> pid(7829) Creating udphdr table udphdr_securecirt-office_20070227.
> pid(7829) Creating icmphdr table icmphdr_securecirt-office_20070227.
> pid(7829) Creating data table data_securecirt-office_20070227.
> pid(7829) Creating event MERGE table.
> pid(7829) Creating tcphdr MERGE table.
> pid(7829) Creating udphdr MERGE table.
> pid(7829) Creating icmphdr MERGE table.
> pid(7829) Creating data MERGE table.
> pid(7829) Alert Received: 0 3 misc-activity securecirt-office {2007-02-27 09:53:34} 1 1 {ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited} 192.168.20.217 aa.bb.cc.dd 1 {} {} 486 4 105 105
> pid(7829) No clients to send alert to.
>
> ------bottom of the log---------
> ...
> ...
> ...
> pid(7829) Sending sock14: InsertEvent 0 3 misc-activity securecirt-office {2007-02-28 05:28:51} 1 268 {MS-SQL version overflow attempt} aa.bb.cc.dd ee.ff.gg.hh 17 1556 1434 1
> ...
> ...
> ...
> pid(7829) Client Command Received: SendEscalatedEvents
> pid(7829) Client Command Received: SendGlobalQryList
> pid(7829) Sending sock14: GlobalQryList {Last Modified||Return the events modified in the last 30 mins||WHERE event.last_modified > DATE_SUB(NOW(), INTERVAL 30 MINUTE) ORDER BY event.last_modified DESC LIMIT 500||event} {DNS Overflow||Looks for TCP DNS sessions with large source bytes. Since DNS requests generally have low byte counts, this could be a buffer overflow||WHERE sessions.start_time > DATE_SUB(NOW(), INTERVAL 1 DAY) AND sessions.dst_port=53 AND sessions.src_bytes > 1000 LIMIT 500||sessions} {Auto Cats||Select event auto updated in the last 10 mins||WHERE user_info.uid=event.last_uid AND user_info.username='auto' AND event.last_modified > DATE_SUB(NOW(), INTERVAL 10 MINUTE) LIMIT 500||event}
> pid(7829) Client Command Received: SendReportQryList
> pid(7829) Sending sock14: ReportQryList none
> pid(7829) Client Command Received: SendClientSensorStatusInfo
> pid(7829) Sending sock14: SensorStatusUpdate {securecirt-office {1 {2007-02-28 07:13:45} 1 0 None}}
> pid(7829) Client Command Received: PING
> pid(7829) Client Command Received: GetIPData 1 268
> Error: mysqlsel/db server: Can't find file: 'event' (errno: 2)
>     mysqlsel/db server: Can't find file: 'event' (errno: 2)
>     while executing
> "mysqlsel $MAIN_DB_SOCKETID $query -flatlist"
>     (procedure "FlatDBQuery" line 5)
>     invoked from within
> "FlatDBQuery $query"
>     (procedure "GetIPData" line 4)
>     invoked from within
> "$clientCmd $socketID $index1 $index2 "
>     ("GetIPData" arm line 1)
>     invoked from within
> "switch -exact $clientCmd {
>   DeleteEventID { $clientCmd $socketID $index1 $index2 }
>   DeleteEventIDList { $clientCmd $socketID $data1 }
> ..."
>     (procedure "ClientCmdRcvd" line 30)
>     invoked from within
> "ClientCmdRcvd sock14"
> SGUILD: killing child procs...
> SGUILD: Exiting...
>
>
>
> Bamm Visscher wrote:
> > Can you run sguild in the foreground with -d 2 instead of syslog?
> >
> > Bammkkkk
> >
> >
>
> --
> Jonathan Gill SecureCiRT Pte Ltd
> http://www.securecirt.com/
> PGP : 315C 314D CD36 CBFF 728E F167 FCD8 15B7 0287
>
> _______________________________________________
> Sguil-devel mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-devel

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
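An added check, not part of the thread or of sguil's own code: the log shows sguild creating `event` as a MERGE table over per-sensor, per-day tables, and the `GetIPData` query that crashes reads from that MERGE table, with errno 2 being the OS "no such file or directory". The statements below, typed at a mysql prompt against the sguil database (the database name `sguildb` is an assumption), show the MERGE definition and list which member tables actually exist, so a missing or differently defined member can be ruled in or out before looking elsewhere.

```sql
-- Added example, not from the thread. Assumes the sguil database is named sguildb.
USE sguildb;

-- 1. The UNION=(...) clause of the MERGE definition lists the member tables
--    sguild expects, e.g. event_securecirt-office_20070227 from the log.
SHOW CREATE TABLE `event`\G

-- 2. The event_* tables that really exist in this schema (underscore is
--    escaped so it is not treated as a wildcard).
SELECT table_name, engine, table_rows
  FROM information_schema.tables
 WHERE table_schema = DATABASE()
   AND table_name LIKE 'event\_%'
 ORDER BY table_name;

-- 3. A MERGE member must have exactly the same column definitions as the
--    MERGE table, so compare this against step 1 (hyphen in the sensor name
--    requires backticks).
SHOW CREATE TABLE `event_securecirt-office_20070227`\G

-- 4. Bamm's query for sid 1 / cid 268, run against a single member table
--    instead of the MERGE table. Substitute the member table for the day the
--    event was inserted (2007-02-28 in the log).
SELECT INET_NTOA(src_ip), INET_NTOA(dst_ip), ip_ver, ip_hlen, ip_tos, ip_len,
       ip_id, ip_flags, ip_off, ip_ttl, ip_csum
  FROM `event_securecirt-office_20070227`
 WHERE sid = 1 AND cid = 268;
```

If step 2 lacks a table that step 1 names, or step 3 differs from step 1 in any column, the MERGE table cannot be opened even though the member tables hold data.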