Re: [Sguil-users] More issues detected with sguil 0.8.0
From: carlopmart <car...@gm...> - 2011-10-18 14:30:21
On 10/18/2011 02:33 PM, carlopmart wrote:
> Hi all,
>
> I have migrated my SL6.1 sguil server to Debian 6.0 to do some tests
> with sguil 0.8.0 and try to find the source of my problems
> (http://marc.info/?l=sguil-users&m=131846135624417&w=2 and
> http://sourceforge.net/mailarchive/forum.php?thread_name=4E96AE9F.3060007%40gmail.com&forum_name=sguil-users).
>
> Actually my sguil components are:
>
> Sguil Server: Debian 6.0
> Sguil Sensor: SL6.1
> Sguil Client: SL6.1
>
> In all hosts I am using tcl version 8.4 without threads.
>
> Actually, snort sensor, barnyard2 and daemonlogger are running in
> localtime mode. I have done some tests yesterday and this morning,
> like for example this alarm:
>
> [**] [1:498:7] ATTACK-RESPONSES id check returned root [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 10/17-16:11:06.242301 217.160.51.31:80 -> 172.25.50.21:52729
> TCP TTL:52 TOS:0x0 ID:55905 IpLen:20 DgmLen:350 DF
> ***AP*** Seq: 0x23B272C4 Ack: 0xDE828508 Win: 0x50 TcpLen: 20
>
> It is a web access to http://www.testmyids.com. Sguil client shows me
> "No Data Sent" (using transcript and transcript force new). Transcript
> window in the client side shows me this:
>
> Your request has been sent to the server.
> Please be patient as this can take some time.
> Raw data request sent to idskvm01.
> Making a list of local log files.
> Looking in /nsm/sensor_data/idskvm01/dailylogs/2011-10-17.
> Making a list of local log files in
> /nsm/sensor_data/idskvm01/dailylogs/2011-10-17.
> Available log files:
> 1318878003 1318874403 1318870805 1318867770 1318863603 1318860543
> Creating unique data file: /usr/sbin/tcpdump -r
> /nsm/sensor_data/idskvm01/dailylogs/2011-10-17/snort.log.1318867770 -w
> /tmp/172.25.50.21:52729_217.160.51.31:80-6.raw host 217.160.51.31 and
> host 172.25.50.21 and port 80 and port 52729 and proto 6
> Receiving raw file from sensor.
> Finished.
>
> That is totally wrong. In the sensor logs directory these files exist:
>
> [root@newsensor 2011-10-18]# ls -al
> total 476852
> drwxr-xr-x 2 root root      4096 Oct 17 21:00 .
> drwxr-xr-x 7 root root      4096 Oct 18 10:23 ..
> -rw-r--r-- 1 root root  31328052 Oct 17 17:00 snort.log.1318860543
> -rw-r--r-- 1 root root 127475650 Oct 17 17:38 snort.log.1318863603
> -rw-r--r-- 1 root root 222866766 Oct 17 19:00 snort.log.1318867770
> -rw-r--r-- 1 root root  50607147 Oct 17 20:00 snort.log.1318870805
> -rw-r--r-- 1 root root  20628956 Oct 17 21:00 snort.log.1318874403
> -rw-r--r-- 1 root root  35355407 Oct 17 21:52 snort.log.1318878003
>
> As you can see, the file that contains the event is snort.log.1318860543.
> Evidence:
>
> [root@newsensor 2011-10-17]# tcpdump -r snort.log.1318860543 host 217.160.51.31 and host 172.25.50.21 and port 80 and port 52729 and proto 6
> reading from file snort.log.1318860543, link-type EN10MB (Ethernet)
> 16:11:06.152255 IP proxy.hpulabs.org.52729 > s193738556.websitehome.co.uk.http: Flags [S], seq 1944376206, win 5840, options [mss 1460,sackOK,TS val 22875674 ecr 0,nop,wscale 6], length 0
> 16:11:06.234114 IP s193738556.websitehome.co.uk.http > proxy.hpulabs.org.52729: Flags [S.], seq 2322515419, ack 1944376207, win 5840, options [mss 1460,nop,wscale 7], length 0
> 16:11:06.234175 IP proxy.hpulabs.org.52729 > s193738556.websitehome.co.uk.http: Flags [.], ack 1, win 92, length 0
> 16:11:06.234268 IP proxy.hpulabs.org.52729 > s193738556.websitehome.co.uk.http: Flags [P.], seq 1:472, ack 1, win 92, length 471
> 16:11:06.322014 IP s193738556.websitehome.co.uk.http > proxy.hpulabs.org.52729: Flags [.], ack 472, win 54, length 0
> 16:11:06.324208 IP s193738556.websitehome.co.uk.http > proxy.hpulabs.org.52729: Flags [P.], seq 1:311, ack 472, win 54, length 310
> 16:11:06.324217 IP proxy.hpulabs.org.52729 > s193738556.websitehome.co.uk.http: Flags [.], ack 311, win 108, length 0
> 16:11:06.368034 IP proxy.hpulabs.org.52729 > s193738556.websitehome.co.uk.http: Flags [P.], seq 472:912, ack 311, win 108, length 440
> 16:11:06.456879 IP s193738556.websitehome.co.uk.http > proxy.hpulabs.org.52729: Flags [.], seq 311:1763, ack 912, win 63, length 1452
> 16:11:06.456926 IP proxy.hpulabs.org.52729 > s193738556.websitehome.co.uk.http: Flags [.], ack 1763, win 154, length 0
> 16:11:06.458039 IP s193738556.websitehome.co.uk.http > proxy.hpulabs.org.52729: Flags [P.], seq 1763:2788, ack 912, win 63, length 1025
> 16:11:06.458048 IP proxy.hpulabs.org.52729 > s193738556.websitehome.co.uk.http: Flags [.], ack 2788, win 200, length 0
> 16:11:09.817201 IP s193738556.websitehome.co.uk.http > proxy.hpulabs.org.52729: Flags [F.], seq 2788, ack 912, win 63, length 0
> 16:11:09.817342 IP proxy.hpulabs.org.52729 > s193738556.websitehome.co.uk.http: Flags [F.], seq 912, ack 2789, win 200, length 0
> 16:11:09.898147 IP s193738556.websitehome.co.uk.http > proxy.hpulabs.org.52729: Flags [.], ack 913, win 63, length 0
>
> But the transcript order searches in snort.log.1318867770. Why?? Changing
> snort, barnyard2 and daemonlogger to UTC time, nothing changes. But now
> the surprise: migrating all sguil components from 0.8.0 to 0.7.0, all
> works as expected ...
>
> I do not understand what is happening.....

Oops .. I have made a mistake .... SL6.1 comes with tcl8.5 without threads:

[root@newsensor ~]# ls -la /usr/bin/tclsh
lrwxrwxrwx 1 root root 8 Oct 13 22:24 /usr/bin/tclsh -> tclsh8.5
[root@newsensor ~]# tclsh
% info exists ::tcl_platform(threaded)
0

Could this be the source of all my problems with sguil-0.8.0?? But why does it work well with sguil-0.7.0??

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
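The file-selection step that the transcript output above performs, as an added example (not code from Sguil or from the poster): given the epoch-named snort.log files in the listing and the alert's timestamp, pick the only file that can hold the packets, once treating the sensor clock as UTC+2 and once as UTC. The UTC+2 offset is assumed from the listing (the file starting at 1318860543, i.e. 14:09:03 UTC, has a 17:00 mtime and its successor starts at 15:00:03 UTC), and the year 2011 is assumed from the directory name.

```python
# Added example, not from the Sguil project or the original post: which
# snort.log.<epoch> file should be opened for the alert in the post, under
# two interpretations of the timestamp the sensor wrote.
from datetime import datetime, timedelta, timezone

# Constructed from the directory listing in the post; the numeric suffix of
# each file is the epoch second at which daemonlogger started writing it.
LOG_FILES = [
    "snort.log.1318860543", "snort.log.1318863603", "snort.log.1318867770",
    "snort.log.1318870805", "snort.log.1318874403", "snort.log.1318878003",
]

ALERT_STAMP = "10/17-16:11:06.242301"   # from the Snort alert in the post


def snort_event_epoch(stamp, year, utc_offset_hours):
    """Convert a Snort alert timestamp such as '10/17-16:11:06.242301' to
    epoch seconds.  Snort omits the year, so it must be supplied; the offset
    states which timezone the sensor clock was in when the alert was written."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    naive = datetime.strptime(f"{year}/{stamp}", "%Y/%m/%d-%H:%M:%S.%f")
    return int(naive.replace(tzinfo=tz).timestamp())


def pick_log_file(files, event_epoch):
    """Return the file whose start time is the latest one not after the event.
    Files are written sequentially and rotated on a time boundary, so that
    file is the only one that can contain the packets."""
    starts = sorted(int(f.rsplit(".", 1)[1]) for f in files)
    candidates = [s for s in starts if s <= event_epoch]
    if not candidates:
        return None          # event predates every file in the directory
    return f"snort.log.{candidates[-1]}"


def compare_interpretations():
    """Sensor in localtime mode (assumed UTC+2) versus the same stamp read as
    UTC; the second choice is the file the transcript output actually opened."""
    as_local = pick_log_file(LOG_FILES, snort_event_epoch(ALERT_STAMP, 2011, 2))
    as_utc = pick_log_file(LOG_FILES, snort_event_epoch(ALERT_STAMP, 2011, 0))
    return as_local, as_utc


if __name__ == "__main__":
    local_pick, utc_pick = compare_interpretations()
    print("alert time read as UTC+2 ->", local_pick)   # snort.log.1318860543
    print("alert time read as UTC   ->", utc_pick)     # snort.log.1318867770
```

The two-hour offset between the picks equals the gap between the chosen file (1318867770) and the correct one (1318860543), which is what a sensor-in-localtime versus server-in-UTC mismatch looks like when checked by hand.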