Re: [Sguil-users] More issues detected with sguil 0.8.0
From: Paul H. <pau...@gm...> - 2011-10-18 19:05:20
On Tue, Oct 18, 2011 at 4:00 PM, John Root <JR...@sa...> wrote:
> >>> carlopmart <car...@gm...> 10/18/2011 12:24 PM >>>
> On 10/18/2011 07:50 PM, Dave Crawford wrote:
>
> There is one thing that I don't understand. How can the server or sensor
> know which pcap file it needs to read to display the trace in the
> transcript window??

It reads the timestamps from the files (those are seconds):

Available log files:
1318961974 1318961916 1318961859 1318961800 1318961745 1318961691 1318961639

I guess a simple test would be to convert those and look inside the files.
It will let you know if the times are in sync.

> Or do they only look at the active pcap file, processed by
> daemonlogger or snort in logpacket mode? At least, that's the feeling I
> have.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
> There are more informed guys here to answer this but I'll take a stab. The
> sguil config tells the server which host and path to look in for a given
> sensor instance and writes an aggregated pcap that is ultimately copied to
> the server. Here's a contrived example:
>
> Your request has been sent to the server.
> Please be patient as this can take some time.
> Raw data request sent to SOME-SENSOR.
> Making a list of local log files.
> Looking in /nsm/snort_data/SOME-SENSOR/dailylogs/2011-10-18.
> Making a list of local log files in /nsm/snort_data/SOME-SENSOR/dailylogs/2011-10-18.
> Available log files:
> 1318961974 1318961916 1318961859 1318961800 1318961745 1318961691 1318961639
> Creating unique data file: /usr/sbin/tcpdump -r /nsm/snort_data/SOME-SENSOR/dailylogs/2011-10-18/snort.log.1318960951 -w /nsm/tmp/192.168.76.135:58727_10.10.66.18:3510-6.raw host 10.10.66.18 and host 192.168.76.135 and port 3510 and port 58727 and proto 6
> Receiving raw file from sensor.
>
> My clients are hanging perpetually at this point.
>
> We are seeing instances where the transcript is requested for a SENSOR1
> event and for some unknown reason the client parses
> "/nsm/snort_data/SENSOR2/dailylogs/2011-XX-XX." It only happens between
> the two sensors that are on separate hosts but in the same NET_GROUP.
> Early on I suspected a typo (or a reference to the original Net Name -
> Ext_Net) but never found anything. I didn't find any problems with the
> Net Names in the DB either. Oddly this behavior is not consistent and the
> "preferred" sensor name to parse seems to change between sguild restarts.
> I'm pretty well stumped.
>
> John
>

-- 
Paul Halliday
http://www.squertproject.org/
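A worked version of the file-selection and clock-sync check discussed in this thread, added here as an example; it is not code from sguil, daemonlogger or anyone in the thread. It assumes each pcap is named by the epoch second at which logging started and covers the interval up to the next file's start time, and it builds the same tcpdump/BPF shape that appears in John's transcript output; the event time is a constructed value.

```python
import datetime

# Constructed from the "Available log files" list quoted in the thread:
# each name is the epoch second (UTC) at which that pcap was started.
AVAILABLE_LOG_FILES = [1318961974, 1318961916, 1318961859, 1318961800,
                       1318961745, 1318961691, 1318961639]

def to_utc(epoch):
    """Convert a filename timestamp (seconds) to a readable UTC string,
    i.e. the 'simple test' for checking that sensor time is in sync."""
    dt = datetime.datetime.fromtimestamp(epoch, datetime.timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")

def select_log_file(log_files, event_epoch):
    """Assumption: the packet lives in the file with the latest start time
    that is not after the event. None means the event predates every file,
    which points at clock skew between sensor and server or a missing file."""
    candidates = [t for t in log_files if t <= event_epoch]
    return max(candidates) if candidates else None

def file_window(log_files, log_file):
    """(start, end) of the interval a file covers; end is the start of the
    next file, or None for the file that is still being written."""
    later = [t for t in log_files if t > log_file]
    return log_file, (min(later) if later else None)

def bpf_filter(src_ip, src_port, dst_ip, dst_port, proto=6):
    """Same filter shape as the transcript request: both hosts, both ports
    and the IP protocol number (6 = TCP)."""
    return (f"host {dst_ip} and host {src_ip} and port {dst_port} "
            f"and port {src_port} and proto {proto}")

def tcpdump_command(log_dir, log_file, src_ip, src_port, dst_ip, dst_port, proto=6):
    """Build the extraction command for one event, as an argument list so it
    can be handed to subprocess without shell quoting."""
    out = f"/nsm/tmp/{src_ip}:{src_port}_{dst_ip}:{dst_port}-{proto}.raw"
    return ["/usr/sbin/tcpdump", "-r", f"{log_dir}/snort.log.{log_file}",
            "-w", out, bpf_filter(src_ip, src_port, dst_ip, dst_port, proto)]

if __name__ == "__main__":
    for t in AVAILABLE_LOG_FILES:
        print(t, to_utc(t))
    event = 1318961900  # constructed event time, a few seconds before 1318961916
    chosen = select_log_file(AVAILABLE_LOG_FILES, event)
    print("file:", chosen, "covers", file_window(AVAILABLE_LOG_FILES, chosen))
    print(" ".join(tcpdump_command("/nsm/snort_data/SOME-SENSOR/dailylogs/2011-10-18",
                                   chosen, "192.168.76.135", 58727, "10.10.66.18", 3510)))
```

If the converted timestamps disagree with the event times the server holds, or select_log_file returns None for a fresh event, the sensor and server clocks are the first thing to compare.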