Re: [Sguil-users] [Spam] Re: Sguil client doesn't shows me packet captures (Not Solved)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 10/13/2011 11:25 AM, carlopmart wrote:
> On 10/13/2011 10:17 AM, carlopmart wrote:
>> On 10/13/2011 01:35 AM, Paul Halliday wrote:
>>> On Wed, Oct 12, 2011 at 8:15 PM, carlopmart<car...@gm...> wrote:
>>>> On 10/13/2011 12:50 AM, Paul Halliday wrote:
>
>>> ...
>>>> This capture doesn't works from the client side. From the server side,
>>>> file is empty:
>>>>
>>>> [root@dunharrow idsesxi]# ls -ltr
>>>> total 1356
>>>> -rw-r--r-- 1 root root 0 Oct 13 00:49
>>>> 172.25.50.30:59000_172.25.110.3:22-6.raw
>>>
>>> I could be wrong but doesn't there need to be data in order create a
>>> transcript.
>>>
>>> Does the transcript window just say: "No Data Sent" ?
>>>
>>>>
>>
>> No, transcript windows goes blank ... If I try to transcript (force new)
>> sometimes shows "No Data sent" or goes blank too ....
>>
>>
>
> Here another example. Screenshot shows how transcript windows doesn't
> works.
>
>  From the sensor side:
>
> [root@eorlingas 2011-10-13]# pwd
> /nsm/sensor_data/idsesxi/dailylogs/2011-10-13
> [root@eorlingas 2011-10-13]# tcpdump -r snort.log.1318496405 host
> 217.160.51.31 and host 172.25.50.30 and port 80 and port 33873 and proto 6
> reading from file snort.log.1318496405, link-type EN10MB (Ethernet)
> 11:15:45.709355 IP silmaril.hpulabs.org.33873 >
> s193738556.websitehome.co.uk.http: Flags [S], seq 1930430944, win 5840,
> options [mss 1460,sackOK,TS val 3590743 ecr 0,nop,wscale 6], length 0
> 11:15:45.785828 IP s193738556.websitehome.co.uk.http >
> silmaril.hpulabs.org.33873: Flags [S.], seq 248532818, ack 1930430945,
> win 5840, options [mss 1460,nop,wscale 7], length 0
> 11:15:45.786023 IP silmaril.hpulabs.org.33873 >
> s193738556.websitehome.co.uk.http: Flags [.], ack 1, win 92, length 0
> 11:15:45.786161 IP silmaril.hpulabs.org.33873 >
> s193738556.websitehome.co.uk.http: Flags [P.], seq 1:420, ack 1, win 92,
> length 419
> 11:15:45.869104 IP s193738556.websitehome.co.uk.http >
> silmaril.hpulabs.org.33873: Flags [.], ack 420, win 54, length 0
> 11:15:45.870896 IP s193738556.websitehome.co.uk.http >
> silmaril.hpulabs.org.33873: Flags [P.], seq 1:311, ack 420, win 54,
> length 310
> 11:15:45.871107 IP silmaril.hpulabs.org.33873 >
> s193738556.websitehome.co.uk.http: Flags [.], ack 311, win 108, length 0
> 11:15:45.885406 IP silmaril.hpulabs.org.33873 >
> s193738556.websitehome.co.uk.http: Flags [P.], seq 420:777, ack 311, win
> 108, length 357
> 11:15:45.969334 IP s193738556.websitehome.co.uk.http >
> silmaril.hpulabs.org.33873: Flags [.], seq 311:1763, ack 777, win 63,
> length 1452
> 11:15:45.969994 IP s193738556.websitehome.co.uk.http >
> silmaril.hpulabs.org.33873: Flags [P.], seq 1763:2788, ack 777, win 63,
> length 1025
> 11:15:45.970171 IP silmaril.hpulabs.org.33873 >
> s193738556.websitehome.co.uk.http: Flags [.], ack 2788, win 199, length 0
> 11:15:49.975146 IP s193738556.websitehome.co.uk.http >
> silmaril.hpulabs.org.33873: Flags [F.], seq 2788, ack 777, win 63, length 0
> 11:15:50.014580 IP silmaril.hpulabs.org.33873 >
> s193738556.websitehome.co.uk.http: Flags [.], ack 2789, win 199, length 0
> 11:15:55.379330 IP silmaril.hpulabs.org.33873 >
> s193738556.websitehome.co.uk.http: Flags [F.], seq 777, ack 2789, win
> 199, length 0
> 11:15:55.455473 IP s193738556.websitehome.co.uk.http >
> silmaril.hpulabs.org.33873: Flags [.], ack 778, win 63, length 0
>
> session is fully captured ... And tcpdump file is generated in sensor
> filesystem:
>
> [root@eorlingas 2011-10-13]# ls -ltr
> /tmp/172.25.50.30\:33873_217.160.51.31\:80-6.raw
> -rw-r--r-- 1 root root 4553 Oct 13 11:15
> /tmp/172.25.50.30:33873_217.160.51.31:80-6.raw
>
>

FYI, I have downgraded to sguil 0.7.0 and all works ok. I will do more 
tests but it seems that all goes on.

Bamm, it could be a bug using SL6.1 (a RHEL derived like CentOS is) as a 
hosts for server and sensors??

-- 
CL Martinez
carlopmart {at} gmail {d0t} com