Re: [Sguil-users] [Spam] Re: Sguil client doesn't shows me packet captures (Not Solved)
From: carlopmart <car...@gm...> - 2011-10-13 14:35:33
On 10/13/2011 11:25 AM, carlopmart wrote:
> On 10/13/2011 10:17 AM, carlopmart wrote:
>> On 10/13/2011 01:35 AM, Paul Halliday wrote:
>>> On Wed, Oct 12, 2011 at 8:15 PM, carlopmart <car...@gm...> wrote:
>>>> On 10/13/2011 12:50 AM, Paul Halliday wrote:
>>> ...
>>>> This capture doesn't work from the client side. From the server side,
>>>> the file is empty:
>>>>
>>>> [root@dunharrow idsesxi]# ls -ltr
>>>> total 1356
>>>> -rw-r--r-- 1 root root 0 Oct 13 00:49 172.25.50.30:59000_172.25.110.3:22-6.raw
>>>
>>> I could be wrong but doesn't there need to be data in order to create a
>>> transcript.
>>>
>>> Does the transcript window just say: "No Data Sent" ?
>>>
>>
>> No, the transcript window goes blank ... If I try to transcript (force new)
>> it sometimes shows "No Data sent" or goes blank too ....
>>
>
> Here is another example. The screenshot shows how the transcript window
> doesn't work.
>
> From the sensor side:
>
> [root@eorlingas 2011-10-13]# pwd
> /nsm/sensor_data/idsesxi/dailylogs/2011-10-13
> [root@eorlingas 2011-10-13]# tcpdump -r snort.log.1318496405 host 217.160.51.31 and host 172.25.50.30 and port 80 and port 33873 and proto 6
> reading from file snort.log.1318496405, link-type EN10MB (Ethernet)
> 11:15:45.709355 IP silmaril.hpulabs.org.33873 > s193738556.websitehome.co.uk.http: Flags [S], seq 1930430944, win 5840, options [mss 1460,sackOK,TS val 3590743 ecr 0,nop,wscale 6], length 0
> 11:15:45.785828 IP s193738556.websitehome.co.uk.http > silmaril.hpulabs.org.33873: Flags [S.], seq 248532818, ack 1930430945, win 5840, options [mss 1460,nop,wscale 7], length 0
> 11:15:45.786023 IP silmaril.hpulabs.org.33873 > s193738556.websitehome.co.uk.http: Flags [.], ack 1, win 92, length 0
> 11:15:45.786161 IP silmaril.hpulabs.org.33873 > s193738556.websitehome.co.uk.http: Flags [P.], seq 1:420, ack 1, win 92, length 419
> 11:15:45.869104 IP s193738556.websitehome.co.uk.http > silmaril.hpulabs.org.33873: Flags [.], ack 420, win 54, length 0
> 11:15:45.870896 IP s193738556.websitehome.co.uk.http > silmaril.hpulabs.org.33873: Flags [P.], seq 1:311, ack 420, win 54, length 310
> 11:15:45.871107 IP silmaril.hpulabs.org.33873 > s193738556.websitehome.co.uk.http: Flags [.], ack 311, win 108, length 0
> 11:15:45.885406 IP silmaril.hpulabs.org.33873 > s193738556.websitehome.co.uk.http: Flags [P.], seq 420:777, ack 311, win 108, length 357
> 11:15:45.969334 IP s193738556.websitehome.co.uk.http > silmaril.hpulabs.org.33873: Flags [.], seq 311:1763, ack 777, win 63, length 1452
> 11:15:45.969994 IP s193738556.websitehome.co.uk.http > silmaril.hpulabs.org.33873: Flags [P.], seq 1763:2788, ack 777, win 63, length 1025
> 11:15:45.970171 IP silmaril.hpulabs.org.33873 > s193738556.websitehome.co.uk.http: Flags [.], ack 2788, win 199, length 0
> 11:15:49.975146 IP s193738556.websitehome.co.uk.http > silmaril.hpulabs.org.33873: Flags [F.], seq 2788, ack 777, win 63, length 0
> 11:15:50.014580 IP silmaril.hpulabs.org.33873 > s193738556.websitehome.co.uk.http: Flags [.], ack 2789, win 199, length 0
> 11:15:55.379330 IP silmaril.hpulabs.org.33873 > s193738556.websitehome.co.uk.http: Flags [F.], seq 777, ack 2789, win 199, length 0
> 11:15:55.455473 IP s193738556.websitehome.co.uk.http > silmaril.hpulabs.org.33873: Flags [.], ack 778, win 63, length 0
>
> The session is fully captured ... And the tcpdump file is generated in the sensor
> filesystem:
>
> [root@eorlingas 2011-10-13]# ls -ltr /tmp/172.25.50.30\:33873_217.160.51.31\:80-6.raw
> -rw-r--r-- 1 root root 4553 Oct 13 11:15 /tmp/172.25.50.30:33873_217.160.51.31:80-6.raw

FYI, I have downgraded to sguil 0.7.0 and all works ok. I will do more tests but it seems that all goes on. Bamm, could it be a bug using SL6.1 (a RHEL derivative, like CentOS) as a host for server and sensors??

--
CL Martinez
carlopmart {at} gmail {d0t} com
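The thread above turns on one observable: the sensor produces a 4553-byte session file, but the file that reaches the server is 0 bytes, and the client then shows a blank transcript. Before chasing client or version differences, it helps to classify the `.raw` file on each side. The following is an added diagnostic example written for this page; it is not code from the thread, from Sguil, or from any of the posters. It assumes (an assumption, not stated in the post) that the `.raw` files are libpcap capture files as `tcpdump -w` writes them; the `src:sport_dst:dport-proto.raw` naming is taken from the listings in the post; the sample files it inspects are constructed inline with placeholder zero-filled packets.

```python
"""Classify a Sguil-style session .raw file: missing, empty, header-only,
truncated, or a pcap with N packets. Added example; assumes libpcap format."""
import os
import struct
import tempfile

# libpcap magic numbers as a host-order uint32 (microsecond and nanosecond
# timestamp variants); the byte order of the file is whichever reads this.
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
GLOBAL_HEADER_LEN = 24   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len


def raw_filename(src_ip, src_port, dst_ip, dst_port, proto):
    """Session file name in the form seen in the post's directory listings."""
    return f"{src_ip}:{src_port}_{dst_ip}:{dst_port}-{proto}.raw"


def inspect_raw(path):
    """Return (status, packet_count). A 0-byte file is the server-side
    symptom reported in the thread; header-only means tcpdump wrote a
    global header but no packets matched the filter."""
    if not os.path.exists(path):
        return ("missing", 0)
    if os.path.getsize(path) == 0:
        return ("empty", 0)
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) < GLOBAL_HEADER_LEN:
        return ("truncated-header", 0)
    if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in PCAP_MAGICS:
        endian = ">"
    else:
        return ("not-pcap", 0)
    off, count = GLOBAL_HEADER_LEN, 0
    while off + RECORD_HEADER_LEN <= len(data):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if off + incl_len > len(data):
            return ("truncated-packet", count)   # record header promises more bytes than exist
        off += incl_len
        count += 1
    if off != len(data):
        return ("truncated-packet", count)       # dangling partial record header
    return ("header-only", 0) if count == 0 else ("ok", count)


def write_pcap(path, packets, linktype=1):
    """Write a minimal little-endian pcap (linktype 1 = Ethernet) for the
    demo. Packet bodies are whatever bytes the caller supplies."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for i, pkt in enumerate(packets):
            fh.write(struct.pack("<IIII", 1318496145 + i, 0, len(pkt), len(pkt)))
            fh.write(pkt)


def demo():
    """Build the three cases a sensor/server comparison can produce and
    classify each. All files are constructed here, not real captures."""
    tmp = tempfile.mkdtemp()
    results = {}

    # Constructed: the 0-byte server-side file from the first listing.
    empty = os.path.join(tmp, raw_filename("172.25.50.30", 59000, "172.25.110.3", 22, 6))
    open(empty, "wb").close()
    results["empty"] = inspect_raw(empty)

    # Constructed: a sensor-side file with three placeholder packets.
    good = os.path.join(tmp, raw_filename("172.25.50.30", 33873, "217.160.51.31", 80, 6))
    write_pcap(good, [b"\x00" * 60, b"\x00" * 74, b"\x00" * 473])
    results["good"] = inspect_raw(good)

    # Constructed: header written, no packets matched the BPF filter.
    header_only = os.path.join(tmp, "header-only.raw")
    write_pcap(header_only, [])
    results["header_only"] = inspect_raw(header_only)
    return results


if __name__ == "__main__":
    for name, (status, n) in demo().items():
        print(f"{name:12s} {status:16s} packets={n}")
```

Run it against the real files on both hosts (`inspect_raw("/tmp/172.25.50.30:33873_217.160.51.31:80-6.raw")` on the sensor, and the copy under the server's sensor directory) to tell a transfer problem (sensor "ok", server "empty") from a capture problem (sensor "header-only" or "empty") before comparing Sguil versions or platforms.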