sguil-users — Sguil users list.

[Sguil-users] email notification

[priscille G. <pri...@gm...>]

<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
.MsoChpDefault
	{mso-style-type:export-only;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
	{page:WordSection1;}
--></style></head><body lang=fr-CG link=blue vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=FR>Hello everyone. I've been working on sguil 0.9.0 for a while now, I've enjoyed the tool, it's very rich. However, I would now like to be able to receive email notifications when an alert appears and send details of the alerts via email on the sguil interface, but I still can't. Could you please help me?</span><span lang=fr-CG><o:p></o:p></span></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Envoyé à partir de <a href="https://go.microsoft.com/fwlink/?LinkId=550986">Courrier</a> pour Windows</p><p class=MsoNormal><o:p>&nbsp;</o:p></p></div></body></html>

[Sguil-users] sguil alert

[Eln <ele...@gm...>]

Hello,

I use Security Onion and in /var/log/nsm/securityonion/sguild.log i have :

Sensor Data Rcvd: BYEventRcvd sock1054610 ...
and
Alert Received: 0 2 attempted-recon
Where can i modify  Alert Received to include payload?
Thanks

[Sguil-users] error iwidgets

[hernani c. <coe...@sa...>]

hello, i have installed kali linux debian

i have installed sguil, ./sguild works fine, but the ./sguil.tk give me
this error --->

ERROR: Cannot fine the Iwidgets extension.
The iwidgets package is part of the incr tcl extension and is
available as a port/package most systems.
See http://www.tcltk.com/iwidgets/ for more info.


i have installed iwidgets from repositories debian

can someone help me?

thanks

hernani coelho

[Sguil-users] Squirt Interface is empty!

[Gerhard M. <gmo...@gm...>]

Helo List,

I’ve installed Sguil version 0.9.0 on CentOS 6.7 with Squert. When a log into the Squert web page, there is no data at all! I can see that I receive alerts on the OS but nothing on the Squert page!

Gerhard,

[Sguil-users] Installing sguil on OpenBSD 5.9 (problem with mysqltcl)

[ML m. <mln...@ya...>]

Hello,

I am trying to install Sguil 0.9 on OpenBSD 5.9 with Tcl 8.5 and manage to install without any problems TclX 8.4 but for the mysqltcl package it simply does not want to work... When I test it from the Tcl shell I get the following error:


% package require mysqltcl
couldn't load file "/usr/local/lib/tcl/mysqltcl-3.052/libmysqltcl3052.so.1.0": Cannot load specified object


an ldd on the library file does not show any missing libraries:

/usr/local/lib/mysqltcl-3.052/libmysqltcl3052.so.1.0:
Start            End              Type Open Ref GrpRef Name
00001d77173b4000 00001d77177be000 dlib 2    0   0      /usr/local/lib/mysqltcl-3.052/libmysqltcl3052.so.1.0
00001d76af76e000 00001d76afed5000 rlib 0    1   0      /usr/local/lib/libmysqlclient.so.27.0
00001d7704cb0000 00001d77050c2000 rlib 0    1   0      /usr/lib/libpthread.so.20.1
00001d769ee91000 00001d769f2a6000 rlib 0    1   0      /usr/lib/libz.so.5.0
00001d774da5e000 00001d774deb8000 rlib 0    1   0      /usr/lib/libssl.so.38.0
00001d7710a74000 00001d7711043000 rlib 0    2   0      /usr/lib/libcrypto.so.37.0
00001d76b1fda000 00001d76b24f0000 rlib 0    1   0      /usr/lib/libstdc++.so.57.0
00001d7772653000 00001d7772a7b000 rlib 0    2   0      /usr/lib/libm.so.9.0


I used the following configure parameters to compile mysqltcl: --with-tcl=/usr/local/lib/tcl/tcl8.5/ --with-mysql-include=/usr/local/include/mysql/ --with-mysql-lib=/usr/local/lib/mysql/ 

Any ideas what could be going wrong here? or did anyone else manage to install Sguil on a modern OpenBSD 5.9?


Regards
ML

[Sguil-users] Purging old interfaces

[James L. <jl...@sl...>]

Quick question...is purging interfaces no longer in use just a process 
of purging old data, or is there something else I need to do.  Thank 
you.

James

Re: [Sguil-users] Missing events and merge tables troubleshooting

[Matt G <sec...@gm...>]

Bamm Visscher <bamm.visscher@...> writes:

 
> It looks like this bug may be a timezone issue. Is the timezone of your 
server set to something other than UTC?
> Bamm
> 

That was exactly it. Thank you for responding, works great now!

Re: [Sguil-users] Missing events and merge tables troubleshooting

[Bamm V. <bam...@gm...>]

It looks like this bug may be a timezone issue. Is the timezone of your
server set to something other than UTC?

Bamm

On Tue, Dec 15, 2015 at 10:06 AM, Matt G <sec...@gm...> wrote:

> No doubt about it, sguil rocks.
>
>
> Unfortunately, though, I'm experiencing a strange behavior with my sguil
> installation. It has worked flawlessly for years, but it has recently
> developed a problem.
>
> In the console, whenever I mark an aggregated row of alerts with F8 (No
> action required), I almost always get the dreaded error:
>
> ERROR: Some events may not have been updated. Event(s) may be missing
> from DB. See sguild output for more information.
>
> So I've turned up the debugging on sguil and also on mysql. Here is a
> representative event:
>
> sguild log:
>
> Dec 15 07:33:45 skipper SGUILD: ERROR: Number of updates mismatched
> number of events.  Number of EVENTS:  5  Number of UPDATES: 4 Update
> List: 4.251447 4.289120 4.341253 4.398851 4.401153
>
> The associated mysql activity looks like this:
>
> UPDATE `event_internal_20151208` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (289120)
> UPDATE `event_internal_20151210` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (398851)
> UPDATE `event_internal_20151209` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (341253)
> UPDATE `event_internal_20151211` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (401153)
> UPDATE `event_internal_20151207` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (251447)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 251447, 2, '2015-12-15 14:33:45', 1)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 289120, 2, '2015-12-15 14:33:45', 1)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 341253, 2, '2015-12-15 14:33:45', 1)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 398851, 2, '2015-12-15 14:33:45', 1)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 401153, 2, '2015-12-15 14:33:45', 1)
>
> So clearly one of the update events is failing. When I walk through the
> SQL I find the failing event:
>
>
> mysql> SELECT cid FROM `event_internal_20151209` WHERE cid IN (341253);
> +--------+
> | cid    |
> +--------+
> | 341253 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql> SELECT cid FROM `event_internal_20151208` WHERE cid IN (289120);
> +--------+
> | cid    |
> +--------+
> | 289120 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql> SELECT cid FROM `event_internal_20151210` WHERE cid IN (398851);
> +--------+
> | cid    |
> +--------+
> | 398851 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql> SELECT cid FROM `event_internal_20151209` WHERE cid IN (341253);
> +--------+
> | cid    |
> +--------+
> | 341253 |
> +--------+
> 1 row in set (0.00 sec)
>
> mysql> SELECT cid FROM `event_internal_20151211` WHERE cid IN (401153);
> Empty set (0.01 sec)
>
> mysql> SELECT cid FROM `event_internal_20151207` WHERE cid IN (251447);
> +--------+
> | cid    |
> +--------+
> | 251447 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql>
>
> After poking around a bit, I've discovered that the "missing" event with
> cid 401153 is actually in a different table (belonging to the same
> parent merge table):
>
> mysql> SELECT cid FROM `event_internal_20151210` WHERE cid IN (401153);
> +--------+
> | cid    |
> +--------+
> | 401153 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql>
>
> So sguil is updating the record in event_internal_20151211 but the event
> lives in event_internal_20151210. This is happening constantly in my
> installation. Any ideas what I might do to resolve this?
>
>
> Thanks.
>
> --Matt
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>



-- 
sguil - The Analyst Console for NSM
http://www.sguil.net

[Sguil-users] Autocat oddness

[Reuben P. <reu...@gm...>]

Hey all, quick question.

I have a process that trips an emerging threats rule when it attempts to go
to an akamai IP to pull down some OFAC information.  The whois for the
destination ip shows two CIDR blocks for that IP.  Since the autocat rule
wizard (via SecurityOnion 12) only allows one IP/CIDR notation in an
address field, I had to create two autocat rules, each with a different
CIDR notated IP range in the destination field.  Everything else between
the two events from the autocat perspective is the same, and yet, I still
get daily alerts showing up when  the process runs (again, same source ip,
same destination ip and port).  I would think that Autocat should catch
this using one of the two rules.. what gives here?  Am I going about this
the wrong way?

Thanks in advance
Reuben A. Popp

Re: [Sguil-users] Missing events and merge tables troubleshooting

[Edward F. <edw...@gm...>]

I did a git-clone in the beginning of May and set up 3 new systems, all
have that annoying "feature" :)
Thank you for digging into it. I never took the time.

Hope there will be a fix one day :)

E

On Tue, Dec 15, 2015 at 4:06 PM, Matt G <sec...@gm...> wrote:

> No doubt about it, sguil rocks.
>
>
> Unfortunately, though, I'm experiencing a strange behavior with my sguil
> installation. It has worked flawlessly for years, but it has recently
> developed a problem.
>
> In the console, whenever I mark an aggregated row of alerts with F8 (No
> action required), I almost always get the dreaded error:
>
> ERROR: Some events may not have been updated. Event(s) may be missing
> from DB. See sguild output for more information.
>
> So I've turned up the debugging on sguil and also on mysql. Here is a
> representative event:
>
> sguild log:
>
> Dec 15 07:33:45 skipper SGUILD: ERROR: Number of updates mismatched
> number of events.  Number of EVENTS:  5  Number of UPDATES: 4 Update
> List: 4.251447 4.289120 4.341253 4.398851 4.401153
>
> The associated mysql activity looks like this:
>
> UPDATE `event_internal_20151208` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (289120)
> UPDATE `event_internal_20151210` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (398851)
> UPDATE `event_internal_20151209` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (341253)
> UPDATE `event_internal_20151211` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (401153)
> UPDATE `event_internal_20151207` SET status=1, last_modified='2015-12-15
> 14:33:45', last_uid='2' WHERE sid=4 AND cid IN (251447)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 251447, 2, '2015-12-15 14:33:45', 1)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 289120, 2, '2015-12-15 14:33:45', 1)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 341253, 2, '2015-12-15 14:33:45', 1)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 398851, 2, '2015-12-15 14:33:45', 1)
> INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4,
> 401153, 2, '2015-12-15 14:33:45', 1)
>
> So clearly one of the update events is failing. When I walk through the
> SQL I find the failing event:
>
>
> mysql> SELECT cid FROM `event_internal_20151209` WHERE cid IN (341253);
> +--------+
> | cid    |
> +--------+
> | 341253 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql> SELECT cid FROM `event_internal_20151208` WHERE cid IN (289120);
> +--------+
> | cid    |
> +--------+
> | 289120 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql> SELECT cid FROM `event_internal_20151210` WHERE cid IN (398851);
> +--------+
> | cid    |
> +--------+
> | 398851 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql> SELECT cid FROM `event_internal_20151209` WHERE cid IN (341253);
> +--------+
> | cid    |
> +--------+
> | 341253 |
> +--------+
> 1 row in set (0.00 sec)
>
> mysql> SELECT cid FROM `event_internal_20151211` WHERE cid IN (401153);
> Empty set (0.01 sec)
>
> mysql> SELECT cid FROM `event_internal_20151207` WHERE cid IN (251447);
> +--------+
> | cid    |
> +--------+
> | 251447 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql>
>
> After poking around a bit, I've discovered that the "missing" event with
> cid 401153 is actually in a different table (belonging to the same
> parent merge table):
>
> mysql> SELECT cid FROM `event_internal_20151210` WHERE cid IN (401153);
> +--------+
> | cid    |
> +--------+
> | 401153 |
> +--------+
> 1 row in set (0.02 sec)
>
> mysql>
>
> So sguil is updating the record in event_internal_20151211 but the event
> lives in event_internal_20151210. This is happening constantly in my
> installation. Any ideas what I might do to resolve this?
>
>
> Thanks.
>
> --Matt
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>



-- 
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/

[Sguil-users] Missing events and merge tables troubleshooting

[Matt G <sec...@gm...>]

No doubt about it, sguil rocks.


Unfortunately, though, I'm experiencing a strange behavior with my sguil 
installation. It has worked flawlessly for years, but it has recently 
developed a problem.

In the console, whenever I mark an aggregated row of alerts with F8 (No 
action required), I almost always get the dreaded error:

ERROR: Some events may not have been updated. Event(s) may be missing 
from DB. See sguild output for more information.

So I've turned up the debugging on sguil and also on mysql. Here is a 
representative event:

sguild log:

Dec 15 07:33:45 skipper SGUILD: ERROR: Number of updates mismatched 
number of events.  Number of EVENTS:  5  Number of UPDATES: 4 Update 
List: 4.251447 4.289120 4.341253 4.398851 4.401153

The associated mysql activity looks like this:

UPDATE `event_internal_20151208` SET status=1, last_modified='2015-12-15 
14:33:45', last_uid='2' WHERE sid=4 AND cid IN (289120)
UPDATE `event_internal_20151210` SET status=1, last_modified='2015-12-15 
14:33:45', last_uid='2' WHERE sid=4 AND cid IN (398851)
UPDATE `event_internal_20151209` SET status=1, last_modified='2015-12-15 
14:33:45', last_uid='2' WHERE sid=4 AND cid IN (341253)
UPDATE `event_internal_20151211` SET status=1, last_modified='2015-12-15 
14:33:45', last_uid='2' WHERE sid=4 AND cid IN (401153)
UPDATE `event_internal_20151207` SET status=1, last_modified='2015-12-15 
14:33:45', last_uid='2' WHERE sid=4 AND cid IN (251447)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 
251447, 2, '2015-12-15 14:33:45', 1)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 
289120, 2, '2015-12-15 14:33:45', 1)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 
341253, 2, '2015-12-15 14:33:45', 1)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 
398851, 2, '2015-12-15 14:33:45', 1)
INSERT INTO history (sid, cid, uid, timestamp, status) VALUES ( 4, 
401153, 2, '2015-12-15 14:33:45', 1)

So clearly one of the update events is failing. When I walk through the 
SQL I find the failing event:


mysql> SELECT cid FROM `event_internal_20151209` WHERE cid IN (341253);
+--------+
| cid    |
+--------+
| 341253 |
+--------+
1 row in set (0.02 sec)

mysql> SELECT cid FROM `event_internal_20151208` WHERE cid IN (289120);
+--------+
| cid    |
+--------+
| 289120 |
+--------+
1 row in set (0.02 sec)

mysql> SELECT cid FROM `event_internal_20151210` WHERE cid IN (398851);
+--------+
| cid    |
+--------+
| 398851 |
+--------+
1 row in set (0.02 sec)

mysql> SELECT cid FROM `event_internal_20151209` WHERE cid IN (341253);
+--------+
| cid    |
+--------+
| 341253 |
+--------+
1 row in set (0.00 sec)

mysql> SELECT cid FROM `event_internal_20151211` WHERE cid IN (401153);
Empty set (0.01 sec)

mysql> SELECT cid FROM `event_internal_20151207` WHERE cid IN (251447);
+--------+
| cid    |
+--------+
| 251447 |
+--------+
1 row in set (0.02 sec)

mysql>

After poking around a bit, I've discovered that the "missing" event with 
cid 401153 is actually in a different table (belonging to the same 
parent merge table):

mysql> SELECT cid FROM `event_internal_20151210` WHERE cid IN (401153);
+--------+
| cid    |
+--------+
| 401153 |
+--------+
1 row in set (0.02 sec)

mysql>

So sguil is updating the record in event_internal_20151211 but the event 
lives in event_internal_20151210. This is happening constantly in my 
installation. Any ideas what I might do to resolve this?


Thanks.

--Matt

Re: [Sguil-users] Troubleshoot SGUIL email issues

[Matt . <stt...@gm...>]

Nevermind, the server was blocked again due to the noise. Will follow-up on
the SO list.

On Tue, Dec 8, 2015 at 8:41 AM, Matt . <stt...@gm...> wrote:

> Now emails aren't working again, they stopped yesterday afternoon/evening.
>
> After each event there are entries that say "no clients to send info msg
> to".
>
> On Tue, Dec 8, 2015 at 4:03 AM, Doug Burks <dou...@gm...> wrote:
>
>> If your Sguil emails are working properly now and these new error
>> messages are unrelated, then that would suggest this is not a Sguil
>> problem and thus beyond the scope of this mailing list.
>>
>> On Mon, Dec 7, 2015 at 5:51 PM, Matt . <stt...@gm...> wrote:
>> > Sorry I meant to state that when I posted. I did check the log file,
>> didn't
>> > see errors, restarted anyways. I also tried a few changes for the fun
>> of it,
>> > no love.
>> >
>> > Now today it's now mostly working... Not sure why since I hadn't changed
>> > anything since the deployment until the problems started happening
>> recently.
>> >
>> > That said there's one outlier, The mail server is getting frequent
>> request
>> > from the Security Onion server still. Pasting in a snippet, happening
>> many
>> > times a minute. I substitued the actual server name "servername", it
>> isn't a
>> > real domain name as the error implies. I've sifted through config files
>> for
>> > nullmailr etc and while I found on eplace that i replaced "servername"
>> with
>> > an actual domain name I must be failing to look a tsome fonig file.
>> >
>> > MAIL+FROM:<sg...@se...rvername>
>> >
>> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
>> > ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2152 QUIT QUIT
>> > 221+Service+closing+transmission+channel ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 HELO
>> > HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 MAIL
>> > MAIL+FROM:<ro...@se...rvername>
>> >
>> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
>> > ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 QUIT QUIT
>> > 221+Service+closing+transmission+channel ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 HELO
>> > HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 MAIL
>> > MAIL+FROM:<ro...@se...rvername>
>> >
>> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
>> > ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 QUIT QUIT
>> > 221+Service+closing+transmission+channel ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 HELO
>> > HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 MAIL
>> > MAIL+FROM:<ro...@se...rvername>
>> >
>> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
>> > ICOM-ME
>> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 QUIT QUIT
>> > 221+Service+closing+transmission+channel ICOM-ME
>> >
>> > Thanks,
>> > Matt
>> >
>> > On Fri, Dec 4, 2015 at 4:14 PM, Doug Burks <dou...@gm...>
>> wrote:
>> >>
>> >> Hi Matt,
>> >>
>> >> Have you checked the sguild log file?
>> >> /var/log/nsm/securityonion/sguild.log
>> >>
>> >> Have you tried restarting sguild?
>> >> sudo nsm_server_ps-restart
>> >>
>> >> On Fri, Dec 4, 2015 at 5:35 PM, Matt . <stt...@gm...> wrote:
>> >> > I use Security Onion which utilizes SGUIL. I've stopped receiving
>> email
>> >> > from
>> >> > SGUIL on my main server. I don't see errors in sguil.log.
>> >> >
>> >> > I've since enabled SGUIL email on a secondary server (duplicating the
>> >> > config
>> >> > of the main one). It's working properly.
>> >> >
>> >> > At one point the IP was blocked of the main server, weeks ago, but it
>> >> > was
>> >> > unblocked. I'm wondering if SGUIL is choking on the backlog or
>> >> > something.
>> >> >
>> >> > I'm ok with purging old email and starting from "now". What steps
>> can I
>> >> > take
>> >> > to troubleshoot this further? I'm guessing I'm not checking a
>> location
>> >> > for
>> >> > some logs somewhere.
>> >> >
>> >> > Thanks,
>> >> > Matt
>> >> >
>> >> >
>> >> >
>> >> >
>> ------------------------------------------------------------------------------
>> >> > Go from Idea to Many App Stores Faster with Intel(R) XDK
>> >> > Give your users amazing mobile app experiences with Intel(R) XDK.
>> >> > Use one codebase in this all-in-one HTML5 development environment.
>> >> > Design, debug & build mobile apps & 2D/3D high-impact games for
>> multiple
>> >> > OSs.
>> >> > http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>> >> > _______________________________________________
>> >> > Sguil-users mailing list
>> >> > Sgu...@li...
>> >> > https://lists.sourceforge.net/lists/listinfo/sguil-users
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Doug Burks
>> >> Need Security Onion Training or Commercial Support?
>> >> http://securityonionsolutions.com
>> >>
>> >>
>> >>
>> ------------------------------------------------------------------------------
>> >> Go from Idea to Many App Stores Faster with Intel(R) XDK
>> >> Give your users amazing mobile app experiences with Intel(R) XDK.
>> >> Use one codebase in this all-in-one HTML5 development environment.
>> >> Design, debug & build mobile apps & 2D/3D high-impact games for
>> multiple
>> >> OSs.
>> >> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>> >> _______________________________________________
>> >> Sguil-users mailing list
>> >> Sgu...@li...
>> >> https://lists.sourceforge.net/lists/listinfo/sguil-users
>> >
>> >
>> >
>> >
>> ------------------------------------------------------------------------------
>> > Go from Idea to Many App Stores Faster with Intel(R) XDK
>> > Give your users amazing mobile app experiences with Intel(R) XDK.
>> > Use one codebase in this all-in-one HTML5 development environment.
>> > Design, debug & build mobile apps & 2D/3D high-impact games for multiple
>> > OSs.
>> > http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>> > _______________________________________________
>> > Sguil-users mailing list
>> > Sgu...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sguil-users
>> >
>>
>>
>>
>> --
>> Doug Burks
>> Need Security Onion Training or Commercial Support?
>> http://securityonionsolutions.com
>>
>>
>> ------------------------------------------------------------------------------
>> Go from Idea to Many App Stores Faster with Intel(R) XDK
>> Give your users amazing mobile app experiences with Intel(R) XDK.
>> Use one codebase in this all-in-one HTML5 development environment.
>> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
>> OSs.
>> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>> _______________________________________________
>> Sguil-users mailing list
>> Sgu...@li...
>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>
>
>

Re: [Sguil-users] Troubleshoot SGUIL email issues

[Matt . <stt...@gm...>]

Now emails aren't working again, they stopped yesterday afternoon/evening.

After each event there are entries that say "no clients to send info msg
to".

On Tue, Dec 8, 2015 at 4:03 AM, Doug Burks <dou...@gm...> wrote:

> If your Sguil emails are working properly now and these new error
> messages are unrelated, then that would suggest this is not a Sguil
> problem and thus beyond the scope of this mailing list.
>
> On Mon, Dec 7, 2015 at 5:51 PM, Matt . <stt...@gm...> wrote:
> > Sorry I meant to state that when I posted. I did check the log file,
> didn't
> > see errors, restarted anyways. I also tried a few changes for the fun of
> it,
> > no love.
> >
> > Now today it's now mostly working... Not sure why since I hadn't changed
> > anything since the deployment until the problems started happening
> recently.
> >
> > That said there's one outlier, The mail server is getting frequent
> request
> > from the Security Onion server still. Pasting in a snippet, happening
> many
> > times a minute. I substitued the actual server name "servername", it
> isn't a
> > real domain name as the error implies. I've sifted through config files
> for
> > nullmailr etc and while I found on eplace that i replaced "servername"
> with
> > an actual domain name I must be failing to look a tsome fonig file.
> >
> > MAIL+FROM:<sg...@se...rvername>
> >
> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
> > ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2152 QUIT QUIT
> > 221+Service+closing+transmission+channel ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 HELO
> > HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 MAIL
> > MAIL+FROM:<ro...@se...rvername>
> >
> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
> > ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 QUIT QUIT
> > 221+Service+closing+transmission+channel ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 HELO
> > HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 MAIL
> > MAIL+FROM:<ro...@se...rvername>
> >
> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
> > ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 QUIT QUIT
> > 221+Service+closing+transmission+channel ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 HELO
> > HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 MAIL
> > MAIL+FROM:<ro...@se...rvername>
> >
> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
> > ICOM-ME
> > 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 QUIT QUIT
> > 221+Service+closing+transmission+channel ICOM-ME
> >
> > Thanks,
> > Matt
> >
> > On Fri, Dec 4, 2015 at 4:14 PM, Doug Burks <dou...@gm...> wrote:
> >>
> >> Hi Matt,
> >>
> >> Have you checked the sguild log file?
> >> /var/log/nsm/securityonion/sguild.log
> >>
> >> Have you tried restarting sguild?
> >> sudo nsm_server_ps-restart
> >>
> >> On Fri, Dec 4, 2015 at 5:35 PM, Matt . <stt...@gm...> wrote:
> >> > I use Security Onion which utilizes SGUIL. I've stopped receiving
> email
> >> > from
> >> > SGUIL on my main server. I don't see errors in sguil.log.
> >> >
> >> > I've since enabled SGUIL email on a secondary server (duplicating the
> >> > config
> >> > of the main one). It's working properly.
> >> >
> >> > At one point the IP was blocked of the main server, weeks ago, but it
> >> > was
> >> > unblocked. I'm wondering if SGUIL is choking on the backlog or
> >> > something.
> >> >
> >> > I'm ok with purging old email and starting from "now". What steps can
> I
> >> > take
> >> > to troubleshoot this further? I'm guessing I'm not checking a location
> >> > for
> >> > some logs somewhere.
> >> >
> >> > Thanks,
> >> > Matt
> >> >
> >> >
> >> >
> >> >
> ------------------------------------------------------------------------------
> >> > Go from Idea to Many App Stores Faster with Intel(R) XDK
> >> > Give your users amazing mobile app experiences with Intel(R) XDK.
> >> > Use one codebase in this all-in-one HTML5 development environment.
> >> > Design, debug & build mobile apps & 2D/3D high-impact games for
> multiple
> >> > OSs.
> >> > http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> >> > _______________________________________________
> >> > Sguil-users mailing list
> >> > Sgu...@li...
> >> > https://lists.sourceforge.net/lists/listinfo/sguil-users
> >> >
> >>
> >>
> >>
> >> --
> >> Doug Burks
> >> Need Security Onion Training or Commercial Support?
> >> http://securityonionsolutions.com
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> Go from Idea to Many App Stores Faster with Intel(R) XDK
> >> Give your users amazing mobile app experiences with Intel(R) XDK.
> >> Use one codebase in this all-in-one HTML5 development environment.
> >> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> >> OSs.
> >> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> >> _______________________________________________
> >> Sguil-users mailing list
> >> Sgu...@li...
> >> https://lists.sourceforge.net/lists/listinfo/sguil-users
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > Go from Idea to Many App Stores Faster with Intel(R) XDK
> > Give your users amazing mobile app experiences with Intel(R) XDK.
> > Use one codebase in this all-in-one HTML5 development environment.
> > Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> > OSs.
> > http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> > _______________________________________________
> > Sguil-users mailing list
> > Sgu...@li...
> > https://lists.sourceforge.net/lists/listinfo/sguil-users
> >
>
>
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
>
>
> ------------------------------------------------------------------------------
> Go from Idea to Many App Stores Faster with Intel(R) XDK
> Give your users amazing mobile app experiences with Intel(R) XDK.
> Use one codebase in this all-in-one HTML5 development environment.
> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> OSs.
> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>

Re: [Sguil-users] Troubleshoot SGUIL email issues

[Doug B. <dou...@gm...>]

If your Sguil emails are working properly now and these new error
messages are unrelated, then that would suggest this is not a Sguil
problem and thus beyond the scope of this mailing list.

On Mon, Dec 7, 2015 at 5:51 PM, Matt . <stt...@gm...> wrote:
> Sorry I meant to state that when I posted. I did check the log file, didn't
> see errors, restarted anyways. I also tried a few changes for the fun of it,
> no love.
>
> Now today it's now mostly working... Not sure why since I hadn't changed
> anything since the deployment until the problems started happening recently.
>
> That said there's one outlier, The mail server is getting frequent request
> from the Security Onion server still. Pasting in a snippet, happening many
> times a minute. I substitued the actual server name "servername", it isn't a
> real domain name as the error implies. I've sifted through config files for
> nullmailr etc and while I found on eplace that i replaced "servername" with
> an actual domain name I must be failing to look a tsome fonig file.
>
> MAIL+FROM:<sg...@se...rvername>
> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
> ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2152 QUIT QUIT
> 221+Service+closing+transmission+channel ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 HELO
> HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 MAIL
> MAIL+FROM:<ro...@se...rvername>
> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
> ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 QUIT QUIT
> 221+Service+closing+transmission+channel ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 HELO
> HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 MAIL
> MAIL+FROM:<ro...@se...rvername>
> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
> ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 QUIT QUIT
> 221+Service+closing+transmission+channel ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 HELO
> HELO+domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 MAIL
> MAIL+FROM:<ro...@se...rvername>
> 501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
> ICOM-ME
> 2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 QUIT QUIT
> 221+Service+closing+transmission+channel ICOM-ME
>
> Thanks,
> Matt
>
> On Fri, Dec 4, 2015 at 4:14 PM, Doug Burks <dou...@gm...> wrote:
>>
>> Hi Matt,
>>
>> Have you checked the sguild log file?
>> /var/log/nsm/securityonion/sguild.log
>>
>> Have you tried restarting sguild?
>> sudo nsm_server_ps-restart
>>
>> On Fri, Dec 4, 2015 at 5:35 PM, Matt . <stt...@gm...> wrote:
>> > I use Security Onion which utilizes SGUIL. I've stopped receiving email
>> > from
>> > SGUIL on my main server. I don't see errors in sguil.log.
>> >
>> > I've since enabled SGUIL email on a secondary server (duplicating the
>> > config
>> > of the main one). It's working properly.
>> >
>> > At one point the IP was blocked of the main server, weeks ago, but it
>> > was
>> > unblocked. I'm wondering if SGUIL is choking on the backlog or
>> > something.
>> >
>> > I'm ok with purging old email and starting from "now". What steps can I
>> > take
>> > to troubleshoot this further? I'm guessing I'm not checking a location
>> > for
>> > some logs somewhere.
>> >
>> > Thanks,
>> > Matt
>> >
>> >
>> >
>> > ------------------------------------------------------------------------------
>> > Go from Idea to Many App Stores Faster with Intel(R) XDK
>> > Give your users amazing mobile app experiences with Intel(R) XDK.
>> > Use one codebase in this all-in-one HTML5 development environment.
>> > Design, debug & build mobile apps & 2D/3D high-impact games for multiple
>> > OSs.
>> > http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>> > _______________________________________________
>> > Sguil-users mailing list
>> > Sgu...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sguil-users
>> >
>>
>>
>>
>> --
>> Doug Burks
>> Need Security Onion Training or Commercial Support?
>> http://securityonionsolutions.com
>>
>>
>> ------------------------------------------------------------------------------
>> Go from Idea to Many App Stores Faster with Intel(R) XDK
>> Give your users amazing mobile app experiences with Intel(R) XDK.
>> Use one codebase in this all-in-one HTML5 development environment.
>> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
>> OSs.
>> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>> _______________________________________________
>> Sguil-users mailing list
>> Sgu...@li...
>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>
>
>
> ------------------------------------------------------------------------------
> Go from Idea to Many App Stores Faster with Intel(R) XDK
> Give your users amazing mobile app experiences with Intel(R) XDK.
> Use one codebase in this all-in-one HTML5 development environment.
> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> OSs.
> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Re: [Sguil-users] Troubleshoot SGUIL email issues

[Matt . <stt...@gm...>]

Sorry I meant to state that when I posted. I did check the log file, didn't
see errors, restarted anyways. I also tried a few changes for the fun of
it, no love.

Now today it's now mostly working... Not sure why since I hadn't changed
anything since the deployment until the problems started happening recently.

That said there's one outlier, The mail server is getting frequent request
from the Security Onion server still. Pasting in a snippet, happening many
times a minute. I substitued the actual server name "servername", it isn't
a real domain name as the error implies. I've sifted through config files
for nullmailr etc and while I found on eplace that i replaced "servername"
with an actual domain name I must be failing to look a tsome fonig file.

MAIL+FROM:<sg...@se...rvername>
501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2152 QUIT QUIT
221+Service+closing+transmission+channel ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 HELO HELO+
domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 MAIL
MAIL+FROM:<ro...@se...rvername>
501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1624 QUIT QUIT
221+Service+closing+transmission+channel ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 HELO HELO+
domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 MAIL
MAIL+FROM:<ro...@se...rvername>
501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 1460 QUIT QUIT
221+Service+closing+transmission+channel ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 HELO HELO+
domain.com 250+Requested+mail+action+okay,+completed ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 MAIL
MAIL+FROM:<ro...@se...rvername>
501+Your+domain+does+not+seem+to+be+valid.+Could+not+find+MX+record+for+your+domain.
ICOM-ME
2015-12-07 14:19:20 xx.xx.xx.xx SMTP-IN  xx.xx.xx.74 2000 QUIT QUIT
221+Service+closing+transmission+channel ICOM-ME

Thanks,
Matt

On Fri, Dec 4, 2015 at 4:14 PM, Doug Burks <dou...@gm...> wrote:

> Hi Matt,
>
> Have you checked the sguild log file?
> /var/log/nsm/securityonion/sguild.log
>
> Have you tried restarting sguild?
> sudo nsm_server_ps-restart
>
> On Fri, Dec 4, 2015 at 5:35 PM, Matt . <stt...@gm...> wrote:
> > I use Security Onion which utilizes SGUIL. I've stopped receiving email
> from
> > SGUIL on my main server. I don't see errors in sguil.log.
> >
> > I've since enabled SGUIL email on a secondary server (duplicating the
> config
> > of the main one). It's working properly.
> >
> > At one point the IP was blocked of the main server, weeks ago, but it was
> > unblocked. I'm wondering if SGUIL is choking on the backlog or something.
> >
> > I'm ok with purging old email and starting from "now". What steps can I
> take
> > to troubleshoot this further? I'm guessing I'm not checking a location
> for
> > some logs somewhere.
> >
> > Thanks,
> > Matt
> >
> >
> >
> ------------------------------------------------------------------------------
> > Go from Idea to Many App Stores Faster with Intel(R) XDK
> > Give your users amazing mobile app experiences with Intel(R) XDK.
> > Use one codebase in this all-in-one HTML5 development environment.
> > Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> > OSs.
> > http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> > _______________________________________________
> > Sguil-users mailing list
> > Sgu...@li...
> > https://lists.sourceforge.net/lists/listinfo/sguil-users
> >
>
>
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
>
>
> ------------------------------------------------------------------------------
> Go from Idea to Many App Stores Faster with Intel(R) XDK
> Give your users amazing mobile app experiences with Intel(R) XDK.
> Use one codebase in this all-in-one HTML5 development environment.
> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> OSs.
> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>

Re: [Sguil-users] Troubleshoot SGUIL email issues

[Doug B. <dou...@gm...>]

Hi Matt,

Have you checked the sguild log file?
/var/log/nsm/securityonion/sguild.log

Have you tried restarting sguild?
sudo nsm_server_ps-restart

On Fri, Dec 4, 2015 at 5:35 PM, Matt . <stt...@gm...> wrote:
> I use Security Onion which utilizes SGUIL. I've stopped receiving email from
> SGUIL on my main server. I don't see errors in sguil.log.
>
> I've since enabled SGUIL email on a secondary server (duplicating the config
> of the main one). It's working properly.
>
> At one point the IP was blocked of the main server, weeks ago, but it was
> unblocked. I'm wondering if SGUIL is choking on the backlog or something.
>
> I'm ok with purging old email and starting from "now". What steps can I take
> to troubleshoot this further? I'm guessing I'm not checking a location for
> some logs somewhere.
>
> Thanks,
> Matt
>
>
> ------------------------------------------------------------------------------
> Go from Idea to Many App Stores Faster with Intel(R) XDK
> Give your users amazing mobile app experiences with Intel(R) XDK.
> Use one codebase in this all-in-one HTML5 development environment.
> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
> OSs.
> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

[Sguil-users] Troubleshoot SGUIL email issues

[Matt . <stt...@gm...>]

I use Security Onion which utilizes SGUIL. I've stopped receiving email
from SGUIL on my main server. I don't see errors in sguil.log.

I've since enabled SGUIL email on a secondary server (duplicating the
config of the main one). It's working properly.

At one point the IP was blocked of the main server, weeks ago, but it was
unblocked. I'm wondering if SGUIL is choking on the backlog or something.

I'm ok with purging old email and starting from "now". What steps can I
take to troubleshoot this further? I'm guessing I'm not checking a location
for some logs somewhere.

Thanks,
Matt

Re: [Sguil-users] Sguil broken after OpenSSL update (Ubuntu)

[Lay, J. <jam...@wi...>]

Thanks again for the link Paul!  Fixed up with :

If you can't downgrade, a workaround could be to force some other cipher on the sensors, like MD5.

change these lines in snort_agent.tcl and pcap_agent.tcl:

tls::import $dataChannelID -ssl2 false -ssl3 false -tls1 true -cipher MD5

Woot!

James
From: Paul Halliday [mailto:pau...@gm...]
Sent: Tuesday, June 23, 2015 9:14 AM
To: sgu...@li...
Subject: Re: [Sguil-users] Sguil broken after OpenSSL update (Ubuntu)

http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

That might help you.

On Tue, Jun 23, 2015 at 12:13 PM, Paul Halliday <pau...@gm...<mailto:pau...@gm...>> wrote:
James,

Take a quick peek at the most recent threads on the security onion mailing list WRT to this. I think is was fixed with an updated tcltls package.

On Tue, Jun 23, 2015 at 11:55 AM, Lay, James <jam...@wi...<mailto:jam...@wi...>> wrote:
From sguild:

2015-06-23 14:45:36 pid(14931)  Sensor agent connect from 127.0.0.1:40300<http://127.0.0.1:40300> sock15
2015-06-23 14:45:36 pid(14931)  Validating sensor access: 127.0.0.1 :
2015-06-23 14:45:36 pid(14931)  Valid sensor agent: 127.0.0.1
2015-06-23 14:45:36 pid(14931)  ERROR: handshake failed: sslv3 alert handshake failure
2015-06-23 14:45:36 pid(14931)  Error: Improper sensor cmd received: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}: can't read "socketInfo(sock15)": no such variable
2015-06-23 14:45:36 pid(14931)  Error from socket sock15: SSL channel "sock15": error: sslv3 alert handshake failure
2015-06-23 14:45:36 pid(14931)  Closing socket.

From the snort_agent:

Connected to localhost
Sending sguild (sock3) RegisterAgent snort POS POS
ERROR: error writing "sock3": software caused connection abort : RegisterAgent snort POS POS
Socket sock3 closed
Attempting to reconnect.

Is there any way to disable ssl usage?  In my case the agents are on the local machine anyway.  Thank you.

James

------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
_______________________________________________
Sguil-users mailing list
Sgu...@li...<mailto:Sgu...@li...>
https://lists.sourceforge.net/lists/listinfo/sguil-users



--
Paul Halliday
http://www.pintumbler.org/



--
Paul Halliday
http://www.pintumbler.org/

Re: [Sguil-users] Sguil broken after OpenSSL update (Ubuntu)

[Lay, J. <jam...@wi...>]

Thanks Paul…appreciate it.

James

From: Paul Halliday [mailto:pau...@gm...]
Sent: Tuesday, June 23, 2015 9:14 AM
To: sgu...@li...
Subject: Re: [Sguil-users] Sguil broken after OpenSSL update (Ubuntu)

http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

That might help you.

On Tue, Jun 23, 2015 at 12:13 PM, Paul Halliday <pau...@gm...<mailto:pau...@gm...>> wrote:
James,

Take a quick peek at the most recent threads on the security onion mailing list WRT to this. I think is was fixed with an updated tcltls package.

On Tue, Jun 23, 2015 at 11:55 AM, Lay, James <jam...@wi...<mailto:jam...@wi...>> wrote:
From sguild:

2015-06-23 14:45:36 pid(14931)  Sensor agent connect from 127.0.0.1:40300<http://127.0.0.1:40300> sock15
2015-06-23 14:45:36 pid(14931)  Validating sensor access: 127.0.0.1 :
2015-06-23 14:45:36 pid(14931)  Valid sensor agent: 127.0.0.1
2015-06-23 14:45:36 pid(14931)  ERROR: handshake failed: sslv3 alert handshake failure
2015-06-23 14:45:36 pid(14931)  Error: Improper sensor cmd received: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}: can't read "socketInfo(sock15)": no such variable
2015-06-23 14:45:36 pid(14931)  Error from socket sock15: SSL channel "sock15": error: sslv3 alert handshake failure
2015-06-23 14:45:36 pid(14931)  Closing socket.

From the snort_agent:

Connected to localhost
Sending sguild (sock3) RegisterAgent snort POS POS
ERROR: error writing "sock3": software caused connection abort : RegisterAgent snort POS POS
Socket sock3 closed
Attempting to reconnect.

Is there any way to disable ssl usage?  In my case the agents are on the local machine anyway.  Thank you.

James

------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
_______________________________________________
Sguil-users mailing list
Sgu...@li...<mailto:Sgu...@li...>
https://lists.sourceforge.net/lists/listinfo/sguil-users



--
Paul Halliday
http://www.pintumbler.org/



--
Paul Halliday
http://www.pintumbler.org/

Re: [Sguil-users] Sguil broken after OpenSSL update (Ubuntu)

[Paul H. <pau...@gm...>]

http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

That might help you.

On Tue, Jun 23, 2015 at 12:13 PM, Paul Halliday <pau...@gm...>
wrote:

> James,
>
> Take a quick peek at the most recent threads on the security onion mailing
> list WRT to this. I think is was fixed with an updated tcltls package.
>
> On Tue, Jun 23, 2015 at 11:55 AM, Lay, James <jam...@wi...>
> wrote:
>
>>  From sguild:
>>
>>
>>
>> 2015-06-23 14:45:36 pid(14931)  Sensor agent connect from 127.0.0.1:40300
>> sock15
>>
>> 2015-06-23 14:45:36 pid(14931)  Validating sensor access: 127.0.0.1 :
>>
>> 2015-06-23 14:45:36 pid(14931)  Valid sensor agent: 127.0.0.1
>>
>> 2015-06-23 14:45:36 pid(14931)  ERROR: handshake failed: sslv3 alert
>> handshake failure
>>
>> 2015-06-23 14:45:36 pid(14931)  Error: Improper sensor cmd received:
>> VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}: can't read "socketInfo(sock15)":
>> no such variable
>>
>> 2015-06-23 14:45:36 pid(14931)  Error from socket sock15: SSL channel
>> "sock15": error: sslv3 alert handshake failure
>>
>> 2015-06-23 14:45:36 pid(14931)  Closing socket.
>>
>>
>>
>> From the snort_agent:
>>
>>
>>
>> Connected to localhost
>>
>> Sending sguild (sock3) RegisterAgent snort POS POS
>>
>> ERROR: error writing "sock3": software caused connection abort :
>> RegisterAgent snort POS POS
>>
>> Socket sock3 closed
>>
>> Attempting to reconnect.
>>
>>
>>
>> Is there any way to disable ssl usage?  In my case the agents are on the
>> local machine anyway.  Thank you.
>>
>>
>>
>> James
>>
>>
>> ------------------------------------------------------------------------------
>> Monitor 25 network devices or servers for free with OpManager!
>> OpManager is web-based network management software that monitors
>> network devices and physical & virtual servers, alerts via email & sms
>> for fault. Monitor 25 devices for free with no restriction. Download now
>> http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
>> _______________________________________________
>> Sguil-users mailing list
>> Sgu...@li...
>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>
>>
>
>
> --
> Paul Halliday
> http://www.pintumbler.org/
>



-- 
Paul Halliday
http://www.pintumbler.org/

Re: [Sguil-users] Sguil broken after OpenSSL update (Ubuntu)

[Paul H. <pau...@gm...>]

James,

Take a quick peek at the most recent threads on the security onion mailing
list WRT to this. I think is was fixed with an updated tcltls package.

On Tue, Jun 23, 2015 at 11:55 AM, Lay, James <jam...@wi...>
wrote:

>  From sguild:
>
>
>
> 2015-06-23 14:45:36 pid(14931)  Sensor agent connect from 127.0.0.1:40300
> sock15
>
> 2015-06-23 14:45:36 pid(14931)  Validating sensor access: 127.0.0.1 :
>
> 2015-06-23 14:45:36 pid(14931)  Valid sensor agent: 127.0.0.1
>
> 2015-06-23 14:45:36 pid(14931)  ERROR: handshake failed: sslv3 alert
> handshake failure
>
> 2015-06-23 14:45:36 pid(14931)  Error: Improper sensor cmd received:
> VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}: can't read "socketInfo(sock15)":
> no such variable
>
> 2015-06-23 14:45:36 pid(14931)  Error from socket sock15: SSL channel
> "sock15": error: sslv3 alert handshake failure
>
> 2015-06-23 14:45:36 pid(14931)  Closing socket.
>
>
>
> From the snort_agent:
>
>
>
> Connected to localhost
>
> Sending sguild (sock3) RegisterAgent snort POS POS
>
> ERROR: error writing "sock3": software caused connection abort :
> RegisterAgent snort POS POS
>
> Socket sock3 closed
>
> Attempting to reconnect.
>
>
>
> Is there any way to disable ssl usage?  In my case the agents are on the
> local machine anyway.  Thank you.
>
>
>
> James
>
>
> ------------------------------------------------------------------------------
> Monitor 25 network devices or servers for free with OpManager!
> OpManager is web-based network management software that monitors
> network devices and physical & virtual servers, alerts via email & sms
> for fault. Monitor 25 devices for free with no restriction. Download now
> http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>
>


-- 
Paul Halliday
http://www.pintumbler.org/

[Sguil-users] Sguil broken after OpenSSL update (Ubuntu)

[Lay, J. <jam...@wi...>]

>From sguild:

2015-06-23 14:45:36 pid(14931)  Sensor agent connect from 127.0.0.1:40300 sock15
2015-06-23 14:45:36 pid(14931)  Validating sensor access: 127.0.0.1 :
2015-06-23 14:45:36 pid(14931)  Valid sensor agent: 127.0.0.1
2015-06-23 14:45:36 pid(14931)  ERROR: handshake failed: sslv3 alert handshake failure
2015-06-23 14:45:36 pid(14931)  Error: Improper sensor cmd received: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}: can't read "socketInfo(sock15)": no such variable
2015-06-23 14:45:36 pid(14931)  Error from socket sock15: SSL channel "sock15": error: sslv3 alert handshake failure
2015-06-23 14:45:36 pid(14931)  Closing socket.

>From the snort_agent:

Connected to localhost
Sending sguild (sock3) RegisterAgent snort POS POS
ERROR: error writing "sock3": software caused connection abort : RegisterAgent snort POS POS
Socket sock3 closed
Attempting to reconnect.

Is there any way to disable ssl usage?  In my case the agents are on the local machine anyway.  Thank you.

James

Re: [Sguil-users] Error improper sensor cmd received

[E. F. <edw...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

compiling a newer version of tcpflow seems to fix it.

Seems like the error on newer debian/ubuntu with tcpflow erroring:
   "write error to stdout"
b0rks the sguil pcap agent, and leaving it in a limbo state.

E

On 05/08/2015 11:12 AM, Edward Fjellskål wrote:
> Did you guys solve this? Im seeing the same. Ubuntu 14.04 tcl8.6.
> 
> E
> 
> On Tue, Nov 11, 2014 at 2:33 PM, C. L. Martinez
> <car...@gm...> wrote:
> 
>> Thanks Bamm. Nop, the only error message that I have is on the
>> sguil server side:
>> 
>> Nov  4 14:49:00 plzfsiem04 SGUILD: Error: Improper sensor cmd 
>> received: RawDataFile 10.196.0.15:59567_107.20.198.79:443-6.raw
>> 5 20588: error writing "stdout": I/O error Nov  4 14:49:00
>> bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19): 
>> <D4><C3><B2><A1>#002 Nov  4 14:49:00 bsdsguil01 SGUILD: Error:
>> Improper sensor cmd received: <D4><C3><B2><A1>#002 Nov  4
>> 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19): Nov  4
>> 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received: 
>> Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19):
>> <C4> Nov  4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor
>> cmd received: <C4> Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd
>> Unknown (sock19): Nov  4 14:49:00 bsdsguil01 SGUILD: Error:
>> Improper sensor cmd received: Nov  4 14:49:00 bsdsguil01 SGUILD:
>> Sensor Cmd Unknown (sock19): <C4> Nov  4 14:49:00 bsdsguil01
>> SGUILD: Error: Improper sensor cmd received: <C4>
>> 
>> On Tue, Nov 11, 2014 at 12:35 PM, Bamm Visscher
>> <bam...@gm...> wrote:
>>> Can you send more details?  Do you have output for
>>> pcap_agent.tcl?
>>> 
>>> Bamm
>>> 
>>> On Tue, Nov 11, 2014 at 5:32 AM, C. L. Martinez
>>> <car...@gm...> wrote:
>>>> 
>>>> Ok, I don't why but the problem is with pcap_agent script.
>>>> Restarting every hour, problem disappears ...
>>>> 
>>>> On Fri, Nov 7, 2014 at 2:15 PM, C. L. Martinez
>>>> <car...@gm...> wrote:
>>>>> Uhmm . maybe the problemas is that sguil server is
>>>>> installed under lxc container?? Hard disk is ok, works
>>>>> without problema.
>>>>> 
>>>>> 
>>>>> On Friday, November 7, 2014, James Lay
>>>>> <jl...@sl...>
>> wrote:
>>>>>> 
>>>>>> On Fri, 2014-11-07 at 12:32 +0000, C. L. Martinez wrote:
>>>>>> 
>>>>>> Hi all,
>>>>>> 
>>>>>> How can I debug this error?
>>>>>> 
>>>>>> Nov  7 12:28:03 sguiltst01 SGUILD: Error: Improper sensor
>>>>>> cmd received: RawDataFile
>>>>>> 10.196.0.98:61540_173.194.40.184:443-6.raw 4 182244:
>>>>>> error writing "stdout": I/O error
>>>>>> 
>>>>>> Is it a problem with sguil server or with the agent??
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>> ------------------------------------------------------------------------------
>>>>>>
>> 
_______________________________________________
>>>>>> Sguil-users mailing list 
>>>>>> Sgu...@li... 
>>>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>>>>> 
>>>>>> 
>>>>>> That looks like it might be a disk thing...what do dmes
>>>>>> and smartctl have to show?
>>>>>> 
>>>>>> James
>>>> 
>>>> 
>>>> 
>> ------------------------------------------------------------------------------
>>>>
>> 
Comprehensive Server Monitoring with Site24x7.
>>>> Monitor 10 servers for $9/Month. Get alerted through email,
>>>> SMS, voice calls or mobile push
>> notifications.
>>>> Take corrective actions from your mobile device.
>>>> 
>>>> 
>> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
>>>>
>> 
_______________________________________________
>>>> Sguil-users mailing list Sgu...@li... 
>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>> 
>>> 
>>> 
>>> 
>>> -- sguil - The Analyst Console for NSM http://www.sguil.net
>>> 
>>> 
>> ------------------------------------------------------------------------------
>>>
>> 
Comprehensive Server Monitoring with Site24x7.
>>> Monitor 10 servers for $9/Month. Get alerted through email,
>>> SMS, voice calls or mobile push notifications. Take corrective
>>> actions from your mobile device.
>>> 
>> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
>>>
>> 
_______________________________________________
>>> Sguil-users mailing list Sgu...@li... 
>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>>
>> 
Comprehensive Server Monitoring with Site24x7.
>> Monitor 10 servers for $9/Month. Get alerted through email, SMS,
>> voice calls or mobile push notifications. Take corrective actions
>> from your mobile device.
>> 
>> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
>>
>> 
_______________________________________________
>> Sguil-users mailing list Sgu...@li... 
>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>> 
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVTJZkAAoJEAf3kNGaI009b6gIAKK27c5FVZfKw6BEFUHb+90y
yP6vyZGVsvk55SAvA8JWe8ycrxU7zQi08TKkk6tjm0fxSv7fOl9zrWcOfjGEYZVx
fejUrylapjPg2vRNXgluf+OHcszBRltGvLHfFaqLkJwvGrH1qUl+E/XIYZVBgdvt
8P8G25GHcK+Ttj2TyWQgR5xKEpCyAdcirBffCvj9CM5jwVkgh+yy8EtVnZ9GZZx1
WequH+gozth186rw2zfy2GnXU9q2BgVtOVs6J7RH+aQOZRKsKLW03Q+TqUH+p8Tt
RybB6VfNprBpELfpFk3uF9P4zsIb17JW0PcLnIjgKZYIPxMGzuMzITLXq7AJx9Y=
=EvZJ
-----END PGP SIGNATURE-----

Re: [Sguil-users] Error improper sensor cmd received

[Edward F. <edw...@gm...>]

Did you guys solve this? Im seeing the same. Ubuntu 14.04 tcl8.6.

E

On Tue, Nov 11, 2014 at 2:33 PM, C. L. Martinez <car...@gm...>
wrote:

> Thanks Bamm. Nop, the only error message that I have is on the sguil
> server side:
>
> Nov  4 14:49:00 plzfsiem04 SGUILD: Error: Improper sensor cmd
> received: RawDataFile 10.196.0.15:59567_107.20.198.79:443-6.raw 5
> 20588: error writing "stdout": I/O error
> Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19):
> <D4><C3><B2><A1>#002
> Nov  4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd
> received: <D4><C3><B2><A1>#002
> Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19):
> Nov  4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received:
> Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19): <C4>
> Nov  4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received:
> <C4>
> Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19):
> Nov  4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received:
> Nov  4 14:49:00 bsdsguil01 SGUILD: Sensor Cmd Unknown (sock19): <C4>
> Nov  4 14:49:00 bsdsguil01 SGUILD: Error: Improper sensor cmd received:
> <C4>
>
> On Tue, Nov 11, 2014 at 12:35 PM, Bamm Visscher <bam...@gm...>
> wrote:
> > Can you send more details?  Do you have output for pcap_agent.tcl?
> >
> > Bamm
> >
> > On Tue, Nov 11, 2014 at 5:32 AM, C. L. Martinez <car...@gm...>
> > wrote:
> >>
> >> Ok, I don't why but the problem is with pcap_agent script. Restarting
> >> every hour, problem disappears ...
> >>
> >> On Fri, Nov 7, 2014 at 2:15 PM, C. L. Martinez <car...@gm...>
> >> wrote:
> >> > Uhmm . maybe the problemas is that sguil server is installed under lxc
> >> > container?? Hard disk is ok, works without problema.
> >> >
> >> >
> >> > On Friday, November 7, 2014, James Lay <jl...@sl...>
> wrote:
> >> >>
> >> >> On Fri, 2014-11-07 at 12:32 +0000, C. L. Martinez wrote:
> >> >>
> >> >> Hi all,
> >> >>
> >> >>  How can I debug this error?
> >> >>
> >> >> Nov  7 12:28:03 sguiltst01 SGUILD: Error: Improper sensor cmd
> >> >> received: RawDataFile 10.196.0.98:61540_173.194.40.184:443-6.raw 4
> >> >> 182244: error writing "stdout": I/O error
> >> >>
> >> >>  Is it a problem with sguil server or with the agent??
> >> >>
> >> >>
> >> >>
> >> >>
> ------------------------------------------------------------------------------
> >> >> _______________________________________________
> >> >> Sguil-users mailing list
> >> >> Sgu...@li...
> >> >> https://lists.sourceforge.net/lists/listinfo/sguil-users
> >> >>
> >> >>
> >> >> That looks like it might be a disk thing...what do dmes and smartctl
> >> >> have
> >> >> to show?
> >> >>
> >> >> James
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> Comprehensive Server Monitoring with Site24x7.
> >> Monitor 10 servers for $9/Month.
> >> Get alerted through email, SMS, voice calls or mobile push
> notifications.
> >> Take corrective actions from your mobile device.
> >>
> >>
> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
> >> _______________________________________________
> >> Sguil-users mailing list
> >> Sgu...@li...
> >> https://lists.sourceforge.net/lists/listinfo/sguil-users
> >
> >
> >
> >
> > --
> > sguil - The Analyst Console for NSM
> > http://www.sguil.net
> >
> >
> ------------------------------------------------------------------------------
> > Comprehensive Server Monitoring with Site24x7.
> > Monitor 10 servers for $9/Month.
> > Get alerted through email, SMS, voice calls or mobile push notifications.
> > Take corrective actions from your mobile device.
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Sguil-users mailing list
> > Sgu...@li...
> > https://lists.sourceforge.net/lists/listinfo/sguil-users
> >
>
>
> ------------------------------------------------------------------------------
> Comprehensive Server Monitoring with Site24x7.
> Monitor 10 servers for $9/Month.
> Get alerted through email, SMS, voice calls or mobile push notifications.
> Take corrective actions from your mobile device.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>



-- 
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/

Re: [Sguil-users] Sguil-users Digest, Vol 82, Issue 2

[Nguyen V. D. <dun...@vc...>]

Dear
I checked back my system to fix.
And now my service pads , pads agent, snort , snort agent. But sguil still
running
1. When i start sancp_agent , i received a alert:

"[root@SVR080 ~]# service sancp_agent-SVR080 start
Starting sancp_agent-SVR080:                               [  OK  ]
[root@SVR080 ~]# Error: can't read "MAX_COPY": no such variable
can't read "MAX_COPY": no such variable
    while executing
"if { $ACTIVE_COPY >= $MAX_COPY } { vwait ACTIVE_COPY }"
    (procedure "CheckForSancpFiles" line 29)
    invoked from within
"CheckForSancpFiles"
    ("after" script)
service sancp_agent-SVR080 status
SANCP agent for sensor SVR080 is DOWN

2. My barnyard have a lot off log " /var/log/message" that:

"Apr 14 12:18:12 SVR080 barnyard[4099]: Waiting 15 secs to try again.
Apr 14 12:18:27 SVR080 barnyard[4099]: Cannot connect to localhost on TCP
port 7746.
Apr 14 12:18:27 SVR080 barnyard[4099]: Waiting 15 secs to try again.
Apr 14 12:18:42 SVR080 barnyard[4099]: Connected to localhost on 7746.
Apr 14 12:18:42 SVR080 barnyard[4099]: ERROR: Invalid packet length:
3626607104
Apr 14 12:18:42 SVR080 barnyard[4099]: FATAL ERROR: Read error
Apr 14 12:18:42 SVR080 barnyard[4099]: Exiting "

So, my sguil still not run.

I hope your reply.
Thanks so much



On Fri, Apr 10, 2015 at 7:00 PM, <sgu...@li...>
wrote:

> Send Sguil-users mailing list submissions to
>         sgu...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/sguil-users
> or, via email, send a message with subject or body 'help' to
>         sgu...@li...
>
> You can reach the person managing the list at
>         sgu...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Sguil-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Need support for "Error : bad cell index.." on sguil
>       server - client (Bamm Visscher)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 9 Apr 2015 10:40:15 -0400
> From: Bamm Visscher <bam...@gm...>
> Subject: Re: [Sguil-users] Need support for "Error : bad cell index.."
>         on sguil server - client
> To: Sguil <sgu...@li...>
> Message-ID:
>         <
> CAC...@ma...>
> Content-Type: text/plain; charset="utf-8"
>
> The error is from the Sguil client and should not prevent you from viewing
> or receiving events. If you select "OK", the client should function as
> normal.
>
> In order to debug further, can you better describe what you were doing when
> the error occurred? Also, please send the full error output. You should be
> able to cut and pasted the full text versus sending a screen shot.
>
> Bamm
>
>
> On Sat, Apr 4, 2015 at 3:38 AM, Nguyen Viet Dung <dun...@vc...
> >
> wrote:
>
> > Dear
> > I'm a administrator network of company at Viet nam. I setup sguil to
> > monitor network security on my system which i 'm admin.
> > So, i have a error warning that :
> > " Error: bad cell index ",srcip": must be active, anchor, end, @x,y, or
> > row,col, where row must be active, anchor, end, top, bottom, a number, a
> > full key, or a name, and col must be active, anchor, end, left, right, a
> > number, or a name
> > bad cell index ",srcip": must be active, anchor, end, @x,y, or row,col,
> > where row must be active, anchor, end, top, bottom, a number, a full key,
> > or a name, and col must be active, anchor, end, left, right, a number,
> or a
> > name"
> >
> > Now, i can't see traffic, log .. on sguil. I don't Known this error ,
> from
> > sguil server? sguil client? or sguil sensor?
> > I hope your reply. Thanks you so muc
> >
> > ps: i sent to you a figure which i shot from my monitor
> >
> > --
> > VC Corporation.
> > Email: dun...@vc...
> > Mobile: 0988133013
> > C? ??nh: 04.39743410 - Ext:248
> >
> > Address: 17th floor, VTCOnline tower, 18 Tam Trinh St, Hanoi.
> >
> >
> >
> ------------------------------------------------------------------------------
> > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> > Develop your own process in accordance with the BPMN 2 standard
> > Learn Process modeling best practices with Bonita BPM through live
> > exercises
> > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> > event?utm_
> > source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> > _______________________________________________
> > Sguil-users mailing list
> > Sgu...@li...
> > https://lists.sourceforge.net/lists/listinfo/sguil-users
> >
> >
>
>
> --
> sguil - The Analyst Console for NSM
> http://www.sguil.net
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
>
> ------------------------------------------------------------------------------
> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> Develop your own process in accordance with the BPMN 2 standard
> Learn Process modeling best practices with Bonita BPM through live
> exercises
> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> event?utm_
> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
>
> ------------------------------
>
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>
>
> End of Sguil-users Digest, Vol 82, Issue 2
> ******************************************
>



-- 
VC Corporation.
Email: dun...@vc...
Mobile: 0988133013
Cố định: 04.39743410 - Ext:248

Address: 17th floor, VTCOnline tower, 18 Tam Trinh St, Hanoi.