Thread: [Sguil-users] 0.9.0 upgrade died
From: James L. <jl...@sl...> - 2014-07-02 14:02:33
Topic says it... I'm unable to restart sguild at this point in time. Starting with:

sudo /opt/bin/sguil/sguild -c /opt/etc/snort/sguild/sguild.conf -C /opt/etc/snort/sguild/certs -a /opt/etc/snort/sguild/autocat.conf -g /opt/etc/snort/sguild/sguild.queries -A /opt/etc/snort/sguild/sguild.access

mysqlexec/db server: Table 'sguildb.event_External_20140702' doesn't exist
    while executing
"mysqlexec $MAIN_DB_SOCKETID $updateString"
    (procedure "UpdateDBStatus" line 11)
    invoked from within
"UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
    (procedure "AutoCat" line 43)
    invoked from within
"AutoCat $row"
    ("foreach" body line 6)
    invoked from within
"foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {

        InfoMessage "Archived Alert: $row"
        set LAST_EVENT_ID([lindex $row 3]) "[li..."
    invoked from within
"if { $mergeTableListArray(event) != "" } {

    # Get the archived alerts
    LogMessage "Querying DB for archived events..."
    set MAJOR_MYSQL_VERS..."
    (file "/opt/bin/sguil/sguild" line 734)

I have no clue on how to proceed besides blowing out the current database, which I really don't want to have to do... please help. Thank you.

James
From: Y M <sn...@ou...> - 2014-07-02 14:19:46
James,

Can you verify if the table actually exists? Login to MySQL:

mysql -u <user> -p

Once in, go with:

USE sguildb;

Then:

SHOW TABLES;

and verify if the table exists. If the table exists, then make a backup of it or the database (just in case), and then try repairing the table with:

REPAIR TABLE <table_name>;

This may (or may not) help you resolve the issue. Thanks.

YM

> To: sgu...@li...
> Date: Wed, 2 Jul 2014 08:02:25 -0600
> From: jl...@sl...
> Subject: [Sguil-users] 0.9.0 upgrade died
>
> Topic says it... I'm unable to restart sguild at this point in time.
> [...]
> mysqlexec/db server: Table 'sguildb.event_External_20140702' doesn't exist
> [...]
> I have no clue on how to proceed besides blowing out the current
> database, which I really don't want to have to do... please help. Thank you.
>
> James
>
> ------------------------------------------------------------------------------
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
From: James L. <jl...@sl...> - 2014-07-02 14:23:41
On 2014-07-02 08:19, Y M wrote:
> James,
>
> Can you verify if the table actually exists?
> [...]
> SHOW TABLES;
>
> and verify if the table exists.

Yea it doesn't... it's like sguil never created it :( Thanks YM.

James
From: James L. <jl...@sl...> - 2014-07-02 14:27:00
On 2014-07-02 08:23, James Lay wrote:
> On 2014-07-02 08:19, Y M wrote:
>> Can you verify if the table actually exists?
>
> Yea it doesn't... it's like sguil never created it :( Thanks YM.
>
> James

I initially got this yesterday:

barnyard2[28950]: FATAL ERROR: sguil: Expected Confirm 155843 and got: Failed to insert 155843: mysqlexec/db server: Duplicate entry 4-155843 for key PRIMARY#012

And since then no good.

James
From: Y M <sn...@ou...> - 2014-07-02 14:45:48
> To: sgu...@li...
> Date: Wed, 2 Jul 2014 08:26:53 -0600
> From: jl...@sl...
> Subject: Re: [Sguil-users] 0.9.0 upgrade died
>
> I initially got this yesterday:
>
> barnyard2[28950]: FATAL ERROR: sguil: Expected Confirm 155843 and got:
> Failed to insert 155843: mysqlexec/db server: Duplicate entry 4-155843
> for key PRIMARY#012
>
> And since then no good.

James, is your barnyard2 feeding two databases; the one that comes with Barnyard2, as well as the one with the Sguil server?

I have seen this error with the schema/database that comes with Barnyard2 (usually the sig_reference table), but never seen it on the Sguil database.

YM

> James
From: James L. <jl...@sl...> - 2014-07-02 14:47:23
On 2014-07-02 08:45, Y M wrote:
> James, is your barnyard2 feeding two databases; the one that comes
> with Barnyard2, as well as the one with the Sguil server?
>
> I have seen this error with the schema/database that comes with
> Barnyard2 (usually the sig_reference table), but never seen it on the
> Sguil database.
>
> YM

Negative... just the one, though I have multiple sensors feeding into it. Thanks again YM.

James
From: Y M <sn...@ou...> - 2014-07-02 14:50:40
The error message does not specify the table where the PK conflict is happening :( . Let me have a look at the schema and will try to get back to you soon.

> To: sn...@ou...
> Subject: RE: [Sguil-users] 0.9.0 upgrade died
> Date: Wed, 2 Jul 2014 08:47:15 -0600
> From: jl...@sl...
> CC: sgu...@li...
>
> On 2014-07-02 08:45, Y M wrote:
>> James, is your barnyard2 feeding two databases; the one that comes
>> with Barnyard2, as well as the one with the Sguil server?
>> [...]
>> YM
>
> Negative... just the one, though I have multiple sensors feeding into
> it. Thanks again YM.
>
> James
From: James L. <jl...@sl...> - 2014-07-02 14:53:45
On 2014-07-02 08:50, Y M wrote:
> The error message does not specify the table where the PK conflict
> is happening :( . Let me have a look at the schema and will try to get
> back to you soon.

Thanks YM.... I wasn't running it in GMT, so not sure if that had anything to do with it. I'm going to blow out the database in a couple minutes if I don't find a resolution soon.

James
From: Y M <sn...@ou...> - 2014-07-02 15:02:00
> To: sn...@ou...
> Subject: RE: [Sguil-users] 0.9.0 upgrade died
> Date: Wed, 2 Jul 2014 08:53:37 -0600
> From: jl...@sl...
> CC: sgu...@li...
>
> Thanks YM.... I wasn't running it in GMT, so not sure if that had anything
> to do with it. I'm going to blow out the database in a couple minutes
> if I don't find a resolution soon.

I wasn't able to identify the table by just reading the data, too many possibilities, and without the exact name of the table this is going to be a bunch of guesses. Sorry.

YM

> James
From: Bamm V. <bam...@gm...> - 2014-07-02 16:48:00
Hi James,

This does look like there is a TZ issue at play. I'll dig deeper when I get a chance this evening. One way to get back up would be to temporarily disable the autocat rule that is triggering the update.

Bamm

On Wed, Jul 2, 2014 at 11:01 AM, Y M <sn...@ou...> wrote:
> > Thanks YM.... I wasn't running it in GMT, so not sure if that had anything
> > to do with it. I'm going to blow out the database in a couple minutes
> > if I don't find a resolution soon.
>
> I wasn't able to identify the table by just reading the data, too many
> possibilities, and without the exact name of the table this is going to be
> a bunch of guesses. Sorry.
>
> YM
>
> > James

--
sguil - The Analyst Console for NSM
http://www.sguil.net
From: James L. <jl...@sl...> - 2014-07-02 16:55:52
On 2014-07-02 10:47, Bamm Visscher wrote:
> Hi James,
>
> This does look like there is a TZ issue at play. I'll dig deeper when I get a chance this evening. One way to get back up would be to temporarily disable the autocat rule that is triggering the update.
>
> Bamm

Thanks Bamm...I ended up blowing out the db and starting over :(

I now have my mysql with the below config in my.cnf:

[mysqld]
default_time_zone = '+00:00'

verified with:

mysql> SELECT @@global.time_zone;
+--------------------+
| @@global.time_zone |
+--------------------+
| +00:00             |
+--------------------+
1 row in set (0.00 sec)

I sure hope that's what this needs...I don't want to have to do this again ;)

James
From: James L. <jl...@sl...> - 2014-07-03 00:17:00
On Wed, 2014-07-02 at 12:47 -0400, Bamm Visscher wrote:
> Hi James,
>
> This does look like there is a TZ issue at play. I'll dig deeper when I get a chance this evening. One way to get back up would be to temporarily disable the autocat rule that is triggering the update.
>
> Bamm

And again...moments ago:

Jul 2 18:01:59 x.x.x.x barnyard2[15859]: FATAL ERROR: sguil: Expected Confirm 904 and got: Failed to insert 904: mysqlexec/db server: Duplicate entry 4-904 for key PRIMARY#012.

I'm officially at a loss at what to do now besides roll back to 0.8.0.

James
From: Bamm V. <bam...@gm...> - 2014-07-03 00:53:52
Did this cause your DB to fail again? Restarting BY should fix it.

Bamm

On Wed, Jul 2, 2014 at 8:16 PM, James Lay <jl...@sl...> wrote:
> And again...moments ago:
>
> Jul 2 18:01:59 x.x.x.x barnyard2[15859]: FATAL ERROR: sguil: Expected Confirm 904 and got: Failed to insert 904: mysqlexec/db server: Duplicate entry 4-904 for key PRIMARY#012. I'm officially at a loss at what to do now besides roll back to 0.8.0.
>
> James
From: James L. <jl...@sl...> - 2014-07-03 01:22:25
On Wed, 2014-07-02 at 20:53 -0400, Bamm Visscher wrote:
> Did this cause your DB to fail again? Restarting BY should fix it.
>
> Bamm

Negative....sguild will no longer start....exact same thing as earlier...around the same time as well:

[19:20:47 @ids:~$] mysqlexec/db server: Table 'sguildb.event_External_20140703' doesn't exist
    while executing
"mysqlexec $MAIN_DB_SOCKETID $updateString"
    (procedure "UpdateDBStatus" line 11)
    invoked from within
"UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
    (procedure "AutoCat" line 43)
    invoked from within
"AutoCat $row"
    ("foreach" body line 6)
    invoked from within
"foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {

            InfoMessage "Archived Alert: $row"
            set LAST_EVENT_ID([lindex $row 3]) "[li..."
    invoked from within
"if { $mergeTableListArray(event) != "" } {

    # Get the archived alerts
    LogMessage "Querying DB for archived events..."
    set MAJOR_MYSQL_VERS..."
    (file "/opt/bin/sguil/sguild" line 734)
From: James L. <jl...@sl...> - 2014-07-03 01:40:55
On Wed, 2014-07-02 at 19:22 -0600, James Lay wrote:
> Negative....sguild will no longer start....exact same thing as earlier...around the same time as well:
>
> [19:20:47 @ids:~$] mysqlexec/db server: Table 'sguildb.event_External_20140703' doesn't exist
> [...]
>     (file "/opt/bin/sguil/sguild" line 734)

Anyway I've got sguild, agents, and barnyard2 all shut down for the rest of this week...I'll either roll back to 0.8.0 or something else...thanks Bamm...I appreciate it.

James
From: Bamm V. <bam...@gm...> - 2014-07-03 12:09:04
I would check to make sure the localtime for your sensors/servers are all set to UTC. Not just the DB.

Bamm

On Wed, Jul 2, 2014 at 9:40 PM, James Lay <jl...@sl...> wrote:
> Anyway I've got sguild, agents, and barnyard2 all shut down for the rest of this week...I'll either roll back to 0.8.0 or something else...thanks Bamm...I appreciate it.
>
> James
From: James L. <jl...@sl...> - 2014-07-03 13:10:06
On Thu, 2014-07-03 at 08:08 -0400, Bamm Visscher wrote:
> I would check to make sure the localtime for your sensors/servers are all set to UTC. Not just the DB.
>
> Bamm

Ok Bamm.....I'll try that....is that going to fix my current inability to start sguild, or will I have to redo the db again? Thank you.

James
From: James L. <jl...@sl...> - 2014-07-07 15:50:27
On 2014-07-03 07:09, James Lay wrote:
> On Thu, 2014-07-03 at 08:08 -0400, Bamm Visscher wrote:
>
>> I would check to make sure the localtime for your sensors/servers are all set to UTC. Not just the DB.
>

Ok....this was done this morning:

[15:42:19 @ids:~$] date
Mon Jul 7 15:47:32 UTC 2014

and:

mysql> SELECT @@global.time_zone;
+--------------------+
| @@global.time_zone |
+--------------------+
| +00:00             |
+--------------------+
1 row in set (0.00 sec)

sguildb started....I'm assuming that it's because we've passed the date of July 3rd when I had the issue. This is going to be interesting as I have reports and pulledpork that specifically fire at certain times. I'll keep you posted...thanks Bamm.

James
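Bamm's time-zone explanation, worked through as an added example that is not code from this thread or from the sguil project: it assumes, from the error text alone, that the archive lookup names the daily table event_<net_name>_<YYYYMMDD> from the event's date, and shows why a sensor keeping -0600 local time and a server on UTC disagree on that name from 18:00 local until midnight, the window both of James's failures (18:01 and 19:20) fell into. The function names and the sample `date` lines are constructed; the last function checks captured `date` and `SELECT @@global.time_zone` output the way the thread does.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inputs in the shape the thread shows: the `date` line
# James posted after moving the box to UTC, and a local-time one for contrast.
DATE_LINE_UTC = "Mon Jul 7 15:47:32 UTC 2014"
DATE_LINE_LOCAL = "Wed Jul 2 19:20:47 MDT 2014"


def utc(year, month, day, hour, minute):
    """Build an aware UTC timestamp (helper so callers need no datetime import)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def day_table(net_name, when):
    """Daily table name the archive lookup would ask for.

    Assumed pattern event_<net_name>_<YYYYMMDD>, read off the error
    "Table 'sguildb.event_External_20140703' doesn't exist"; the date is
    taken in `when`'s own time zone, which is the whole point of the check.
    """
    return "event_%s_%s" % (net_name, when.strftime("%Y%m%d"))


def table_mismatch(net_name, utc_now, sensor_offset_hours, server_offset_hours=0):
    """Compare the table the server side computes with the one the sensor side
    (barnyard2 on its local clock) would have created at the same instant.
    Returns (server_table, sensor_table) when they differ, else None."""
    server_tz = timezone(timedelta(hours=server_offset_hours))
    sensor_tz = timezone(timedelta(hours=sensor_offset_hours))
    server_tbl = day_table(net_name, utc_now.astimezone(server_tz))
    sensor_tbl = day_table(net_name, utc_now.astimezone(sensor_tz))
    return None if server_tbl == sensor_tbl else (server_tbl, sensor_tbl)


def mismatch_window_local(sensor_offset_hours, server_offset_hours=0):
    """Hours of *sensor local* time, as [start, end), during which the two
    sides disagree on the calendar date; None when the offsets agree.
    Whole-hour offsets with |difference| < 24 are assumed."""
    diff = server_offset_hours - sensor_offset_hours
    if diff == 0:
        return None
    if diff > 0:            # server clock is ahead: its date rolls over first
        return (24 - diff, 24)
    return (0, -diff)       # sensor clock is ahead: its date rolls over first


def check_clock_config(date_line, mysql_global_tz):
    """Reproduce the thread's two verifications on captured output: `date`
    must print UTC, and SELECT @@global.time_zone must be +00:00 (SYSTEM is
    acceptable only when the system zone is already UTC).
    Returns a list of findings; an empty list means both agree on UTC."""
    findings = []
    fields = date_line.split()
    # Default `date` format: Www Mmm d HH:MM:SS ZONE YYYY -> zone is field 5.
    if len(fields) != 6:
        findings.append("unparseable date output: %r" % date_line)
        system_utc = False
    else:
        system_utc = fields[4] == "UTC"
        if not system_utc:
            findings.append("system clock is not UTC (zone %s)" % fields[4])
    tz = mysql_global_tz.strip()
    mysql_utc = tz in ("+00:00", "UTC") or (tz == "SYSTEM" and system_utc)
    if not mysql_utc:
        findings.append("MySQL @@global.time_zone is %s, expected +00:00" % tz)
    return findings


if __name__ == "__main__":
    # James's failure: 19:20 at -0600 on 2 July is 01:20 UTC on 3 July, so a
    # UTC server asks for the 20140703 table while the sensor is still on 20140702.
    print(table_mismatch("External", utc(2014, 7, 3, 1, 20), -6))
    print(mismatch_window_local(-6))
    print(check_clock_config(DATE_LINE_LOCAL, "+00:00"))
    print(check_clock_config(DATE_LINE_UTC, "+00:00"))
```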
From: Bamm V. <bam...@gm...> - 2014-07-03 14:55:49
Is there more output from the debug you can send?

Bamm

On Thu, Jul 3, 2014 at 9:09 AM, James Lay <jl...@sl...> wrote:
> Ok Bamm.....I'll try that....is that going to fix my current inability to start sguild, or will I have to redo the db again? Thank you.
>
> James
From: James L. <jl...@sl...> - 2014-07-03 15:08:39
On Thu, 2014-07-03 at 10:55 -0400, Bamm Visscher wrote:
> Is there more output from the debug you can send?
>
> Bamm

Here's the full debug:

2014-07-03 15:06:48 pid(5657) Loading access list: /opt/etc/snort/sguild/sguild.access
2014-07-03 15:06:48 pid(5657) Sensor access list set to ALLOW ANY.
2014-07-03 15:06:48 pid(5657) Client access list set to ALLOW ANY.
2014-07-03 15:06:48 pid(5657) Email Configuration:
2014-07-03 15:06:48 pid(5657) Config file: /etc/sguild/sguild.email
2014-07-03 15:06:48 pid(5657) Enabled: No
2014-07-03 15:06:48 pid(5657) Connecting to localhost on 3306 as sguil
2014-07-03 15:06:48 pid(5657) MySQL Version: version 5.5.37-0ubuntu0.12.04.1
2014-07-03 15:06:48 pid(5657) SguilDB Version: 0.14
2014-07-03 15:06:48 pid(5657) Creating event MERGE table.
2014-07-03 15:06:48 pid(5657) Creating tcphdr MERGE table.
2014-07-03 15:06:48 pid(5657) Creating udphdr MERGE table.
2014-07-03 15:06:48 pid(5657) Creating icmphdr MERGE table.
2014-07-03 15:06:48 pid(5657) Creating data MERGE table.
2014-07-03 15:06:48 pid(5659) Loaderd Forked
2014-07-03 15:06:48 pid(5657) Retrieving DB info...
2014-07-03 15:06:48 pid(5657) SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
2014-07-03 15:06:48 pid(5660) Queryd Forked
2014-07-03 15:06:48 pid(5657) SELECT MAX(timestamp) FROM event WHERE sid=4
2014-07-03 15:06:48 pid(5657) SELECT MAX(timestamp) FROM event WHERE sid=2
2014-07-03 15:06:48 pid(5657) SELECT MAX(timestamp) FROM event WHERE sid=3
2014-07-03 15:06:48 pid(5657) SELECT MAX(timestamp) FROM event WHERE sid=1
2014-07-03 15:06:48 pid(5657) Querying DB for archived events...
mysqlexec/db server: Table 'sguildb.event_External_20140703' doesn't exist
    while executing
"mysqlexec $MAIN_DB_SOCKETID $updateString"
    (procedure "UpdateDBStatus" line 11)
    invoked from within
"UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
    (procedure "AutoCat" line 43)
    invoked from within
"AutoCat $row"
    ("foreach" body line 6)
    invoked from within
"foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {

            InfoMessage "Archived Alert: $row"
            set LAST_EVENT_ID([lindex $row 3]) "[li..."
    invoked from within
"if { $mergeTableListArray(event) != "" } {

    # Get the archived alerts
    LogMessage "Querying DB for archived events..."
    set MAJOR_MYSQL_VERS..."
    (file "/opt/bin/sguil/sguild" line 734)
2014-07-03 15:06:48 pid(5659) Unknown command received from sguild:

Thanks Bamm.

James
From: Bamm V. <bam...@gm...> - 2014-07-03 16:33:57
Are you running with -d 2?

Bamm

On Jul 3, 2014 11:09 AM, "James Lay" <jl...@sl...> wrote:
> Here's the full debug:
>
> [...]
>
> Thanks Bamm.
>
> James
From: James L. <jl...@sl...> - 2014-07-03 23:09:41
On Thu, 2014-07-03 at 12:33 -0400, Bamm Visscher wrote:
> Are you running with -d 2?
>
> Bamm
> https://lists.sourceforge.net/lists/listinfo/sguil-users > > > ------------------------------------------------------------------------------ > Open source business process management suite built on Java and Eclipse > Turn processes into business applications with Bonita BPM Community Edition > Quickly connect people, data, and systems into organized workflows > Winner of BOSSIE, CODIE, OW2 and Gartner awards > http://p.sf.net/sfu/Bonitasoft > _______________________________________________ > Sguil-users mailing list > Sgu...@li... > https://lists.sourceforge.net/lists/listinfo/sguil-users Sent this in...waiting on moderator approval. James |
From: James L. <jl...@sl...> - 2014-07-03 19:49:26
|
On Thu, 2014-07-03 at 12:33 -0400, Bamm Visscher wrote:
> Are you running with -d 2?
Sent as an attachment, but it was pretty big (awaiting approval) so I'll nuke out the middle areas:

2014-07-03 18:28:50 pid(8757) Loading access list: /opt/etc/snort/sguild/sguild.access
2014-07-03 18:28:50 pid(8757) Sensor access list set to ALLOW ANY.
2014-07-03 18:28:50 pid(8757) Client access list set to ALLOW ANY.
2014-07-03 18:28:50 pid(8757) Email Configuration:
2014-07-03 18:28:50 pid(8757) Config file: /etc/sguild/sguild.email
2014-07-03 18:28:50 pid(8757) Enabled: No
2014-07-03 18:28:50 pid(8757) Connecting to localhost on 3306 as sguil
2014-07-03 18:28:50 pid(8757) MySQL Version: version 5.5.37-0ubuntux.x.x.x
2014-07-03 18:28:50 pid(8757) SguilDB Version: 0.14
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 2 External {} {} {} {} {} %%REGEXP%%COMPROMISED 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 3 {} {} {} {} 25 6 %%REGEXP%%Spamhaus 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 4 {} {} {} {} {} {} {%%REGEXP%%POLICY Vulnerable Java} 15 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 5 {} {} {} {} {} {} %%REGEXP%%INAPPROPRIATE 15 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 6 {} {} {} {} {} {} %%REGEXP%%USER_AGENTS 15 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 7 {} {} {} {} {} {} %%REGEXP%%PRIVACY 15 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 8 {} {} {} {} {} {} %%REGEXP%%SCAN 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 9 {} {} {} {} {} {} %%REGEXP%%Scan 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 10 {} {} {} {} {} {} %%REGEXP%%Ping 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 11 {} {} {} {} {} {} %%REGEXP%%SNMP 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 12 {} {} {} {} {} {} %%REGEXP%%Dshield 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 13 {} {} {} {} {} {} %%REGEXP%%CIARMY 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 14 {} {} {} {} {} {} %%REGEXP%%CINS 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 15 {} {} {} {} {} {} %%REGEXP%%RBN 16 {}
2014-07-03 18:28:50 pid(8757) Creating event MERGE table.
2014-07-03 18:28:50 pid(8757) Creating tcphdr MERGE table.
2014-07-03 18:28:50 pid(8757) Creating udphdr MERGE table.
2014-07-03 18:28:50 pid(8757) Creating icmphdr MERGE table.
2014-07-03 18:28:50 pid(8757) Creating data MERGE table.
2014-07-03 18:28:50 pid(8761) Loaderd Forked
2014-07-03 18:28:50 pid(8757) Retrieving DB info...
2014-07-03 18:28:50 pid(8757) SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
2014-07-03 18:28:50 pid(8762) Queryd Forked
2014-07-03 18:28:50 pid(8757) SELECT MAX(timestamp) FROM event WHERE sid=4
2014-07-03 18:28:50 pid(8757) SELECT MAX(timestamp) FROM event WHERE sid=2
2014-07-03 18:28:50 pid(8757) SELECT MAX(timestamp) FROM event WHERE sid=3
2014-07-03 18:28:50 pid(8757) SELECT MAX(timestamp) FROM event WHERE sid=1
2014-07-03 18:28:50 pid(8757) Querying DB for archived events...
2014-07-03 18:28:50 pid(8757) SELECT event.status, event.priority, event.class, sensor.hostname, event.timestamp, event.sid, event.cid, event.signature, INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto, event.src_port, event.dst_port, event.signature_gen, event.signature_id, event.signature_rev, event.unified_event_id, unified_event_ref FROM event FORCE INDEX (status) JOIN sensor ON event.sid=sensor.sid WHERE event.status=0 ORDER BY event.timestamp ASC
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:01:47} 4 1 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5157 5060 1 2011716 4 6419 6419
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=1
<redacted a lot more of these>
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 23:55:05} 4 288 {ET DROP Spamhaus DROP Listed Traffic Inbound group 11} x.x.x.x x.x.x.x 6 1374 25 1 2400010 2442 7180 7180
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=288
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 23:59:20} 4 289 {ET CINS Active Threat Intelligence Poor Reputation IP TCP group 22} x.x.x.x x.x.x.x 6 6000 22222 1 2403342 1075 7203 7203
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=289
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-02 18:01:44} 4 904 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 53434 53 1 2402001 3390 10901 10901
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140703` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=904
mysqlexec/db server: Table 'sguildb.event_External_20140703' doesn't exist
    while executing
"mysqlexec $MAIN_DB_SOCKETID $updateString"
    (procedure "UpdateDBStatus" line 11)
    invoked from within
"UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
    (procedure "AutoCat" line 43)
    invoked from within
"AutoCat $row"
    ("foreach" body line 6)
    invoked from within
"foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {

    InfoMessage "Archived Alert: $row"
    set LAST_EVENT_ID([lindex $row 3]) "[li..."
    invoked from within
"if { $mergeTableListArray(event) != "" } {

    # Get the archived alerts
    LogMessage "Querying DB for archived events..."
    set MAJOR_MYSQL_VERS..."
    (file "/opt/bin/sguil/sguild" line 734)
2014-07-03 18:28:50 pid(8761) loaderd: Received:
2014-07-03 18:28:50 pid(8761) Unknown command received from sguild:

thanks Bamm.

James |
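The log above shows the pattern Bamm attributes to a TZ issue: the archived alert for sid 4 / cid 904 carries the timestamp 2014-07-02 18:01:44, yet the AutoCat UPDATE is aimed at `event_External_20140703`, a day table that does not exist, while alerts from 2014-07-01 evening are updated in `event_External_20140702`. The following is an added example (my own code, not sguild's; sguild's real table-naming logic is not shown on this page) that reproduces that pattern from the log lines themselves. It pairs each Archived Alert line with its UPDATE, computes the YYYYMMDD suffix of the event timestamp two ways (the date as written, and the date after treating the timestamp as -0600 local time, the offset in James's mail headers, and converting to UTC), and flags UPDATEs whose target table is absent. The sample log lines and the set of existing tables are constructed from the log above; the -6 offset and the "shifted" rule are assumptions that merely match the targets seen there.

```python
"""
Added example (not sguild code): why a day-partitioned table name can
point at a table that does not exist when the host clock is not on UTC.

Inputs are constructed from the debug log in this thread.  sguild's real
table naming is not shown on the page, so the "shifted" rule below is an
assumption that reproduces the 20140702 / 20140703 targets seen there.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: three Archived Alert / UPDATE pairs copied from the log above.
SAMPLE_LOG = """\
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:01:47} 4 1 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5157 5060 1 2011716 4 6419 6419
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=1
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 23:55:05} 4 288 {ET DROP Spamhaus DROP Listed Traffic Inbound group 11} x.x.x.x x.x.x.x 6 1374 25 1 2400010 2442 7180 7180
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=288
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-02 18:01:44} 4 904 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 53434 53 1 2402001 3390 10901 10901
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140703` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=904
"""

# Constructed: the log shows updates against event_External_20140702 succeeding
# and the one against event_External_20140703 failing with "doesn't exist".
EXISTING_TABLES = {"event_External_20140702"}

# Assumption: -0600 is the offset in James's mail headers; the sguild log is in UTC.
LOCAL_OFFSET_HOURS = -6

ALERT_RE = re.compile(
    r"Archived Alert: \S+ \S+ \S+ (?P<net>\S+) \{(?P<ts>[^}]+)\} (?P<sid>\d+) (?P<cid>\d+) "
)
UPDATE_RE = re.compile(
    r"UPDATE `(?P<table>\w+)` SET .* WHERE sid=(?P<sid>\d+) AND cid=(?P<cid>\d+)"
)


def day_suffixes(ts_text, local_offset_hours):
    """Return (as_written, shifted) YYYYMMDD suffixes for one event timestamp.

    as_written: the calendar date inside the timestamp string.
    shifted:    the date after treating the timestamp as local time at the
                given offset and converting it to UTC.  On a UTC host the
                two are always equal, which is the point of Bamm's advice.
    """
    ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    as_local = ts.replace(tzinfo=timezone(timedelta(hours=local_offset_hours)))
    return ts.strftime("%Y%m%d"), as_local.astimezone(timezone.utc).strftime("%Y%m%d")


def pair_alerts_with_updates(log_text):
    """Link each UPDATE line to the Archived Alert line with the same sid/cid."""
    alerts, pairs = {}, []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts[(m["sid"], m["cid"])] = (m["net"], m["ts"])
            continue
        m = UPDATE_RE.search(line)
        if m and (m["sid"], m["cid"]) in alerts:
            net, ts = alerts[(m["sid"], m["cid"])]
            pairs.append({"sid": m["sid"], "cid": m["cid"], "net": net,
                          "ts": ts, "target": m["table"]})
    return pairs


def check_update_targets(log_text, existing_tables, local_offset_hours):
    """For each UPDATE, show which date rule produced its target and whether that table exists."""
    report = []
    for p in pair_alerts_with_updates(log_text):
        as_written, shifted = day_suffixes(p["ts"], local_offset_hours)
        report.append({
            "cid": p["cid"],
            "target": p["target"],
            "table_as_written": f"event_{p['net']}_{as_written}",
            "table_shifted": f"event_{p['net']}_{shifted}",
            "target_exists": p["target"] in existing_tables,
        })
    return report


def missing_targets(log_text, existing_tables, local_offset_hours):
    """cids whose UPDATE would fail with "Table ... doesn't exist"."""
    return [r["cid"] for r in check_update_targets(log_text, existing_tables, local_offset_hours)
            if not r["target_exists"]]


if __name__ == "__main__":
    for r in check_update_targets(SAMPLE_LOG, EXISTING_TABLES, LOCAL_OFFSET_HOURS):
        print(r)
    print("would fail:", missing_targets(SAMPLE_LOG, EXISTING_TABLES, LOCAL_OFFSET_HOURS))
```

With the -6 offset every UPDATE target in the sample equals the "shifted" table, and only cid 904 (the same event barnyard2 reported as a duplicate insert earlier in the thread) lands on a table that is not there: 18:01:44 on 2014-07-02 becomes 00:01:44 UTC on 2014-07-03. Running `day_suffixes` with an offset of 0 gives the same date under both rules, which is what keeping sensors, server and DB on UTC buys you; the same check can be pointed at a live `-d 2` log before restarting sguild to see which autocat rule would trip.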
From: James L. <jl...@sl...> - 2014-07-03 18:40:08
|
[12:29:42 jlay@goids:~$] cat run.txt
2014-07-03 18:28:50 pid(8757) Loading access list: /opt/etc/snort/sguild/sguild.access
2014-07-03 18:28:50 pid(8757) Sensor access list set to ALLOW ANY.
2014-07-03 18:28:50 pid(8757) Client access list set to ALLOW ANY.
2014-07-03 18:28:50 pid(8757) Email Configuration:
2014-07-03 18:28:50 pid(8757) Config file: /etc/sguild/sguild.email
2014-07-03 18:28:50 pid(8757) Enabled: No
2014-07-03 18:28:50 pid(8757) Connecting to localhost on 3306 as sguil
2014-07-03 18:28:50 pid(8757) MySQL Version: version 5.5.37-0ubuntux.x.x.x
2014-07-03 18:28:50 pid(8757) SguilDB Version: 0.14
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 2 External {} {} {} {} {} %%REGEXP%%COMPROMISED 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 3 {} {} {} {} 25 6 %%REGEXP%%Spamhaus 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 4 {} {} {} {} {} {} {%%REGEXP%%POLICY Vulnerable Java} 15 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 5 {} {} {} {} {} {} %%REGEXP%%INAPPROPRIATE 15 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 6 {} {} {} {} {} {} %%REGEXP%%USER_AGENTS 15 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 7 {} {} {} {} {} {} %%REGEXP%%PRIVACY 15 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 8 {} {} {} {} {} {} %%REGEXP%%SCAN 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 9 {} {} {} {} {} {} %%REGEXP%%Scan 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 10 {} {} {} {} {} {} %%REGEXP%%Ping 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 11 {} {} {} {} {} {} %%REGEXP%%SNMP 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 12 {} {} {} {} {} {} %%REGEXP%%Dshield 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 13 {} {} {} {} {} {} %%REGEXP%%CIARMY 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 14 {} {} {} {} {} {} %%REGEXP%%CINS 16 {}
2014-07-03 18:28:50 pid(8757) Adding AutoCat Rule: 15 {} {} {} {} {} {} %%REGEXP%%RBN 16 {}
2014-07-03 18:28:50 pid(8757) Creating event MERGE table.
2014-07-03 18:28:50 pid(8757) Creating tcphdr MERGE table.
2014-07-03 18:28:50 pid(8757) Creating udphdr MERGE table.
2014-07-03 18:28:50 pid(8757) Creating icmphdr MERGE table.
2014-07-03 18:28:50 pid(8757) Creating data MERGE table.
2014-07-03 18:28:50 pid(8761) Loaderd Forked
2014-07-03 18:28:50 pid(8757) Retrieving DB info...
2014-07-03 18:28:50 pid(8757) SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
2014-07-03 18:28:50 pid(8762) Queryd Forked
2014-07-03 18:28:50 pid(8757) SELECT MAX(timestamp) FROM event WHERE sid=4
2014-07-03 18:28:50 pid(8757) SELECT MAX(timestamp) FROM event WHERE sid=2
2014-07-03 18:28:50 pid(8757) SELECT MAX(timestamp) FROM event WHERE sid=3
2014-07-03 18:28:50 pid(8757) SELECT MAX(timestamp) FROM event WHERE sid=1
2014-07-03 18:28:50 pid(8757) Querying DB for archived events...
2014-07-03 18:28:50 pid(8757) SELECT event.status, event.priority, event.class, sensor.hostname, event.timestamp, event.sid, event.cid, event.signature, INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto, event.src_port, event.dst_port, event.signature_gen, event.signature_id, event.signature_rev, event.unified_event_id, unified_event_ref FROM event FORCE INDEX (status) JOIN sensor ON event.sid=sensor.sid WHERE event.status=0 ORDER BY event.timestamp ASC
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:01:47} 4 1 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5157 5060 1 2011716 4 6419 6419
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=1
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:01:47} 4 2 {ET SCAN Sipvicious Scan} x.x.x.x x.x.x.x 17 5157 5060 1 2008578 6 6420 6420
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=2
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:01:47} 4 3 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5157 5060 1 2011716 4 6421 6421
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=3
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:01:47} 4 4 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5157 5060 1 2011716 4 6422 6422
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=4
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:01:47} 4 5 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5157 5060 1 2011716 4 6423 6423
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=5
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:01:47} 4 6 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5157 5060 1 2011716 4 6424 6424
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=6
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:02:41} 4 7 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42} x.x.x.x x.x.x.x 6 11347 9160 1 2500082 3283 6425 6425
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=7
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:05:48} 4 10 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6429 6429
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=10
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:05:48} 4 9 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6428 6428
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=9
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:05:48} 4 8 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 6000 22 1 2402000 3389 6427 6427
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=8
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:09:25} 4 11 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 8} x.x.x.x x.x.x.x 6 6000 22 1 2500014 3283 6435 6435
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=11
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:09:25} 4 12 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 6000 22 1 2402000 3389 6436 6436
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=12
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:09:25} 4 13 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6437 6437
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=13
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:09:25} 4 14 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6438 6438
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=14
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:12:11} 4 15 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41} x.x.x.x x.x.x.x 6 21888 1471 1 2500080 3283 6442 6442
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=15
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:17:47} 4 16 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6521 6521
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=16
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 bad-unknown External {2014-07-01 18:18:50} 4 18 {Reserved Internal IP Traffic Inbound External Net} x.x.x.x x.x.x.x 6 3453 445 1 10000134 5 6523 6523
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 bad-unknown External {2014-07-01 18:18:50} 4 17 {Reserved Internal IP Traffic Inbound External Net} x.x.x.x x.x.x.x 6 3453 445 1 10000134 5 6522 6522
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 bad-unknown External {2014-07-01 18:18:53} 4 19 {Reserved Internal IP Traffic Inbound External Net} x.x.x.x x.x.x.x 6 3453 445 1 10000134 5 6524 6524
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 bad-unknown External {2014-07-01 18:18:53} 4 20 {Reserved Internal IP Traffic Inbound External Net} x.x.x.x x.x.x.x 6 3453 445 1 10000134 5 6525 6525
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:19:14} 4 21 {ET CINS Active Threat Intelligence Poor Reputation IP TCP group 24} x.x.x.x x.x.x.x 6 65026 443 1 2403346 1075 6526 6526
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=21
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:19:42} 4 22 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 4667 22 1 2001219 18 6527 6527
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=22
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:19:42} 4 23 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 4667 22 1 2001219 18 6528 6528
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=23
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:20:49} 4 24 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 43397 137 1 2402001 3389 6529 6529
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=24
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:21:39} 4 25 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 21} x.x.x.x x.x.x.x 6 1484 993 1 2500040 3283 6530 6530
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=25
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:21:39} 4 26 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 1484 993 1 2402000 3389 6531 6531
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=26
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:34:15} 4 27 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 37965 137 1 2402001 3389 6532 6532
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=27
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:38:18} 4 28 {SCAN Potential Telnet Scan} x.x.x.x x.x.x.x 6 59124 23 1 10000126 1 6533 6533
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=28
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:45:02} 4 29 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 6000 22 1 2402000 3389 6538 6538
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=29
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:51:54} 4 30 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42} x.x.x.x x.x.x.x 6 27253 81 1 2500082 3283 6573 6573
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=30
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:51:54} 4 31 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 27253 81 1 2402000 3389 6574 6574
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=31
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:54:13} 4 32 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6593 6593
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=32
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:54:13} 4 33 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6594 6594
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=33
2014-07-03 18:28:50 pid(8757) Archived Alert: 0
2 misc-attack External {2014-07-01 18:55:29} 4 34 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 39089 137 1 2402001 3389 6595 6595 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=34 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:59:40} 4 37 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 29078 22 1 2001219 18 6598 6598 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=37 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 18:59:40} 4 36 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 29078 22 1 2001219 18 6597 6597 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=36 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:59:40} 4 35 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 15} x.x.x.x x.x.x.x 6 29078 22 1 2500028 3283 6596 6596 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=35 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 18:59:54} 4 38 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 33562 46417 1 2402000 3389 6599 6599 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=38 2014-07-03 18:28:50 
pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:00:58} 4 39 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 19776 22 1 2001219 18 6600 6600 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=39 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:00:58} 4 40 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 19776 22 1 2001219 18 6601 6601 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=40 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:03:03} 4 41 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 39} x.x.x.x x.x.x.x 6 6000 22 1 2500076 3283 6607 6607 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=41 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:03:03} 4 42 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6608 6608 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=42 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:07:20} 4 43 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 51214 8080 1 2402000 3389 6610 6610 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=43 2014-07-03 
18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:11:09} 4 44 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 54729 53 1 2402001 3389 6611 6611 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=44 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 3 protocol-command-dec External {2014-07-01 19:13:34} 4 45 {frag3: Fragmentation overlap} x.x.x.x x.x.x.x 89 {} {} 123 8 1 6612 6612 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:14:12} 4 46 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 56659 623 1 2402001 3389 6613 6613 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=46 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:14:29} 4 47 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 39964 623 1 2402001 3389 6614 6614 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=47 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:14:43} 4 48 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 35058 623 1 2402001 3389 6615 6615 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=48 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:14:44} 4 49 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5061 5060 1 2011716 4 
6616 6616 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=49 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:14:44} 4 50 {ET SCAN Sipvicious Scan} x.x.x.x x.x.x.x 17 5061 5060 1 2008578 6 6617 6617 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=50 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:14:44} 4 51 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5061 5060 1 2011716 4 6618 6618 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=51 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:14:44} 4 52 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5061 5060 1 2011716 4 6619 6619 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=52 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:14:44} 4 53 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5061 5060 1 2011716 4 6620 6620 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=53 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:14:44} 4 54 {ET SCAN Sipvicious 
User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5061 5060 1 2011716 4 6621 6621 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=54 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:18:17} 4 55 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 38172 1080 1 2402000 3389 6626 6626 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=55 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:19:41} 4 56 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 54809 123 1 2402001 3389 6627 6627 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=56 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 bad-unknown External {2014-07-01 19:20:08} 4 57 {reputation: Packet is blacklisted} x.x.x.x x.x.x.x 17 62934 53 136 1 1 6628 6628 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:20:55} 4 58 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 7} x.x.x.x x.x.x.x 6 6000 22 1 2500012 3283 6629 6629 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=58 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:20:55} 4 59 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 6000 22 1 2402000 3389 6630 6630 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 
pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=59 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:20:55} 4 60 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6631 6631 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=60 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:23:01} 4 61 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 42082 7777 1 2402000 3389 6632 6632 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=61 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:23:24} 4 62 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 57749 623 1 2402001 3389 6633 6633 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=62 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:23:36} 4 64 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6635 6635 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=64 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:23:36} 4 63 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 6000 22 1 2402000 3389 6634 6634 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 
pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=63 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:24:26} 4 65 {ET CINS Active Threat Intelligence Poor Reputation IP TCP group 26} x.x.x.x x.x.x.x 6 4355 8080 1 2403350 1075 6636 6636 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=65 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:25:19} 4 66 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 54123 137 1 2402001 3389 6638 6638 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=66 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:27:12} 4 67 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 40770 137 1 2402001 3389 6639 6639 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=67 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:27:19} 4 68 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 40} x.x.x.x x.x.x.x 6 10780 5900 1 2500078 3283 6640 6640 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=68 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:27:19} 4 69 {ET SCAN Potential VNC Scan 5900-5920} x.x.x.x x.x.x.x 6 10780 5900 1 2002911 4 6641 6641 
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=69 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:27:59} 4 70 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 60265 137 1 2402001 3389 6642 6642 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=70 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:29:37} 4 71 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42} x.x.x.x x.x.x.x 6 13136 9160 1 2500082 3283 6643 6643 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=71 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:30:55} 4 72 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 39} x.x.x.x x.x.x.x 6 6000 22 1 2500076 3283 6644 6644 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=72 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:31:41} 4 73 {ET SCAN Potential VNC Scan 5900-5920} x.x.x.x x.x.x.x 6 22229 5900 1 2002911 4 6645 6645 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=73 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:31:47} 4 74 {ET SCAN Potential SSH 
Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6646 6646 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=74 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:32:00} 4 75 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 21} x.x.x.x x.x.x.x 6 34583 443 1 2500040 3283 6647 6647 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=75 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:32:00} 4 76 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 34583 443 1 2402000 3389 6648 6648 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=76 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 3 protocol-command-dec External {2014-07-01 19:34:11} 4 77 {frag3: Fragmentation overlap} x.x.x.x x.x.x.x 89 {} {} 123 8 1 6649 6649 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:41:53} 4 79 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 6631 49152 1 2402000 3389 6835 6835 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=79 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:41:53} 4 78 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 21} x.x.x.x x.x.x.x 6 6631 49152 1 2500040 3283 6834 6834 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) 
UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=78 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:47:17} 4 80 {ET CINS Active Threat Intelligence Poor Reputation IP TCP group 24} x.x.x.x x.x.x.x 6 65026 443 1 2403346 1075 6836 6836 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=80 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:48:20} 4 81 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42} x.x.x.x x.x.x.x 6 46564 389 1 2500082 3283 6837 6837 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=81 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:49:41} 4 82 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42} x.x.x.x x.x.x.x 6 30566 9051 1 2500082 3283 6838 6838 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=82 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:50:23} 4 83 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 21} x.x.x.x x.x.x.x 6 23870 49152 1 2500040 3283 6839 6839 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=83 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:51:23} 4 85 {ET DROP Spamhaus DROP Listed Traffic Inbound group 3} 
x.x.x.x x.x.x.x 6 63225 22 1 2400002 2442 6841 6841 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:51:23} 4 84 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 45} x.x.x.x x.x.x.x 6 63225 22 1 2500088 3283 6840 6840 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=84 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:51:34} 4 86 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 39} x.x.x.x x.x.x.x 6 6000 22 1 2500076 3283 6842 6842 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=86 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:51:34} 4 87 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6843 6843 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=87 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:53:09} 4 88 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42} x.x.x.x x.x.x.x 6 14067 2067 1 2500082 3283 6844 6844 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=88 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:54:32} 4 89 {ET CINS Active Threat Intelligence Poor Reputation IP TCP group 33} x.x.x.x x.x.x.x 6 7678 25 1 2403364 1075 6847 6847 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT 
AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=89 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:56:50} 4 90 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 36417 137 1 2402001 3389 6848 6848 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=90 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:57:31} 4 96 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5065 5060 1 2011716 4 6854 6854 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=96 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:57:31} 4 95 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5065 5060 1 2011716 4 6853 6853 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=95 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:57:31} 4 94 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5065 5060 1 2011716 4 6852 6852 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=94 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:57:31} 4 93 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x 
x.x.x.x 17 5065 5060 1 2011716 4 6851 6851 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=93 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:57:31} 4 92 {ET SCAN Sipvicious Scan} x.x.x.x x.x.x.x 17 5065 5060 1 2008578 6 6850 6850 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=92 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 19:57:31} 4 91 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5065 5060 1 2011716 4 6849 6849 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=91 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 19:59:11} 4 97 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 6000 22 1 2402000 3389 6855 6855 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=97 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:00:21} 4 98 {ET CINS Active Threat Intelligence Poor Reputation IP TCP group 35} x.x.x.x x.x.x.x 6 6000 1433 1 2403368 1075 6856 6856 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=98 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:00:21} 4 99 {SCAN 
Potential Open Proxy Scan} x.x.x.x x.x.x.x 6 6000 8080 1 10000121 1 6857 6857 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=99 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:03:53} 4 100 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 48572 46417 1 2402000 3389 6859 6859 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=100 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:04:45} 4 101 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41} x.x.x.x x.x.x.x 6 49620 143 1 2500080 3283 6860 6860 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=101 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:06:07} 4 102 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 47615 53 1 2402001 3389 6861 6861 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=102 2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:07:09} 4 103 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 43} x.x.x.x x.x.x.x 6 17434 143 1 2500084 3283 6862 6862 2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16 2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=103 2014-07-03 18:28:50 pid(8757) 
Archived Alert: 0 2 misc-attack External {2014-07-01 20:10:25} 4 104 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 21} x.x.x.x x.x.x.x 6 7823 9999 1 2500040 3283 6863 6863
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=104
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:12:02} 4 105 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 48428 8080 1 2402000 3389 6864 6864
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=105
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:12:32} 4 106 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6865 6865
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=106
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:12:32} 4 107 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6866 6866
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=107
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-dos External {2014-07-01 20:13:37} 4 108 {ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03} x.x.x.x x.x.x.x 17 50345 123 1 2017919 2 6867 6867
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:15:07} 4 110 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 40000 5632 1 2402001 3389 6869 6869
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=110
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:15:07} 4 109 {ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 21} x.x.x.x x.x.x.x 17 40000 5632 1 2500041 3283 6868 6868
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=109
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:15:09} 4 111 {ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 43} x.x.x.x x.x.x.x 17 40000 5060 1 2500085 3283 6870 6870
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=111
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:19:53} 4 112 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 51680 123 1 2402001 3389 6875 6875
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=112
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:20:36} 4 113 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 56303 137 1 2402001 3389 6876 6876
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=113
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:21:00} 4 114 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 46197 623 1 2402001 3389 6877 6877
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=114
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:21:46} 4 115 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 60055 623 1 2402001 3389 6878 6878
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=115
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:23:33} 4 116 {ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 42} x.x.x.x x.x.x.x 17 40000 1434 1 2500083 3283 6879 6879
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=116
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:23:33} 4 117 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 40000 1434 1 2402001 3389 6880 6880
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=117
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:32:14} 4 118 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 42082 7777 1 2402000 3389 6881 6881
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=118
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:32:19} 4 119 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 45} x.x.x.x x.x.x.x 6 64168 22 1 2500088 3283 6882 6882
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=119
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:35:10} 4 120 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 8} x.x.x.x x.x.x.x 6 6000 22 1 2500014 3283 6901 6901
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=120
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:35:10} 4 121 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 6000 22 1 2402000 3389 6902 6902
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=121
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:35:10} 4 122 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6903 6903
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=122
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:35:10} 4 123 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6904 6904
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=123
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:36:36} 4 124 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 52960 53 1 2402001 3389 6905 6905
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=124
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:36:41} 4 125 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 39} x.x.x.x x.x.x.x 6 6000 22 1 2500076 3283 6906 6906
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=125
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:37:30} 4 126 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 2} x.x.x.x x.x.x.x 6 33953 902 1 2500002 3283 6909 6909
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=126
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:38:53} 4 127 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 35517 123 1 2402001 3389 6913 6913
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=127
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:42:12} 4 128 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 6000 22 1 2402000 3389 6914 6914
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=128
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:42:12} 4 129 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6915 6915
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=129
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:42:12} 4 130 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6916 6916
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=130
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:43:20} 4 131 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 17 56659 623 1 2402001 3389 6917 6917
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=131
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:44:13} 4 137 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5140 5060 1 2011716 4 6923 6923
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=137
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:44:13} 4 136 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5140 5060 1 2011716 4 6922 6922
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=136
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:44:13} 4 135 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5140 5060 1 2011716 4 6921 6921
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=135
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:44:13} 4 134 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5140 5060 1 2011716 4 6920 6920
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=134
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:44:13} 4 133 {ET SCAN Sipvicious Scan} x.x.x.x x.x.x.x 17 5140 5060 1 2008578 6 6919 6919
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=133
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:44:13} 4 132 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5140 5060 1 2011716 4 6918 6918
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=132
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:45:23} 4 138 {ET DROP Dshield Block Listed Source group 1} x.x.x.x x.x.x.x 6 54124 21320 1 2402000 3389 6924 6924
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=138
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:46:18} 4 139 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6925 6925
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=139
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:48:44} 4 141 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6927 6927
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=141
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:48:44} 4 140 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 6926 6926
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=140
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:53:51} 4 147 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5094 5060 1 2011716 4 6933 6933
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=147
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 20:53:51} 4 146 {ET SCAN Sipvicious User-Agent Detected (friendly-scanner)} x.x.x.x x.x.x.x 17 5094 5060 1 2011716 4 6932 6932
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_Ext... [truncated message content]
From: Bamm V. <bam...@gm...> - 2014-07-18 11:46:44
Hi James,

Did you ever change the system local time to UTC? If so, did it correct the issue?

Bamm

On Thu, Jul 3, 2014 at 2:39 PM, James Lay <jl...@sl...> wrote:
> On Thu, 2014-07-03 at 12:33 -0400, Bamm Visscher wrote:
> > Are you running with -d 2?
> > Bamm
> > On Jul 3, 2014 11:09 AM, "James Lay" <jl...@sl...> wrote:
> > On Thu, 2014-07-03 at 10:55 -0400, Bamm Visscher wrote:
> > Is there more output from the debug you can send?
> > > Bamm
> > > On Thu, Jul 3, 2014 at 9:09 AM, James Lay <jl...@sl...> wrote:
> > On Thu, 2014-07-03 at 08:08 -0400, Bamm Visscher wrote:
> > I would check to make sure the localtime for your sensors/servers are all set to UTC. Not just the DB.
> > > Bamm
> > > On Wed, Jul 2, 2014 at 9:40 PM, James Lay <jl...@sl...> wrote:
> > On Wed, 2014-07-02 at 19:22 -0600, James Lay wrote:
> > On Wed, 2014-07-02 at 20:53 -0400, Bamm Visscher wrote:
> > Did this cause your DB to fail again? Restarting BY should fix it.
> > > Bamm
> > > On Wed, Jul 2, 2014 at 8:16 PM, James Lay <jl...@sl...> wrote:
> > On Wed, 2014-07-02 at 12:47 -0400, Bamm Visscher wrote:
> > Hi James,
> > > This does look like there is a TZ issue at play. I'll dig deeper when I get a chance this evening. One way to get back up would be to temporarily disable the autocat rule that is triggering the update.
> > > Bamm
> > > > And again...moments ago:
> > Jul 2 18:01:59 x.x.x.x barnyard2[15859]: FATAL ERROR: sguil: Expected Confirm 904 and got: Failed to insert 904: mysqlexec/db server: Duplicate entry 4-904 for key PRIMARY#012.
> > I'm officially at a loss what to do now besides roll back to 0.8.0.
> > James
> > > Negative....sguild will no longer start....exact same thing as earlier...around the same time as well:
> > [19:20:47 @ids <jlay@goids>:~$] mysqlexec/db server: Table 'sguildb.event_External_20140703' doesn't exist
> while executing
> "mysqlexec $MAIN_DB_SOCKETID $updateString"
> (procedure "UpdateDBStatus" line 11)
> invoked from within
> "UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
> (procedure "AutoCat" line 43)
> invoked from within
> "AutoCat $row"
> ("foreach" body line 6)
> invoked from within
> "foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {
>
> InfoMessage "Archived Alert: $row"
> set LAST_EVENT_ID([lindex $row 3]) "[li..."
> invoked from within
> "if { $mergeTableListArray(event) != "" } {
>
> # Get the archived alerts
> LogMessage "Querying DB for archived events..."
> set MAJOR_MYSQL_VERS..."
> (file "/opt/bin/sguil/sguild" line 734)
> > Ok Bamm.....I'll try that....is that going to fix my current inability to start sguild, or will I have to redo the db again? Thank you.
> > James
> > ------------------------------------------------------------------------------
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
> > Here you go Bamm..including this in a txt file instead since it's kinda beefy.

--
sguil - The Analyst Console for NSM
http://www.sguil.net
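A way to test the time-zone hypothesis from this thread against the sguild debug output, as an added example (this is not Sguil's own code). The script pairs each "Archived Alert" line with the UPDATE that AutoCat issued for it, lists the alerts whose calendar day changes when the sensor's clock is shifted to UTC, and names the event_<sensor>_<day> tables the UPDATEs target that are missing from a SHOW TABLES listing. It assumes that Sguil's daily tables are named event_<sensor>_<YYYYMMDD> with the day taken from the alert timestamp (the log shows the pattern, the naming rule is an assumption), and it uses a -6 hour offset taken from the -0600 stamps on James's mails. The sample log lines are constructed in the shape of the quoted output (the cid 200 alert is made up for contrast) and the table set stands in for a real SHOW TABLES result.

```python
"""Cross-check sguild's daily event tables against alert timestamps.

Added example for this thread, not code from the Sguil project.  Assumes
that Sguil files each alert into a per-sensor, per-day table named
event_<sensor>_<YYYYMMDD>, with the day taken from the alert timestamp,
so a sensor clock in local time paired with a server that assumes UTC
can push an evening alert onto the next day's table.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the sguild -d 2 output quoted in the
# thread (IPs were redacted there as x.x.x.x and stay that way).  The
# second alert (cid 200, a midday timestamp) is made up for contrast.
SAMPLE_LOG = """\
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 misc-attack External {2014-07-01 20:10:25} 4 104 {ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 21} x.x.x.x x.x.x.x 6 7823 9999 1 2500040 3283 6863 6863
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140702` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=104
2014-07-03 18:28:50 pid(8757) Archived Alert: 0 2 attempted-recon External {2014-07-01 12:00:00} 4 200 {ET SCAN Potential SSH Scan} x.x.x.x x.x.x.x 6 6000 22 1 2001219 18 7000 7000
2014-07-03 18:28:50 pid(8757) AUTO MARKING EVENT AS : 16
2014-07-03 18:28:50 pid(8757) UPDATE `event_External_20140701` SET status=16, last_modified='2014-07-03 18:28:50', last_uid='1' WHERE sid=4 AND cid=200
"""

# Constructed stand-in for the output of SHOW TABLES on the sguildb database.
SAMPLE_TABLES = {"event", "event_External_20140701"}

ALERT_RE = re.compile(
    r"Archived Alert: \d+ \d+ \S+ (?P<sensor>\S+) "
    r"\{(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\} (?P<sid>\d+) (?P<cid>\d+) "
)
UPDATE_RE = re.compile(
    r"UPDATE `event_(?P<sensor>.+?)_(?P<day>\d{8})` .*"
    r"WHERE sid=(?P<sid>\d+) AND cid=(?P<cid>\d+)"
)


def parse_sguild_log(text):
    """Pair each 'Archived Alert' line with the UPDATE AutoCat issued for it.

    Returns one record per (sid, cid): sensor, alert timestamp (naive, as
    the sensor wrote it) and the day suffix of the table the UPDATE
    targeted, or None when no UPDATE for that alert was seen.
    """
    records = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            key = (int(m["sid"]), int(m["cid"]))
            records[key] = {
                "sid": key[0],
                "cid": key[1],
                "sensor": m["sensor"],
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "table_day": None,
            }
            continue
        m = UPDATE_RE.search(line)
        if m:
            key = (int(m["sid"]), int(m["cid"]))
            if key in records:
                records[key]["table_day"] = m["day"]
    return list(records.values())


def utc_day(ts, clock_offset_hours):
    """Day suffix (YYYYMMDD) of `ts` once converted to UTC, treating `ts` as
    read from a clock that is `clock_offset_hours` ahead of UTC (-6 for MDT)."""
    return (ts - timedelta(hours=clock_offset_hours)).strftime("%Y%m%d")


def straddling_alerts(records, clock_offset_hours):
    """Alerts whose calendar day differs between the sensor's local clock and
    UTC: the ones a local/UTC mix-up files under a different day than the
    timestamp shows.  Returns (sid, cid, day as written, day in UTC, day of
    the table the UPDATE targeted)."""
    out = []
    for r in records:
        written = r["ts"].strftime("%Y%m%d")
        in_utc = utc_day(r["ts"], clock_offset_hours)
        if written != in_utc:
            out.append((r["sid"], r["cid"], written, in_utc, r["table_day"]))
    return out


def missing_tables(records, existing_tables):
    """Names of event_<sensor>_<day> tables that AutoCat's UPDATEs target but
    that are absent from `existing_tables`: the condition behind the
    "Table ... doesn't exist" error in the thread."""
    missing = set()
    for r in records:
        if r["table_day"] is not None:
            name = f"event_{r['sensor']}_{r['table_day']}"
            if name not in existing_tables:
                missing.add(name)
    return sorted(missing)


if __name__ == "__main__":
    recs = parse_sguild_log(SAMPLE_LOG)
    for sid, cid, written, in_utc, table in straddling_alerts(recs, -6):
        print(f"sid={sid} cid={cid}: written {written}, UTC {in_utc}, table {table}")
    for name in missing_tables(recs, SAMPLE_TABLES):
        print(f"UPDATE targets missing table {name}")
```

Run against a real sguild -d 2 capture and a real SHOW TABLES listing, the interesting case is when the alerts reported by straddling_alerts are exactly the ones whose UPDATE targets a table in the missing_tables output: that means the sensor's clock and the server's idea of "today" disagree by the offset, which is what moving every host to UTC, as suggested in the thread, removes. With offset 0 nothing straddles, which is the state you want to see after the change.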