List: security-onion
Subject: Re: [security-onion] Sguil Server fails to start
From: Cody Sapp <tgq714 () mocs ! utc ! edu>
Date: 2013-03-26 20:52:42
Message-ID: CACs3At0z+XSg81fwyaKVL8zr3Wm9KkaWNW6dOYknYJjzJLmZEg () mail ! gmail ! com
That fixed it. Thanks, you guys.
On Tue, Mar 26, 2013 at 4:27 PM, Doug Burks <doug.burks@gmail.com> wrote:
> Hi Cody,
>
> Based on the following snippet:
> Out of resources when opening file
> './securityonion_db/event_winning@002dossec_20130301.MYD' (Errcode: 24)
>
> please see:
>
> https://code.google.com/p/security-onion/wiki/FAQ#I_get_periodic_MySQL_crashes_and/or_error_code_24_
> "out_of_r
>
> Thanks,
> Doug
>
> On Tue, Mar 26, 2013 at 1:41 PM, Cody Sapp <tgq714@mocs.utc.edu> wrote:
> > Here it is:
> >
> > 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:
> > ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS Changed Asset - domain||1
> > 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:
> > ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS New Asset - domain||1
> > 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:
> > ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS Changed Asset - smtp||1
> > 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:
> > ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS New Asset - smtp||1
> > 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:
> > ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS Changed Asset - ssh||1
> > 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:
> > ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS New Asset - ssh||1
> > 2013-03-26 17:39:49 pid(30942) Email Configuration:
> > 2013-03-26 17:39:49 pid(30942) Config file: /etc/sguild/sguild.email
> > 2013-03-26 17:39:49 pid(30942) Enabled: No
> > 2013-03-26 17:39:49 pid(30942) Connecting to localhost on 3306 as sguil
> > 2013-03-26 17:39:49 pid(30942) MySQL Version: version 5.5.29-0ubuntu0.12.04.2
> > 2013-03-26 17:39:49 pid(30942) SguilDB Version: 0.13
> > 2013-03-26 17:39:49
> > *************************************************************
> >
> > ERROR: You appear to be using an old version of the
> > sguil database schema that does not support the MERGE tables
> > Please use the migrate_event.tcl script and see the CHANGES
> > document for more information
> >
> > . Table event returned status => event {} {} {} {} {} {} {} {} {} {} {} {}
> > {} {} {} {} {Out of resources when opening file
> > './securityonion_db/event_winning@002dossec_20130301.MYD' (Errcode: 24)}
> > *************************************************************
> >
> > SGUILD: Exiting...
> > ~
> >
> >
> > On Mon, Mar 25, 2013 at 6:19 PM, Doug Burks <doug.burks@gmail.com> wrote:
> > >
> > > Answered you in your first email.
> > > Doug
> > >
> > >
> > > On Monday, March 25, 2013, Cody Sapp wrote:
> > > >
> > > > Here is the output from sostat:
> > > >
> > > > =========================================================================
> > > > Service Status
> > > >
> > > > =========================================================================
> > > > Status: securityonion
> > > > * sguil server[ FAIL ]
> > > > Status: HIDS
> > > > * ossec_agent (sguil)[ OK ]
> > > > Status: Bro
> > > > Name Type Host Status Pid Peers Started
> > > > manager manager NOPE running 19781 ??? 25 Mar 20:48:23
> > > > proxy proxy NOPE running 19833 ??? 25 Mar 20:48:25
> > > > winning-eth0-1 worker NOPE running 19919 ??? 25 Mar 20:48:27
> > > > winning-eth0-2 worker NOPE running 19918 ??? 25 Mar 20:48:27
> > > > winning-eth1-1 worker NOPE running 19920 ??? 25 Mar 20:48:27
> > > > winning-eth1-2 worker NOPE running 19921 ??? 25 Mar 20:48:27
> > > > Status: winning-eth0
> > > > * netsniff-ng (full packet data)[ OK ]
> > > > * pcap_agent (sguil)[ OK ]
> > > > * snort_agent-1 (sguil)[ OK ]
> > > > * snort_agent-2 (sguil)[ OK ]
> > > > * snort_agent-3 (sguil)[ OK ]
> > > > * snort-1 (alert data)[ OK ]
> > > > * snort-2 (alert data)[ OK ]
> > > > * snort-3 (alert data)[ OK ]
> > > > * barnyard2-1 (spooler, unified2 format)[ OK ]
> > > > * barnyard2-2 (spooler, unified2 format)[ OK ]
> > > > * barnyard2-3 (spooler, unified2 format)[ OK ]
> > > > * prads (sessions/assets)[ OK ]
> > > > * sancp_agent (sguil)[ OK ]
> > > > * pads_agent (sguil)[ OK ]
> > > > * argus[ OK ]
> > > > * http_agent (sguil)[ OK ]
> > > > Status: winning-eth1
> > > > * netsniff-ng (full packet data)[ OK ]
> > > > * pcap_agent (sguil)[ OK ]
> > > > * snort_agent-1 (sguil)[ OK ]
> > > > * snort_agent-2 (sguil)[ OK ]
> > > > * snort_agent-3 (sguil)[ OK ]
> > > > * snort-1 (alert data)[ OK ]
> > > > * snort-2 (alert data)[ OK ]
> > > > * snort-3 (alert data)[ OK ]
> > > > * barnyard2-1 (spooler, unified2 format)[ OK ]
> > > > * barnyard2-2 (spooler, unified2 format)[ OK ]
> > > > * barnyard2-3 (spooler, unified2 format)[ OK ]
> > > > * prads (sessions/assets)[ OK ]
> > > > * sancp_agent (sguil)[ OK ]
> > > > * pads_agent (sguil)[ OK ]
> > > > * argus[ OK ]
> > > > * http_agent (sguil)[ OK ]
> > > >
> > > >
> > > > =========================================================================
> > > > Interface Status
> > > >
> > > > =========================================================================
> > > > eth0 Link encap:Ethernet HWaddr 00:50:45:5d:0e:2c
> > > > inet addr:NOPE Bcast:NOPE Mask:NOPE
> > > > inet6 addr: NOPE Scope:Link
> > > > UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> > > > RX packets:191679 errors:0 dropped:0 overruns:0 frame:0
> > > > TX packets:25413 errors:0 dropped:0 overruns:0 carrier:0
> > > > collisions:0 txqueuelen:1000
> > > > RX bytes:19550240 (19.5 MB) TX bytes:2977185 (2.9 MB)
> > > > Interrupt:27
> > > >
> > > > eth1 Link encap:Ethernet HWaddr NOPE
> > > > UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> > > > RX packets:2286985 errors:0 dropped:0 overruns:0 frame:0
> > > > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > > > collisions:0 txqueuelen:1000
> > > > RX bytes:1468904635 (1.4 GB) TX bytes:0 (0.0 B)
> > > > Interrupt:27
> > > >
> > > > lo Link encap:Local Loopback
> > > > inet addr:NOPE Mask:NOPE
> > > > inet6 addr: NOPE Scope:Host
> > > > UP LOOPBACK RUNNING MTU:16436 Metric:1
> > > > RX packets:56157 errors:0 dropped:0 overruns:0 frame:0
> > > > TX packets:56157 errors:0 dropped:0 overruns:0 carrier:0
> > > > collisions:0 txqueuelen:0
> > > > RX bytes:53418305 (53.4 MB) TX bytes:53418305 (53.4 MB)
> > > >
> > > >
> > > >
> > > > =========================================================================
> > > > Disk Usage
> > > >
> > > > =========================================================================
> > > > Filesystem Size Used Avail Use% Mounted on
> > > > /dev/sda1 935G 772G 116G 87% /
> > > > udev 3.9G 4.0K 3.9G 1% /dev
> > > > tmpfs 1.6G 860K 1.6G 1% /run
> > > > none 5.0M 0 5.0M 0% /run/lock
> > > > none 3.9G 0 3.9G 0% /run/shm
> > > >
> > > >
> > > > =========================================================================
> > > > Network Sockets
> > > >
> > > > =========================================================================
> > > >
> > > > [Skipping this because I do not think it is important. There were no
> > > > errors or anything in this part]
> > > >
> > > >
> > > > =========================================================================
> > > > IDS Rules Update
> > > >
> > > > =========================================================================
> > > > Mon Mar 25 07:01:01 UTC 2013
> > > > Backing up current downloaded.rules file before it gets overwritten.
> > > > Cleaning up downloaded.rules backup files older than 30 days.
> > > > Running PulledPork.
> > > > http://code.google.com/p/pulledpork/
> > > > _____ ____
> > > > `----,\ )
> > > > `--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
> > > > `--==\\/
> > > > .-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
> > > > @_/ / 66\_ cummingsj@gmail.com
> > > > > \ \ _(")
> > > > \ /-| ||'--' Rules give me wings!
> > > > \_\ \_\\
> > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > Checking latest MD5 for emerging.rules.tar.gz....
> > > > They Match
> > > > Done!
> > > > Prepping rules from emerging.rules.tar.gz for work....
> > > > Done!
> > > > Reading rules...
> > > > Generating Stub Rules....
> > > > Done
> > > > Reading rules...
> > > > Reading rules...
> > > > Reading rules...
> > > > Processing /etc/nsm/pulledpork/enablesid.conf....
> > > > Modified 0 rules
> > > > Done
> > > > Processing /etc/nsm/pulledpork/dropsid.conf....
> > > > Modified 0 rules
> > > > Done
> > > > Processing /etc/nsm/pulledpork/disablesid.conf....
> > > > Modified 0 rules
> > > > Done
> > > > Modifying Sids....
> > > > Done!
> > > > Setting Flowbit State....
> > > > Enabled 11 flowbits
> > > > Done
> > > > Writing /etc/nsm/rules/downloaded.rules....
> > > > Done
> > > > Writing /etc/nsm/rules/so_rules.rules....
> > > > Done
> > > > Generating sid-msg.map....
> > > > Done
> > > > Writing /etc/nsm/rules/sid-msg.map....
> > > > Done
> > > > Writing /var/log/sid_changes.log....
> > > > Done
> > > > Rule Stats....
> > > > New:-------0
> > > > Deleted:---0
> > > > Enabled Rules:----13845
> > > > Dropped Rules:----0
> > > > Disabled Rules:---3208
> > > > Total Rules:------17053
> > > > Done
> > > > Please review /var/log/sid_changes.log for additional details
> > > > Fly Piggy Fly!
> > > > Restarting Barnyard2.
> > > > Restarting: winning-eth0
> > > > * stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
> > > > * starting: barnyard2-1 (spooler, unified2 format)[ OK ]
> > > > * stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
> > > > * starting: barnyard2-2 (spooler, unified2 format)[ OK ]
> > > > * stopping: barnyard2-3 (spooler, unified2 format)[ OK ]
> > > > * starting: barnyard2-3 (spooler, unified2 format)[ OK ]
> > > > Restarting: winning-eth1
> > > > * stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
> > > > * starting: barnyard2-1 (spooler, unified2 format)[ OK ]
> > > > * stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
> > > > * starting: barnyard2-2 (spooler, unified2 format)[ OK ]
> > > > * stopping: barnyard2-3 (spooler, unified2 format)[ OK ]
> > > > * starting: barnyard2-3 (spooler, unified2 format)[ OK ]
> > > > Restarting IDS Engine.
> > > > Restarting: winning-eth0
> > > > * stopping: snort-1 (alert data)[ OK ]
> > > > * starting: snort-1 (alert data)[ OK ]
> > > > * stopping: snort-2 (alert data)[ OK ]
> > > > * starting: snort-2 (alert data)[ OK ]
> > > > * stopping: snort-3 (alert data)[ OK ]
> > > > * starting: snort-3 (alert data)[ OK ]
> > > > Restarting: winning-eth1
> > > > * stopping: snort-1 (alert data)[ OK ]
> > > > * starting: snort-1 (alert data)[ OK ]
> > > > * stopping: snort-2 (alert data)[ OK ]
> > > > * starting: snort-2 (alert data)[ OK ]
> > > > * stopping: snort-3 (alert data)[ OK ]
> > > > * starting: snort-3 (alert data)[ OK ]
> > > >
> > > >
> > > > =========================================================================
> > > > CPU Usage
> > > >
> > > > =========================================================================
> > > > top - 21:16:22 up 1:22, 2 users, load average: 10.47, 10.93, 11.52
> > > > Tasks: 205 total, 11 running, 194 sleeping, 0 stopped, 0 zombie
> > > > Cpu(s): 25.1%us, 52.3%sy, 5.0%ni, 12.1%id, 5.0%wa, 0.1%hi, 0.5%si, 0.0%st
> > > > Mem: 8178204k total, 7765188k used, 413016k free, 436188k buffers
> > > > Swap: 12474632k total, 7828k used, 12466804k free, 3618300k cached
> > > >
> > > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> > > > 14227 root 25 5 82004 20m 892 R 33 0.3 19:05.23 bro
> > > > 19789 root 25 5 153m 20m 920 R 31 0.3 6:10.10 bro
> > > > 14728 root 20 0 287m 105m 70m S 22 1.3 15:03.66 bro
> > > > 19838 root 25 5 65616 19m 820 S 22 0.2 5:38.00 bro
> > > > 14729 root 20 0 288m 107m 71m R 20 1.3 14:44.39 bro
> > > > 19918 root 20 0 205m 95m 68m S 20 1.2 5:05.09 bro
> > > > 19921 root 20 0 286m 104m 70m S 20 1.3 5:10.17 bro
> > > > 14726 root 20 0 206m 95m 68m R 16 1.2 14:59.93 bro
> > > > 19919 root 20 0 277m 95m 68m S 16 1.2 4:57.49 bro
> > > > 19929 root 25 5 130m 83m 64m R 16 1.1 3:21.29 bro
> > > > 14727 root 20 0 278m 95m 68m S 14 1.2 14:56.62 bro
> > > > 19920 root 20 0 285m 104m 70m R 14 1.3 5:08.26 bro
> > > > 20010 root 25 5 130m 83m 64m R 12 1.1 3:11.31 bro
> > > > 14732 root 25 5 129m 83m 64m S 10 1.0 11:03.68 bro
> > > > 14737 root 25 5 129m 83m 64m S 10 1.0 11:38.42 bro
> > > > 19924 root 25 5 130m 83m 64m S 10 1.1 3:20.51 bro
> > > > 19990 root 25 5 130m 83m 64m S 10 1.1 3:24.35 bro
> > > > 14745 root 25 5 129m 83m 64m R 8 1.0 11:29.13 bro
> > > > 14752 root 25 5 129m 83m 64m S 8 1.0 11:05.62 bro
> > > > 14168 root 20 0 281m 26m 3932 S 4 0.3 1:14.69 bro
> > > > 21012 sguil 20 0 539m 214m 10m S 4 2.7 1:05.61 snort
> > > > 21158 sguil 20 0 540m 216m 10m S 4 2.7 1:04.54 snort
> > > > 15 root 20 0 0 0 0 S 2 0.0 0:43.15 ksoftirqd/2
> > > > 1400 mysql 20 0 1562m 244m 8068 S 2 3.1 5:47.58 mysqld
> > > > 13450 root 20 0 17468 1276 868 R 2 0.0 0:00.01 top
> > > > 19781 root 20 0 1577m 26m 3932 R 2 0.3 0:28.37 bro
> > > > 19833 root 20 0 205m 22m 3916 R 2 0.3 0:26.95 bro
> > > > 21097 sguil 20 0 538m 212m 10m S 2 2.7 0:55.58 snort
> > > > 1 root 20 0 24588 2048 1296 S 0 0.0 0:00.90 init
> > > > 2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
> > > > 3 root 20 0 0 0 0 S 0 0.0 0:32.40 ksoftirqd/0
> > > > 4 root 20 0 0 0 0 S 0 0.0 0:01.57 kworker/0:0
> > > > 6 root RT 0 0 0 0 S 0 0.0 0:00.11 migration/0
> > > > 7 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/0
> > > > 8 root RT 0 0 0 0 S 0 0.0 0:00.10 migration/1
> > > > 10 root 20 0 0 0 0 S 0 0.0 0:33.77 ksoftirqd/1
> > > > 12 root RT 0 0 0 0 S 0 0.0 0:00.01 watchdog/1
> > > > 13 root RT 0 0 0 0 S 0 0.0 0:00.10 migration/2
> > > > 16 root RT 0 0 0 0 S 0 0.0 0:00.27 watchdog/2
> > > > 17 root RT 0 0 0 0 S 0 0.0 0:00.29 migration/3
> > > > 19 root 20 0 0 0 0 S 0 0.0 0:45.20 ksoftirqd/3
> > > > 20 root RT 0 0 0 0 S 0 0.0 0:00.01 watchdog/3
> > > > 21 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
> > > > 22 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
> > > > 23 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
> > > > 24 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
> > > > 25 root 20 0 0 0 0 S 0 0.0 0:00.04 kworker/u:1
> > > > 26 root 20 0 0 0 0 S 0 0.0 0:00.00 sync_supers
> > > > 27 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
> > > > 28 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
> > > > 29 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
> > > > 30 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
> > > > 31 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
> > > > 32 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
> > > > 33 root 20 0 0 0 0 S 0 0.0 0:00.00 khungtaskd
> > > > 34 root 20 0 0 0 0 S 0 0.0 0:06.52 kswapd0
> > > > 35 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google Groups
> > > > "security-onion" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an
> > > > email to security-onion+unsubscribe@googlegroups.com.
> > > > To post to this group, send email to security-onion@googlegroups.com.
> > > > Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
> > > > For more options, visit https://groups.google.com/groups/opt_out.
> > > >
> > > >
> > >
> > >
> > > --
> > > Doug Burks
> > > http://securityonion.blogspot.com
> > >
> > >
> >
> >
>
>
>
> --
> Doug Burks
> http://securityonion.blogspot.com
>
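An added triage script, written for this archive page and not part of the thread or of Sguil/Security Onion, that makes Doug's diagnosis reproducible. Errcode 24 is the operating-system errno EMFILE ("too many open files"), so the "old version of the sguil database schema" banner above is a symptom: sguild's table-status check on `event` failed, and the actual reason is the MySQL error embedded in that status text. The script pulls that error out of sguild output, decodes MySQL's `@002d` file-name encoding to recover the sensor and day behind the table, and estimates how many descriptors one open of the `event` MERGE table needs (two per underlying MyISAM table, data file plus index file) so the number can be compared with the value of `SHOW VARIABLES LIKE 'open_files_limit'`. The sample log lines and the database directory listing are constructed; the sensor names are taken from the sostat output quoted above; `concurrent_opens` is an assumed multiplier for several clients opening the table at once. The fix itself is in the FAQ Doug linked and is not reproduced here.

```python
"""Triage helper for MySQL 'Out of resources when opening file ... (Errcode: 24)'
seen in sguild startup output. Added example; not Sguil/Security Onion code."""
import errno
import re

# Constructed sample: condensed from the sguild output quoted in the thread.
SAMPLE_SGUILD_OUTPUT = """\
2013-03-26 17:39:49 pid(30942) Connecting to localhost on 3306 as sguil
2013-03-26 17:39:49 pid(30942) SguilDB Version: 0.13
ERROR: You appear to be using an old version of the sguil database schema that does not support the MERGE tables
. Table event returned status => event {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {Out of resources when opening file './securityonion_db/event_winning@002dossec_20130301.MYD' (Errcode: 24)}
SGUILD: Exiting...
"""

ERRCODE_RE = re.compile(
    r"Out of resources when opening file '(?P<path>[^']+)' \(Errcode: (?P<code>\d+)\)"
)
# MySQL writes characters that are not filesystem-safe as @XXXX (hex code point),
# which is why the sensor "winning-ossec" shows up on disk as "winning@002dossec".
MYSQL_ENCODED_CHAR_RE = re.compile(r"@([0-9a-f]{4})")


def find_open_file_errors(log_text):
    """Return one (path, errno_value, errno_name) per 'Out of resources' line."""
    hits = []
    for line in log_text.splitlines():
        m = ERRCODE_RE.search(line)
        if m:
            code = int(m.group("code"))
            # errno 24 is EMFILE on Linux: the process hit its open-file limit.
            hits.append((m.group("path"), code, errno.errorcode.get(code, "UNKNOWN")))
    return hits


def decode_mysql_filename(name):
    """Turn MySQL's on-disk table file name back into the table name (@002d -> '-')."""
    return MYSQL_ENCODED_CHAR_RE.sub(lambda m: chr(int(m.group(1), 16)), name)


def sguil_event_table_info(path):
    """Split './<db>/event_<sensor>_<YYYYMMDD>.MYD' into (db, sensor, date)."""
    db, filename = path.rsplit("/", 2)[-2:]
    table = decode_mysql_filename(filename.rsplit(".", 1)[0])
    m = re.fullmatch(r"event_(?P<sensor>.+)_(?P<date>\d{8})", table)
    if not m:
        return None
    return db, m.group("sensor"), m.group("date")


def merge_descriptor_estimate(db_files, prefix="event_"):
    """Lower bound on descriptors one open of the MERGE table needs.

    MySQL opens every underlying MyISAM table of a MERGE table, and each open
    MyISAM table costs two descriptors (.MYD data file + .MYI index file).
    """
    tables = {f.rsplit(".", 1)[0] for f in db_files
              if f.startswith(prefix) and f.endswith((".MYD", ".MYI"))}
    return 2 * len(tables)


def check_open_files_limit(db_files, open_files_limit, concurrent_opens=1):
    """Return (needed, ok); ok is False when the limit cannot cover the MERGE table.

    open_files_limit is the value of SHOW VARIABLES LIKE 'open_files_limit';
    concurrent_opens is an assumed number of simultaneous opens of the table.
    """
    needed = merge_descriptor_estimate(db_files) * concurrent_opens
    return needed, needed < open_files_limit


def constructed_db_listing(sensors, days):
    """Constructed directory listing of a Sguil database: one MyISAM table per
    sensor per day (frm/MYD/MYI) plus the MERGE table 'event' itself."""
    files = []
    for sensor in sensors:
        encoded = sensor.replace("-", "@002d")
        for day in range(1, days + 1):
            base = f"event_{encoded}_201303{day:02d}"
            files += [base + ".frm", base + ".MYD", base + ".MYI"]
    files += ["event.MRG", "event.frm"]
    return files


if __name__ == "__main__":
    for path, code, name in find_open_file_errors(SAMPLE_SGUILD_OUTPUT):
        print(f"{name} (errno {code}) opening {path}")
        print("table:", sguil_event_table_info(path))
    listing = constructed_db_listing(["winning-ossec", "winning-eth0", "winning-eth1"], 31)
    print("one open:", check_open_files_limit(listing, 1024))
    print("six concurrent opens:", check_open_files_limit(listing, 1024, concurrent_opens=6))
```

The estimate is deliberately a floor: a month of daily tables for three sensors already costs 186 descriptors per open, and a handful of concurrent Sguil clients pushes that past a 1024-descriptor limit, which is the situation the Errcode 24 text describes.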
[Attachment #3 (text/html)]
That fixed it. Thanks you guys.<br><br><div class="gmail_quote">On Tue, Mar 26, 2013 \
at 4:27 PM, Doug Burks <span dir="ltr"><<a href="mailto:doug.burks@gmail.com" \
target="_blank">doug.burks@gmail.com</a>></span> wrote:<br> <blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">Hi Cody,<br> <br>
Based on the following snippet:<br>
<div class="im">Out of resources when opening file<br>
'./securityonion_db/event_winning@002dossec_20130301.MYD' (Errcode:<br>
24)<br>
<br>
</div>please see:<br>
<a href="https://code.google.com/p/security-onion/wiki/FAQ#I_get_periodic_MySQL_crashes_and/or_error_code_24_" \
target="_blank">https://code.google.com/p/security-onion/wiki/FAQ#I_get_periodic_MySQL_crashes_and/or_error_code_24_</a>"out_of_r<br>
<br>
Thanks,<br>
Doug<br>
<div class="HOEnZb"><div class="h5"><br>
On Tue, Mar 26, 2013 at 1:41 PM, Cody Sapp <<a \
href="mailto:tgq714@mocs.utc.edu">tgq714@mocs.utc.edu</a>> wrote:<br> > Here it \
is:<br> ><br>
> 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:<br>
> ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS Changed Asset - domain||1<br>
> 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:<br>
> ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS New Asset - domain||1<br>
> 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:<br>
> ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS Changed Asset - smtp||1<br>
> 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:<br>
> ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS New Asset - smtp||1<br>
> 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:<br>
> ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS Changed Asset - ssh||1<br>
> 2013-03-26 17:39:49 pid(30942) Adding AutoCat Rule:<br>
> ||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^PADS New Asset - ssh||1<br>
> 2013-03-26 17:39:49 pid(30942) Email Configuration:<br>
> 2013-03-26 17:39:49 pid(30942) Config file: /etc/sguild/sguild.email<br>
> 2013-03-26 17:39:49 pid(30942) Enabled: No<br>
> 2013-03-26 17:39:49 pid(30942) Connecting to localhost on 3306 as sguil<br>
> 2013-03-26 17:39:49 pid(30942) MySQL Version: version<br>
> 5.5.29-0ubuntu0.12.04.2<br>
> 2013-03-26 17:39:49 pid(30942) SguilDB Version: 0.13<br>
> 2013-03-26 17:39:49<br>
> *************************************************************<br>
><br>
> ERROR: You appear to be using an old version of<br>
> the<br>
> sguil database schema that does not support the MERGE tables<br>
> Please use the migrate_event.tcl script and see the CHANGES<br>
> document for more information<br>
><br>
> . Table event returned status => event {} {} {} {} {} {} {} {} {} {} {} \
{}<br> > {} {} {} {} {Out of resources when opening file<br>
> './securityonion_db/event_winning@002dossec_20130301.MYD' (Errcode: \
24)}<br> > *************************************************************<br>
><br>
> SGUILD: Exiting...<br>
> ~<br>
><br>
><br>
> On Mon, Mar 25, 2013 at 6:19 PM, Doug Burks <<a \
href="mailto:doug.burks@gmail.com">doug.burks@gmail.com</a>> wrote:<br> \
>><br> >> Answered you in your first email.<br>
>> Doug<br>
>><br>
>><br>
>> On Monday, March 25, 2013, Cody Sapp wrote:<br>
>>><br>
>>> Here is the output from sostat:<br>
>>> =========================================================================<br>
>>> Service Status<br>
>>> =========================================================================<br>
>>> Status: securityonion<br>
>>> * sguil server[ FAIL ]<br>
>>> Status: HIDS<br>
>>> * ossec_agent (sguil)[ OK ]<br>
>>> Status: Bro<br>
>>> Name Type Host Status Pid Peers Started<br>
>>> manager manager NOPE running 19781 ??? 25 Mar<br>
>>> 20:48:23<br>
>>> proxy proxy NOPE running 19833 ??? 25 Mar<br>
>>> 20:48:25<br>
>>> winning-eth0-1 worker NOPE running 19919 ??? 25 Mar<br>
>>> 20:48:27<br>
>>> winning-eth0-2 worker NOPE running 19918 ??? 25 Mar<br>
>>> 20:48:27<br>
>>> winning-eth1-1 worker NOPE running 19920 ??? 25 Mar<br>
>>> 20:48:27<br>
>>> winning-eth1-2 worker NOPE running 19921 ??? 25 Mar<br>
>>> 20:48:27<br>
>>> Status: winning-eth0<br>
>>> * netsniff-ng (full packet data)[ OK ]<br>
>>> * pcap_agent (sguil)[ OK ]<br>
>>> * snort_agent-1 (sguil)[ OK ]<br>
>>> * snort_agent-2 (sguil)[ OK ]<br>
>>> * snort_agent-3 (sguil)[ OK ]<br>
>>> * snort-1 (alert data)[ OK ]<br>
>>> * snort-2 (alert data)[ OK ]<br>
>>> * snort-3 (alert data)[ OK ]<br>
>>> * barnyard2-1 (spooler, unified2 format)[ OK ]<br>
>>> * barnyard2-2 (spooler, unified2 format)[ OK ]<br>
>>> * barnyard2-3 (spooler, unified2 format)[ OK ]<br>
>>> * prads (sessions/assets)[ OK ]<br>
>>> * sancp_agent (sguil)[ OK ]<br>
>>> * pads_agent (sguil)[ OK ]<br>
>>> * argus[ OK ]<br>
>>> * http_agent (sguil)[ OK ]<br>
>>> Status: winning-eth1<br>
>>> * netsniff-ng (full packet data)[ OK ]<br>
>>> * pcap_agent (sguil)[ OK ]<br>
>>> * snort_agent-1 (sguil)[ OK ]<br>
>>> * snort_agent-2 (sguil)[ OK ]<br>
>>> * snort_agent-3 (sguil)[ OK ]<br>
>>> * snort-1 (alert data)[ OK ]<br>
>>> * snort-2 (alert data)[ OK ]<br>
>>> * snort-3 (alert data)[ OK ]<br>
>>> * barnyard2-1 (spooler, unified2 format)[ OK ]<br>
>>> * barnyard2-2 (spooler, unified2 format)[ OK ]<br>
>>> * barnyard2-3 (spooler, unified2 format)[ OK ]<br>
>>> * prads (sessions/assets)[ OK ]<br>
>>> * sancp_agent (sguil)[ OK ]<br>
>>> * pads_agent (sguil)[ OK ]<br>
>>> * argus[ OK ]<br>
>>> * http_agent (sguil)[ OK ]<br>
>>><br>
>>> =========================================================================<br>
>>> Interface Status<br>
>>> =========================================================================<br>
>>> eth0 Link encap:Ethernet HWaddr 00:50:45:5d:0e:2c<br>
>>> inet addr:NOPE Bcast:NOPE Mask:NOPE<br>
>>> inet6 addr: NOPE Scope:Link<br>
>>> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1<br>
>>> RX packets:191679 errors:0 dropped:0 overruns:0 frame:0<br>
>>> TX packets:25413 errors:0 dropped:0 overruns:0 carrier:0<br>
>>> collisions:0 txqueuelen:1000<br>
>>> RX bytes:19550240 (19.5 MB) TX bytes:2977185 (2.9 MB)<br>
>>> Interrupt:27<br>
>>><br>
>>> eth1 Link encap:Ethernet HWaddr NOPE<br>
>>> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500<br>
>>> Metric:1<br>
>>> RX packets:2286985 errors:0 dropped:0 overruns:0 frame:0<br>
>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br>
>>> collisions:0 txqueuelen:1000<br>
>>> RX bytes:1468904635 (1.4 GB) TX bytes:0 (0.0 B)<br>
>>> Interrupt:27<br>
>>><br>
>>> lo Link encap:Local Loopback<br>
>>> inet addr:NOPE Mask:NOPE<br>
>>> inet6 addr: NOPE Scope:Host<br>
>>> UP LOOPBACK RUNNING MTU:16436 Metric:1<br>
>>> RX packets:56157 errors:0 dropped:0 overruns:0 frame:0<br>
>>> TX packets:56157 errors:0 dropped:0 overruns:0 carrier:0<br>
>>> collisions:0 txqueuelen:0<br>
>>> RX bytes:53418305 (53.4 MB) TX bytes:53418305 (53.4 MB)<br>
>>><br>
>>><br>
>>> =========================================================================<br>
>>> Disk Usage<br>
>>> =========================================================================<br>
>>> Filesystem Size Used Avail Use% Mounted on<br>
>>> /dev/sda1 935G 772G 116G 87% /<br>
>>> udev 3.9G 4.0K 3.9G 1% /dev<br>
>>> tmpfs 1.6G 860K 1.6G 1% /run<br>
>>> none 5.0M 0 5.0M 0% /run/lock<br>
>>> none 3.9G 0 3.9G 0% /run/shm<br>
>>><br>
>>> =========================================================================<br>
>>> Network Sockets<br>
>>> =========================================================================<br>
>>><br>
>>> [Skipping this because I do not think it is important. There were \
no<br> >>> errors or anything in this part]<br>
>>><br>
>>> =========================================================================<br>
>>> IDS Rules Update<br>
>>> =========================================================================<br>
>>> Mon Mar 25 07:01:01 UTC 2013<br>
>>> Backing up current downloaded.rules file before it gets overwritten.<br>
>>> Cleaning up downloaded.rules backup files older than 30 days.<br>
>>> Running PulledPork.<br>
>>> <a href="http://code.google.com/p/pulledpork/" \
target="_blank">http://code.google.com/p/pulledpork/</a><br> >>> _____ \
____<br> >>> `----,\ )<br>
>>> `--==\\ / PulledPork v0.6.1 the Smoking Pig <////~<br>
>>> `--==\\/<br>
>>> .-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings<br>
>>> @_/ / 66\_ <a \
href="mailto:cummingsj@gmail.com">cummingsj@gmail.com</a><br> >>> | \ \
\ _(")<br> >>> \ /-| ||'--' Rules give me wings!<br>
>>> \_\ \_\\<br>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
>>> Checking latest MD5 for emerging.rules.tar.gz....<br>
>>> They Match<br>
>>> Done!<br>
>>> Prepping rules from emerging.rules.tar.gz for work....<br>
>>> Done!<br>
>>> Reading rules...<br>
>>> Generating Stub Rules....<br>
>>> Done<br>
>>> Reading rules...<br>
>>> Reading rules...<br>
>>> Reading rules...<br>
>>> Processing /etc/nsm/pulledpork/enablesid.conf....<br>
>>> Modified 0 rules<br>
>>> Done<br>
>>> Processing /etc/nsm/pulledpork/dropsid.conf....<br>
>>> Modified 0 rules<br>
>>> Done<br>
>>> Processing /etc/nsm/pulledpork/disablesid.conf....<br>
>>> Modified 0 rules<br>
>>> Done<br>
>>> Modifying Sids....<br>
>>> Done!<br>
>>> Setting Flowbit State....<br>
>>> Enabled 11 flowbits<br>
>>> Done<br>
>>> Writing /etc/nsm/rules/downloaded.rules....<br>
>>> Done<br>
>>> Writing /etc/nsm/rules/so_rules.rules....<br>
>>> Done<br>
>>> Generating sid-msg.map....<br>
>>> Done<br>
>>> Writing /etc/nsm/rules/sid-msg.map....<br>
>>> Done<br>
>>> Writing /var/log/sid_changes.log....<br>
>>> Done<br>
>>> Rule Stats....<br>
>>> New:-------0<br>
>>> Deleted:---0<br>
>>> Enabled Rules:----13845<br>
>>> Dropped Rules:----0<br>
>>> Disabled Rules:---3208<br>
>>> Total Rules:------17053<br>
>>> Done<br>
>>> Please review /var/log/sid_changes.log for additional details<br>
>>> Fly Piggy Fly!<br>
>>> Restarting Barnyard2.<br>
>>> Restarting: winning-eth0<br>
>>> * stopping: barnyard2-1 (spooler, unified2 format)[ OK ]<br>
>>> * starting: barnyard2-1 (spooler, unified2 format)[ OK ]<br>
>>> * stopping: barnyard2-2 (spooler, unified2 format)[ OK ]<br>
>>> * starting: barnyard2-2 (spooler, unified2 format)[ OK ]<br>
>>> * stopping: barnyard2-3 (spooler, unified2 format)[ OK ]<br>
>>> * starting: barnyard2-3 (spooler, unified2 format)[ OK ]<br>
>>> Restarting: winning-eth1<br>
>>> * stopping: barnyard2-1 (spooler, unified2 format)[ OK ]<br>
>>> * starting: barnyard2-1 (spooler, unified2 format)[ OK ]<br>
>>> * stopping: barnyard2-2 (spooler, unified2 format)[ OK ]<br>
>>> * starting: barnyard2-2 (spooler, unified2 format)[ OK ]<br>
>>> * stopping: barnyard2-3 (spooler, unified2 format)[ OK ]<br>
>>> * starting: barnyard2-3 (spooler, unified2 format)[ OK ]<br>
>>> Restarting IDS Engine.<br>
>>> Restarting: winning-eth0<br>
>>> * stopping: snort-1 (alert data)[ OK ]<br>
>>> * starting: snort-1 (alert data)[ OK ]<br>
>>> * stopping: snort-2 (alert data)[ OK ]<br>
>>> * starting: snort-2 (alert data)[ OK ]<br>
>>> * stopping: snort-3 (alert data)[ OK ]<br>
>>> * starting: snort-3 (alert data)[ OK ]<br>
>>> Restarting: winning-eth1<br>
>>> * stopping: snort-1 (alert data)[ OK ]<br>
>>> * starting: snort-1 (alert data)[ OK ]<br>
>>> * stopping: snort-2 (alert data)[ OK ]<br>
>>> * starting: snort-2 (alert data)[ OK ]<br>
>>> * stopping: snort-3 (alert data)[ OK ]<br>
>>> * starting: snort-3 (alert data)[ OK ]<br>
>>><br>
>>> =========================================================================<br>
>>> CPU Usage<br>
>>> =========================================================================<br>
>>> top - 21:16:22 up 1:22, 2 users, load average: 10.47, 10.93, \
11.52<br> >>> Tasks: 205 total, 11 running, 194 sleeping, 0 stopped, 0 \
zombie<br> >>> Cpu(s): 25.1%us, 52.3%sy, 5.0%ni, 12.1%id, 5.0%wa, 0.1%hi, \
0.5%si,<br> >>> 0.0%st<br>
>>> Mem: 8178204k total, 7765188k used, 413016k free, 436188k \
buffers<br> >>> Swap: 12474632k total, 7828k used, 12466804k free, \
3618300k cached<br> >>><br>
>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND<br>
>>> 14227 root 25 5 82004 20m 892 R 33 0.3 19:05.23 bro<br>
>>> 19789 root 25 5 153m 20m 920 R 31 0.3 6:10.10 bro<br>
>>> 14728 root 20 0 287m 105m 70m S 22 1.3 15:03.66 bro<br>
>>> 19838 root 25 5 65616 19m 820 S 22 0.2 5:38.00 bro<br>
>>> 14729 root 20 0 288m 107m 71m R 20 1.3 14:44.39 bro<br>
>>> 19918 root 20 0 205m 95m 68m S 20 1.2 5:05.09 bro<br>
>>> 19921 root 20 0 286m 104m 70m S 20 1.3 5:10.17 bro<br>
>>> 14726 root 20 0 206m 95m 68m R 16 1.2 14:59.93 bro<br>
>>> 19919 root 20 0 277m 95m 68m S 16 1.2 4:57.49 bro<br>
>>> 19929 root 25 5 130m 83m 64m R 16 1.1 3:21.29 bro<br>
>>> 14727 root 20 0 278m 95m 68m S 14 1.2 14:56.62 bro
>>> 19920 root 20 0 285m 104m 70m R 14 1.3 5:08.26 bro
>>> 20010 root 25 5 130m 83m 64m R 12 1.1 3:11.31 bro
>>> 14732 root 25 5 129m 83m 64m S 10 1.0 11:03.68 bro
>>> 14737 root 25 5 129m 83m 64m S 10 1.0 11:38.42 bro
>>> 19924 root 25 5 130m 83m 64m S 10 1.1 3:20.51 bro
>>> 19990 root 25 5 130m 83m 64m S 10 1.1 3:24.35 bro
>>> 14745 root 25 5 129m 83m 64m R 8 1.0 11:29.13 bro
>>> 14752 root 25 5 129m 83m 64m S 8 1.0 11:05.62 bro
>>> 14168 root 20 0 281m 26m 3932 S 4 0.3 1:14.69 bro
>>> 21012 sguil 20 0 539m 214m 10m S 4 2.7 1:05.61 snort
>>> 21158 sguil 20 0 540m 216m 10m S 4 2.7 1:04.54 snort
>>> 15 root 20 0 0 0 0 S 2 0.0 0:43.15 ksoftirqd/2
>>> 1400 mysql 20 0 1562m 244m 8068 S 2 3.1 5:47.58 mysqld
>>> 13450 root 20 0 17468 1276 868 R 2 0.0 0:00.01 top
>>> 19781 root 20 0 1577m 26m 3932 R 2 0.3 0:28.37 bro
>>> 19833 root 20 0 205m 22m 3916 R 2 0.3 0:26.95 bro
>>> 21097 sguil 20 0 538m 212m 10m S 2 2.7 0:55.58 snort
>>> 1 root 20 0 24588 2048 1296 S 0 0.0 0:00.90 init
>>> 2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
>>> 3 root 20 0 0 0 0 S 0 0.0 0:32.40 ksoftirqd/0
>>> 4 root 20 0 0 0 0 S 0 0.0 0:01.57 kworker/0:0
>>> 6 root RT 0 0 0 0 S 0 0.0 0:00.11 migration/0
>>> 7 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/0
>>> 8 root RT 0 0 0 0 S 0 0.0 0:00.10 migration/1
>>> 10 root 20 0 0 0 0 S 0 0.0 0:33.77 ksoftirqd/1
>>> 12 root RT 0 0 0 0 S 0 0.0 0:00.01 watchdog/1
>>> 13 root RT 0 0 0 0 S 0 0.0 0:00.10 migration/2
>>> 16 root RT 0 0 0 0 S 0 0.0 0:00.27 watchdog/2
>>> 17 root RT 0 0 0 0 S 0 0.0 0:00.29 migration/3
>>> 19 root 20 0 0 0 0 S 0 0.0 0:45.20 ksoftirqd/3
>>> 20 root RT 0 0 0 0 S 0 0.0 0:00.01 watchdog/3
>>> 21 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
>>> 22 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
>>> 23 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
>>> 24 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
>>> 25 root 20 0 0 0 0 S 0 0.0 0:00.04 kworker/u:1
>>> 26 root 20 0 0 0 0 S 0 0.0 0:00.00 sync_supers
>>> 27 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
>>> 28 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
>>> 29 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
>>> 30 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
>>> 31 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
>>> 32 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
>>> 33 root 20 0 0 0 0 S 0 0.0 0:00.00 khungtaskd
>>> 34 root 20 0 0 0 0 S 0 0.0 0:06.52 kswapd0
>>> 35 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "security-onion" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to security-onion+unsubscribe@googlegroups.com.
>>> To post to this group, send email to security-onion@googlegroups.com.
>>> Visit this group at
>>> http://groups.google.com/group/security-onion?hl=en-US.
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>>
>>
>>
>> --
>> Doug Burks
>> http://securityonion.blogspot.com
>>
--
Doug Burks
http://securityonion.blogspot.com

</div></div></blockquote></div><br>