
List:       sguil-devel
Subject:    Re: [Sguil-devel] Sguild-0.7.0 patch for correct
From:       Robin Gruyters <r.gruyters () yirdis ! nl>
Date:       2007-10-18 18:44:34
Message-ID: 20071018184434.GA60340 () server ! yirdis ! net



On Thu, Oct 18, 2007 at 08:31:53AM -0600, Bamm Visscher wrote:
> Okay, I am confused. Your sensor is named "monitor" and it's on the
> net "yirdis". Alerts should show up with the sensor name (monitor)
> associated with them, not with the net name. I think there you have a
> config issue. Is this screen shot w/or w/o your patches applied?
> 
Then I'm confused as well. I thought the idea of each net_name was to distinguish
each sensor from the others, even when they are running on the same host.
So basically, if I understand your explanation, hostname is the sensor name
(the same way as with 0.6.x), but what is the point of using the net_name?

In my case, I have multiple sensors running on a single host. In this case I
have a sensor called 'yirdis' running on host 'monitor'. (For test purposes, I
have only one sensor currently running in our test environment.)

The screenshot shown was without the patches that I created.

So why does Sguil show a new alert coming from a net_name (yirdis), but 
when I restart Sguild it shows the sensor name? (or in this case the 
hostname, monitor)

Kind regards,
-- 
Robin Gruyters
Network and Security Engineer
YIRDIS - Betronic Services
I: http://yirdis.com
I: http://betronic.nl
P: +31 (0)20 5659191
F: +31 (0)20 5659190



> On 10/17/07, R. Gruyters <r.gruyters@yirdis.nl> wrote:
> > > -----Original Message-----
> > > From: sguil-devel-bounces@lists.sourceforge.net
> > > [mailto:sguil-devel-bounces@lists.sourceforge.net] On Behalf
> > > Of Bamm Visscher
> > > Sent: Wednesday 17 October 2007 21:51
> > > To: sguil-devel@lists.sourceforge.net
> > > Subject: Re: [Sguil-devel] Sguild-0.7.0 patch for correct
> > > hostname <->net_name retrieval
> > >
> > > Okay, I think there is a misconfig going on here. Can you run
> > > these two mysql commands:
> > >
> > > SELECT * FROM sensor;
> > >
> > mysql> SELECT * FROM sensor;
> > +-----+----------+------------+----------+-----------+-------------+------------+---------------------+--------+------+------------+
> > | sid | hostname | agent_type | net_name | interface | description | bpf_filter | updated             | active | ip   | public_key |
> > +-----+----------+------------+----------+-----------+-------------+------------+---------------------+--------+------+------------+
> > |   1 | monitor  | sancp      | yirdis   | NULL      | NULL        | NULL       | 2007-10-02 15:40:08 | Y      | NULL | NULL       |
> > |   2 | monitor  | snort      | yirdis   | NULL      | NULL        | NULL       | 2007-10-03 11:55:34 | Y      | NULL | NULL       |
> > |   3 | monitor  | pcap       | yirdis   | NULL      | NULL        | NULL       | 2007-10-03 12:14:57 | Y      | NULL | NULL       |
> > +-----+----------+------------+----------+-----------+-------------+------------+---------------------+--------+------+------------+
> > 3 rows in set (0.00 sec)
> >
> >
> > > SELECT DISTINCT sid FROM event;
> > >
> > mysql> SELECT DISTINCT sid FROM event;
> > +-----+
> > | sid |
> > +-----+
> > |   2 |
> > +-----+
> > 1 row in set (0.00 sec)
> >
> >
> > Kind regards,
> >
> > Robin Gruyters
> > Network and Security Engineer
> > YIRDIS - Betronic Services
> > I: http://yirdis.nl
> > I: http://betronic.nl
> > P: +31(0)20 5659193
> > F: +31(0)20 5659190
> >
> >
> > >
> > > Bammkkkk
> > >
> > >
> > > On 10/17/07, Robin Gruyters <r.gruyters@yirdis.nl> wrote:
> > > > On Wed, Oct 17, 2007 at 08:31:07AM -0600, Bamm Visscher wrote:
> > > > > Robin,
> > > > >
> > > > > Can you provide more detail on the problems these patches "fix"?
> > > > >
> > > > Sure, but my previous message, which explained my problem, was rejected.
> > > >
> > > > Here is another go.
> > > >
> > > > Yesterday I got the following popup message when trying to update the
> > > > status on an alert entry:
> > > >
> > > > ERROR: Some events may not have been updated. Event(s) may be missing
> > > > from DB. See Sguild output for more information.
> > > >
> > > > When I checked the sguild message(s) in syslog, I noticed the following
> > > > message:
> > > >
> > > > [..]
> > > > Oct 16 13:19:59 monitor SGUILD: DB Error during: UPDATE
> > > > `event_monitor_20071009` SET status=1, last_modified='2007-10-16
> > > > 11:19:59', last_uid='2' WHERE sid=2 AND cid IN (54) : mysqlexec/db
> > > > server: Table 'sguildb.event_monitor_20071009' doesn't exist
> > > >
> > > > Oct 16 13:19:59 monitor SGUILD: ERROR: Number of updates mismatched
> > > > number of events.  Number of EVENTS:  1  Number of UPDATES:  0 Update
> > > > List: 2.54
> > > >
> > > > [..]
> > > >
> > > > Which is true, due to the fact that there is no sensor named 'monitor',
> > > > though sguild runs on our monitor server. I noticed this only when I
> > > > restart sguild. When the snort_agent sends an alert, it comes up with
> > > > the correct sensor name (in this case yirdis).
> > > >
> > > > To see my problem, check the following URL where a screenshot is located:
> > > > http://groovebasement.com/files/sguil-0.7.jpg
> > > >
> > > > As you can see, the 'old' alerts (located in the second pane) have
> > > > sensor name 'monitor', which isn't true. These alerts were from before I
> > > > restarted the Sguild daemon, and before that they showed up as
> > > > sensor name "yirdis". The alert located in the first pane is from after
> > > > the sguild restart, which shows the correct sensor name.
> > > >
> > > > As well, I noticed in the "Snort Statistics" pane that the sensor name
> > > > is still showing my hostname, not the actual sensor (or in Sguil's
> > > > case, net_group).
> > > >
> > > > Hope this explains my problem. If not, let me know.
> > > >
> > > > Kind regards,
> > > > --
> > > > Robin Gruyters
> > > > Network and Security Engineer
> > > > YIRDIS - Betronic Services
> > > > I: http://yirdis.com
> > > > I: http://betronic.nl
> > > > P: +31 (0)20 5659191
> > > > F: +31 (0)20 5659190
> > > >
> > > > > Bammkkkk
> > > > >
> > > > >
> > > > > On 10/17/07, R. Gruyters <r.gruyters@yirdis.nl> wrote:
> > > > > > Hi ya,
> > > > > >
> > > > > > Here is a small patch for fixing my last issue when restarting the
> > > > > > Sguild daemon. As well, it fixes the sensor name in the
> > > > > > "Snort statistics" pane.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Kind regards,
> > > > > >
> > > > > > Robin Gruyters
> > > > > > Network and Security Engineer
> > > > > > YIRDIS - Betronic Services
> > > > > > I: http://yirdis.nl
> > > > > > I: http://betronic.nl
> > > > > > P: +31(0)20 5659193
> > > > > > F: +31(0)20 5659190
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > ------------------------------------------------------------------
> > > > > > ------- This SF.net email is sponsored by: Splunk Inc.
> > > > > > Still grepping through log files to find problems?  Stop.
> > > > > > Now Search log events and configuration files using
> > > AJAX and a browser.
> > > > > > Download your FREE copy of Splunk now >> http://get.splunk.com/
> > > > > > _______________________________________________
> > > > > > Sguil-devel mailing list
> > > > > > Sguil-devel@lists.sourceforge.net
> > > > > > https://lists.sourceforge.net/lists/listinfo/sguil-devel
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > sguil - The Analyst Console for NSM
> > > > > http://sguil.sf.net
