int13h/squert

Transcript generation

Closed this issue · 2 comments

Clicking on EVENT ID starts an endless stream of processes (version 1.4.0):
www-data 22640 0.0 0.0 4296 604 ? S 10:03 0:00 sh -c ../.scripts/cliscript.tcl "htamme" "00-00-00-00-00-00" "2014-10-17 09:52:55" 2 192.168.xx.xx 192.168.yy.yy 54332 80
www-data 22641 0.4 0.0 35824 5248 ? S 10:03 0:00 /usr/local/bin/tclsh ../.scripts/cliscript.tcl htamme 00-00-00-00-00-00 2014-10-17 09:52:55 2 192.168.xx.xx 192.168.yy.yy 54332 80

Sguild daemon logs:
2014-10-17 07:03:55 pid(22414) Client Connect: 192.168.zz.zz 35681 sock105061b0
2014-10-17 07:03:55 pid(22414) Validating client access: 192.168.zz.zz
2014-10-17 07:03:55 pid(22414) Valid client access: 192.168.zz.zz
2014-10-17 07:03:55 pid(22414) Sending sock105061b0: SGUIL-0.9.0 OPENSSL ENABLED
2014-10-17 07:03:55 pid(22414) Client Command Received: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}
2014-10-17 07:03:56 pid(22414) Client Command Received: PING
2014-10-17 07:03:56 pid(22414) Client Command Received: ValidateUser htamme ********
2014-10-17 07:03:56 pid(22414) Sending sock105061b0: UserID 2
2014-10-17 07:03:56 pid(22414) Sending sock104afd00: InsertSystemInfoMsg sguild {User htamme logged in from 192.168.zz.zz}
2014-10-17 07:03:56 pid(22414) Client Command Received: CliScript {"00-00-00-00-00-00" "2014-10-17 09:52:55" 2 192.168.xx.xx 192.168.yy.yy 54332 80}
2014-10-17 07:03:56 pid(22414) Unrecognized command from sock105061b0: CliScript {"00-00-00-00-00-00" "2014-10-17 09:52:55" 2 192.168.xx.xx 192.168.yy.yy 54332 80}

Same request from sguil client succeeds (sguild daemon log):
2014-10-17 07:07:20 pid(22414) Client Command Received: XscriptRequest 00-00-00-00-00-00 2 .00-00-00-00-00-00_314115 {2014-10-17 09:52:40} 192.168.uu.uu 80 192.168.xx.xx 52120 1
2014-10-17 07:07:20 pid(22414) Sending 00-00-00-00-00-00: RawDataRequest 2 00-00-00-00-00-00 2014-10-17 09:52:40 192.168.uu.uu 192.168.xx.xx 52120 6 192.168.xx.xx:52120_192.168.uu.uu:80-6.raw xscript
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptDebugMsg .00-00-00-00-00-00_314115 {Raw data request sent to 00-00-00-00-00-00.}
2014-10-17 07:07:20 pid(22414) Sensor Data Rcvd: XscriptDebugMsg 2 {Making a list of local log files.}
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptDebugMsg .00-00-00-00-00-00_314115 {Making a list of local log files.}
2014-10-17 07:07:20 pid(22414) Sensor Data Rcvd: XscriptDebugMsg 2 {Looking in /var/log/tap/00-00-00-00-00-00/dailylogs/2014-10-17.}
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptDebugMsg .00-00-00-00-00-00_314115 {Looking in /var/log/tap/00-00-00-00-00-00/dailylogs/2014-10-17.}
2014-10-17 07:07:20 pid(22414) Sensor Data Rcvd: XscriptDebugMsg 2 {Making a list of local log files in /var/log/tap/00-00-00-00-00-00/dailylogs/2014-10-17.}
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptDebugMsg .00-00-00-00-00-00_314115 {Making a list of local log files in /var/log/tap/00-00-00-00-00-00/dailylogs/2014-10-17.}
2014-10-17 07:07:20 pid(22414) Sensor Data Rcvd: XscriptDebugMsg 2 {Available log files:}
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptDebugMsg .00-00-00-00-00-00_314115 {Available log files:}
2014-10-17 07:07:20 pid(22414) Sensor Data Rcvd: XscriptDebugMsg 2 {1413529627 1413529201 1413528930 1413528689 1413528503 1413528172 1413527708 1413527278 1413526808 1413526426 1413526122 1413525602 1413525382 1413524867 1413524002 1413522928 1413522001 1413518401 1413514802 1413511201 1413507601 1413504002}
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptDebugMsg .00-00-00-00-00-00_314115 {1413529627 1413529201 1413528930 1413528689 1413528503 1413528172 1413527708 1413527278 1413526808 1413526426 1413526122 1413525602 1413525382 1413524867 1413524002 1413522928 1413522001 1413518401 1413514802 1413511201 1413507601 1413504002}
2014-10-17 07:07:20 pid(22414) Sensor Data Rcvd: XscriptDebugMsg 2 {Creating unique data file: /usr/sbin/tcpdump -r /var/log/tap/00-00-00-00-00-00/dailylogs/2014-10-17/snort.log.1413529627 -w /tmp/192.168.xx.xx:52120_192.168.uu.uu:80-6.raw (ip and host 192.168.uu.uu and host 192.168.xx.xx and port 80 and port 52120 and proto 6) or (vlan and host 192.168.uu.uu and host 192.168.xx.xx and port 80 and port 52120 and proto 6)}
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptDebugMsg .00-00-00-00-00-00_314115 {Creating unique data file: /usr/sbin/tcpdump -r /var/log/tap/00-00-00-00-00-00/dailylogs/2014-10-17/snort.log.1413529627 -w /tmp/192.168.xx.xx:52120_192.168.uu.uu:80-6.raw (ip and host 192.168.uu.uu and host 192.168.xx.xx and port 80 and port 52120 and proto 6) or (vlan and host 192.168.uu.uu and host 192.168.xx.xx and port 80 and port 52120 and proto 6)}
2014-10-17 07:07:20 pid(22414) Sensor agent connect from 127.0.0.1:47057 sock10505ae0
2014-10-17 07:07:20 pid(22414) Validating sensor access: 127.0.0.1 :
2014-10-17 07:07:20 pid(22414) Valid sensor agent: 127.0.0.1
2014-10-17 07:07:20 pid(22414) Sensor Data Rcvd: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}
2014-10-17 07:07:20 pid(22414) Sensor Data Rcvd: RegisterAgent data 00-00-00-00-00-00 00-00-00-00-00-00
2014-10-17 07:07:20 pid(22414) Sensor Data Rcvd: RawDataFile 192.168.xx.xx:52120_192.168.uu.uu:80-6.raw 2 24
2014-10-17 07:07:20 pid(22414) Receiving rawdata file 192.168.xx.xx:52120_192.168.uu.uu:80-6.raw.
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptDebugMsg .00-00-00-00-00-00_314115 {Receiving raw file from sensor.}
DEBUG #### callback -> GenerateXscript /var/log/sguild/archive/2014-10-17/00-00-00-00-00-00/192.168.xx.xx:52120_192.168.uu.uu:80-6.raw sock104afd00 .00-00-00-00-00-00_314115 2
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 HDR
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 {Sensor Name: 00-00-00-00-00-00}
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 {Timestamp: 2014-10-17 09:52:40}
2014-10-17 07:07:20 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 {Connection ID: .00-00-00-00-00-00_314115}
2014-10-17 07:07:25 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 {Src IP: 192.168.xx.xx (Unknown)}
2014-10-17 07:07:30 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 {Dst IP: 192.168.uu.uu (Unknown)}
2014-10-17 07:07:30 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 {Src Port: 52120}
2014-10-17 07:07:30 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 {Dst Port: 80}
2014-10-17 07:07:30 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 { }
2014-10-17 07:07:30 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 {No Data Sent.}
2014-10-17 07:07:30 pid(22414) Sending sock104afd00: XscriptMainMsg .00-00-00-00-00-00_314115 DONE

I think you are just missing the sguild patches.

Take a look here:

https://github.com/int13h/sguil/blob/master/server/lib/SguildTranscript.tcl#L385-L401

and here:

https://github.com/int13h/sguil/blob/master/server/lib/SguildClientCmdRcvd.tcl#L122

I thought these had been merged into sguil base but I guess they haven't yet.

Add those two changes and let me know if it works.
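A quick way to confirm from the sguild daemon log whether the server is still missing the CliScript handling described above: the check below is an added example, not squert or sguil code, and assumes only the log line layout quoted in this issue (the sample lines, IPs and socket ids are constructed placeholders).

```python
import re

# Constructed sample of sguild daemon log lines, modelled on the ones quoted
# in the issue (addresses and socket ids are placeholders, not real values).
SAMPLE_LOG = """\
2014-10-17 07:03:55 pid(22414) Client Connect: 192.168.zz.zz 35681 sock105061b0
2014-10-17 07:03:56 pid(22414) Client Command Received: ValidateUser htamme ********
2014-10-17 07:03:56 pid(22414) Client Command Received: CliScript {"00-00-00-00-00-00" "2014-10-17 09:52:55" 2 192.168.xx.xx 192.168.yy.yy 54332 80}
2014-10-17 07:03:56 pid(22414) Unrecognized command from sock105061b0: CliScript {"00-00-00-00-00-00" "2014-10-17 09:52:55" 2 192.168.xx.xx 192.168.yy.yy 54332 80}
2014-10-17 07:07:20 pid(22414) Client Command Received: XscriptRequest 00-00-00-00-00-00 2 .00-00-00-00-00-00_314115 {2014-10-17 09:52:40} 192.168.uu.uu 80 192.168.xx.xx 52120 1
"""

# "Client Connect: <ip> <port> <socket>" ties a socket id to the client that owns it.
CONNECT_RE = re.compile(r"^(\S+ \S+) pid\(\d+\) Client Connect: (\S+) (\d+) (sock[0-9a-f]+)$")
# "Unrecognized command from <socket>: <command> ..." is what an unpatched sguild logs.
UNRECOG_RE = re.compile(r"^(\S+ \S+) pid\(\d+\) Unrecognized command from (sock[0-9a-f]+): (\S+)")


def find_unrecognized_commands(log_text):
    """Return one dict per 'Unrecognized command' line, joined to the client
    address that opened the socket (taken from the earlier Client Connect line)."""
    sock_to_client = {}
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            _ts, ip, port, sock = m.groups()
            sock_to_client[sock] = f"{ip}:{port}"
            continue
        m = UNRECOG_RE.match(line)
        if m:
            ts, sock, cmd = m.groups()
            findings.append({
                "time": ts,
                "socket": sock,
                "client": sock_to_client.get(sock, "unknown"),
                "command": cmd,
            })
    return findings


def missing_cliscript_support(log_text):
    """True when sguild rejected a CliScript command, i.e. the server still
    lacks the SguildClientCmdRcvd.tcl / SguildTranscript.tcl changes."""
    return any(f["command"] == "CliScript" for f in find_unrecognized_commands(log_text))
```

Run it over the live sguild log before and after applying the two patches; a remaining CliScript rejection means squert's cliscript.tcl will keep being re-spawned by the web UI.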

Hi!
You are correct. Sguild patched.
Everything is working now.

Thank you!