output (so far) from sguild run in foreground
pid(854) Loading access list: ./sguild.access
pid(854) Sensor access list set to ALLOW ANY.
pid(854) Client access list set to ALLOW ANY.
pid(854) Email Configuration:
pid(854) Config file: ./sguild.email
pid(854) Enabled: No
pid(854) Connecting to localhost on 3306 as sguil
pid(854) MySQL Version: version 5.0.9-beta
pid(854) SguilDB Version: 0.11
pid(854) Creating event MERGE table.
pid(854) Creating tcphdr MERGE table.
pid(854) Creating udphdr MERGE table.
pid(854) Creating icmphdr MERGE table.
pid(854) Creating data MERGE table.
pid(856) Queryd Forked
pid(854) Retrieving DB info...
pid(854) SELECT hostname FROM sensor ORDER BY hostname ASC
pid(855) Loaderd Forked
pid(854) SELECT sid FROM sensor WHERE hostname='riffraff'
pid(854) SELECT ip FROM sensor WHERE hostname='riffraff'
pid(854) SELECT MAX(timestamp) FROM event WHERE sid=1
pid(854) Querying DB for archived events...
pid(854) SELECT event.status, event.priority, event.class, sensor.hostname,
event.timestamp, event.sid, event.cid, event.signature,
INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto,
event.src_port, event.dst_port, event.signature_id, event.signature_rev,
event.unified_event_id, unified_event_ref
FROM event
FORCE INDEX (status)
JOIN sensor ON event.sid=sensor.sid
WHERE event.status=0 ORDER BY event.timestamp ASC
pid(854) Archived Alert: 0 2 misc-attack riffraff {2006-06-20 01:35:09} 1 23181 {MISC UPnP malformed advertisement} 192.168.0.1 239.255.255.250 17 2052 1900 1384 8 1
(...)
{MISC UPnP malformed advertisement} 192.168.0.1 239.255.255.250 17 2052 1900 1384 8 20 20
pid(854) Querying DB for escalated events...
pid(854) SELECT event.status, event.priority, event.class, sensor.hostname,
event.timestamp, event.sid, event.cid, event.signature,
INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto,
event.src_port, event.dst_port
FROM event
FORCE INDEX (status)
JOIN sensor ON event.sid=sensor.sid
WHERE event.sid=sensor.sid AND event.status=2 ORDER BY event.timestamp ASC
pid(854) Retrieving DB info...
pid(854) Getting a list of tables.
pid(854) ...Getting info on data.
pid(854) ...Getting info on event.
pid(854) ...Getting info on history.
pid(854) ...Getting info on icmphdr.
pid(854) ...Getting info on nessus.
pid(854) ...Getting info on nessus_data.
pid(854) ...Getting info on portscan.
pid(854) ...Getting info on sancp.
pid(854) ...Getting info on sensor.
pid(854) ...Getting info on sessions.
pid(854) ...Getting info on status.
pid(854) ...Getting info on tcphdr.
pid(854) ...Getting info on udphdr.
pid(854) ...Getting info on user_info.
pid(854) ...Getting info on version.
pid(854) Sguild Initialized.
pid(854) Sensor agent connect from 127.0.0.1:53761 sock13
pid(854) Validating sensor access: 127.0.0.1 :
pid(854) Valid sensor agent: 127.0.0.1
pid(854) Sensor Data Rcvd: AgentInit riffraff 1
pid(854) No clients to send info msg to.
pid(854) Sent sock13: SensorID 1
pid(854) Sensor Data Rcvd: PONG
pid(854) Sensor Data Rcvd: BYEventRcvd sock5 0 1 23201 riffraff 21 21 {2006-06-20 01:49:41} 1 1384 8 {MISC UPnP malformed advertisement} {2006-06-20 01:49:41} 2 misc-attack 3232235521 192.168.0.1 4026531834 239.255.255.250 17 4 5 0 346 0 2 0 4 50415 {} {} {} {} {} 2052 1900 {} {} {} {} {} {} {} {} 326 7990 4E4F54494659202A20485454502F312E310D0A484F53543A203233392E3235352E3235352E3235303A313930300D0A43414348452D434F4E54524F4C3A206D61782D6167653D313830300D0A4C4F434154494F4E3A20687474703A2F2F3139322E3136382E302E313A35323836392F67617465646573632E786D6C0D0A4E543A2075706E703A726F6F746465766963650D0A4E54533A20737364703A616C6976650D0A5345525645523A204C696E75782F322E342E31375F6D766C32312D6D616C74612D6D6970735F66705F6C652C2055506E502F312E302C20496E74656C2053444B20666F722055506E502064657669636573202F312E320D0A55534E3A20757569643A31363061303230302D616339302D346230352D386164662D6635636363356135656261613A3A75706E703A726F6F746465766963650D0A0D0A
pid(854) Alert Received: 0 2 misc-attack riffraff {2006-06-20 01:49:41} 1 23201 {MISC UPnP malformed advertisement} 192.168.0.1 239.255.255.250 17 2052 1900 1384 8 21 21
(...)
pid(854) Sending sock14: IncrEvent 1.25161 19 2
pid(854) Sent sock13: Confirm sock5 25179
pid(854) Sensor Data Rcvd: BYEventRcvd sock5 0 1 25180 riffraff 2000 2000 {2006-06-21 01:33:56} 1 1384 8 {MISC UPnP malformed advertisement} {2006-06-21 01:33:56} 2 misc-attack 3232235521 192.168.0.1 4026531834 239.255.255.250 17 4 5 0 408 0 2 0 4 50353 {} {} {} {} {} 2052 1900 {} {} {} {} {} {} {} {} 388 21319 4E4F54494659202A20485454502F312E310D0A484F53543A203233392E3235352E3235352E3235303A313930300D0A43414348452D434F4E54524F4C3A206D61782D6167653D313830300D0A4C4F434154494F4E3A20687474703A2F2F3139322E3136382E302E313A35323836392F67617465646573632E786D6C0D0A4E543A2075726E3A736368656D61732D75706E702D6F72673A736572766963653A57414E4950436F6E6E656374696F6E3A310D0A4E54533A20737364703A616C6976650D0A5345525645523A204C696E75782F322E342E31375F6D766C32312D6D616C74612D6D6970735F66705F6C652C2055506E502F312E302C20496E74656C2053444B20666F722055506E502064657669636573202F312E320D0A55534E3A20757569643A36303830303763322D636437612D343234322D383061322D6563326161623364333336393A3A75726E3A736368656D61732D75706E702D6F72673A736572766963653A57414E4950436F6E6E656374696F6E3A310D0A0D0A
pid(854) Alert Received: 0 2 misc-attack riffraff {2006-06-21 01:33:56} 1 25180 {MISC UPnP malformed advertisement} 192.168.0.1 239.255.255.250 17 2052 1900 1384 8 2000 2000
pid(854) Sending sock14: IncrEvent 1.25161 20 2
pid(854) Sent sock13: Confirm sock5 25180
pid(854) Client Command Received: SendClientSensorStatusInfo
pid(854) Sending sock14: SensorStatusUpdate {riffraff {1 {2006-06-21 01:33:56} 1 1 Unknown}}
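The BYEventRcvd lines in the log above are Tcl lists: whitespace separates the fields, braces group a field that contains spaces, the source and destination addresses appear both as 32-bit integers (the INET_ATON form sguild stores in MySQL) and as dotted quads, and the last field is the alert's packet payload as a hex string. The following Python decoder is an added example, not part of the original post and not sguil's own code. It splits the Tcl list, converts the integer addresses back to dotted quads and cross-checks them against the dotted-quad fields, and decodes the hex payload as the SSDP NOTIFY it turns out to be. The field positions are an assumption inferred by lining the BYEventRcvd line up with the "Alert Received" line that follows it in this log, not taken from sguil's documentation.

```python
import socket
import struct

# BYEventRcvd message for cid 23201, copied from the sguild log above and
# rejoined into one line; the trailing hex string is the alert's packet payload.
SAMPLE_MSG = (
    "BYEventRcvd sock5 0 1 23201 riffraff 21 21 {2006-06-20 01:49:41} 1 1384 8 "
    "{MISC UPnP malformed advertisement} {2006-06-20 01:49:41} 2 misc-attack "
    "3232235521 192.168.0.1 4026531834 239.255.255.250 17 4 5 0 346 0 2 0 4 50415 "
    "{} {} {} {} {} 2052 1900 {} {} {} {} {} {} {} {} 326 7990 "
    "4E4F54494659202"
    "A20485454502F312E310D0A484F53543A203233392E3235352E3235352E3235303A313930300D0A43414348452D434F4E54524F4C3A2"
    "06D61782D6167653D313830300D0A4C4F434154494F4E3A20687474703A2F2F3139322E3136382E302E313A35323836392F676174656"
    "46573632E786D6C0D0A4E543A2075706E703A726F6F746465766963650D0A4E54533A20737364703A616C6976650D0A5345525645523"
    "A204C696E75782F322E342E31375F6D766C32312D6D616C74612D6D6970735F66705F6C652C2055506E502F312E302C20496E74656C2"
    "053444B20666F722055506E502064657669636573202F312E320D0A55534E3A20757569643A31363061303230302D616339302D34623"
    "0352D386164662D6635636363356135656261613A3A75706E703A726F6F746465766963650D0A0D0A"
)


def tcl_list_split(s):
    """Split a flat Tcl list: whitespace separates elements, {...} wraps one
    element that may contain spaces (inner braces must be balanced)."""
    items, i, n = [], 0, len(s)
    while i < n:
        while i < n and s[i].isspace():
            i += 1
        if i >= n:
            break
        if s[i] == "{":
            depth, j = 0, i
            while j < n:
                if s[j] == "{":
                    depth += 1
                elif s[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced braces in Tcl list")
            items.append(s[i + 1:j])  # braces themselves are not part of the value
            i = j + 1
        else:
            j = i
            while j < n and not s[j].isspace():
                j += 1
            items.append(s[i:j])
            i = j
    return items


def int_to_ip(value):
    """Reverse of MySQL INET_ATON: 3232235521 -> '192.168.0.1'."""
    return socket.inet_ntoa(struct.pack("!I", int(value)))


def parse_byevent(msg):
    """Pick the analyst-relevant fields out of a BYEventRcvd message.
    Field positions are an assumption derived from this log, not from sguil docs."""
    f = tcl_list_split(msg)
    if f[0] != "BYEventRcvd":
        raise ValueError("not a BYEventRcvd message: %r" % f[0])
    src_ip, dst_ip = int_to_ip(f[16]), int_to_ip(f[18])
    # The sensor sends both encodings; they must agree or the message is corrupt.
    if src_ip != f[17] or dst_ip != f[19]:
        raise ValueError("integer and dotted-quad addresses disagree")
    return {
        "sid": int(f[3]), "cid": int(f[4]), "sensor": f[5], "timestamp": f[8],
        "sig_id": int(f[10]), "sig_rev": int(f[11]), "signature": f[12],
        "priority": int(f[14]), "class": f[15],
        "src_ip": src_ip, "dst_ip": dst_ip, "ip_proto": int(f[20]),
        "src_port": int(f[35]), "dst_port": int(f[36]),
        "payload": bytes.fromhex(f[-1]),  # raises ValueError on odd/non-hex data
    }


def parse_ssdp(payload):
    """Decode an SSDP (HTTP-over-UDP) message: returns (start line, headers)."""
    text = payload.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # LOCATION/USN values contain ':' too
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers


if __name__ == "__main__":
    ev = parse_byevent(SAMPLE_MSG)
    start, hdr = parse_ssdp(ev["payload"])
    print("%s cid=%d %s %s:%d -> %s:%d proto=%d" % (
        ev["sensor"], ev["cid"], ev["signature"], ev["src_ip"], ev["src_port"],
        ev["dst_ip"], ev["dst_port"], ev["ip_proto"]))
    print(start)
    for k in ("HOST", "NT", "NTS", "LOCATION", "SERVER", "USN"):
        print("  %s: %s" % (k, hdr.get(k)))
```

Run stand-alone it prints the decoded alert: a multicast SSDP NOTIFY with NTS ssdp:alive from 192.168.0.1, advertising its root device description at http://192.168.0.1:52869/gatedesc.xml. That the same signature keeps firing with the same source, destination and ports (cid 23181 through 25180 in this log) is consistent with a gateway re-announcing itself at its max-age interval; decoding the payload this way is what lets an analyst confirm it rather than guess.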