Re: [security-onion] Re: sguil.tk cannot connect to local host on 7734


Ryan Luke

Jul 10, 2012, 2:20:55 PM
to securit...@googlegroups.com
Not sure what happened but now the sguil server won't start:(

Status: securityonion
  * sguil server                                                       [ FAIL ]
Status: securityonion-eth1
  * pcap_agent (sguil)                                                 [ FAIL ]
  * sancp_agent (sguil)                                                [  OK  ]
  * snort_agent (sguil)                                                [ FAIL ]
  * pads_agent (sguil)                                                 [  OK  ]
  * snort (alert data)                                                 [  OK  ]
  * barnyard2 (spooler, unified2 format)                               [  OK  ]
  * sancp (session data)                                               [  OK  ]
  * pads (asset info)                                                  [  OK  ]
  * daemonlogger (full packet data)                                    [  OK  ]
  * argus                                                              [  OK  ]
  * http_agent (sguil)                                                 [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                                [  OK  ]
Status: Bro
Name       Type       Host       Status        Pid    Peers  Started           
bro        standalone localhost  running       2647   0      10 Jul 17:47:09


On Tue, Jul 10, 2012 at 11:44 AM, Ryan Luke <ryan...@googlemail.com> wrote:
On Tuesday, July 10, 2012 11:26:48 AM UTC-6, Ryan Luke wrote:
> Hello,
>
>    I tried the steps in the FAQ and I am still unable to connect to the sguil database.  I can authenticate to squert with no issues.  On the latest version of SO.
>
>
> **********************************************
> * Upgrading from 20120511 to 20120518.
> **********************************************
> * Downloading securityonion-reassembler_20120518_i386.deb...OK
> * Installing downloaded packages...Selecting previously deselected package securityonion-reassembler.
> (Reading database ... 227849 files and directories currently installed.)
> Unpacking securityonion-reassembler (from securityonion-reassembler_20120518_i386.deb) ...
> Setting up securityonion-reassembler (20120518) ...
> OK
> * Upgrade to 20120518 complete.
>
> tclsh      3800     root   39u  IPv4 782017      0t0  TCP 127.0.0.1:43068->127.0.0.1:7736 (CLOSE_WAIT)
>
> 7734/tcp                   ALLOW       Anywhere
> 7736/tcp                   ALLOW       Anywhere

Executing: sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
ERROR: This version of tcl was compile with threading enabled. Sguil is NOT compatible with threading.
SGUILD: Exiting...

Tried the commands to revert the tcl back and none of the commands worked as expected.





--

:)Ryan(:

Doug Burks

Jul 10, 2012, 3:03:31 PM
to securit...@googlegroups.com
Hi Ryan,

The Sguil server won't start because somehow the threaded tcl package
got installed and Sguild requires the non-threaded tcl package.

Did you follow the Installation guide?
http://code.google.com/p/security-onion/wiki/Installation

Did you install any additional software?

Have you seen this page?
http://code.google.com/p/security-onion/wiki/tcl

If all else fails, you can perform a fresh installation and everything
should work fine.

Hope that helps!

Thanks,
Doug
--
Doug Burks
http://securityonion.blogspot.com

Ryan Luke

Jul 10, 2012, 3:07:43 PM
to securit...@googlegroups.com
I did try all the above and it still won't work.  I did install vnc4server but I had it installed before and Sguil worked fine.  Can I just rerun the setup script on the Ubuntu desktop and reconfigure the server that way?
--

:)Ryan(:

Doug Burks

Jul 10, 2012, 3:16:17 PM
to securit...@googlegroups.com
No, the Setup script will not fix the tcl packages.

What is the output of the following?
dpkg -l |grep tk8
dpkg -l |grep itk
dpkg -l |grep tcl
dpkg -l |grep iwidgets

Thanks,
Doug

Ryan Luke

Jul 10, 2012, 3:19:42 PM
to securit...@googlegroups.com
rluke@securityonion:/usr/local/bin$ dpkg -l |grep tk8
hi  tk8.5          8.5.8-1       Tk toolkit for Tcl and X11, v8.5 - run-time files
rluke@securityonion:/usr/local/bin$ dpkg -l |grep itk
hc  itk3           3.3-2         [incr Tk] OOP extension for Tk - run-time files
rluke@securityonion:/usr/local/bin$ dpkg -l |grep tcl
hc  itcl3          3.4~b1-2      [incr Tcl] OOP extension for Tcl - run-time files
ii  mysqltcl       3.05-3        Interface to the MySQL database for the Tcl language
ii  tcl-tls        1.5.0.dfsg-9  the TLS OpenSSL extension to Tcl
hi  tcl8.3         8.3.5-14      Tcl (the Tool Command Language) v8.3 - run-time files
hi  tcl8.4         8.4.19-4      Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5         8.5.8-2       Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib         1.12-dfsg-2   the Standard Tcl Library
hi  tclx8.3        8.3.5-6       Extended Tcl (TclX) version 8.3.5 -- TclX runtime package
ii  tclx8.4        8.4.0-3       Extended Tcl (TclX) - shared library
rluke@securityonion:/usr/local/bin$ dpkg -l |grep iwidgets
ii  iwidgets4-doc  4.0.1-5       [incr Widgets] Tk-based widget collection - man pages

Thanks
--

:)Ryan(:

Doug Burks

Jul 10, 2012, 3:29:50 PM
to securit...@googlegroups.com
Looks like your version number for tk8.5 is 8.5.8-1 when it should be 8.5.8-2.

Are you sure you followed the instructions here?
http://code.google.com/p/security-onion/wiki/tcl

It should have installed version 8.5.8-2. Please try following those
steps again and report any errors.

Thanks,
Doug
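As an added example (not code from this thread or from Security Onion itself), a POSIX sh audit of the two things Doug keeps asking Ryan to verify: that each Tcl/Tk package is at the expected build and on hold in dpkg, and whether the tclsh on the path is a threaded build. Expected versions for tcl8.5/tk8.5 (8.5.8-2), itcl3 and itk3 are taken from this thread; the iwidgets4 version is assumed from the iwidgets4-doc listing, and the sample dpkg listing is constructed from Ryan's output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion.
# Audits the Tcl/Tk packages a Sguil server depends on: each must be at the
# expected build (tcl8.5/tk8.5 must be the 8.5.8-2 non-threaded rebuild) and
# on hold so apt-get cannot swap the stock threaded build back in.
# The listing below is constructed from Ryan's dpkg -l output, trimmed.

SAMPLE_DPKG='hi  tk8.5      8.5.8-1      Tk toolkit for Tcl and X11, v8.5 - run-time files
hc  itk3       3.3-2        [incr Tk] OOP extension for Tk - run-time files
hi  tcl8.5     8.5.8-2      Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib     1.12-dfsg-2  the Standard Tcl Library'

# check_pkg LISTING PACKAGE EXPECTED_VERSION
# Reads "dpkg -l" style lines from LISTING and prints one verdict:
#   OK                 installed, right version, on hold ("hi")
#   NOT_HELD           installed at the right version but not held ("ii")
#   WRONG_VERSION:<v>  installed, but a different build than expected
#   CONFIG_ONLY        only config files remain ("hc"/"rc"), i.e. removed
#   NOT_INSTALLED      no line for that package at all
# Exit status is 0 only for OK.
check_pkg() {
    listing=$1; pkg=$2; want=$3
    line=$(printf '%s\n' "$listing" | awk -v p="$pkg" '$2 == p { print; exit }')
    if [ -z "$line" ]; then
        echo NOT_INSTALLED
        return 1
    fi
    # Column 1 is dpkg's desired/actual state pair: h=hold, i=install (desired);
    # i=installed, c=config-files (actual). Column 3 is the package version.
    state=$(printf '%s\n' "$line" | awk '{ print $1 }')
    ver=$(printf '%s\n' "$line" | awk '{ print $3 }')
    case "$state" in
        hc|rc|ic) echo CONFIG_ONLY; return 1 ;;
    esac
    if [ "$ver" != "$want" ]; then
        echo "WRONG_VERSION:$ver"
        return 1
    fi
    case "$state" in
        hi) echo OK; return 0 ;;
        ii) echo NOT_HELD; return 1 ;;
        *)  echo "UNEXPECTED_STATE:$state"; return 1 ;;
    esac
}

# audit_sguil_tcl LISTING
# Runs check_pkg over the packages the wiki fix installs and holds, printing
# "pkg verdict" per line; returns 0 only if every package is OK.
# iwidgets4=4.0.1-5 is an assumption taken from the iwidgets4-doc version.
audit_sguil_tcl() {
    rc=0
    for spec in tcl8.5=8.5.8-2 tk8.5=8.5.8-2 itcl3=3.4~b1-2 itk3=3.3-2 iwidgets4=4.0.1-5; do
        pkg=${spec%%=*}; want=${spec#*=}
        verdict=$(check_pkg "$1" "$pkg" "$want") || rc=1
        echo "$pkg $verdict"
    done
    return $rc
}

# Live check of the property sguild refuses to start with: tcl_platform(threaded)
# is only defined when the interpreter was built with thread support, so a
# non-threaded tclsh prints 0 and a threaded one prints 1.
tcl_threaded() {
    command -v tclsh >/dev/null 2>&1 || { echo "tclsh not found"; return 2; }
    echo 'puts [info exists ::tcl_platform(threaded)]' | tclsh
}

# Usage on a live server:
#   audit_sguil_tcl "$(dpkg -l)"; printf 'tcl threaded: %s\n' "$(tcl_threaded)"
```

Against the constructed listing the audit reports tk8.5 as WRONG_VERSION:8.5.8-1 and itk3 as CONFIG_ONLY, which is exactly the state Ryan's listings show.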

Ryan Luke

Jul 10, 2012, 3:41:24 PM
to securit...@googlegroups.com
The link to sourceforge is no longer available. 
--

:)Ryan(:

Doug Burks

Jul 10, 2012, 3:48:21 PM
to securit...@googlegroups.com
The link appears to be correct, but I think the wiki may have some
extraneous character encoding.

Try this (works for me):
wget http://sourceforge.net/projects/security-onion/files/20110607/tcl8.5_8.5.8-2_i386.deb

Doug

Ryan Luke

Jul 10, 2012, 3:52:58 PM
to securit...@googlegroups.com
I manually downloaded the package earlier and ran it.

rluke@securityonion:~$ ls tcl8.5_8.5.8-2_i386.deb
tcl8.5_8.5.8-2_i386.deb

rluke@securityonion:~$ dpkg -i tcl8.5_8.5.8-2_i386.deb
dpkg: requested operation requires superuser privilege
rluke@securityonion:~$ sudo dpkg -i tcl8.5_8.5.8-2_i386.deb
(Reading database ... 224592 files and directories currently installed.)
Preparing to replace tcl8.5 8.5.8-2 (using tcl8.5_8.5.8-2_i386.deb) ...
Unpacking replacement tcl8.5 ...
Setting up tcl8.5 (8.5.8-2) ...

Processing triggers for man-db ...
Processing triggers for menu ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place


Do I now run the rest of the commands?  It seems like the package does not install.
--

:)Ryan(:

Doug Burks

Jul 10, 2012, 3:56:58 PM
to securit...@googlegroups.com
sudo dpkg -i tcl8.5_8.5.8-2_i386.deb
(Reading database ... 224592 files and directories currently installed.)
Preparing to replace tcl8.5 8.5.8-2 (using tcl8.5_8.5.8-2_i386.deb) ...
Unpacking replacement tcl8.5 ...
Setting up tcl8.5 (8.5.8-2) ...
Processing triggers for man-db ...
Processing triggers for menu ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place

This looks like it did install correctly. Can you confirm with the
following command?
dpkg -l |grep tcl

If it shows the correct version (8.5.8-2), then proceed with the rest
of the steps.

Thanks,
Doug

Ryan Luke

Jul 10, 2012, 4:00:06 PM
to securit...@googlegroups.com
rluke@securityonion:~$ dpkg -l |grep tcl
hc  itcl3                                                                3.4~b1-2                                        [incr Tcl] OOP extension for Tcl - run-time files
ii  mysqltcl                                                             3.05-3                                          Interface to the MySQL database for the Tcl language
ii  tcl-tls                                                              1.5.0.dfsg-9                                    the TLS OpenSSL extension to Tcl
hi  tcl8.3                                                               8.3.5-14                                        Tcl (the Tool Command Language) v8.3 - run-time files
hi  tcl8.4                                                               8.4.19-4                                        Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5                                                               8.5.8-2                                         Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib                                                               1.12-dfsg-2                                     the Standard Tcl Library
hi  tclx8.3                                                              8.3.5-6                                         Extended Tcl (TclX) version 8.3.5 -- TclX runtime package
ii  tclx8.4                                                              8.4.0-3                                         Extended Tcl (TclX) - shared library


--

:)Ryan(:

Doug Burks

Jul 10, 2012, 4:02:50 PM
to securit...@googlegroups.com
tcl8.5 is showing version number 8.5.8-2, so this looks good.
Doug

Ryan Luke

Jul 10, 2012, 4:02:04 PM
to securit...@googlegroups.com
Thanks for responding so quickly, I have been battling this server all day :(

Here is the output of all the commands I ran from the FAQ.

rluke@securityonion:~$ sudo dpkg -r tcl tcl8.3-dev tk8.4 itcl3 itk3 iwidgets4
dpkg: warning: ignoring request to remove tcl which isn't installed.
dpkg: warning: ignoring request to remove tcl8.3-dev which isn't installed.
dpkg: warning: ignoring request to remove tk8.4 which isn't installed.
dpkg: warning: ignoring request to remove itcl3, only the config
 files of which are on the system. Use --purge to remove them too.
dpkg: warning: ignoring request to remove itk3, only the config
 files of which are on the system. Use --purge to remove them too.
dpkg: warning: ignoring request to remove iwidgets4 which isn't installed.

rluke@securityonion:~$ sudo dpkg -i tcl8.5_8.5.8-2_i386.deb
(Reading database ... 224592 files and directories currently installed.)
Preparing to replace tcl8.5 8.5.8-2 (using tcl8.5_8.5.8-2_i386.deb) ...
Unpacking replacement tcl8.5 ...
Setting up tcl8.5 (8.5.8-2) ...

Processing triggers for man-db ...
Processing triggers for menu ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
rluke@securityonion:~$ sudo apt-get -y install tk8.5 itcl3 itk3 iwidgets4 expect
Reading package lists... Done
Building dependency tree
Reading state information... Done
tk8.5 is already the newest version.
expect is already the newest version.
You might want to run `apt-get -f install' to correct these:
The following packages have unmet dependencies:
  libbreakpoint-ruby1.8: Depends: ruby but it is not going to be installed
  libmmap-ruby1.8: Depends: ruby but it is not going to be installed
E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).
rluke@securityonion:~$ sudo update-alternatives --set tclsh /usr/bin/tclsh8.5
rluke@securityonion:~$ sudo wajig hold tcl8.5 tk8.5 tcl8.4 itcl3 itk3 iwidgets4
The following packages are on hold:
itcl3
itk3
tcl8.3
tcl8.4
tcl8.5
tclx8.3
tk8.5
--

:)Ryan(:

Doug Burks

Jul 10, 2012, 4:09:39 PM
to securit...@googlegroups.com
So does Sguil start now?
Doug

Ryan Luke

Jul 10, 2012, 4:14:24 PM
to securit...@googlegroups.com
Nope:(

rluke@securityonion:/var/log/nsm/securityonion$ ls
sguild.log                 sguild.log.20120710152606  sguild.log.20120710165507  sguild.log.20120710180051  sguild.log.20120710182316  sguild.log.20120710201320
sguild.log.20120709204217  sguild.log.20120710153459  sguild.log.20120710174031  sguild.log.20120710180449  sguild.log.20120710182405
rluke@securityonion:/var/log/nsm/securityonion$ tail sguild.log

Executing: sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
ERROR: This version of tcl was compile with threading enabled. Sguil is NOT compatible with threading.
SGUILD: Exiting...


--

:)Ryan(:

Doug Burks

Jul 10, 2012, 4:17:15 PM
to securit...@googlegroups.com
What is the output of the following now?
dpkg -l |grep tk8
dpkg -l |grep itk
dpkg -l |grep tcl
dpkg -l |grep iwidgets

Ryan Luke

Jul 10, 2012, 4:22:51 PM
to securit...@googlegroups.com
I just rebooted the server and the same error came up when I ran the command.

rluke@securityonion:~$ sudo service nsm restart
Restarting: securityonion
cat: /var/run/nsm/securityonion/sguild.pid: No such file or directory
  * stopping: sguil server (not running)                               [ WARN ]
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
  * starting: sguil server                                             [ FAIL ]
    - check /var/log/nsm/securityonion/sguild.log for error messages
Restarting: securityonion-eth1
  * stopping: pcap_agent (sguil)                                       [  OK  ]
  * starting: pcap_agent (sguil)                                       [  OK  ]
  * stopping: sancp_agent (sguil)                                      [  OK  ]
  * starting: sancp_agent (sguil)                                      [  OK  ]
  * stopping: snort_agent (sguil)                                      [  OK  ]
  * starting: snort_agent (sguil)                                       [  OK  ]
  * stopping: snort (alert data)                                        [  OK  ]
  * starting: snort (alert data)                                        [  OK  ]
  * stopping: barnyard2 (spooler, unified2 format)                      [  OK  ]
  * starting: barnyard2 (spooler, unified2 format)                      [  OK  ]
  * stopping: sancp (session data)                                      [  OK  ]
  * starting: sancp (session data)                                      [  OK  ]
  * stopping: pads (asset info)                                         [  OK  ]
  * starting: pads (asset info)                                         [  OK  ]
  * stopping: pads_agent (sguil)                                        [  OK  ]
  * starting: pads_agent (sguil)                                        [  OK  ]
  * restarting with overlap: daemonlogger (full packet data)
  * starting: daemonlogger (full packet data)                           [  OK  ]
    - stopping old process: daemonlogger (full packet data)             [  OK  ]
  * stopping: argus                                                     [  OK  ]
  * starting: argus                                                     [  OK  ]
  * stopping: http_agent (sguil)                                        [  OK  ]
  * starting: http_agent (sguil)                                        [  OK  ]
Restarting: HIDS
  * stopping: ossec_agent (sguil)                                       [  OK  ]
  * starting: ossec_agent (sguil)                                       [  OK  ]
Restarting: Bro
stopping bro ...
starting bro ...
--

:)Ryan(:

Doug Burks

Jul 10, 2012, 4:24:41 PM
to securit...@googlegroups.com
What is the output of the following now?
dpkg -l |grep tk8
dpkg -l |grep itk
dpkg -l |grep tcl
dpkg -l |grep iwidgets

Ryan Luke

Jul 10, 2012, 4:26:52 PM
to securit...@googlegroups.com
Could the issue with the packages be related to the ruby dependencies mentioned when I run the following?

rluke@securityonion:~$ sudo apt-get update && sudo apt-get dist-upgrade
Hit http://inundator.sourceforge.net all/ Release.gpg
Ign http://inundator.sourceforge.net/repo/ all/ Translation-en_US
Hit http://inundator.sourceforge.net all/ Release
Ign http://www.geekconnection.org karmic/ Release.gpg
Get:1 http://us.archive.ubuntu.com lucid Release.gpg [189B]
Ign http://us.archive.ubuntu.com/ubuntu/ lucid/main Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ lucid/restricted Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ lucid/universe Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ lucid/multiverse Translation-en_US
Get:2 http://us.archive.ubuntu.com lucid-updates Release.gpg [198B]
Ign http://us.archive.ubuntu.com/ubuntu/ lucid-updates/main Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ lucid-updates/restricted Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ lucid-updates/universe Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ lucid-updates/multiverse Translation-en_US
Ign http://www.geekconnection.org/remastersys/repository/ karmic/ Translation-en_US
Get:3 http://security.ubuntu.com lucid-security Release.gpg [198B]
Ign http://security.ubuntu.com/ubuntu/ lucid-security/main Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ lucid-security/restricted Translation-en_US
Ign http://inundator.sourceforge.net all/ Packages
Ign http://www.geekconnection.org karmic/ Release
Get:4 http://us.archive.ubuntu.com lucid Release [57.2kB]
Ign http://inundator.sourceforge.net all/ Packages
Hit http://widehat.opensuse.org ./ Release.gpg
Ign http://widehat.opensuse.org/repositories/home:/pstavirs:/ostinato/xUbuntu_10.04/ ./ Translation-en_US
Ign http://www.geekconnection.org karmic/ Packages
Ign http://security.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ lucid-security/multiverse Translation-en_US
Get:5 http://security.ubuntu.com lucid-security Release [57.3kB]
Hit http://inundator.sourceforge.net all/ Packages
Ign http://www.geekconnection.org karmic/ Packages
Hit http://widehat.opensuse.org ./ Release
Hit http://www.geekconnection.org karmic/ Packages
Get:6 http://us.archive.ubuntu.com lucid-updates Release [57.3kB]
Ign http://widehat.opensuse.org ./ Packages
Get:7 http://us.archive.ubuntu.com lucid/main Packages [1,386kB]
Ign http://widehat.opensuse.org ./ Packages
Get:8 http://security.ubuntu.com lucid-security/main Packages [419kB]
Hit http://widehat.opensuse.org ./ Packages
Get:9 http://us.archive.ubuntu.com lucid/restricted Packages [6,208B]
Get:10 http://us.archive.ubuntu.com lucid/main Sources [659kB]
Get:11 http://us.archive.ubuntu.com lucid/restricted Sources [3,775B]
Get:12 http://us.archive.ubuntu.com lucid/universe Packages [5,448kB]
Get:13 http://security.ubuntu.com lucid-security/restricted Packages [2,855B]
Get:14 http://security.ubuntu.com lucid-security/main Sources [125kB]
Get:15 http://security.ubuntu.com lucid-security/restricted Sources [1,259B]
Get:16 http://security.ubuntu.com lucid-security/universe Packages [131kB]
Get:17 http://security.ubuntu.com lucid-security/universe Sources [40.8kB]
Get:18 http://security.ubuntu.com lucid-security/multiverse Packages [5,370B]
Get:19 http://security.ubuntu.com lucid-security/multiverse Sources [2,316B]
Get:20 http://us.archive.ubuntu.com lucid/universe Sources [3,165kB]
Get:21 http://us.archive.ubuntu.com lucid/multiverse Packages [180kB]
Get:22 http://us.archive.ubuntu.com lucid/multiverse Sources [119kB]
Get:23 http://us.archive.ubuntu.com lucid-updates/main Packages [619kB]
Get:24 http://us.archive.ubuntu.com lucid-updates/restricted Packages [4,617B]
Get:25 http://us.archive.ubuntu.com lucid-updates/main Sources [224kB]
Get:26 http://us.archive.ubuntu.com lucid-updates/restricted Sources [2,194B]
Get:27 http://us.archive.ubuntu.com lucid-updates/universe Packages [270kB]
Get:28 http://us.archive.ubuntu.com lucid-updates/universe Sources [101kB]
Get:29 http://us.archive.ubuntu.com lucid-updates/multiverse Packages [11.5kB]
Get:30 http://us.archive.ubuntu.com lucid-updates/multiverse Sources [5,818B]
Fetched 13.1MB in 13s (959kB/s)
Reading package lists... Done

Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run `apt-get -f install' to correct these.

The following packages have unmet dependencies:
  libbreakpoint-ruby1.8: Depends: ruby but it is not installed
  libmmap-ruby1.8: Depends: ruby but it is not installed
E: Unmet dependencies. Try using -f.
--

:)Ryan(:

Doug Burks

Jul 10, 2012, 4:29:24 PM
to securit...@googlegroups.com
I don't think so since Sguil doesn't use Ruby. I've asked a couple of
times now, but I'll ask again: What is the output of the following
now?
dpkg -l |grep tk8
dpkg -l |grep itk
dpkg -l |grep tcl
dpkg -l |grep iwidgets

Doug

Ryan Luke

Jul 10, 2012, 4:31:13 PM
to securit...@googlegroups.com
I apologize, the commands you wanted me to run were truncated in the email.

rluke@securityonion:~$ dpkg -l |grep tk8
hi  tk8.5                                                                8.5.8-1                                         Tk toolkit for Tcl and X11, v8.5 - run-time files
rluke@securityonion:~$ dpkg -l |grep itk
hc  itk3                                                                 3.3-2                                           [incr Tk] OOP extension for Tk - run-time files
rluke@securityonion:~$ dpkg -l |grep tcl
hc  itcl3                                                                3.4~b1-2                                        [incr Tcl] OOP extension for Tcl - run-time files
ii  mysqltcl                                                             3.05-3                                          Interface to the MySQL database for the Tcl language
ii  tcl-tls                                                              1.5.0.dfsg-9                                    the TLS OpenSSL extension to Tcl
hi  tcl8.3                                                               8.3.5-14                                        Tcl (the Tool Command Language) v8.3 - run-time files
hi  tcl8.4                                                               8.4.19-4                                        Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5                                                               8.5.8-2                                         Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib                                                               1.12-dfsg-2                                     the Standard Tcl Library
hi  tclx8.3                                                              8.3.5-6                                         Extended Tcl (TclX) version 8.3.5 -- TclX runtime package
ii  tclx8.4                                                              8.4.0-3                                         Extended Tcl (TclX) - shared library
rluke@securityonion:~$ dpkg -l |grep iwidgets
ii  iwidgets4-doc                                                        4.0.1-5                                         [incr Widgets] Tk-based widget collection - man pages
rluke@securityonion:~$
--

:)Ryan(:

Ryan Luke

Jul 10, 2012, 4:32:38 PM
to securit...@googlegroups.com
rluke@securityonion:~$ dpkg -l |grep iwidgets
ii  iwidgets4-doc                                                        4.0.1-5                                         [incr Widgets] Tk-based widget collection - man pages
rluke@securityonion:~$ ^C
rluke@securityonion:~$ sudo aptitude search iwidgets4
pi  iwidgets4                                                                                                      - [incr Widgets] Tk-based widget collection - run-time files
i   iwidgets4-doc                                                                                                  - [incr Widgets] Tk-based widget collection - man pages
rluke@securityonion:~$ sudo aptitude install iwidgets4

Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
The following packages are BROKEN:
  iwidgets4 libbreakpoint-ruby1.8 libmmap-ruby1.8
The following partially installed packages will be configured:
  libruby1.8-extras
0 packages upgraded, 1 newly installed, 0 to remove and 62 not upgraded.
Need to get 0B/279kB of archives. After unpacking 1,602kB will be used.

The following packages have unmet dependencies:
  libmmap-ruby1.8: Depends: ruby but it is not installable
  iwidgets4: Depends: itk3 but it is not installable
  libbreakpoint-ruby1.8: Depends: ruby but it is not installable
The following actions will resolve these dependencies:

Install the following packages:
itcl3 [3.4~b1-2 (lucid, now)]
itk3 [3.3-2 (lucid, now)]
ruby [4.2 (lucid)]

Score is 23

Accept this solution? [Y/n/q/?]
--

:)Ryan(:

Doug Burks

Jul 10, 2012, 4:42:28 PM
to securit...@googlegroups.com
I think if you install the stock Ubuntu ruby package (as requested by
aptitude), then you're going to have problems with Snorby.

Where did libmmap-ruby and libbreakpoint-ruby come from? Can you remove them?

Doug

Ryan Luke

Jul 10, 2012, 4:48:41 PM
to securit...@googlegroups.com
rluke@securityonion:~$ sudo aptitude remove libmmap-ruby1.8

Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following packages are BROKEN:
  libbreakpoint-ruby1.8 libruby1.8-extras
The following packages will be REMOVED:
  libmmap-ruby1.8
0 packages upgraded, 0 newly installed, 1 to remove and 62 not upgraded.
Need to get 0B of archives. After unpacking 86.0kB will be freed.

The following packages have unmet dependencies:
  libbreakpoint-ruby1.8: Depends: ruby but it is not installable
  libruby1.8-extras: Depends: libmmap-ruby1.8 but it is not installable

The following actions will resolve these dependencies:

Remove the following packages:
libbreakpoint-ruby1.8
libruby1.8-extras

Score is 188

Accept this solution? [Y/n/q/?] Y
The following packages will be REMOVED:
  libbreakpoint-ruby1.8{a} libmmap-ruby1.8 libruby1.8-extras{a} rubygems1.8{u}
0 packages upgraded, 0 newly installed, 4 to remove and 62 not upgraded.
Need to get 0B of archives. After unpacking 1,081kB will be freed.
Do you want to continue? [Y/n/?] y

Writing extended state information... Done
(Reading database ... 224591 files and directories currently installed.)
Removing libruby1.8-extras ...
Removing libbreakpoint-ruby1.8 ...
Removing libmmap-ruby1.8 ...
Removing rubygems1.8 ...

Processing triggers for man-db ...
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done

Current status: 0 broken [-2].
--

:)Ryan(:

Doug Burks

Jul 10, 2012, 4:52:04 PM
to securit...@googlegroups.com
Since that appears to be fixed, please try the tcl fixes again:
http://code.google.com/p/security-onion/wiki/tcl

Then list out the packages as before.

Thanks,
Doug

Ryan Luke

Jul 10, 2012, 5:06:56 PM
to securit...@googlegroups.com
It looks like iwidgets4 is not installed.  I tried to install it multiple times. 

On Tue, Jul 10, 2012 at 3:06 PM, Ryan Luke <ryan...@googlemail.com> wrote:
Thank you for your excellent level of support:)  Here is the output of the commands after I ran the updates.


rluke@securityonion:~$ dpkg -l |grep tk8
hi  tk8.5                                                                8.5.8-1                                         Tk toolkit for Tcl and X11, v8.5 - run-time files
rluke@securityonion:~$ dpkg -l |grep itk
hc  itk3                                                                 3.3-2                                           [incr Tk] OOP extension for Tk - run-time files
rluke@securityonion:~$ dpkg -l |grep tcl
hc  itcl3                                                                3.4~b1-2                                        [incr Tcl] OOP extension for Tcl - run-time files
ii  mysqltcl                                                             3.05-3                                          Interface to the MySQL database for the Tcl language
ii  tcl-tls                                                              1.5.0.dfsg-9                                    the TLS OpenSSL extension to Tcl
hi  tcl8.3                                                               8.3.5-14                                        Tcl (the Tool Command Language) v8.3 - run-time files
hi  tcl8.4                                                               8.4.19-4                                        Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5                                                               8.5.8-2                                         Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib                                                               1.12-dfsg-2                                     the Standard Tcl Library
hi  tclx8.3                                                              8.3.5-6                                         Extended Tcl (TclX) version 8.3.5 -- TclX runtime package
ii  tclx8.4                                                              8.4.0-3                                         Extended Tcl (TclX) - shared library
rluke@securityonion:~$ dpkg -l |grep iwidgets
ii  iwidgets4-doc                                                        4.0.1-5                                         [incr Widgets] Tk-based widget collection - man pages





--

:)Ryan(:




--

:)Ryan(:

Ryan Luke

Jul 10, 2012, 5:06:19 PM7/10/12
to securit...@googlegroups.com
Thank you for your excellent level of support:)  Here is the output of the commands after I ran the updates.

rluke@securityonion:~$ dpkg -l |grep tk8
hi  tk8.5                                                                8.5.8-1                                         Tk toolkit for Tcl and X11, v8.5 - run-time files
rluke@securityonion:~$ dpkg -l |grep itk
hc  itk3                                                                 3.3-2                                           [incr Tk] OOP extension for Tk - run-time files
rluke@securityonion:~$ dpkg -l |grep tcl
hc  itcl3                                                                3.4~b1-2                                        [incr Tcl] OOP extension for Tcl - run-time files
ii  mysqltcl                                                             3.05-3                                          Interface to the MySQL database for the Tcl language
ii  tcl-tls                                                              1.5.0.dfsg-9                                    the TLS OpenSSL extension to Tcl
hi  tcl8.3                                                               8.3.5-14                                        Tcl (the Tool Command Language) v8.3 - run-time files
hi  tcl8.4                                                               8.4.19-4                                        Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5                                                               8.5.8-2                                         Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib                                                               1.12-dfsg-2                                     the Standard Tcl Library
hi  tclx8.3                                                              8.3.5-6                                         Extended Tcl (TclX) version 8.3.5 -- TclX runtime package
ii  tclx8.4                                                              8.4.0-3                                         Extended Tcl (TclX) - shared library
rluke@securityonion:~$ dpkg -l |grep iwidgets
ii  iwidgets4-doc                                                        4.0.1-5                                         [incr Widgets] Tk-based widget collection - man pages


--

:)Ryan(:

Doug Burks

Jul 10, 2012, 7:52:19 PM7/10/12
to securit...@googlegroups.com
What does it say when you try to install it?

Ryan Luke

Jul 11, 2012, 10:55:35 AM7/11/12
to securit...@googlegroups.com
rluke@securityonion:~$ sudo su
[sudo] password for rluke:
root@securityonion:/home/rluke# aptitude install iwidgets4

Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
The following packages are BROKEN:
  iwidgets4
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Need to get 0B/279kB of archives. After unpacking 1,602kB will be used.
The following packages have unmet dependencies:
  iwidgets4: Depends: itk3 but it is not installable
The following actions will resolve these dependencies:

Install the following packages:
itcl3 [3.4~b1-2 (lucid, now)]
itk3 [3.3-2 (lucid, now)]

Score is 32

Accept this solution? [Y/n/q/?]
--

:)Ryan(:

Ryan Luke

Jul 11, 2012, 10:57:41 AM7/11/12
to securit...@googlegroups.com
root@securityonion:/home/rluke# sudo service nsm restart
  * starting: ossec_agent (sguil)/usr/local/lib/nsmnow/lib-nsm-common-utils: line 966:  1830 Aborted                 eval exec $APP $APP_OPTIONS >> $LOG_FILE 2>&1
                                                                       [ FAIL ]
    - check /var/log/nsm/ossec_agent.log for error messages

Restarting: Bro
stopping bro ...
.
starting bro ...
.
--

:)Ryan(:

Doug Burks

Jul 11, 2012, 11:02:35 AM7/11/12
to securit...@googlegroups.com
Did you accept the solution and install itcl3 and itk3?

Ryan Luke

Jul 11, 2012, 11:22:36 AM7/11/12
to securit...@googlegroups.com
I did not until I got the go ahead from you:)
--

:)Ryan(:

Doug Burks

Jul 11, 2012, 11:32:19 AM7/11/12
to securit...@googlegroups.com
OK, so now that you've installed itcl3 and itk3, what does your tcl/tk
package list look like?

What happens when you try to start Sguild?
sudo nsm_server_ps-start

Are there errors in the Sguild log file?
tail -100 /var/log/nsm/securityonion/sguild.log

Ryan Luke

Jul 11, 2012, 11:44:31 AM7/11/12
to securit...@googlegroups.com
root@securityonion:/usr/local/bin# dpkg -l | grep tcl
hi  itcl3                                                                3.4~b1-2                                        [incr Tcl] OOP extension for Tcl - run-time files

ii  mysqltcl                                                             3.05-3                                          Interface to the MySQL database for the Tcl language
ii  tcl-tls                                                              1.5.0.dfsg-9                                    the TLS OpenSSL extension to Tcl
hi  tcl8.3                                                               8.3.5-14                                        Tcl (the Tool Command Language) v8.3 - run-time files
hi  tcl8.4                                                               8.4.19-4                                        Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5                                                               8.5.8-2                                         Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib                                                               1.12-dfsg-2                                     the Standard Tcl Library
hi  tclx8.3                                                              8.3.5-6                                         Extended Tcl (TclX) version 8.3.5 -- TclX runtime package
ii  tclx8.4                                                              8.4.0-3                                         Extended Tcl (TclX) - shared library

root@securityonion:/usr/local/bin# sudo nsm_server_ps-start
Starting: securityonion

  * starting: sguil server                                             [ FAIL ]
    - check /var/log/nsm/securityonion/sguild.log for error messages


root@securityonion:/var/log/nsm/securityonion# tail sguild.log

Executing: sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
ERROR: This version of tcl was compile with threading enabled. Sguil is NOT compatible with threading.
SGUILD: Exiting...




--

:)Ryan(:

Doug Burks

Jul 11, 2012, 11:53:42 AM7/11/12
to securit...@googlegroups.com
OK, package configuration looks correct. I wonder if you have a
symlink pointing to the wrong tclsh somewhere. Run the following
commands and see what kind of output you get.

doug@doug-desktop:~$ which tclsh
/usr/bin/tclsh
doug@doug-desktop:~$ ls -alh /usr/bin/tclsh
lrwxrwxrwx 1 root root 23 2012-04-13 11:36 /usr/bin/tclsh -> /etc/alternatives/tclsh
doug@doug-desktop:~$ ls -alh /etc/alternatives/tclsh
lrwxrwxrwx 1 root root 17 2012-04-13 11:34 /etc/alternatives/tclsh -> /usr/bin/tclsh8.5

Ryan Luke

Jul 11, 2012, 12:00:07 PM7/11/12
to securit...@googlegroups.com
root@securityonion:/usr/local/bin# which tclsh
/usr/bin/tclsh
root@securityonion:/usr/local/bin# ls -alh /usr/bin/tclsh
lrwxrwxrwx 1 root root 23 2012-04-19 23:29 /usr/bin/tclsh -> /etc/alternatives/tclsh
root@securityonion:/usr/local/bin# ls -alh /etc/alternatives/tclsh
lrwxrwxrwx 1 root root 17 2012-04-19 23:26 /etc/alternatives/tclsh -> /usr/bin/tclsh8.5
--

:)Ryan(:

Doug Burks

Jul 11, 2012, 12:08:50 PM7/11/12
to securit...@googlegroups.com
Try the following commands:

tclsh
% info exists ::tcl_platform(threaded)
0
% exit

md5sum /usr/bin/tclsh8.5
f778330a9d012a8a64af18c37ec3b2b4 /usr/bin/tclsh8.5

Ryan Luke

Jul 11, 2012, 12:40:55 PM7/11/12
to securit...@googlegroups.com

root@securityonion:/usr/local/bin# tclsh
% info exists ::tcl_platform(threaded)
1
% exit
root@securityonion:/usr/local/bin# md5sum /usr/bin/tclsh8.5
6b4a8dc56384c28ce7f07d0820431038  /usr/bin/tclsh8.5
root@securityonion:/usr/local/bin#
--

:)Ryan(:

Doug Burks

Jul 11, 2012, 1:14:34 PM7/11/12
to securit...@googlegroups.com
Your system still has the wrong tclsh8.5. Let's go through the tcl
fix steps again, but let's be a little more invasive this time.

sudo apt-get update
sudo wajig unhold tcl8.5 tk8.5 tcl8.4 tcl8.3 tclx8.3 itcl3 itk3 iwidgets4
sudo dpkg -r tcl8.5 tk8.5 tk8.4 tclx8.4 tcl8.3 tclx8.3 tcl8.3-dev itcl3 itk3 iwidgets4 expect
sudo bash -c "dpkg -l | grep ^rc | cut -d' ' -f3|xargs dpkg -P"
wget http://sourceforge.net/projects/security-onion/files/20110607/tcl8.5_8.5.8-2_i386.deb
sudo dpkg -i tcl8.5_8.5.8-2_i386.deb
sudo update-alternatives --set tclsh /usr/bin/tclsh8.5
sudo apt-get install tk8.5 itcl3 itk3 iwidgets4 expect tclx
sudo wajig hold tcl8.5 tk8.5 tcl8.4 tcl8.3 tclx8.3 itcl3 itk3 iwidgets4

When done, it should look like this:
dpkg -l |grep tcl
hi  itcl3        3.4~b1-2       [incr Tcl] OOP extension for Tcl - run-time files
ii  libudp-tcl   1.0.8-5        UDP sockets for Tcl
ii  mysqltcl     3.05-3         Interface to the MySQL database for the Tcl language
ii  tcl-tls      1.5.0.dfsg-9   the TLS OpenSSL extension to Tcl
hc  tcl8.3       8.3.5-14       Tcl (the Tool Command Language) v8.3 - run-time files
hi  tcl8.4       8.4.19-4       Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5       8.5.8-2        Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib       1.12-dfsg-2    the Standard Tcl Library
hc  tclx8.3      8.3.5-6        Extended Tcl (TclX) version 8.3.5 -- TclX runtime package
ii  tclx8.4      8.4.0-3        Extended Tcl (TclX) - shared library

tclsh
% info exists ::tcl_platform(threaded)
0
% exit

md5sum /usr/bin/tclsh8.5
f778330a9d012a8a64af18c37ec3b2b4 /usr/bin/tclsh8.5


Ryan Luke

Jul 11, 2012, 1:35:52 PM7/11/12
to securit...@googlegroups.com

--2012-07-11 17:34:35--  (try: 8)  http://sourceforge.net/projects/security-onion/files/20110607/tcl8.5_8.5.8-2_i386.deb
Connecting to sourceforge.net|216.34.181.60|:80... failed: Connection timed out.
Retrying.
--

:)Ryan(:

Doug Burks

Jul 11, 2012, 1:38:22 PM7/11/12
to securit...@googlegroups.com
It works for me. Didn't you download that file yesterday? You can
use your previously downloaded copy if necessary.

Ryan Luke

Jul 11, 2012, 1:45:35 PM7/11/12
to securit...@googlegroups.com
I tried to run the file saved to my home directory and got:

root@securityonion:/home/rluke# sudo dpkg -i tcl8.5_8.5.8-2_i386.deb
Selecting previously deselected package tcl8.5.
(Reading database ... 224196 files and directories currently installed.)

Preparing to replace tcl8.5 8.5.8-2 (using tcl8.5_8.5.8-2_i386.deb) ...
Unpacking replacement tcl8.5 ...
Setting up tcl8.5 (8.5.8-2) ...

Processing triggers for man-db ...
Processing triggers for menu ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@securityonion:/home/rluke# sudo update-alternatives --set tclsh /usr/bin/tclsh8.5
root@securityonion:/home/rluke# sudo apt-get install tk8.5 itcl3 itk3 iwidgets4 expect tclx

Reading package lists... Done
Building dependency tree
Reading state information... Done
tk8.5 is already the newest version.
itcl3 is already the newest version.
itcl3 set to manually installed.
itk3 is already the newest version.
itk3 set to manually installed.
iwidgets4 is already the newest version.

expect is already the newest version.
Note, selecting tclx8.4 instead of tclx
Suggested packages:
  tclx8.4-doc
The following NEW packages will be installed:
  tclx8.4
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 97.8kB of archives.
After this operation, 336kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  tclx8.4
Install these packages without verification [y/N]? y
Err http://us.archive.ubuntu.com/ubuntu/ lucid/universe tclx8.4 8.4.0-3
  Could not connect to us.archive.ubuntu.com:80 (91.189.91.13). - connect (110: Connection timed out) [IP: 91.189.91.13 80]
Failed to fetch http://us.archive.ubuntu.com/ubuntu/pool/universe/t/tclx8.4/tclx8.4_8.4.0-3_i386.deb  Could not connect to us.archive.ubuntu.com:80 (91.189.91.13). - connect (110: Connection timed out) [IP: 91.189.91.13 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

Ryan Luke

Jul 11, 2012, 1:46:26 PM7/11/12
to securit...@googlegroups.com
The following packages are on hold:
itcl3
itk3
iwidgets4
tcl8.4
tcl8.5
tk8.5
root@securityonion:/home/rluke# dpkg -l |grep tcl

hi  itcl3                                                                3.4~b1-2                                        [incr Tcl] OOP extension for Tcl - run-time files
ii  mysqltcl                                                             3.05-3                                          Interface to the MySQL database for the Tcl language
ii  tcl-tls                                                              1.5.0.dfsg-9                                    the TLS OpenSSL extension to Tcl
hi  tcl8.4                                                               8.4.19-4                                        Tcl (the Tool Command Language) v8.4 - run-time files

hi  tcl8.5                                                               8.5.8-2                                         Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib                                                               1.12-dfsg-2                                     the Standard Tcl Library


--

:)Ryan(:

Ryan Luke

Jul 11, 2012, 1:52:48 PM7/11/12
to securit...@googlegroups.com
Here is my /etc/network/interfaces file.  It is not configured but the interfaces are static.

root@securityonion:/var/log/nsm/securityonion# /etc/init.d/networking restart
 * Reconfiguring network interfaces...
Ignoring unknown interface eth0=eth0.
Ignoring unknown interface eth1=eth1.
                                                                       [ OK ]
root@securityonion:/var/log/nsm/securityonion# vi /etc/network/interfaces
auto lo
iface lo inet loopback
--

:)Ryan(:

Ryan Luke

Jul 11, 2012, 1:53:37 PM7/11/12
to securit...@googlegroups.com
root@securityonion:/var/log/nsm/securityonion# ps -aef | grep sguil
rluke    13129 13119  0 15:40 ?        00:00:09 wish /usr/local/bin/sguil.tk
sguil    22909     1 13 17:46 pts/0    00:00:52 snort -u sguil -g sguil -c /etc/nsm/securityonion-eth1/snort.conf --daq afpacket -i eth1 -F /etc/nsm/securityonion-eth1/bpf.conf -l /nsm/sensor_data/securityonion-eth1 -U -m 112
sguil    22994     1  0 17:46 pts/0    00:00:01 sancp -d /nsm/sensor_data/securityonion-eth1/sancp -i eth1 -c /etc/nsm/securityonion-eth1/sancp.conf -u sguil -g sguil
sguil    23033     1  0 17:46 pts/0    00:00:02 pads -i eth1 -c /etc/nsm/securityonion-eth1/pads.conf -u sguil -g sguil
sguil    23100     1  1 17:46 pts/0    00:00:04 daemonlogger -u sguil -g sguil -i eth1 -f /etc/nsm/securityonion-eth1/bpf.conf -l /nsm/sensor_data/securityonion-eth1/dailylogs/2012-07-11 -n snort.log -s 134217728
sguil    23143     1  0 17:46 pts/0    00:00:03 argus -P0 -u sguil -g sguil -i eth1 -w /nsm/sensor_data/securityonion-eth1/argus/2012-07-11.log
--

:)Ryan(:

Doug Burks

Jul 11, 2012, 2:05:20 PM7/11/12
to securit...@googlegroups.com
Replies inline.

On Wed, Jul 11, 2012 at 1:45 PM, Ryan Luke <ryan...@googlemail.com> wrote:
> I tried to run the file saved to my home directory and got.
>
> root@securityonion:/home/rluke# sudo dpkg -i tcl8.5_8.5.8-2_i386.deb
> Selecting previously deselected package tcl8.5.
> (Reading database ... 224196 files and directories currently installed.)
>
> Preparing to replace tcl8.5 8.5.8-2 (using tcl8.5_8.5.8-2_i386.deb) ...
> Unpacking replacement tcl8.5 ...
> Setting up tcl8.5 (8.5.8-2) ...
>
> Processing triggers for man-db ...
> Processing triggers for menu ...
> Processing triggers for libc-bin ...
> ldconfig deferred processing now taking place
> root@securityonion:/home/rluke# sudo update-alternatives --set tclsh
> /usr/bin/tc
> lsh8.5

Formatting of this command looks strange. Bad copy/paste?

> root@securityonion:/home/rluke# sudo apt-get install tk8.5 itcl3 itk3
> iwidgets4
> expect tclx
>
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> tk8.5 is already the newest version.
> itcl3 is already the newest version.
> itcl3 set to manually installed.
> itk3 is already the newest version.
> itk3 set to manually installed.
> iwidgets4 is already the newest version.
>
> expect is already the newest version.

If these packages are "already the newest version", then that would
suggest that the earlier "dpkg -r" command didn't successfully remove
these packages.

> Note, selecting tclx8.4 instead of tclx
> Suggested packages:
> tclx8.4-doc
> The following NEW packages will be installed:
> tclx8.4
>
> 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
> Need to get 97.8kB of archives.
> After this operation, 336kB of additional disk space will be used.
> WARNING: The following packages cannot be authenticated!
> tclx8.4
> Install these packages without verification [y/N]? y
> Err http://us.archive.ubuntu.com/ubuntu/ lucid/universe tclx8.4 8.4.0-3
> Could not connect to us.archive.ubuntu.com:80 (91.189.91.13). - connect
> (110:
> Connection timed out) [IP: 91.189.91.13 80]
> Failed to fetch
> http://us.archive.ubuntu.com/ubuntu/pool/universe/t/tclx8.4/tclx
> 8.4_8.4.0-3_i386.deb Could not connect to us.archive.ubuntu.com:80
> (91.189.91.1
> 3). - connect (110: Connection timed out) [IP: 91.189.91.13 80]
> E: Unable to fetch some archives, maybe run apt-get update or try with
> --fix-mis
> sing?

What happened to your network connection? Wasn't it working yesterday?

At this point, we've both spent a lot of time troubleshooting this
issue and we don't seem to be making any progress. I'll go back to my
original recommendation of performing a fresh installation. Please
make sure you follow the Installation guide:
http://code.google.com/p/security-onion/wiki/Installation

To avoid tcl/tk issues in the future, please be careful about
installing third-party software that may change the tcl/tk
configuration.

Hope that helps!

Thanks,

Ryan Luke

Jul 11, 2012, 2:11:31 PM7/11/12
to securit...@googlegroups.com
Thanks for all your help, Doug. I appreciate your time and patience.
--

:)Ryan(:


Ryan Luke

Jul 11, 2012, 2:13:16 PM7/11/12
to securit...@googlegroups.com
My network connections are fine.  I have two interfaces with IP addresses and they are working properly. I did not copy and paste when I ran the command.  I will do a reinstall as you recommend.
--

:)Ryan(:


Ryan Luke

Jul 11, 2012, 3:56:08 PM7/11/12
to securit...@googlegroups.com
Network connections fixed and all commands have run successfully.  I am so close I can taste it.   Thank you thank you thank you for all your help, Doug!

rluke@securityonion:/usr/local/bin$ dpkg -l | grep tcl

hi  itcl3                                                                3.4~b1-2                                        [incr Tcl] OOP extension for Tcl - run-time files
ii  libudp-tcl                                                           1.0.8-5                                         UDP sockets for Tcl
ii  mysqltcl                                                             3.05-3                                          Interface to the MySQL database for the Tcl language
ii  tcl-tls                                                              1.5.0.dfsg-9                                    the TLS OpenSSL extension to Tcl
ii  tcl8.3                                                               8.3.5-14                                        Tcl (the Tool Command Language) v8.3 - run-time files

hi  tcl8.4                                                               8.4.19-4                                        Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5                                                               8.5.8-2                                         Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib                                                               1.12-dfsg-2                                     the Standard Tcl Library
ii  tclx8.4                                                              8.4.0-3                                         Extended Tcl (TclX) - shared library
rluke@securityonion:/usr/local/bin$ sudo aptitude remove tclx8.4

Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following packages will be REMOVED:
  tclx8.4
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 336kB will be freed.

Writing extended state information... Done
(Reading database ... 224354 files and directories currently installed.)
Removing tclx8.4 ...

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done

rluke@securityonion:/usr/local/bin$ sudo aptitude search tclx8.3
rluke@securityonion:/usr/local/bin$ sudo aptitude search tclx8.3
rluke@securityonion:/usr/local/bin$ sudo aptitude search tclx
v   tclx                                                                                                           -
v   tclx-doc                                                                                                       -
c   tclx8.4                                                                                                        - Extended Tcl (TclX) - shared library
p   tclx8.4-dev                                                                                                    - Extended Tcl (TclX) - development package
p   tclx8.4-doc                                                                                                    - Extended Tcl (TclX) - manpages
p   tclxapian                                                                                                      - Xapian search engine interface for Tcl
p   tclxml                                                                                                         - Tcl library for XML parsing

The package below is not available in the repository, so it installed tclx8.4 instead:

hc  tclx8.3                               8.3.5-6
--

:)Ryan(:


Ryan Luke

Jul 11, 2012, 4:16:04 PM7/11/12
to securit...@googlegroups.com
OK, so I am right where we left off last.  I need to get this working; I have too much time invested to start over.  I need to access the sguil DB for forensic analysis.  Please send any other commands you think will fix the issue.

rluke@securityonion:~/Desktop$ dpkg -l | grep tcl

hi  itcl3                                                                3.4~b1-2                                        [incr Tcl] OOP extension for Tcl - run-time files
ii  libudp-tcl                                                           1.0.8-5                                         UDP sockets for Tcl
ii  mysqltcl                                                             3.05-3                                          Interface to the MySQL database for the Tcl language
ii  tcl-tls                                                              1.5.0.dfsg-9                                    the TLS OpenSSL extension to Tcl
ii  tcl8.3                                                               8.3.5-14                                        Tcl (the Tool Command Language) v8.3 - run-time files
hi  tcl8.4                                                               8.4.19-4                                        Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5                                                               8.5.8-2                                         Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib                                                               1.12-dfsg-2                                     the Standard Tcl Library
ii  tclx8.3                                                              8.3.5-6                                         Extended Tcl (TclX) version 8.3.5 -- TclX runtime package
--

:)Ryan(:


Doug Burks

Jul 12, 2012, 6:26:20 AM7/12/12
to securit...@googlegroups.com
Here are some things you can try:

- go back through your command history to see if you can determine
what third-party software was installed that broke tcl/tk in the first
place

- go step-by-step through the last reinstallation of tcl/tk, but
confirm the md5sum of /usr/bin/tclsh8.5 at every step to see where
it's changing. It should be as follows:
md5sum /usr/bin/tclsh8.5
f778330a9d012a8a64af18c37ec3b2b4 /usr/bin/tclsh8.5

- create a virtual machine and install Security Onion, install all
updates, use it as a side-by-side comparison to your broken system to
help you pinpoint what's broken

Hope that helps!

Doug
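The reinstall sequence Doug posted above and his later advice to confirm the md5sum of /usr/bin/tclsh8.5 after every step can be combined into one script. The following is an added example written for this thread, not a Security Onion or Sguil tool: the step commands are Doug's, verbatim and in his order; the expected hash f778330a9d012a8a64af18c37ec3b2b4 and the "info exists ::tcl_platform(threaded)" test are the ones he posted; the --apply and --check flags, the checkpoint format and the SAMPLE_DPKG listing (constructed from his expected dpkg output, for offline testing only) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): runs Doug's tcl/tk reinstall steps and prints
# a checkpoint after each one, so the step that replaces tclsh8.5 with a threaded
# build becomes visible instead of being discovered when sguild refuses to start.
# Assumptions (mine): expected hash and package states as Doug posted them;
# the --apply / --check flags are this script's own interface.

EXPECTED_TCLSH_MD5=f778330a9d012a8a64af18c37ec3b2b4   # hash Doug posted for tclsh8.5
TCLSH=/usr/bin/tclsh8.5

# constructed sample of `dpkg -l | grep tcl` output (from Doug's expected state), offline test data
SAMPLE_DPKG='hi  tcl8.5   8.5.8-2   Tcl (the Tool Command Language) v8.5 - run-time files
hc  tclx8.3  8.3.5-6   Extended Tcl (TclX) version 8.3.5 -- TclX runtime package
ii  tclx8.4  8.4.0-3   Extended Tcl (TclX) - shared library'

# md5 of a file; works with GNU md5sum and BSD md5
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# 0 when the file's md5 equals the expected value, 1 otherwise (reports the actual hash)
expect_md5() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then return 0; fi
    echo "md5 mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# Doug's threading test: prints 0 on a non-threaded build (what Sguil needs), 1 if threaded
tclsh_threaded() {
    if command -v tclsh >/dev/null 2>&1; then
        printf 'puts [info exists ::tcl_platform(threaded)]\n' | tclsh
    else
        echo unknown
    fi
}

# where the tclsh alternative really points (Doug's which/ls -alh chain in one call)
tclsh_target() {
    p=$(command -v tclsh 2>/dev/null) || { echo none; return 0; }
    readlink -f "$p" 2>/dev/null || echo "$p"
}

# reads `dpkg -l` output on stdin, prints the status flags of one package
# (hi = installed and on hold, hc = config-files only and on hold, ii = installed)
dpkg_state() {
    awk -v pkg="$1" '$2 == pkg { print $1; found = 1 } END { if (!found) print "absent" }'
}

# snapshot printed after every step
checkpoint() {
    if [ -e "$TCLSH" ]; then
        if expect_md5 "$TCLSH" "$EXPECTED_TCLSH_MD5" 2>/dev/null; then m=ok
        else m="MISMATCH $(md5_of "$TCLSH")"; fi
    else m=missing; fi
    echo "[after: $1] tclsh8.5 md5: $m; threaded: $(tclsh_threaded); tclsh -> $(tclsh_target); tcl8.5: $(dpkg -l 2>/dev/null | dpkg_state tcl8.5)"
}

step() {
    echo "== $*"
    "$@" || echo "(step exited $?; continuing so the checkpoint is still printed)"
    checkpoint "$*"
}

# Doug's commands, unchanged, each followed by a checkpoint; only runs with --apply
apply_fix() {
    step sudo apt-get update
    step sudo wajig unhold tcl8.5 tk8.5 tcl8.4 tcl8.3 tclx8.3 itcl3 itk3 iwidgets4
    step sudo dpkg -r tcl8.5 tk8.5 tk8.4 tclx8.4 tcl8.3 tclx8.3 tcl8.3-dev itcl3 itk3 iwidgets4 expect
    step sudo bash -c "dpkg -l | grep ^rc | cut -d' ' -f3|xargs dpkg -P"
    step wget http://sourceforge.net/projects/security-onion/files/20110607/tcl8.5_8.5.8-2_i386.deb
    step sudo dpkg -i tcl8.5_8.5.8-2_i386.deb
    step sudo update-alternatives --set tclsh /usr/bin/tclsh8.5
    step sudo apt-get install tk8.5 itcl3 itk3 iwidgets4 expect tclx
    step sudo wajig hold tcl8.5 tk8.5 tcl8.4 tcl8.3 tclx8.3 itcl3 itk3 iwidgets4
}

case "${1:-}" in
    --apply) apply_fix ;;
    --check) checkpoint "current state" ;;
esac
```

Run it with --check first to record the starting state, then with --apply; the checkpoint line whose md5 flips to MISMATCH (or whose threaded flag becomes 1) names the step that pulled in the wrong build, which is the information Doug asks for.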

Ryan Luke

Jul 12, 2012, 2:23:07 PM7/12/12
to securit...@googlegroups.com
Got Sguil to start but now barnyard is not starting.  I found a few old threads on the topic for the following missing shared library.

./barnyard2: error while loading shared libraries: libtcl8.5.so.0: cannot open shared object file: No such file or directory


Do you have any idea what would cause this?  I searched for the library and the binary is missing from the following location:

/usr/lib/libtcl8.5.so.0

I appreciate all your help on this:)
--

:)Ryan(:

Doug Burks

Jul 12, 2012, 2:44:12 PM7/12/12
to securit...@googlegroups.com
/usr/lib/libtcl8.5.so.0 is part of the tcl8.5 package. Did you remove
the tcl8.5 package? If so, you need to re-install it.
Doug

Ryanluke1

Jul 12, 2012, 2:54:14 PM7/12/12
to securit...@googlegroups.com
No, I did not remove it; the package is still installed. The error prompted me to ask the question. I will dig deeper. Thanks again:-)


Sent from my Samsung Epic™ 4G

Ryan Luke

Jul 16, 2012, 1:29:07 PM7/16/12
to securit...@googlegroups.com
My sguil server was working last week.  When I came in this morning Snort had all 0's on the dashboard and the sguil server was in failed status.  The error log says


Executing: sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
can't read "0": no such variable
    while executing
"exec /usr/bin/tclsh8.3 "$0" "$@""
    (file "/usr/local/bin/sguild" line 4)
--

:)Ryan(:

Doug Burks

Jul 16, 2012, 1:48:32 PM7/16/12
to securit...@googlegroups.com
I haven't seen that particular error before, but it references
tclsh8.3 instead of our normal tclsh8.5. Is tclsh8.5 still installed?
Perhaps you need to use the update-alternatives command to set
tclsh8.5 as the default?
Doug

Ryan Luke

Jul 16, 2012, 2:02:12 PM7/16/12
to securit...@googlegroups.com
The variable in the config file was set to a static binary of tclsh.  My coworker has it running now and it is parsing all the events.
--

:)Ryan(:

Ryan Luke

Jul 17, 2012, 1:52:26 PM7/17/12
to securit...@googlegroups.com
Doug,

    Can you help me out real quick and tell me what the configuration is for the sguild file?  I am having issues with sguild starting again.  The tcl packages are a pain in the butt:(  It seems to work, then stops.  I am not sure what the below set and exec paths should be.

Here is the first few lines where the sguild fails and exits.

#!/bin/sh
# Run tcl from users PATH \
set tclsh='/usr/bin/tclsh8.5'
exec /usr/bin/tclsh8.5 "$0" "$@"
exec tclsh "$0" "$@"



Path to the file I am referring to: /usr/local/bin/sguild
--

:)Ryan(:

Ryan Luke

unread,
Jul 17, 2012, 2:01:46 PM7/17/12
to securit...@googlegroups.com
Error that prompted my question.


Executing: sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
can't read "0": no such variable
    while executing
"exec /usr/bin/tclsh8.5 "$0" "$@""
    (file "/usr/local/bin/sguild" line 4)

I don't know what path sguild wants to use to open the tcl ports package

Thanks again, I love SO if I can get it working again.
--

:)Ryan(:

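The two posts above (the four-line header from /usr/local/bin/sguild and the "can't read "0": no such variable ... line 4" error) describe one mechanism: sguild starts as a sh/Tcl polyglot, where the trailing backslash on the comment line makes Tcl treat the *next* line as part of the comment, so the shell's exec line is never evaluated by Tcl. Any line inserted between that comment and the exec (such as the `set tclsh=...` line) takes the comment's place, and the exec line is then read by Tcl, which has no variable named `0`. The following is an added example written for this thread, not code from the Security Onion project or from the posters: a small POSIX sh lint that checks a file's first four lines for exactly this mistake, and also warns if the interpreter named on the exec line does not exist (Doug's tclsh8.3 vs tclsh8.5 point). The sample files it writes are constructed here from the header quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the Security Onion project or the thread): a lint for
# the sh/Tcl "polyglot" header that sguild and other Tcl daemons use.
#
# How the header works:
#   line 1: #!/bin/sh            -> sh runs the file
#   line 2: # Run tcl ... \      -> sh: a comment.  Tcl: a comment that CONTINUES
#                                   onto the next line because of the trailing '\'
#   line 3: exec tclsh "$0" "$@" -> sh: re-executes the file under tclsh.
#                                   Tcl: swallowed by the continued comment.
# An extra line between line 2 and the exec becomes the continued comment
# instead, and the exec line is evaluated by Tcl, producing:
#   can't read "0": no such variable   (file ".../sguild" line 4)

# check_tcl_header FILE: print a verdict and return 0 (ok) or 1 (broken).
check_tcl_header() {
    file=$1
    line2=$(sed -n '2p' "$file")
    line3=$(sed -n '3p' "$file")
    line4=$(sed -n '4p' "$file")

    # The comment on line 2 must end with a backslash so Tcl skips line 3.
    case "$line2" in
        *\\) ;;
        *) printf '%s\n' "BROKEN: line 2 does not end with a backslash; Tcl will evaluate line 3"; return 1 ;;
    esac

    # Line 3 must be the exec, directly after the backslash-continued comment.
    case "$line3" in
        exec*tclsh*) ;;
        *) printf '%s\n' "BROKEN: line 3 is '$line3'; the exec line must come directly after the backslash comment"; return 1 ;;
    esac

    # A second exec on line 4 is no longer hidden by the comment: Tcl runs it.
    case "$line4" in
        exec*) printf '%s\n' "BROKEN: a second exec on line 4 is reached by Tcl and fails on \$0"; return 1 ;;
    esac

    # Warn (without failing) if the interpreter named on the exec line is missing.
    set -- $line3
    interp=$2
    case "$interp" in
        */*) [ -x "$interp" ] || printf '%s\n' "WARN: $interp is not executable; see 'update-alternatives --display tclsh'" ;;
        *)   command -v "$interp" >/dev/null 2>&1 || printf '%s\n' "WARN: $interp not found in PATH" ;;
    esac

    printf '%s\n' "OK: header is a valid sh/Tcl polyglot"
    return 0
}

# Constructed sample: the correct three-line header followed by a Tcl body.
write_good_header() {
    printf '%s\n' '#!/bin/sh' \
        '# Run tcl from users PATH \' \
        'exec tclsh "$0" "$@"' \
        'puts "sguild would start here"' > "$1"
}

# Constructed sample: the header quoted in the thread, with the stray set line.
write_bad_header() {
    printf '%s\n' '#!/bin/sh' \
        '# Run tcl from users PATH \' \
        "set tclsh='/usr/bin/tclsh8.5'" \
        'exec /usr/bin/tclsh8.5 "$0" "$@"' \
        'exec tclsh "$0" "$@"' > "$1"
}

# demo: lint both constructed samples; run as `sh thisfile.sh demo`.
demo() {
    d=$(mktemp -d)
    write_good_header "$d/good"
    write_bad_header "$d/bad"
    check_tcl_header "$d/good"
    check_tcl_header "$d/bad" || true
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The lint can also be pointed at the real file (`check_tcl_header /usr/local/bin/sguild`); on the header quoted in the thread it reports line 3, which is the line to delete so that the exec moves back up under the backslash comment.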
Ryan Luke

unread,
Jul 17, 2012, 2:28:05 PM7/17/12
to securit...@googlegroups.com
TCL packages and shared libraries.

 
@securityonion:/var/log/nsm/securityonion$ dpkg -l | grep tcl

hi  itcl3                                                                3.4~b1-2                                        [incr Tcl] OOP extension for Tcl - run-time files
ii  libudp-tcl                                                           1.0.8-5                                         UDP sockets for Tcl
ii  mysqltcl                                                             3.05-3                                          Interface to the MySQL database for the Tcl language
ii  tcl-tls                                                              1.5.0.dfsg-9                                    the TLS OpenSSL extension to Tcl
hi  tcl8.3                                                               8.3.5-14                                        Tcl (the Tool Command Language) v8.3 - run-time files

hi  tcl8.4                                                               8.4.19-4                                        Tcl (the Tool Command Language) v8.4 - run-time files
hi  tcl8.5                                                               8.5.8-2                                         Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcllib                                                               1.12-dfsg-2                                     the Standard Tcl Library
hc  tclx8.3                                                              8.3.5-6                                         Extended Tcl (TclX) version 8.3.5 -- TclX runtime package

ii  tclx8.4                                                              8.4.0-3                                         Extended Tcl (TclX) - shared library

/usr/bin
lrwxrwxrwx  1 root   root         23 2012-07-17 17:33 tclsh -> /etc/alternatives/tclsh
-rwxr-xr-x  1 root   root       5496 2009-04-29 18:22 tclsh8.3
-rwxr-xr-x  1 root   root       5492 2009-11-06 11:49 tclsh8.4
-rwxr-xr-x  1 root   root       5424 2011-06-07 10:20 tclsh8.5

/usr/lib
-rw-r--r--   1 root root   656648 2009-04-29 18:22 libtcl8.3.so.1
-rw-r--r--   1 root root   743020 2009-11-06 11:49 libtcl8.4.so.0
-rw-r--r--   1 root root  1034892 2011-06-07 10:20 libtcl8.5.so.0
-rw-r--r--   1 root root   145828 2010-01-22 17:11 libtclx8.4.so.0
-rw-r--r--   1 root root  1138888 2009-12-01 00:15 libtk8.5.so.0
--

:)Ryan(:

Doug Burks

unread,
Jul 17, 2012, 3:44:14 PM7/17/12
to securit...@googlegroups.com
Hi Ryan,

As I suggested previously, you should install Security Onion in a VM
and use it as a side-by-side comparison with your broken installation.

Thanks,
Doug

Ryan Luke

unread,
Jul 17, 2012, 4:52:42 PM7/17/12
to securit...@googlegroups.com
I checked the default sguild script and it only calls the single tclsh binary.  I will see if I can replicate the issue per your instructions.  I just figured you would have an idea on what tcl binary to use. 

Thanks.

--

:)Ryan(:
