Re: [security-onion] soup not working


Wes Lambert

Jul 30, 2019, 7:57:29 AM
to securit...@googlegroups.com
Hi Monah,

I've not experienced any issue running soup lately.  Are you still having an issue?

Thanks,
Wes

On Mon, Jul 29, 2019 at 11:38 AM Monah Baki <mona...@gmail.com> wrote:
In my distributed architecture, I am trying to run "sudo soup" on the manager, and it just sits idle at "Checking for updates"; I waited 10 min until I pressed Ctrl-C.

I ran tcpdump on port 443 and saw the following:
15:36:51.124339 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [S], seq 2521175337, win 29200, options [mss 1460,sackOK,TS val 142653075 ecr 0,nop,wscale 9], length 0
15:36:51.157069 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [S.], seq 4248423357, ack 2521175338, win 28960, options [mss 1380,sackOK,TS val 2348992079 ecr 142653075,nop,wscale 8], length 0
15:36:51.157089 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 1, win 58, options [nop,nop,TS val 142653107 ecr 2348992079], length 0
15:36:51.188385 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [P.], seq 1:244, ack 1, win 58, options [nop,nop,TS val 142653139 ecr 2348992079], length 243
15:36:51.267947 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], ack 244, win 118, options [nop,nop,TS val 2348992085 ecr 142653139], length 0
15:36:51.268230 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 1:2737, ack 244, win 118, options [nop,nop,TS val 2348992086 ecr 142653139], length 2736
15:36:51.268269 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 2737, win 68, options [nop,nop,TS val 142653218 ecr 2348992086], length 0
15:36:51.268675 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 2737:4105, ack 244, win 118, options [nop,nop,TS val 2348992086 ecr 142653139], length 1368
15:36:51.268706 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 4105, win 74, options [nop,nop,TS val 142653219 ecr 2348992086], length 0
15:36:51.268819 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 4105:5473, ack 244, win 118, options [nop,nop,TS val 2348992086 ecr 142653139], length 1368
15:36:51.268836 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 5473, win 80, options [nop,nop,TS val 142653219 ecr 2348992086], length 0
15:36:51.268920 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [P.], seq 5473:5758, ack 244, win 118, options [nop,nop,TS val 2348992086 ecr 142653139], length 285
15:36:51.268937 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 5758, win 85, options [nop,nop,TS val 142653219 ecr 2348992086], length 0
15:36:51.272057 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [P.], seq 244:319, ack 5758, win 85, options [nop,nop,TS val 142653222 ecr 2348992086], length 75
15:36:51.286987 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], ack 319, win 118, options [nop,nop,TS val 2348992094 ecr 142653222], length 0
15:36:51.287022 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [P.], seq 319:370, ack 5758, win 85, options [nop,nop,TS val 142653237 ecr 2348992094], length 51
15:36:51.292641 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], ack 370, win 118, options [nop,nop,TS val 2348992095 ecr 142653237], length 0
15:36:51.293221 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [P.], seq 5758:6000, ack 370, win 118, options [nop,nop,TS val 2348992095 ecr 142653237], length 242
15:36:51.296140 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [P.], seq 370:625, ack 6000, win 90, options [nop,nop,TS val 142653246 ecr 2348992095], length 255
15:36:51.302791 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [P.], seq 6000:6531, ack 625, win 122, options [nop,nop,TS val 2348992096 ecr 142653246], length 531
15:36:51.303200 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 6531:9267, ack 625, win 122, options [nop,nop,TS val 2348992096 ecr 142653246], length 2736
15:36:51.303231 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 9267, win 106, options [nop,nop,TS val 142653253 ecr 2348992096], length 0
15:36:51.303257 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 9267:14739, ack 625, win 122, options [nop,nop,TS val 2348992096 ecr 142653246], length 5472
15:36:51.303271 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 14739, win 128, options [nop,nop,TS val 142653253 ecr 2348992096], length 0
15:36:51.305406 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 14739:17475, ack 625, win 122, options [nop,nop,TS val 2348992096 ecr 142653246], length 2736
15:36:51.305437 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 17475, win 138, options [nop,nop,TS val 142653256 ecr 2348992096], length 0
15:36:51.307630 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 17475:18843, ack 625, win 122, options [nop,nop,TS val 2348992096 ecr 142653246], length 1368
15:36:51.308128 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 18843:20211, ack 625, win 122, options [nop,nop,TS val 2348992096 ecr 142653246], length 1368
15:36:51.308159 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 20211, win 150, options [nop,nop,TS val 142653258 ecr 2348992096], length 0
15:36:51.310102 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 20211:22947, ack 625, win 122, options [nop,nop,TS val 2348992096 ecr 142653246], length 2736
15:36:51.310133 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 22947, win 160, options [nop,nop,TS val 142653260 ecr 2348992096], length 0
15:36:51.310815 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 22947:25683, ack 625, win 122, options [nop,nop,TS val 2348992097 ecr 142653246], length 2736
15:36:51.310847 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 25683, win 171, options [nop,nop,TS val 142653261 ecr 2348992097], length 0
15:36:51.311307 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 25683:27051, ack 625, win 122, options [nop,nop,TS val 2348992097 ecr 142653253], length 1368
15:36:51.311818 IP server-99-84-104-129.iad79.r.cloudfront.net.https > SOManager.53486: Flags [.], seq 27051:32523, ack 625, win 122, options [nop,nop,TS val 2348992097 ecr 142653253], length 5472
15:36:51.311850 IP SOManager.53486 > server-99-84-104-129.iad79.r.cloudfront.net.https: Flags [.], ack 32523, win 198, options [nop,nop,TS val 142653262 ecr 2348992097], length 0



Also

telnet server-99-84-216-49.iad79.r.cloudfront.net 443
Trying 99.84.216.49...
Connected to server-99-84-216-49.iad79.r.cloudfront.net.
Escape character is '^]'.



Our firewall engineer said no changes have been made.


Thanks
Monah

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/fe3ab4f6-7cdb-48b1-b667-f30ba14b14cc%40googlegroups.com.



Aaron Myers

Jul 30, 2019, 8:55:10 AM
to security-onion
I'm not using a distributed architecture and my system is also sitting on "Checking for updates...".

If you want a pcap or something, happy to provide it.
Aaron

Aaron Myers

Jul 30, 2019, 8:57:59 AM
to security-onion
Scratch that. It was (surprise!) DNS. All is working fine for me.
Aaron

Monah Baki

Jul 30, 2019, 9:25:29 AM
to security-onion
On Tuesday, July 30, 2019 at 7:57:29 AM UTC-4, Wes wrote:
Hi Wes,

Yes, still having issues.

Monah Baki

Jul 30, 2019, 9:31:54 AM
to security-onion
On Tuesday, July 30, 2019 at 7:57:29 AM UTC-4, Wes wrote:
Wes,

I finally received this after 20 minutes of waiting for "sudo soup":

Checking for kernels that can be removed...
No kernels are eligible for removal

Checking for updates...
W: The repository 'http://security.ubuntu.com/ubuntu xenial-security Release' does not have a Release file.
E: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/xenial-updates/main/i18n/Translation-en Could not open file /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_xenial-updates_main_i18(13: Permission denied) [IP: 91.189.91.26 80]
E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/main/binary-amd64/Packages Connection failed [IP: 91.189.88.162 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.

It does detect packages for upgrade:

Synchronizing state of mysql.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install enable mysql
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-headers-4.15.0-51 linux-headers-4.15.0-51-generic linux-image-4.15.0-51-generic linux-modules-4.15.0-51-generic linux-modules-extra-4.15.0-51-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
mysql-client-5.7
Suggested packages:
mailx tinyca
The following packages will be upgraded:
mysql-client-5.7 mysql-server mysql-server-5.7 mysql-server-core-5.7
4 upgraded, 0 newly installed, 0 to remove and 49 not upgraded.
Need to get 1,815 kB/12.2 MB of archives.
After this operation, 207 kB of additional disk space will be used.
Get:1 http://security.ubuntu.com/ubuntu xenial-security/main amd64 mysql-client-5.7 amd64 5.7.27-0ubuntu0.16.04.1 [1,815 kB]
Fetched 1,815 kB in 1s (1,043 kB/s)
(Reading database ... 177027 files and directories currently installed.)
Preparing to unpack .../mysql-client-5.7_5.7.27-0ubuntu0.16.04.1_amd64.deb ...
Unpacking mysql-client-5.7 (5.7.27-0ubuntu0.16.04.1) over (5.7.26-0ubuntu0.16.04.1) ...
Preparing to unpack .../mysql-server-5.7_5.7.27-0ubuntu0.16.04.1_amd64.deb ...
Unpacking mysql-server-5.7 (5.7.27-0ubuntu0.16.04.1) over (5.7.26-0ubuntu0.16.04.1) ...
Preparing to unpack .../mysql-server-core-5.7_5.7.27-0ubuntu0.16.04.1_amd64.deb ...
Unpacking mysql-server-core-5.7 (5.7.27-0ubuntu0.16.04.1) over (5.7.26-0ubuntu0.16.04.1) ...
Preparing to unpack .../mysql-server_5.7.27-0ubuntu0.16.04.1_all.deb ...
Unpacking mysql-server (5.7.27-0ubuntu0.16.04.1) over (5.7.26-0ubuntu0.16.04.1) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for ureadahead (0.100.0-19.1) ...
ureadahead will be reprofiled on next reboot
Processing triggers for systemd (229-4ubuntu21.21) ...
Setting up mysql-client-5.7 (5.7.27-0ubuntu0.16.04.1) ...
Setting up mysql-server-core-5.7 (5.7.27-0ubuntu0.16.04.1) ...
Setting up mysql-server-5.7 (5.7.27-0ubuntu0.16.04.1) ...
Checking if update is needed.
Checking server version.
Running queries to upgrade MySQL server.

Upgrade process completed successfully.
Checking if update is needed.
Setting up mysql-server (5.7.27-0ubuntu0.16.04.1) ...
Reading package lists...
Building dependency tree...
Reading state information...
securityonion-pfring-module is already the newest version (20121107-0ubuntu0securityonion31).
The following packages were automatically installed and are no longer required:
linux-headers-4.15.0-51 linux-headers-4.15.0-51-generic
linux-image-4.15.0-51-generic linux-modules-4.15.0-51-generic
linux-modules-extra-4.15.0-51-generic
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 49 not upgraded.
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages were automatically installed and are no longer required:
linux-headers-4.15.0-51 linux-headers-4.15.0-51-generic
linux-headers-4.15.0-54 linux-headers-4.15.0-54-generic
linux-image-4.15.0-51-generic linux-image-4.15.0-54-generic
linux-modules-4.15.0-51-generic linux-modules-4.15.0-54-generic
linux-modules-extra-4.15.0-51-generic linux-modules-extra-4.15.0-54-generic
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
linux-headers-4.15.0-55 linux-headers-4.15.0-55-generic
linux-image-4.15.0-55-generic linux-modules-4.15.0-55-generic
linux-modules-extra-4.15.0-55-generic
The following packages will be upgraded:
apport aptdaemon aptdaemon-data bash bzip2 friendly-recovery gvfs
gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-libs libbz2-1.0
libexiv2-14 libglib2.0-0 libglib2.0-bin libglib2.0-data libmspack0
libmysqlclient20 libnss-myhostname libnss3 libnss3-1d libnss3-nssdb
libpam-systemd libsystemd0 libudev1 libzmq5 linux-firmware
linux-generic-hwe-16.04 linux-headers-generic-hwe-16.04
linux-image-generic-hwe-16.04 linux-libc-dev mysql-client
mysql-client-core-5.7 mysql-common patch python3-apport python3-aptdaemon
python3-aptdaemon.gtk3widgets python3-aptdaemon.pkcompat
python3-problem-report redis-server redis-tools securityonion-rule-update
securityonion-sostat systemd systemd-sysv tzdata udev
49 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 135 MB of archives.
After this operation, 335 MB of additional disk space will be used.
E: There were unauthenticated packages and -y was used without --allow-unauthenticated
WARNING: The following packages cannot be authenticated!
systemd-sysv libpam-systemd libsystemd0 libnss-myhostname systemd udev
libudev1 friendly-recovery linux-firmware python3-aptdaemon.pkcompat
aptdaemon-data python3-aptdaemon.gtk3widgets aptdaemon python3-aptdaemon
###########################################################################


But after a reboot, and running "sudo soup" on the sensor, it says:
Checking to see if the master server has already been updated, please wait...

The master server reports that it has 54 update(s) available for installation.
We highly recommend updating the master server before updating this sensor.

Recommendation: Press Ctrl-c now and then update your master server.

If you really want to continue updating this sensor (may cause issues), press Enter.


Monah Baki

Jul 31, 2019, 7:35:22 AM
to security-onion
On Tuesday, July 30, 2019 at 7:57:29 AM UTC-4, Wes wrote:
Hi Wes,

Running dmesg on the master, I see the following:

[81618.949726] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=28830 DF PROTO=TCP SPT=80 DPT=54060 WINDOW=58 RES=0x00 ACK FIN URGP=0
[81619.311761] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.31 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55940 DF PROTO=TCP SPT=80 DPT=60698 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81625.669049] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=28831 DF PROTO=TCP SPT=80 DPT=54060 WINDOW=58 RES=0x00 ACK FIN URGP=0
[81626.031010] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.31 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55941 DF PROTO=TCP SPT=80 DPT=60698 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81639.469663] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.31 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55942 DF PROTO=TCP SPT=80 DPT=60698 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81666.346978] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.31 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55943 DF PROTO=TCP SPT=80 DPT=60698 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81733.118335] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.26 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7784 DF PROTO=TCP SPT=80 DPT=56922 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81733.522296] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=33447 DF PROTO=TCP SPT=80 DPT=52802 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81733.958332] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.26 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7785 DF PROTO=TCP SPT=80 DPT=56922 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81734.362240] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=33448 DF PROTO=TCP SPT=80 DPT=52802 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81735.638101] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.26 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7786 DF PROTO=TCP SPT=80 DPT=56922 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81736.042051] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=33449 DF PROTO=TCP SPT=80 DPT=52802 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81738.997799] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.26 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7787 DF PROTO=TCP SPT=80 DPT=56922 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81739.401708] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=33450 DF PROTO=TCP SPT=80 DPT=52802 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81745.717041] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.26 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7788 DF PROTO=TCP SPT=80 DPT=56922 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81746.121098] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=33451 DF PROTO=TCP SPT=80 DPT=52802 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81759.559730] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=33452 DF PROTO=TCP SPT=80 DPT=52802 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81786.437055] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=33453 DF PROTO=TCP SPT=80 DPT=52802 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81853.280390] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=37395 DF PROTO=TCP SPT=80 DPT=54138 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81853.620368] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.162 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=32676 DF PROTO=TCP SPT=80 DPT=53256 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81854.120306] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=37396 DF PROTO=TCP SPT=80 DPT=54138 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81859.159842] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=37398 DF PROTO=TCP SPT=80 DPT=54138 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81879.657789] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.162 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=32681 DF PROTO=TCP SPT=80 DPT=53256 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81906.535109] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.162 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=32682 DF PROTO=TCP SPT=80 DPT=53256 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81975.702239] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=58434 DF PROTO=TCP SPT=80 DPT=54162 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81979.061915] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=58435 DF PROTO=TCP SPT=80 DPT=54162 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81985.781246] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=58436 DF PROTO=TCP SPT=80 DPT=54162 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82001.703693] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.24 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=33021 DF PROTO=TCP SPT=80 DPT=49178 WINDOW=117 RES=0x00 ACK FIN URGP=0
[82001.911620] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.24 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=33022 DF PROTO=TCP SPT=80 DPT=49178 WINDOW=117 RES=0x00 ACK FIN URGP=0
[82026.097224] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=58438 DF PROTO=TCP SPT=80 DPT=54162 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82124.929361] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.26 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25864 DF PROTO=TCP SPT=80 DPT=57056 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82128.289434] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.26 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25865 DF PROTO=TCP SPT=80 DPT=57056 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82148.447063] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.26 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25867 DF PROTO=TCP SPT=80 DPT=57056 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82243.347641] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.31 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=52801 DF PROTO=TCP SPT=80 DPT=60892 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82245.027489] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.31 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=52802 DF PROTO=TCP SPT=80 DPT=60892 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82248.387134] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.31 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=52803 DF PROTO=TCP SPT=80 DPT=60892 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82268.545248] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.31 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=52805 DF PROTO=TCP SPT=80 DPT=60892 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82323.801625] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=62422 DF PROTO=TCP SPT=80 DPT=52996 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82323.801641] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=29121 DF PROTO=TCP SPT=80 DPT=54284 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82324.221592] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=62423 DF PROTO=TCP SPT=80 DPT=52996 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82324.221611] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=29122 DF PROTO=TCP SPT=80 DPT=54284 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82325.061505] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=62424 DF PROTO=TCP SPT=80 DPT=52996 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82325.061527] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=29123 DF PROTO=TCP SPT=80 DPT=54284 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82326.741357] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=29124 DF PROTO=TCP SPT=80 DPT=54284 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82326.741358] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.149 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=62425 DF PROTO=TCP SPT=80 DPT=52996 WINDOW=50 RES=0x00 ACK FIN URGP=0
[82350.259020] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=29127 DF PROTO=TCP SPT=80 DPT=54284 WINDOW=50 RES=0x00 ACK FIN URGP=0

I went and ran sudo ufw disable, and that did not resolve the issue.
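The dmesg output in this post is a long run of [UFW BLOCK] lines that is hard to read by eye. The Python script below is an added example, not code from this thread or from Security Onion: it parses UFW kernel log lines (as printed by dmesg or written to /var/log/ufw.log), pulls out the TCP flags and ports, and groups the blocked packets by what they are, so that late FIN/ACK replies from a web server on port 80 toward an ephemeral local port (the only kind present in the lines above) can be told apart from genuine inbound connection attempts. The sample input is constructed: four lines copied from the post plus one made-up SYN from a documentation address, so the second class shows up in the summary.

```python
import re
from collections import Counter

# Constructed sample: four lines taken from the dmesg output quoted in the thread,
# plus one made-up SYN (198.51.100.7 is a documentation address) so that both
# classes appear in the summary.
SAMPLE_DMESG = """\
[81618.949726] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=28830 DF PROTO=TCP SPT=80 DPT=54060 WINDOW=58 RES=0x00 ACK FIN URGP=0
[81619.311761] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.88.31 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55940 DF PROTO=TCP SPT=80 DPT=60698 WINDOW=50 RES=0x00 ACK FIN URGP=0
[81625.669049] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.23 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=28831 DF PROTO=TCP SPT=80 DPT=54060 WINDOW=58 RES=0x00 ACK FIN URGP=0
[81733.118335] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=91.189.91.26 DST=172.16.64.82 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7784 DF PROTO=TCP SPT=80 DPT=56922 WINDOW=50 RES=0x00 ACK FIN URGP=0
[90000.000000] [UFW BLOCK] IN=eno1 OUT= MAC=6c:2b:59:89:38:dd:00:d7:8f:95:8d:f9:08:00 SRC=198.51.100.7 DST=172.16.64.82 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Matches the kernel timestamp and the "[UFW BLOCK]" / "[UFW ALLOW]" / "[UFW AUDIT]" tag.
# re.search (not match) so a syslog prefix such as "Jul 31 08:00:00 host kernel: " is fine.
UFW_RE = re.compile(r"\[\s*(?P<ts>\d+\.\d+)\]\s+\[UFW (?P<action>[A-Z ]+?)\]\s+(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_ufw_line(line):
    """Parse one UFW kernel log line into a dict, or return None if it is not one."""
    m = UFW_RE.search(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "action": m.group("action"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:                      # KEY=VALUE field (OUT= has an empty value)
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:              # bare TCP flag tokens; "DF" etc. are ignored
            rec["flags"].add(tok)
    for port in ("SPT", "DPT"):
        if port in rec:
            rec[port] = int(rec[port])
    return rec


def classify(rec):
    """Label a blocked packet from its TCP flags and port layout."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-inbound-attempt"        # a peer trying to open a connection to us
    if flags & {"FIN", "RST", "ACK"}:
        # Mid-stream or tear-down packet. A well-known source port and an ephemeral
        # destination port means the remote side is the *server* of a connection this
        # host opened itself (e.g. an Ubuntu mirror on :80); a late FIN/ACK that arrives
        # after the firewall has dropped the flow state is logged but is not an attack.
        if rec.get("SPT", 0) < 1024 and rec.get("DPT", 0) >= 1024:
            return "late-reply-to-our-outbound-flow"
        return "stray-established-packet"
    return "other"


def summarize(log_text):
    """Count BLOCK entries by class and by (SRC, SPT, DPT) so repeats stand out."""
    by_class = Counter()
    by_peer = Counter()
    attempts = []
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue
        kind = classify(rec)
        by_class[kind] += 1
        by_peer[(rec.get("SRC"), rec.get("SPT"), rec.get("DPT"))] += 1
        if kind == "new-inbound-attempt":
            attempts.append((rec.get("SRC"), rec.get("DPT")))
    return {"by_class": dict(by_class), "by_peer": dict(by_peer), "attempts": attempts}


if __name__ == "__main__":
    result = summarize(SAMPLE_DMESG)
    for kind, n in sorted(result["by_class"].items()):
        print(f"{n:4d}  {kind}")
    for (src, spt, dpt), n in sorted(result["by_peer"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {src}:{spt} -> local:{dpt}")
    if result["attempts"]:
        print("inbound attempts:", result["attempts"])
```

To run it against a real host, replace SAMPLE_DMESG with the output of `dmesg` or the contents of /var/log/ufw.log. The useful check is the split in by_class: a pile of late-reply entries from mirror addresses on port 80 is noise left over from the host's own apt traffic, whereas new-inbound-attempt entries name a source and port that merit a look at the rule set.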

Wes Lambert

Jul 31, 2019, 8:24:06 AM
to securit...@googlegroups.com
Hi Monah,

Have you modified /etc/apt/sources.list?

You may want to check for clues/errors there and do something like:

sudo rm /var/lib/apt/lists/*

sudo soup

On Tue, Jul 30, 2019 at 9:24 AM Monah Baki <mona...@gmail.com> wrote:
Hi all,

On my distributed architecture, when I try to run "sudo soup" on my manager it just sits idle for more than 20 min, and then I get:

Press Enter to continue or Ctrl-C to cancel.


Checking for kernels that can be removed...
No kernels are eligible for removal

Checking for updates...
W: The repository 'http://security.ubuntu.com/ubuntu xenial-security Release' does not have a Release file.
E: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/xenial-updates/main/i18n/Translation-en  Could not open file /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_xenial-updates_main_i18(13: Permission denied) [IP: 91.189.91.26 80]
E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/main/binary-amd64/Packages  Connection failed [IP: 91.189.88.162 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.

Checking Security Onion Docker image status...
Tagging securityonionsolutions/so-curator@sha256:b64960cfdf850229f10e86b43605f71985101bdbaf8cdbbd27a3cc1cbf1537a8 as securityonionsolutions/so-curator:latest
so-curator image is up to date.
Tagging securityonionsolutions/so-domainstats@sha256:8103e1df04a25ef1b60e1e0ddbef7205a1dbf7d38e588558b5117fd8120fac58 as securityonionsolutions/so-domainstats:latest
so-domainstats image is up to date.
Tagging securityonionsolutions/so-elastalert@sha256:f9534a2ee7ba9905cc93a0f65716d8c54ca9c75ddf552d418cd84dcb102e934f as securityonionsolutions/so-elastalert:latest
so-elastalert image is up to date.
Tagging securityonionsolutions/so-elasticsearch@sha256:69b1c2bb2cac5029028005a2d149cf5ca3bca84e8f9bc6c9f692a90955d67526 as securityonionsolutions/so-elasticsearch:latest
so-elasticsearch image is up to date.
Tagging securityonionsolutions/so-freqserver@sha256:9ef9ba027d7454be3c94faef66a0d42e732792f837c7ae18a01a20e715afaa9a as securityonionsolutions/so-freqserver:latest
so-freqserver image is up to date.
Tagging securityonionsolutions/so-kibana@sha256:4b6aa49660248ade74ca1bd5d10112c0177582ed70b0d53ff754453bd3e19689 as securityonionsolutions/so-kibana:latest
so-kibana image is up to date.
Tagging securityonionsolutions/so-logstash@sha256:0db6c21c22f65651692dc3440dc42fe702868a6a278bdfa2fbf994cd90627148 as securityonionsolutions/so-logstash:latest
so-logstash image is up to date.

###########################################################################
New mysql-server packages available. Stopping services for clean update.....done.
###########################################################################
Checking system database.

After a lot of "OK" database checks:

sys.sys_config                                     OK
All updates have been installed.

If this is a distributed deployment, please update the remaining boxes in your deployment to ensure all boxes are running the same updates.

Press Enter to reboot or Ctrl-C to cancel.



Once I login to the sensor and run "sudo soup" I get

Checking to see if the master server has already been updated, please wait...

The master server reports that it has 54 update(s) available for installation.
We highly recommend updating the master server before updating this sensor.

Recommendation: Press Ctrl-c now and then update your master server.

If you really want to continue updating this sensor (may cause issues), press Enter.



Thanks
Monah


Steven J

Jul 31, 2019, 11:51:02 AM
to securit...@googlegroups.com

@Wes, in Monah's other thread it indicates that Canonical is being blocked by ufw, which would explain the
E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/main/binary-amd64/Packages  Connection failed [IP: 91.189.88.162 80] ?

Monah Baki

Aug 12, 2019, 9:50:18 AM
to security-onion
So it turns out our upstream proxy, maintained by CenturyLink, was causing the issue. Apparently something changed on their end and we were not notified. They somehow were able to fix it, and now it works.