ysrc / yulong-hids-archived Goto Github PK
View Code? Open in Web Editor NEW[archived] 一款实验性质的主机入侵检测系统
License: Other
yulong-hids-archived's Issues
centos kernel panic
centos6 centos7
内核版本
2.6.32-696.23.1.el6.x86_64
3.10.0-693.21.1.el7.x86_64
直接使用的release中的驱动。
安装agent一直报错
在kali上安装
root@kali:/tmp# ./daemon -install -netloc 192.168.84.161:443
2018/05/14 15:40:37 Download Agent
2018/05/14 15:40:46 Install agent error: Agent Download Error
root@kali:/tmp# wget -O /tmp/daemon https://192.168.84.161/json/download?type=daemon\&system=linux\&platform=64\&action=download;chmod +x /tmp/daemon;/tmp/daemon -install -netloc 192.168.84.161:443
--2018-05-14 16:49:05-- https://192.168.84.161/json/download?type=daemon&system=linux&platform=64&action=download
Connecting to 192.168.84.161:443... failed: No route to host.
后来我在本机安装
[root@localhost tmp]# ./daemon -install -netloc 127.0.0.1:443
2018/05/14 00:45:28 Download Agent
2018/05/14 00:45:29 Agent file MD5: 087c9064c2040b5c74642d4c79e7f94f
2018/05/14 00:46:29 Agent is broken, retry the downloader again
2018/05/14 00:46:29 Agent file MD5: 087c9064c2040b5c74642d4c79e7f94f
2018/05/14 00:47:29 Agent is broken, retry the downloader again
2018/05/14 00:47:29 Agent file MD5: 087c9064c2040b5c74642d4c79e7f94f
[root@localhost tmp]# /tmp/daemon -install -netloc 127.0.0.1:443
2018/05/14 00:47:49 Download Agent
2018/05/14 00:47:49 Agent file MD5: 087c9064c2040b5c74642d4c79e7f94f
2018/05/14 00:48:49 Agent is broken, retry the downloader again
2018/05/14 00:48:49 Agent file MD5: 087c9064c2040b5c74642d4c79e7f94f
2018/05/14 00:49:49 Agent is broken, retry the downloader again
2018/05/14 00:49:49 Agent file MD5: 087c9064c2040b5c74642d4c79e7f94f
2018/05/14 00:50:49 Agent is broken, retry the downloader again
2018/05/14 00:50:49 Install agent error: Agent Download Error
找了好久问题还是找不到,服务器是没问题的,能打开啊
服务器能够正常访问,后面显示了这个
2018/05/13 18:37:37 [server.go:2921] [HTTP] http: TLS handshake error from 192.168.84.1:60451: read tcp 192.168.84.161:443->192.168.84.1:60451: read: connection reset by peer
2018/05/13 18:39:38 [h2_bundle.go:4294] [HTTP] http2: server: error reading preface from client 192.168.84.135:36746: remote error: tls: unknown certificate authority
CentOS上安装agent时提示找不到data.zip,Linux包已上传,是什么原因?
Download dependent environment package
Install dependency, service error: open /usr/yulong-hids/data.zip: no such file or directory
Win 32位 agnet 编译出错
C:\Go\src>go build -o yulong-hids\bin\win-32\agent.exe --ldflags="-w -s" yulong
hids\agent\agent.go
yulong-hids/agent/vendor/github.com/akrennmair/gopcap
In file included from C:/WpdPack/Include/pcap/pcap.h:54:0,
from C:/WpdPack/Include/pcap.h:45,
from yulong-hids\agent\vendor\github.com\akrennmair\gopcap\pca
.go:12:
c:\mingw\include\stdio.h:345:12: error: expected '=', ',', ';', 'asm' or 'att
ibute' before '__mingw__snprintf'
extern int mingw_stdio_redirect(snprintf)(char*, size_t, const char*, ...)
^
c:\mingw\include\stdio.h:349:12: error: expected '=', ',', ';', 'asm' or 'att
ibute' before '__mingw__vsnprintf'
extern int mingw_stdio_redirect(vsnprintf)(char*, size_t, const char*, __V
LIST);
^
C:\Go\src>
安装agent后,重启后无法监控进程
正常安装好agent后,此时执行python s5.py在web端看到告警(功能正常),重启后,再次执行命令发现没有告警(功能异常),手动执行agent ip debug,发现出现如下错误:
connect syshook netlink error
此时查看65530端口是open的,通过对比安装完agent和重启后的端口情况发现:重启后agent少开放了一个随机端口
刚安装完agent的端口情况(功能正常):
udp 0 0 127.0.0.1:65530 0.0.0.0:* 1780/agent
udp 0 0 0.0.0.0:59142 0.0.0.0:* 1780/agent
重启后(功能异常):
udp 0 0 127.0.0.1:65530 0.0.0.0:* 1186/agent
此现象在centos7和6.x都存在
白名单没有生效
在告警列表中将一些进程点击加入到白名单中,以为不会在告警了,但之后几天仍然会出现在危险告警中
Windows server.exe error
` C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:535 +0x5a
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*mongoSocket).readLoop(0xc04372e9a0
)
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:551 +0x609
created by yulong-hids/server/vendor/gopkg.in/mgo%2ev2.newSocket
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:194 +0x1fc
goroutine 417 [IO wait]:
internal/poll.runtime_pollWait(0x3a80820, 0x72, 0xa16060)
C:/Go/src/runtime/netpoll.go:173 +0x5e
internal/poll.(*pollDesc).wait(0xc0420d6a08, 0x72, 0xc9d400, 0x0, 0x0)
C:/Go/src/internal/poll/fd_poll_runtime.go:85 +0xa2
internal/poll.(*ioSrv).ExecIO(0xcd4c80, 0xc0420d6858, 0x9d7908, 0x3fb, 0xc0423ca
00d, 0xfc)
C:/Go/src/internal/poll/fd_windows.go:223 +0x13a
internal/poll.(*FD).Read(0xc0420d6840, 0xc0423ca000, 0x400, 0x400, 0x0, 0x0, 0x0
)
C:/Go/src/internal/poll/fd_windows.go:484 +0x248
net.(*netFD).Read(0xc0420d6840, 0xc0423ca000, 0x400, 0x400, 0x8, 0x8, 0x3f3)
C:/Go/src/net/fd_windows.go:151 +0x56
net.(*conn).Read(0xc04207c440, 0xc0423ca000, 0x400, 0x400, 0x0, 0x0, 0x0)
C:/Go/src/net/net.go:176 +0x71
crypto/tls.(*block).readFromUntil(0xc04282a990, 0x33a4020, 0xc04207c440, 0x5, 0x
c04207c440, 0x0)
C:/Go/src/crypto/tls/conn.go:493 +0x9d
crypto/tls.(*Conn).readRecord(0xc0423b4700, 0x9d8117, 0xc0423b4820, 0x0)
C:/Go/src/crypto/tls/conn.go:595 +0xe7
crypto/tls.(*Conn).Read(0xc0423b4700, 0xc0423ca400, 0x400, 0x400, 0x0, 0x0, 0x0)
C:/Go/src/crypto/tls/conn.go:1156 +0x107
bufio.(*Reader).Read(0xc04297b680, 0xc0488a6f80, 0xc, 0xc, 0xc042ce7cc8, 0x81bd7
e, 0x90efc0)
C:/Go/src/bufio/bufio.go:216 +0x23f
io.ReadAtLeast(0xa14ba0, 0xc04297b680, 0xc0488a6f80, 0xc, 0xc, 0xc, 0xc0448900fe
, 0x6, 0xbe)
C:/Go/src/io/io.go:309 +0x8d
io.ReadFull(0xa14ba0, 0xc04297b680, 0xc0488a6f80, 0xc, 0xc, 0x0, 0x46bb79, 0x3)
C:/Go/src/io/io.go:327 +0x5f
yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol.(*Message).Decode(0
xc04203c660, 0xa14ba0, 0xc04297b680, 0x0, 0x0)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol/m
essage.go:359 +0x78
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).readRequest
(0xc0422c4160, 0xa18f80, 0xc04282aae0, 0xa14ba0, 0xc04297b680, 0xa18f80, 0xc0428
2aae0, 0xc0422c4160)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:335 +0x86
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn(0
xc0422c4160, 0xa1a2c0, 0xc0423b4700)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:258 +0x24f
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).
serveListener
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:189 +0x1e5
goroutine 57002 [semacquire]:
sync.runtime_SemacquireMutex(0xc0488a7524, 0x8dd500)
C:/Go/src/runtime/sema.go:71 +0x44
sync.(*Mutex).Lock(0xc0488a7520)
C:/Go/src/sync/mutex.go:134 +0x10f
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*mongoSocket).SimpleQuery(0xc04215a
000, 0xc04212bce0, 0x5, 0x9badfe, 0x5, 0xc0488a7510, 0xa)
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:367 +0x1fd
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*Database).run(0xc0421e53c0, 0xc042
15a000, 0x95a7c0, 0xc043854450, 0x8c6060, 0xc0488a74f8, 0xc0421e53f0, 0xc0438544
50)
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/session.go:3261 +0x1
ae
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*Database).Run(0xc0421e53c0, 0x95a7
c0, 0xc043854450, 0x8c6060, 0xc0488a74f8, 0x0, 0x0)
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/session.go:656 +0xc2
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*Query).Count(0xc042a27d00, 0x91b06
0, 0xc043854420, 0xc042a27d00)
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/session.go:3970 +0x2
6d
yulong-hids/server/action.ResultStat(0xc0488a7470, 0xb, 0xc0488a7480, 0xa, 0xc04
88a7490, 0x5, 0xc04207c3c8, 0x1, 0x1, 0xbeb40f235e5f77ec, ...)
C:/Go/src/yulong-hids/server/action/statistics.go:34 +0x6fe
main.(*Watcher).PutInfo(0xc042008b88, 0xa18f80, 0xc043854390, 0xc0427a9f80, 0xc0
488a74f0, 0x0, 0x0)
C:/Go/src/yulong-hids/server/server.go:44 +0x1d0
reflect.Value.call(0xc0422da180, 0xc0420040a0, 0x13, 0x9baae6, 0x4, 0xc0421b7c50
, 0x4, 0x4, 0xc04699d080, 0x939ae0, ...)
C:/Go/src/reflect/value.go:447 +0x970
reflect.Value.Call(0xc0422da180, 0xc0420040a0, 0x13, 0xc0421b7c50, 0x4, 0x4, 0x8
bde01, 0x8bdea0, 0xc0488a74f0)
C:/Go/src/reflect/value.go:308 +0xab
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*service).call(0xc04
211e550, 0xa18f80, 0xc043854390, 0xc0422da200, 0x8c8160, 0xc0427a9f80, 0x16, 0x8
bdea0, 0xc0488a74f0, 0x16, ...)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
vice.go:315 +0x1bc
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).handleReque
st(0xc0422c4160, 0xa18f80, 0xc043854390, 0xc04214e060, 0x90efc0, 0xc043854330, 0
xa18f80)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:387 +0x3b7
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn.f
unc2(0xc04214e060, 0xa1a2c0, 0xc0420ad500, 0xa18f80, 0xc04211cc90, 0xc0422c4160)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:302 +0x185
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).
serveConn
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:290 +0x4fb
goroutine 11281 [IO wait]:
internal/poll.runtime_pollWait(0x3a80680, 0x72, 0xa16060)
C:/Go/src/runtime/netpoll.go:173 +0x5e
internal/poll.(*pollDesc).wait(0xc042f8d7c8, 0x72, 0xc9d400, 0x0, 0x0)
C:/Go/src/internal/poll/fd_poll_runtime.go:85 +0xa2
internal/poll.(*ioSrv).ExecIO(0xcd4c80, 0xc042f8d618, 0x9d7908, 0x411e72, 0xc046
b5cb60, 0x10)
C:/Go/src/internal/poll/fd_windows.go:223 +0x13a
internal/poll.(*FD).Read(0xc042f8d600, 0xc043d38000, 0x1000, 0x1000, 0x0, 0x0, 0
x0)
C:/Go/src/internal/poll/fd_windows.go:484 +0x248
net.(*netFD).Read(0xc042f8d600, 0xc043d38000, 0x1000, 0x1000, 0x452000, 0xc04213
6a80, 0x4)
C:/Go/src/net/fd_windows.go:151 +0x56
net.(*conn).Read(0xc047917630, 0xc043d38000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
C:/Go/src/net/net.go:176 +0x71
net/http.(*persistConn).Read(0xc047aa6ea0, 0xc043d38000, 0x1000, 0x1000, 0xc0463
b3b98, 0x4035c5, 0xc042044ea0)
C:/Go/src/net/http/transport.go:1453 +0x13d
bufio.(*Reader).fill(0xc04b0b33e0)
C:/Go/src/bufio/bufio.go:100 +0x125
bufio.(*Reader).Peek(0xc04b0b33e0, 0x1, 0x0, 0x0, 0x1, 0xc0422a68a0, 0x0)
C:/Go/src/bufio/bufio.go:132 +0x41
net/http.(*persistConn).readLoop(0xc047aa6ea0)
C:/Go/src/net/http/transport.go:1601 +0x18c
created by net/http.(*Transport).dialConn
C:/Go/src/net/http/transport.go:1237 +0x961
goroutine 11282 [select]:
net/http.(*persistConn).writeLoop(0xc047aa6ea0)
C:/Go/src/net/http/transport.go:1822 +0x152
created by net/http.(*Transport).dialConn
C:/Go/src/net/http/transport.go:1238 +0x986
goroutine 21116 [IO wait, 3 minutes]:
internal/poll.runtime_pollWait(0x3a809c0, 0x72, 0xa16060)
C:/Go/src/runtime/netpoll.go:173 +0x5e
internal/poll.(*pollDesc).wait(0xc042149248, 0x72, 0xc9d400, 0x0, 0x0)
C:/Go/src/internal/poll/fd_poll_runtime.go:85 +0xa2
internal/poll.(*ioSrv).ExecIO(0xcd4c80, 0xc042149098, 0x9d7908, 0x3fb, 0xc0423ca
80d, 0x9a)
C:/Go/src/internal/poll/fd_windows.go:223 +0x13a
internal/poll.(*FD).Read(0xc042149080, 0xc0423ca800, 0x400, 0x400, 0x0, 0x0, 0x0
)
C:/Go/src/internal/poll/fd_windows.go:484 +0x248
net.(*netFD).Read(0xc042149080, 0xc0423ca800, 0x400, 0x400, 0x8, 0x8, 0x3f3)
C:/Go/src/net/fd_windows.go:151 +0x56
net.(*conn).Read(0xc04207c2d8, 0xc0423ca800, 0x400, 0x400, 0x0, 0x0, 0x0)
C:/Go/src/net/net.go:176 +0x71
crypto/tls.(*block).readFromUntil(0xc04ecf3860, 0x33a4020, 0xc04207c2d8, 0x5, 0x
c04207c2d8, 0x0)
C:/Go/src/crypto/tls/conn.go:493 +0x9d
crypto/tls.(*Conn).readRecord(0xc0420ac380, 0x9d8117, 0xc0420ac4a0, 0x0)
C:/Go/src/crypto/tls/conn.go:595 +0xe7
crypto/tls.(*Conn).Read(0xc0420ac380, 0xc0423cb400, 0x400, 0x400, 0x0, 0x0, 0x0)
C:/Go/src/crypto/tls/conn.go:1156 +0x107
bufio.(*Reader).Read(0xc0427a8480, 0xc04caa4450, 0xc, 0xc, 0xc042387cc8, 0x81bd7
e, 0x90efc0)
C:/Go/src/bufio/bufio.go:216 +0x23f
io.ReadAtLeast(0xa14ba0, 0xc0427a8480, 0xc04caa4450, 0xc, 0xc, 0xc, 0xc042838a9e
, 0x6, 0x5c)
C:/Go/src/io/io.go:309 +0x8d
io.ReadFull(0xa14ba0, 0xc0427a8480, 0xc04caa4450, 0xc, 0xc, 0x0, 0x46bb79, 0x2)
C:/Go/src/io/io.go:327 +0x5f
yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol.(*Message).Decode(0
xc04b0b24e0, 0xa14ba0, 0xc0427a8480, 0x0, 0x0)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol/m
essage.go:359 +0x78
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).readRequest
(0xc0422c4160, 0xa18f80, 0xc04ecf3a70, 0xa14ba0, 0xc0427a8480, 0xa18f80, 0xc04ec
f3a70, 0xc0422c4160)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:335 +0x86
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn(0
xc0422c4160, 0xa1a2c0, 0xc0420ac380)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:258 +0x24f
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).
serveListener
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:189 +0x1e5
goroutine 57001 [runnable]:
sync.runtime_SemacquireMutex(0xc043872f9c, 0x8dd500)
C:/Go/src/runtime/sema.go:71 +0x44
sync.(*Mutex).Lock(0xc043872f98)
C:/Go/src/sync/mutex.go:134 +0x10f
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*mongoSocket).SimpleQuery(0xc04215a
000, 0xc04212fa40, 0x5, 0x9badfe, 0x5, 0xc043872fa0, 0xa)
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:367 +0x1fd
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*Database).run(0xc044d613c0, 0xc042
15a000, 0x95a7c0, 0xc04372bf50, 0x8c6060, 0xc043872f90, 0xc044d613f0, 0xc04372bf
50)
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/session.go:3261 +0x1
ae
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*Database).Run(0xc044d613c0, 0x95a7
c0, 0xc04372bf50, 0x8c6060, 0xc043872f90, 0x0, 0x0)
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/session.go:656 +0xc2
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*Query).Count(0xc04371e900, 0x91b06
0, 0xc04372bf20, 0xc04371e900)
C:/Go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/session.go:3970 +0x2
6d
yulong-hids/server/action.ResultStat(0xc043872f00, 0xb, 0xc043872f10, 0xa, 0xc04
3872f20, 0x5, 0xc047916270, 0x1, 0x1, 0xbeb40f235e5090b0, ...)
C:/Go/src/yulong-hids/server/action/statistics.go:34 +0x6fe
main.(*Watcher).PutInfo(0xc042008b88, 0xa18f80, 0xc04372be90, 0xc04297a3c0, 0xc0
43872f78, 0x0, 0x0)
C:/Go/src/yulong-hids/server/server.go:44 +0x1d0
reflect.Value.call(0xc0422da180, 0xc0420040a0, 0x13, 0x9baae6, 0x4, 0xc04276bc50
, 0x4, 0x4, 0xc0439c9f00, 0x939ae0, ...)
C:/Go/src/reflect/value.go:447 +0x970
reflect.Value.Call(0xc0422da180, 0xc0420040a0, 0x13, 0xc04276bc50, 0x4, 0x4, 0x8
bde01, 0x8bdea0, 0xc043872f78)
C:/Go/src/reflect/value.go:308 +0xab
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*service).call(0xc04
211e550, 0xa18f80, 0xc04372be90, 0xc0422da200, 0x8c8160, 0xc04297a3c0, 0x16, 0x8
bdea0, 0xc043872f78, 0x16, ...)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
vice.go:315 +0x1bc
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).handleReque
st(0xc0422c4160, 0xa18f80, 0xc04372be90, 0xc04d2f2ba0, 0x90efc0, 0xc04372be30, 0
xa18f80)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:387 +0x3b7
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn.f
unc2(0xc04d2f2ba0, 0xa1a2c0, 0xc0420ad500, 0xa18f80, 0xc04211cc90, 0xc0422c4160)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:302 +0x185
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).
serveConn
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:290 +0x4fb
goroutine 37156 [IO wait]:
internal/poll.runtime_pollWait(0x3a80750, 0x72, 0xa16060)
C:/Go/src/runtime/netpoll.go:173 +0x5e
internal/poll.(*pollDesc).wait(0xc042007d48, 0x72, 0xc9d400, 0x0, 0x0)
C:/Go/src/internal/poll/fd_poll_runtime.go:85 +0xa2
internal/poll.(*ioSrv).ExecIO(0xcd4c80, 0xc042007b98, 0x9d7908, 0x1ffb, 0xc04216
400d, 0xd9)
C:/Go/src/internal/poll/fd_windows.go:223 +0x13a
internal/poll.(*FD).Read(0xc042007b80, 0xc042164000, 0x2000, 0x2000, 0x0, 0x0, 0
x0)
C:/Go/src/internal/poll/fd_windows.go:484 +0x248
net.(*netFD).Read(0xc042007b80, 0xc042164000, 0x2000, 0x2000, 0x8, 0x8, 0x1ff3)
C:/Go/src/net/fd_windows.go:151 +0x56
net.(*conn).Read(0xc0430f0f58, 0xc042164000, 0x2000, 0x2000, 0x0, 0x0, 0x0)
C:/Go/src/net/net.go:176 +0x71
crypto/tls.(*block).readFromUntil(0xc0432e68d0, 0x33a4020, 0xc0430f0f58, 0x5, 0x
c0430f0f58, 0x0)
C:/Go/src/crypto/tls/conn.go:493 +0x9d
crypto/tls.(*Conn).readRecord(0xc0420ac700, 0x9d8117, 0xc0420ac820, 0x0)
C:/Go/src/crypto/tls/conn.go:595 +0xe7
crypto/tls.(*Conn).Read(0xc0420ac700, 0xc047e50000, 0x400, 0x400, 0x0, 0x0, 0x0)
C:/Go/src/crypto/tls/conn.go:1156 +0x107
bufio.(*Reader).Read(0xc045a61c20, 0xc046ca3de0, 0xc, 0xc, 0x60, 0x60, 0x99ec20)
C:/Go/src/bufio/bufio.go:216 +0x23f
io.ReadAtLeast(0xa14ba0, 0xc045a61c20, 0xc046ca3de0, 0xc, 0xc, 0xc, 0xc042ed431e
, 0x6, 0x9b)
C:/Go/src/io/io.go:309 +0x8d
io.ReadFull(0xa14ba0, 0xc045a61c20, 0xc046ca3de0, 0xc, 0xc, 0x81c82a, 0x99ec20,
0xc044f86c00)
C:/Go/src/io/io.go:327 +0x5f
yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol.(*Message).Decode(0
xc044f86c00, 0xa14ba0, 0xc045a61c20, 0x0, 0x0)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol/m
essage.go:359 +0x78
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).readRequest
(0xc0422c4160, 0xa18f80, 0xc0432e75c0, 0xa14ba0, 0xc045a61c20, 0xa18f80, 0xc0432
e75c0, 0xc0422c4160)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:335 +0x86
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn(0
xc0422c4160, 0xa1a2c0, 0xc0420ac700)
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:258 +0x24f
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).
serveListener
C:/Go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/ser
ver.go:189 +0x1e5
C:\yulong-hids>
`
运行一会儿就报错了
agent在某时段内存过高引起机器异常
agent在某一时段会dir /proc并发读取打开过高,引起内存异常报警,持续大概5-10分钟左右,根据zabbix监控瞬间占用达3.5个G,应该怎么限制同时读取的并发或者限制agent使用最大使用内存?
主机信息中 userlist 会缺失部分 user
你好, 我新建用户后发现 userlist 中看不到新用户.
reload agent 过了一段时间后仍看不到, 但同时该主机的 crontab/listening/process 信息能正确更新.
我对比了另外一台机器的 /etc/passwd 和web界面中的 userlist, 发现 userlist 少了3个用户.
观察模式如何关闭,不关闭的话告警去哪里查看
如题,测试的话想手工制造一些触发策略的告警,然后看看是否会被记录
首先给这个方案点赞,其次写一些问题
windows:
如下
如何更改agent 监听地址?默认在0.0.0.0 上监听一个随机端口
udp 0 0 0.0.0.0:54632 0.0.0.0:* 30178/agent
你好,客户端启动后默认会对外开放一个随机端口,如何将其限制在内网ip?
web页面点击“统计信息”提示:“服务端响应格式错误,请检查输入是否合理”
打开web页面,登陆后点击“统计信息”提示:“服务端响应格式错误,请检查输入是否合理”。
ubuntu16.04.4 加载syshook_execve后crash
在 agent insmod 引起的
Apr 12 19:25:59 test kernel: [ 148.067042] Start found sys_call_table.
Apr 12 19:25:59 test kernel: [ 148.068545] Found the sys_call_table!!! __NR_close[3] sys_close[ffffffff81210e40]
Apr 12 19:25:59 test kernel: [ 148.068545] __NR_execve[59] sct[__NR_execve][0xffffffff8184f320]
Apr 12 19:25:59 test kernel: [ 148.068602] syshook: create netlink success.
Apr 12 19:25:59 test kernel: [ 148.070779] Loading module monitor_execve, sys_call_table at ffffffff81a00200
Apr 12 19:26:01 test kernel: [ 150.712893] BUG: unable to handle kernel paging request at fffffffdc3bd36a0
Apr 12 19:26:01 test kernel: [ 150.712964] IP: [<ffffffffc06a5881>] monitor_stub_execve_hook+0x21/0x28 [syshook_execve]
Apr 12 19:26:01 test kernel: [ 150.713034] PGD 1e0f067 PUD 0
Apr 12 19:26:01 test kernel: [ 150.713067] Oops: 0000 [#1] SMP
Apr 12 19:26:01 test kernel: [ 150.713100] Modules linked in: syshook_execve(OE) xt_nat xt_tcpudp ipt_MASQUERADE nf_nat_masquerade_ipv4 xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack br_netfilter bridge stp llc aufs nfnetlink_queue nfnetlink_log nfnetlink tcp_diag bluetooth inet_diag vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 snd_ac97_codec gameport snd_rawmidi snd_seq_device ac97_bus snd_pcm snd_timer snd coretemp soundcore joydev input_leds serio_raw parport_pc 8250_fintek parport i2c_piix4 shpchp vmw_vmci mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx ttm drm_kms_helper syscopyarea psmouse sysfillrect sysimgblt fb_sys_fops drm mptspi mptscsih ahci libahci e1000 mptbase scsi_transport_spi pata_acpi fjes
Apr 12 19:26:01 test kernel: [ 150.714242] CPU: 0 PID: 1762 Comm: bash Tainted: G OE 4.4.0-116-generic #140-Ubuntu
Apr 12 19:26:01 test kernel: [ 150.714317] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2014
Apr 12 19:26:01 test kernel: [ 150.714401] task: ffff8800303d4600 ti: ffff880039d80000 task.ti: ffff880039d80000
Apr 12 19:26:01 test kernel: [ 150.714512] RIP: 0010:[<ffffffffc06a5881>] [<ffffffffc06a5881>] monitor_stub_execve_hook+0x21/0x28 [syshook_execve]
Apr 12 19:26:01 test kernel: [ 150.714703] RSP: 0018:ffff880039d83f50 EFLAGS: 00010246
Apr 12 19:26:01 test kernel: [ 150.714751] RAX: ffffffffc06a5860 RBX: 0000000001e0edc8 RCX: 0000000000000598
Apr 12 19:26:01 test kernel: [ 150.714804] RDX: 0000000001dea008 RSI: 0000000001e0ee48 RDI: 0000000001e0edc8
Apr 12 19:26:01 test kernel: [ 150.714857] RBP: 0000000000000001 R08: 00007ffd9af80a90 R09: 0000000000000000
Apr 12 19:26:01 test kernel: [ 150.714910] R10: 0000000000000598 R11: 0000000000000206 R12: 0000000001e0edc8
Apr 12 19:26:01 test kernel: [ 150.714963] R13: 0000000001e0ee48 R14: 0000000001dea008 R15: 0000000001e0ed68
Apr 12 19:26:01 test kernel: [ 150.715017] FS: 00007f98fcd8c700(0000) GS:ffff88003c600000(0000) knlGS:0000000000000000
Apr 12 19:26:01 test kernel: [ 150.716734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Apr 12 19:26:01 test kernel: [ 150.718464] CR2: fffffffdc3bd36a0 CR3: 000000003a000000 CR4: 0000000000360670
Apr 12 19:26:01 test kernel: [ 150.720287] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Apr 12 19:26:01 test kernel: [ 150.722047] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Apr 12 19:26:01 test kernel: [ 150.723165] Stack:
Apr 12 19:26:01 test kernel: [ 150.724100] ffffffff8184efc8 00000000fc2c9fc5 00007f98fc37d0cc 0000000000000001
Apr 12 19:26:01 test kernel: [ 150.725069] 00007f98fcd8e9d8 00007f98fcd8d030 00007f98fc3863c0 0000000000000206
Apr 12 19:26:01 test kernel: [ 150.726000] 0000000000000598 0000000000000000 00007ffd9af80a90 ffffffffffffffda
Apr 12 19:26:01 test kernel: [ 150.726965] Call Trace:
Apr 12 19:26:01 test kernel: [ 150.727879] [<ffffffff8184efc8>] ? entry_SYSCALL_64_fastpath+0x1c/0xbb
Apr 12 19:26:01 test kernel: [ 150.728816] Code: e8 ae bd ae c0 e9 7b ff ff ff 53 57 56 52 51 50 41 50 41 51 41 52 41 53 e8 ad f8 ff ff 41 5b 41 5a 41 59 41 58 58 59 5a 5e 5f 5b <ff> 24 c5 a0 73 6a c0 55 48 8b 3d 08 1b 00 00 48 89 e5 e8 78 d2
Apr 12 19:26:01 test kernel: [ 150.731763] RIP [<ffffffffc06a5881>] monitor_stub_execve_hook+0x21/0x28 [syshook_execve]
Apr 12 19:26:01 test kernel: [ 150.732700] RSP <ffff880039d83f50>
Apr 12 19:26:01 test kernel: [ 150.733621] CR2: fffffffdc3bd36a0
Apr 12 19:26:01 test kernel: [ 150.734541] ---[ end trace 7e834cbd3143b047 ]---
Agent 回传时间间隔没有生效
主机列表中每台主机的最后更新时间总是按1分钟的频率更新, 无论我在设置里将 client 的间隔设置为多少.
忽略
忽略
Agent无法启动, 提示信息: exit status 127
在一台 CentOS 5.4 的机器上成功安装后服务没起来, 手动启动时发现如下提示:
./daemon -netloc xxxx:443
2018/05/15 13:52:35 Start Agent
2018/05/15 13:52:35 Start Agent successful
2018/05/15 13:52:35 Agent to exit: exit status 127
2018/05/15 13:52:35 Start the task listener thread
2018/05/15 13:52:45 Start Agent
2018/05/15 13:52:45 Start Agent successful
2018/05/15 13:52:45 Agent to exit: exit status 127
lsb_release -a
LSB Version: :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.4 (Final)
Release: 5.4
Codename: Final
uname -r
2.6.18-164.el5
Error compile web binary
Hello,
I compile succes, but execute is error:
`./web flag redefined: graceful
panic: ./web flag redefined: graceful
goroutine 1 [running]:
flag.(*FlagSet).Var(0xc420068120, 0xae4860, 0xdf1c91, 0xa6e982, 0x8, 0xa7ff73, 0x21)
/usr/local/go/src/flag/flag.go:810 +0x540
flag.BoolVar(0xdf1c91, 0xa6e982, 0x8, 0xc420190200, 0xa7ff73, 0x21)
/usr/local/go/src/flag/flag.go:589 +0x72
github.com/astaxie/beego/grace.init.0()
/home/exam/src/github.com/astaxie/beego/grace/grace.go:93 +0x60`
啥时候支持es6.x?
如题,es6出来好久了
加载syshook时判断内核版本
加载syshook后出现异常
uname -r
版本为 2.6.32-696.23.1.el6.x86_64
版本与data.zip中编译好的ko并不完全一致,导致异常。编译指南中有说明版本要完全一致,但是不一定每个人都会看。
最好在代码中进行判断,如果版本不完全一致则拒绝加载syshook模块,并给出提示自行编译。
debian9 编译加载sys_hook后异常
debian9 GCE环境
cat /boot/config-uname -r | grep CONFIG_RETPOLINE
CONFIG_RETPOLINE=y
gcc-6 (6.3.0-18+deb9u1)
uname -r
4.9.0-6-amd64
insmod syshook_execve.ko
加载之后执行任意命令都返回
killed
agent安装之后再安装iis服务web标签不能自动记录
环境:win server 2008 r2
先安装了agent,而后安装的iis7.5 出现了w3wp.exe的进程,在主机的详细信息里的进程列表里也出现了w3wp.exe的进程。
但是面板的上没有对这台服务器打上web的标签。我看了下代码,如果不打web标签的话,是不会监控web目录的。
GCE centos7 加载syshook后ssh连接中断
kernel版本
3.10.0-693.21.1.el7.x86_64
运行的命令
insmod syshook_3.10.0-693.ko
可稳定复现
collector没有覆盖ubuntu的crontab
/agent/collect/crontab_linux.go
ubuntu的crontab在/var/spool/cron/crontabs/,这里没有覆盖到。
win10 agent无法安装
在win10上安装agent时提示“此应用无法在您的电脑上运行”
windows - server cert error
C:\hids_server>server -db 10.192.9.231:27017 -es 10.192.9.231:9200
2018/05/08 14:26:04 Get Config
2018/05/08 14:26:05 {true false {[] [] [mssecsvc.exe tasksche.exe] []} {[] []
[] []} -----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDC5AAi+XJE8whsKkB3bO1hPuApgAvvIDodReAO5GbSo73a63rc
EgIGZaWm/3EJIRvG1yXYd0dWsI1NWvuhQPvwWmegkSsvBiSUgiIBn0NxJ4K5UwAs
8ducHQKtgdXaoanOVWBIFBaiYOcsW1iPWLb3HYQgLCLrkR2z7kGFEG4VawIDAQAB
AoGBAIN0YLc2hCIHv92dnkAvo+odC/xSFzqjBS/ritbgro5TzeKVRRiduOnxtAtx
byAWSfMT+b4Jrn/FtHnB7cp117i4/z5Qp0hA/CgQJyP9HOSezHSk/gP8Yekll+dk
AdV6Lz7Hq64m6oLuBqisxgfeINXf2Pzm4SqpOnCaqrvgltG5AkEA5dAz5Rhx0PoT
OIMzkul7Bcmt9ZlAMXUivKFSTC3zANH0IZ8llXC4uVQNPBQiaSJ8S45hr4LD6pQO
I14XilW63wJBANkZFPWQ3EIwJTegOot/dgVFLWKz9aCOGamTMgjghEqu7RfyvkHW
LuoK7QUcMjZQwG0qNrxuwjQsJ8xuxEkjgvUCQEHtjcWuUpCB/VucAAKoanuJlRc9
BLZrhTCaExL5p5nXoXK3xj9t3ACGxVkz6X9BvmiqiwmfuPalzLyGtLghyf8CQQCM
ovHv7qqw+e1yLoseiTCUU28GTNwm6Ub4klFMbN1mYBFZfTgBAFYd6XwH3m8svn0Z
espAoWOPVrdleLARTT7tAkABbp0phHSfuyBweH3rCkupiLXqvsrnD03SPh/kEcz1
Pa+QBLFPmdzaBQJzHuDiAyBNcg22+rpKXPjxY6aTsfdX
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICWDCCAcGgAwIBAgIJAMg9QxmYuWArMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTgwNTA4MDI1MTIxWhcNMjgwNTA1MDI1MTIxWjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDYXb/rdx5Z+gMK91FvE+hLngP5chvGuuM/Ttxet79mn3vQik6dGGweUyvIFPCj
HO0jh4MuK59rMnMN3h7EBU7PPuqaVAzqqp++UYCoicE8JUn41+AsC78PUiMaCVrs
UzC6neCbdGqNYLfqXKLUC3xjlt4yHB5d846FGPaPfWo37QIDAQABo1AwTjAdBgNV
HQ4EFgQUugEVVgrxDz9kDtjwLIBRRdeeiBUwHwYDVR0jBBgwFoAUugEVVgrxDz9k
DtjwLIBRRdeeiBUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBIEbjX
8J7/zCmY8B6GhZGnB+ioeXYXny8mNhlkxaoyE624VqHtslY9jKl7SxYs1Uas9ZdN
B/4kBixr3PyFc4jYmuL/M4ZxPTIDniqMzED0i3Jg3SD18QPgIEMwHCfoF49Rh3fP
flOQ67BTdEHB2x+ZRA0WYTpJQp+psUUkcpgvgA==
-----END CERTIFICATE----- {false http://127.0.0.1/api/?ip={$ip} http://127.0.0.1
/api/?hash={$hash} black} {false http://127.0.0.1/test/?text={$info} true}}
2018/05/08 14:26:05 Start heartbeat thread
2018/05/08 14:26:05 Start Task Thread
2018/05/08 14:26:05 Start Scan Thread
2018/05/08 14:26:05 Start Health Check Thread
2018/05/08 14:26:05 cert error!
mongodb和es配置应该没问题 web也初始化了 启动server的时候报错
windows 可疑登陆告警信息错误问题
在某些内核版本下加载驱动,会造成系统挂掉
在3.10.0-862.14.4.el7.x86_64 下,因没有驱动所以自行编译驱动并加载后,系统自动重启。编译过程中没有报错
[root@localhost test]# uname -a
Linux localhost 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# gcc -v
使用内建 specs。
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/local/libexec/gcc/x86_64-pc-linux-gnu/7.3.0/lto-wrapper
目标:x86_64-pc-linux-gnu
配置为:../configure --enable-checking=release --enable-languages=c,c++ --disable-multilib
线程模型:posix
gcc 版本 7.3.0 (GCC)
日志:
Nov 6 16:12:59 localhost kernel: syshook_execve: loading out-of-tree module taints kernel.
Nov 6 16:12:59 localhost kernel: syshook_execve: module verification failed: signature and/or required key missing - tainting kernel
Nov 6 16:12:59 localhost kernel: Start found sys_call_table.
Nov 6 16:12:59 localhost kernel: Found the sys_call_table!!! __NR_close[3] sys_close[ffffffffa7e1e240]#12 __NR_execve[59] sct[__NR_execve][0xffffffffa8325ce0]
Nov 6 16:12:59 localhost kernel: syshook: create netlink success.
Nov 6 16:12:59 localhost kernel: Loading module monitor_execve, sys_call_table at ffffffffa8403300
有时需要安装两次才可以成功安装
只在部分 CentOS 6.5 的机器上观察到这种情况.
第一次安装
/tmp/daemon -install -netloc xxx:443
2018/05/15 13:40:18 Download dependent environment package
2018/05/15 13:40:18 Use syshook_2.6.32-431
2018/05/15 13:40:18 Install dependency, service error: exit status 1
第二次安装
/tmp/daemon -install -netloc xxx:443
2018/05/15 13:40:22 Download Agent
2018/05/15 13:40:53 Agent file MD5: 087c9064c2040b5c74642d4c79e7f94f
2018/05/15 13:40:53 Agent download finished, hash check passed
2018/05/15 13:40:53 Copy the daemon to the installation directory
2018/05/15 13:40:53 Start the service
2018/05/15 13:40:53 Installed!
LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.5 (Final)
Release: 6.5
Codename: Final
uname -r
2.6.32-431.11.2.el6.toa.2.x86_64
启动web报错
test
server端总异常崩溃
部署三台agent 两个server端
ES、m都是单台部署的 按说客户端不多日志量应该不至于导致崩溃吧
我查到有其它go程序存在类似问题golang/go#18137
以下为报错日志
fatal error: concurrent map iteration and map write
goroutine 16 [running]:
runtime.throw(0x9bde28, 0x26)
/usr/local/go/src/runtime/panic.go:619 +0x81 fp=0xc420285480 sp=0xc420285460 pc=0x42b2a1
runtime.mapiternext(0xc4200ca300)
/usr/local/go/src/runtime/hashmap.go:747 +0x55c fp=0xc420285510 sp=0xc420285480 pc=0x40a48c
runtime.mapiterinit(0x903420, 0xc42028e0f0, 0xc4200ca300)
/usr/local/go/src/runtime/hashmap.go:737 +0x1f1 fp=0xc420285538 sp=0xc420285510 pc=0x409e41
reflect.mapiterinit(0x903420, 0xc42028e0f0, 0x95)
/usr/local/go/src/runtime/hashmap.go:1217 +0x54 fp=0xc420285568 sp=0xc420285538 pc=0x40b564
reflect.Value.MapKeys(0x903420, 0xc42026c0d0, 0x95, 0x0, 0xc4202856f0, 0x68b1eb)
/usr/local/go/src/reflect/value.go:1114 +0xdd fp=0xc420285610 sp=0xc420285568 pc=0x4abe2d
encoding/json.(*mapEncoder).encode(0xc42000e280, 0xc4201a00b0, 0x903420, 0xc42026c0d0, 0x95, 0x100)
/usr/local/go/src/encoding/json/encode.go:668 +0xad fp=0xc420285770 sp=0xc420285610 pc=0x5f690d
encoding/json.(*mapEncoder).(encoding/json.encode)-fm(0xc4201a00b0, 0x903420, 0xc42026c0d0, 0x95, 0x100)
/usr/local/go/src/encoding/json/encode.go:700 +0x64 fp=0xc4202857b0 sp=0xc420285770 pc=0x6007d4
encoding/json.(*structEncoder).encode(0xc42028e5a0, 0xc4201a00b0, 0x93ac80, 0xc42026c0c0, 0x99, 0x930100)
/usr/local/go/src/encoding/json/encode.go:639 +0x255 fp=0xc420285910 sp=0xc4202857b0 pc=0x5f64d5
encoding/json.(*structEncoder).(encoding/json.encode)-fm(0xc4201a00b0, 0x93ac80, 0xc42026c0c0, 0x99, 0xc420260100)
/usr/local/go/src/encoding/json/encode.go:653 +0x64 fp=0xc420285950 sp=0xc420285910 pc=0x600754
encoding/json.(*encodeState).reflectValue(0xc4201a00b0, 0x93ac80, 0xc42026c0c0, 0x99, 0x100)
/usr/local/go/src/encoding/json/encode.go:325 +0x82 fp=0xc420285988 sp=0xc420285950 pc=0x5f4332
encoding/json.(*encodeState).marshal(0xc4201a00b0, 0x93ac80, 0xc42026c0c0, 0x9b0100, 0x0, 0x0)
/usr/local/go/src/encoding/json/encode.go:298 +0xa5 fp=0xc4202859c0 sp=0xc420285988 pc=0x5f4025
encoding/json.Marshal(0x93ac80, 0xc42026c0c0, 0xc42026c1e0, 0x9b1df7, 0xc, 0x9b3795, 0x10)
/usr/local/go/src/encoding/json/encode.go:161 +0x5f fp=0xc420285a08 sp=0xc4202859c0 pc=0x5f3cbf
yulong-hids/server/vendor/github.com/olivere/elastic.(*Request).setBodyJson(0xc420526000, 0x93ac80, 0xc42026c0c0, 0xc420526000, 0x0)
/usr/local/go/src/yulong-hids/server/vendor/github.com/olivere/elastic/request.go:58 +0x39 fp=0xc420285a68 sp=0xc420285a08 pc=0x788e89
yulong-hids/server/vendor/github.com/olivere/elastic.(*Request).SetBody(0xc420526000, 0x93ac80, 0xc42026c0c0, 0x0, 0xc420526000, 0x0)
/usr/local/go/src/yulong-hids/server/vendor/github.com/olivere/elastic/request.go:51 +0x153 fp=0xc420285ab0 sp=0xc420285a68 pc=0x788df3
yulong-hids/server/vendor/github.com/olivere/elastic.(*Client).PerformRequest(0xc4201b2000, 0xa0d780, 0xc42009a010, 0x9af7b0, 0x4, 0xc420022240, 0x1b, 0xc42026c1b0, 0x93ac80, 0xc42026c0c0, ...)
/usr/local/go/src/yulong-hids/server/vendor/github.com/olivere/elastic/client.go:1257 +0xe76 fp=0xc420285cb8 sp=0xc420285ab0 pc=0x73bc46
yulong-hids/server/vendor/github.com/olivere/elastic.(*IndexService).Do(0xc420285ec0, 0xa0d780, 0xc42009a010, 0xc42026c0c0, 0x0, 0x0)
/usr/local/go/src/yulong-hids/server/vendor/github.com/olivere/elastic/index.go:267 +0x155 fp=0xc420285df0 sp=0xc420285cb8 pc=0x75b005
yulong-hids/server/models.InsertThread()
/usr/local/go/src/yulong-hids/server/models/es.go:240 +0x192 fp=0xc420285fe0 sp=0xc420285df0 pc=0x802ec2
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:2361 +0x1 fp=0xc420285fe8 sp=0xc420285fe0 pc=0x457311
created by main.init.0
/usr/local/go/src/yulong-hids/server/server.go:74 +0x1d5
goroutine 1 [IO wait]:
internal/poll.runtime_pollWait(0x7f9d98c1fd60, 0x72, 0x0)
/usr/local/go/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc4201ae918, 0x72, 0xc420072100, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc4201ae918, 0xffffffffffffff00, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Accept(0xc4201ae900, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_unix.go:372 +0x1a8
net.(*netFD).accept(0xc4201ae900, 0x10, 0x0, 0x0)
/usr/local/go/src/net/fd_unix.go:238 +0x42
net.(*TCPListener).accept(0xc42000e218, 0xc4201b41c8, 0xc420287d50, 0x9a8aa0)
/usr/local/go/src/net/tcpsock_posix.go:136 +0x2e
net.(*TCPListener).Accept(0xc42000e218, 0x434544, 0xc420287c98, 0x453d70, 0xc420287cd8)
/usr/local/go/src/net/tcpsock.go:259 +0x49
crypto/tls.(*listener).Accept(0xc42024e640, 0x9cc900, 0xc4201a0160, 0xa0eb40, 0xc4200d4a80)
/usr/local/go/src/crypto/tls/tls.go:52 +0x37
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveListener(0xc4201a0160, 0xa0ce40, 0xc42024e640, 0x9afdb1, 0x6)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:148 +0xca
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).Serve(0xc4201a0160, 0x9af651, 0x3, 0x9afdb1, 0x6, 0x0, 0x0)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:127 +0xa5
main.main()
/usr/local/go/src/yulong-hids/server/server.go:87 +0x2c1
goroutine 19 [select]:
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*mongoCluster).syncServersLoop(0xc420140000)
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/cluster.go:394 +0x31a
created by yulong-hids/server/vendor/gopkg.in/mgo%2ev2.newCluster
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/cluster.go:78 +0x181
goroutine 54626 [select, 349 minutes]:
net/http.(*persistConn).writeLoop(0xc420390480)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 21 [sleep]:
time.Sleep(0x37e11d600)
/usr/local/go/src/runtime/time.go:102 +0x166
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*mongoServer).pinger(0xc4201440e0, 0xc42009c401)
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/server.go:301 +0x4b6
created by yulong-hids/server/vendor/gopkg.in/mgo%2ev2.newServer
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/server.go:89 +0x12d
goroutine 5 [IO wait]:
internal/poll.runtime_pollWait(0x7f9d98c1ff00, 0x72, 0xc4201d7d18)
/usr/local/go/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc4200ce198, 0x72, 0xffffffffffffff00, 0xa0a6c0, 0xc965d8)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc4200ce198, 0xc42002c000, 0x24, 0x24)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Read(0xc4200ce180, 0xc42002c030, 0x24, 0x24, 0x0, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_unix.go:157 +0x17d
net.(*netFD).Read(0xc4200ce180, 0xc42002c030, 0x24, 0x24, 0x0, 0x0, 0x0)
/usr/local/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc42000e018, 0xc42002c030, 0x24, 0x24, 0x0, 0x0, 0x0)
/usr/local/go/src/net/net.go:176 +0x6a
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.fill(0xa0ec00, 0xc42000e018, 0xc42002c030, 0x24, 0x24, 0x0, 0xda)
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:535 +0x53
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*mongoSocket).readLoop(0xc420162000)
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:551 +0x602
created by yulong-hids/server/vendor/gopkg.in/mgo%2ev2.newSocket
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:194 +0x1f5
goroutine 6 [chan receive, 28 minutes]:
yulong-hids/server/models.esCheckThread()
/usr/local/go/src/yulong-hids/server/models/es.go:254 +0xa2
created by yulong-hids/server/models.init.0
/usr/local/go/src/yulong-hids/server/models/common.go:137 +0x2f3
goroutine 10 [select, 13 minutes]:
yulong-hids/server/vendor/github.com/olivere/elastic.(*Client).sniffer(0xc4201b2000)
/usr/local/go/src/yulong-hids/server/vendor/github.com/olivere/elastic/client.go:813 +0x17c
created by yulong-hids/server/vendor/github.com/olivere/elastic.NewClient
/usr/local/go/src/yulong-hids/server/vendor/github.com/olivere/elastic/client.go:282 +0x7c6
goroutine 11 [select]:
yulong-hids/server/vendor/github.com/olivere/elastic.(*Client).healthchecker(0xc4201b2000)
/usr/local/go/src/yulong-hids/server/vendor/github.com/olivere/elastic/client.go:1000 +0x181
created by yulong-hids/server/vendor/github.com/olivere/elastic.NewClient
/usr/local/go/src/yulong-hids/server/vendor/github.com/olivere/elastic/client.go:285 +0x7a2
goroutine 12 [sleep]:
time.Sleep(0x6fc23ac00)
/usr/local/go/src/runtime/time.go:102 +0x166
yulong-hids/server/models.Heartbeat()
/usr/local/go/src/yulong-hids/server/models/common.go:196 +0x84
created by main.init.0
/usr/local/go/src/yulong-hids/server/server.go:66 +0x175
goroutine 13 [sleep]:
time.Sleep(0x2540be400)
/usr/local/go/src/runtime/time.go:102 +0x166
yulong-hids/server/action.TaskThread()
/usr/local/go/src/yulong-hids/server/action/task.go:45 +0x22c
created by main.init.0
/usr/local/go/src/yulong-hids/server/server.go:68 +0x18d
goroutine 14 [chan receive]:
yulong-hids/server/safecheck.ScanMonitorThread()
/usr/local/go/src/yulong-hids/server/safecheck/check.go:292 +0x28d
created by main.init.0
/usr/local/go/src/yulong-hids/server/server.go:70 +0x1a5
goroutine 15 [chan receive]:
yulong-hids/server/safecheck.firewallCheckThread()
/usr/local/go/src/yulong-hids/server/safecheck/health.go:108 +0x800
yulong-hids/server/safecheck.HealthCheckThread()
/usr/local/go/src/yulong-hids/server/safecheck/health.go:19 +0x96
created by main.init.0
/usr/local/go/src/yulong-hids/server/server.go:72 +0x1bd
goroutine 28 [chan receive]:
yulong-hids/server/safecheck.ScanMonitorThread.func1()
/usr/local/go/src/yulong-hids/server/safecheck/check.go:287 +0x6c
created by yulong-hids/server/safecheck.ScanMonitorThread
/usr/local/go/src/yulong-hids/server/safecheck/check.go:285 +0x254
goroutine 29 [sleep]:
time.Sleep(0x6fc23ac00)
/usr/local/go/src/runtime/time.go:102 +0x166
yulong-hids/server/safecheck.offlineCheckThread()
/usr/local/go/src/yulong-hids/server/safecheck/health.go:98 +0xc2a
created by yulong-hids/server/safecheck.HealthCheckThread
/usr/local/go/src/yulong-hids/server/safecheck/health.go:17 +0x79
goroutine 30 [sleep]:
time.Sleep(0xdf8475800)
/usr/local/go/src/runtime/time.go:102 +0x166
yulong-hids/server/safecheck.cleanThread()
/usr/local/go/src/yulong-hids/server/safecheck/health.go:42 +0x39f
created by yulong-hids/server/safecheck.HealthCheckThread
/usr/local/go/src/yulong-hids/server/safecheck/health.go:18 +0x91
goroutine 31 [chan receive, 448 minutes]:
yulong-hids/server/safecheck.offlineCheckThread.func1(0xc42012ad60)
/usr/local/go/src/yulong-hids/server/safecheck/health.go:55 +0x6c
created by yulong-hids/server/safecheck.offlineCheckThread
/usr/local/go/src/yulong-hids/server/safecheck/health.go:53 +0x154
goroutine 34 [IO wait]:
internal/poll.runtime_pollWait(0x7f9d98c1fc90, 0x72, 0xc42050d860)
/usr/local/go/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc4201ae998, 0x72, 0xffffffffffffff00, 0xa0a6c0, 0xc965d8)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc4201ae998, 0xc42042e000, 0x2000, 0x2000)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Read(0xc4201ae980, 0xc42042e000, 0x2000, 0x2000, 0x0, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_unix.go:157 +0x17d
net.(*netFD).Read(0xc4201ae980, 0xc42042e000, 0x2000, 0x2000, 0x8, 0x8, 0x1ff3)
/usr/local/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc42000e220, 0xc42042e000, 0x2000, 0x2000, 0x0, 0x0, 0x0)
/usr/local/go/src/net/net.go:176 +0x6a
crypto/tls.(*block).readFromUntil(0xc420161da0, 0x7f9d9807e3a0, 0xc42000e220, 0x5, 0xc42000e220, 0x0)
/usr/local/go/src/crypto/tls/conn.go:493 +0x96
crypto/tls.(*Conn).readRecord(0xc420186a80, 0x9cbf17, 0xc420186ba0, 0x0)
/usr/local/go/src/crypto/tls/conn.go:595 +0xe0
crypto/tls.(*Conn).Read(0xc420186a80, 0xc420237000, 0x400, 0x400, 0x0, 0x0, 0x0)
/usr/local/go/src/crypto/tls/conn.go:1156 +0x100
bufio.(*Reader).Read(0xc4200753e0, 0xc42027c084, 0xc, 0xc, 0xc42050dcc8, 0x813507, 0x903420)
/usr/local/go/src/bufio/bufio.go:216 +0x238
io.ReadAtLeast(0xa09100, 0xc4200753e0, 0xc42027c084, 0xc, 0xc, 0xc, 0xc42012c47e, 0x6, 0xbd)
/usr/local/go/src/io/io.go:309 +0x86
io.ReadFull(0xa09100, 0xc4200753e0, 0xc42027c084, 0xc, 0xc, 0x0, 0x46d172, 0x1)
/usr/local/go/src/io/io.go:327 +0x58
yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol.(*Message).Decode(0xc4202d0060, 0xa09100, 0xc4200753e0, 0x0, 0x0)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol/message.go:359 +0x71
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).readRequest(0xc4201a0160, 0xa0d800, 0xc420161fb0, 0xa09100, 0xc4200753e0, 0xa0d800, 0xc420161fb0, 0xc4201a0160)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:335 +0x7f
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn(0xc4201a0160, 0xa0eb40, 0xc420186a80)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:258 +0x248
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveListener
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:189 +0x1de
goroutine 160819 [select, 169 minutes]:
net/http.(*persistConn).writeLoop(0xc4202ff8c0)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 88802 [select, 289 minutes]:
net/http.(*persistConn).readLoop(0xc420390240)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 73 [IO wait]:
internal/poll.runtime_pollWait(0x7f9d98c1faf0, 0x72, 0xc420253d18)
/usr/local/go/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc4200ce918, 0x72, 0xffffffffffffff00, 0xa0a6c0, 0xc965d8)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc4200ce918, 0xc42002c200, 0x24, 0x24)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Read(0xc4200ce900, 0xc42002c2a0, 0x24, 0x24, 0x0, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_unix.go:157 +0x17d
net.(*netFD).Read(0xc4200ce900, 0xc42002c2a0, 0x24, 0x24, 0x0, 0x0, 0x0)
/usr/local/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc42000e0f8, 0xc42002c2a0, 0x24, 0x24, 0x0, 0x0, 0x0)
/usr/local/go/src/net/net.go:176 +0x6a
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.fill(0xa0ec00, 0xc42000e0f8, 0xc42002c2a0, 0x24, 0x24, 0x0, 0x11)
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:535 +0x53
yulong-hids/server/vendor/gopkg.in/mgo%2ev2.(*mongoSocket).readLoop(0xc420144460)
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:551 +0x602
created by yulong-hids/server/vendor/gopkg.in/mgo%2ev2.newSocket
/usr/local/go/src/yulong-hids/server/vendor/gopkg.in/mgo.v2/socket.go:194 +0x1f5
goroutine 160735 [select, 169 minutes]:
net/http.(*persistConn).readLoop(0xc42024b560)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 160821 [select, 169 minutes]:
net/http.(*persistConn).writeLoop(0xc4202ffb00)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 88833 [select, 289 minutes]:
net/http.(*persistConn).writeLoop(0xc4202ff560)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 160785 [select, 169 minutes]:
net/http.(*persistConn).readLoop(0xc4200b5560)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 473 [IO wait]:
internal/poll.runtime_pollWait(0x7f9d98c1fa20, 0x72, 0xc420062860)
/usr/local/go/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc4201afb98, 0x72, 0xffffffffffffff00, 0xa0a6c0, 0xc965d8)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc4201afb98, 0xc4201f8000, 0x8000, 0x8000)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Read(0xc4201afb80, 0xc4201f8000, 0x8000, 0x8000, 0x0, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_unix.go:157 +0x17d
net.(*netFD).Read(0xc4201afb80, 0xc4201f8000, 0x8000, 0x8000, 0x8, 0x8, 0x7ff3)
/usr/local/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc42009e450, 0xc4201f8000, 0x8000, 0x8000, 0x0, 0x0, 0x0)
/usr/local/go/src/net/net.go:176 +0x6a
crypto/tls.(*block).readFromUntil(0xc42040dcb0, 0x7f9d9807e3a0, 0xc42009e450, 0x5, 0xc42009e450, 0x0)
/usr/local/go/src/crypto/tls/conn.go:493 +0x96
crypto/tls.(*Conn).readRecord(0xc4200d4380, 0x9cbf17, 0xc4200d44a0, 0x0)
/usr/local/go/src/crypto/tls/conn.go:595 +0xe0
crypto/tls.(*Conn).Read(0xc4200d4380, 0xc4200f9000, 0x400, 0x400, 0x0, 0x0, 0x0)
/usr/local/go/src/crypto/tls/conn.go:1156 +0x100
bufio.(*Reader).Read(0xc42048fc80, 0xc42027cad0, 0xc, 0xc, 0xc420062cc8, 0x813507, 0x903420)
/usr/local/go/src/bufio/bufio.go:216 +0x238
io.ReadAtLeast(0xa09100, 0xc42048fc80, 0xc42027cad0, 0xc, 0xc, 0xc, 0xc42012c55e, 0x6, 0xbe)
/usr/local/go/src/io/io.go:309 +0x86
io.ReadFull(0xa09100, 0xc42048fc80, 0xc42027cad0, 0xc, 0xc, 0x0, 0x46d172, 0x1)
/usr/local/go/src/io/io.go:327 +0x58
yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol.(*Message).Decode(0xc4202a2a20, 0xa09100, 0xc42048fc80, 0x0, 0x0)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol/message.go:359 +0x71
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).readRequest(0xc4201a0160, 0xa0d800, 0xc42040de00, 0xa09100, 0xc42048fc80, 0xa0d800, 0xc42040de00, 0xc4201a0160)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:335 +0x7f
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn(0xc4201a0160, 0xa0eb40, 0xc4200d4380)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:258 +0x248
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveListener
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:189 +0x1de
goroutine 160760 [select, 169 minutes]:
net/http.(*persistConn).readLoop(0xc420176240)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 160761 [select, 169 minutes]:
net/http.(*persistConn).writeLoop(0xc420176240)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 160686 [select, 169 minutes]:
net/http.(*persistConn).readLoop(0xc420390c60)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 160736 [select, 169 minutes]:
net/http.(*persistConn).writeLoop(0xc42024b560)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 54593 [select, 349 minutes]:
net/http.(*persistConn).readLoop(0xc420390480)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 160818 [select, 169 minutes]:
net/http.(*persistConn).readLoop(0xc4202ff8c0)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 88803 [select, 289 minutes]:
net/http.(*persistConn).writeLoop(0xc420390240)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 260141 [IO wait]:
internal/poll.runtime_pollWait(0x7f9d98c1f7b0, 0x72, 0xc4201d9860)
/usr/local/go/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc4201af918, 0x72, 0xffffffffffffff00, 0xa0a6c0, 0xc965d8)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc4201af918, 0xc4200f8400, 0x400, 0x400)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Read(0xc4201af900, 0xc4200f8400, 0x400, 0x400, 0x0, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_unix.go:157 +0x17d
net.(*netFD).Read(0xc4201af900, 0xc4200f8400, 0x400, 0x400, 0x8, 0x8, 0x3f3)
/usr/local/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc42009e358, 0xc4200f8400, 0x400, 0x400, 0x0, 0x0, 0x0)
/usr/local/go/src/net/net.go:176 +0x6a
crypto/tls.(*block).readFromUntil(0xc4202e3650, 0x7f9d9807e3a0, 0xc42009e358, 0x5, 0xc42009e358, 0x0)
/usr/local/go/src/crypto/tls/conn.go:493 +0x96
crypto/tls.(*Conn).readRecord(0xc4200d4a80, 0x9cbf17, 0xc4200d4ba0, 0x0)
/usr/local/go/src/crypto/tls/conn.go:595 +0xe0
crypto/tls.(*Conn).Read(0xc4200d4a80, 0xc4200f9800, 0x400, 0x400, 0x0, 0x0, 0x0)
/usr/local/go/src/crypto/tls/conn.go:1156 +0x100
bufio.(*Reader).Read(0xc4202d1320, 0xc420202f30, 0xc, 0xc, 0xc4201d9cc8, 0x813507, 0x903420)
/usr/local/go/src/bufio/bufio.go:216 +0x238
io.ReadAtLeast(0xa09100, 0xc4202d1320, 0xc420202f30, 0xc, 0xc, 0xc, 0xc42027601e, 0x6, 0xc6)
/usr/local/go/src/io/io.go:309 +0x86
io.ReadFull(0xa09100, 0xc4202d1320, 0xc420202f30, 0xc, 0xc, 0x0, 0x46d172, 0x0)
/usr/local/go/src/io/io.go:327 +0x58
yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol.(*Message).Decode(0xc420302960, 0xa09100, 0xc4202d1320, 0x0, 0x0)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol/message.go:359 +0x71
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).readRequest(0xc4201a0160, 0xa0d800, 0xc4202e3860, 0xa09100, 0xc4202d1320, 0xa0d800, 0xc4202e3860, 0xc4201a0160)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:335 +0x7f
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn(0xc4201a0160, 0xa0eb40, 0xc4200d4a80)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:258 +0x248
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveListener
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:189 +0x1de
goroutine 160788 [select, 169 minutes]:
net/http.(*persistConn).writeLoop(0xc42024bd40)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 241293 [IO wait]:
internal/poll.runtime_pollWait(0x7f9d98c1f060, 0x72, 0xc4204339a8)
/usr/local/go/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc4201afa18, 0x72, 0xffffffffffffff00, 0xa0a6c0, 0xc965d8)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc4201afa18, 0xc4202fc000, 0x1000, 0x1000)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Read(0xc4201afa00, 0xc4202fc000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_unix.go:157 +0x17d
net.(*netFD).Read(0xc4201afa00, 0xc4202fc000, 0x1000, 0x1000, 0x453530, 0xc4201b0f00, 0x4)
/usr/local/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc42000e418, 0xc4202fc000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
/usr/local/go/src/net/net.go:176 +0x6a
net/http.(*persistConn).Read(0xc4203910e0, 0xc4202fc000, 0x1000, 0x1000, 0xc420433b98, 0x404fa5, 0xc420341620)
/usr/local/go/src/net/http/transport.go:1453 +0x136
bufio.(*Reader).fill(0xc4202d1ec0)
/usr/local/go/src/bufio/bufio.go:100 +0x11e
bufio.(*Reader).Peek(0xc4202d1ec0, 0x1, 0x0, 0x0, 0x1, 0xc420340ea0, 0x0)
/usr/local/go/src/bufio/bufio.go:132 +0x3a
net/http.(*persistConn).readLoop(0xc4203910e0)
/usr/local/go/src/net/http/transport.go:1601 +0x185
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 160687 [select, 169 minutes]:
net/http.(*persistConn).writeLoop(0xc420390c60)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 241294 [select]:
net/http.(*persistConn).writeLoop(0xc4203910e0)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 88832 [select, 289 minutes]:
net/http.(*persistConn).readLoop(0xc4202ff560)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 160786 [select, 169 minutes]:
net/http.(*persistConn).writeLoop(0xc4200b5560)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 160787 [select, 169 minutes]:
net/http.(*persistConn).readLoop(0xc42024bd40)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 160820 [select, 169 minutes]:
net/http.(*persistConn).readLoop(0xc4202ffb00)
/usr/local/go/src/net/http/transport.go:1717 +0x743
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 260236 [runnable]:
yulong-hids/server/action.ResultStat(0xc42037c154, 0xc, 0xc42037c164, 0xa, 0xc42037c176, 0x5, 0xc42009e028, 0x1, 0x1, 0xbeb47de7d1447a35, ...)
/usr/local/go/src/yulong-hids/server/action/statistics.go:34 +0x564
main.(*Watcher).PutInfo(0xc420202580, 0xa0d800, 0xc42028e090, 0xc4202c6000, 0xc42037c1b8, 0x0, 0x0)
/usr/local/go/src/yulong-hids/server/server.go:44 +0x1c9
reflect.Value.call(0xc4201ae800, 0xc42000e210, 0x13, 0x9af758, 0x4, 0xc420510c50, 0x4, 0x4, 0xc420073140, 0x92e760, ...)
/usr/local/go/src/reflect/value.go:447 +0x969
reflect.Value.Call(0xc4201ae800, 0xc42000e210, 0x13, 0xc420510c50, 0x4, 0x4, 0x8b2101, 0x8b21e0, 0xc42037c1b8)
/usr/local/go/src/reflect/value.go:308 +0xa4
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*service).call(0xc42001e820, 0xa0d800, 0xc42028e090, 0xc4201ae880, 0x8bc2e0, 0xc4202c6000, 0x16, 0x8b21e0, 0xc42037c1b8, 0x16, ...)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/service.go:315 +0x1b5
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).handleRequest(0xc4201a0160, 0xa0d800, 0xc42028e090, 0xc4200cb980, 0x903420, 0xc42028e030, 0xa0d800)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:387 +0x3b0
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn.func2(0xc4200cb980, 0xa0eb40, 0xc4200d4a80, 0xa0d800, 0xc4202e3860, 0xc4201a0160)
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:302 +0x17e
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn
/usr/local/go/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:290 +0x4f4
v0.4.3 BETA 出现server异常崩溃,已经有2次了。
bufio.(*Reader).Read(0xc42021b620, 0xc42032a6c0, 0xc, 0xc, 0x60, 0x60, 0x994020)
/usr/local/go/src/bufio/bufio.go:216 +0x238
io.ReadAtLeast(0xa09080, 0xc42021b620, 0xc42032a6c0, 0xc, 0xc, 0xc, 0x2, 0xc420020a00, 0x2)
/usr/local/go/src/io/io.go:309 +0x86
io.ReadFull(0xa09080, 0xc42021b620, 0xc42032a6c0, 0xc, 0xc, 0x813f53, 0x994020, 0xc420206660)
/usr/local/go/src/io/io.go:327 +0x58
yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol.(*Message).Decode(0xc420206660, 0xa09080, 0xc42021b620, 0x0, 0x0)
/home/neargle/gopath/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/protocol/message.go:359 +0x71
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).readRequest(0xc4200f0420, 0xa0d780, 0xc4201cf200, 0xa09080, 0xc42021b620, 0xa0d780, 0xc4201cf200, 0xc4200f0420)
/home/neargle/gopath/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:335 +0x7f
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn(0xc4200f0420, 0xa0eac0, 0xc42055a700)
/home/neargle/gopath/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:258 +0x248
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveListener
/home/neargle/gopath/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:189 +0x1de
goroutine 37239 [select]:
net/http.(*persistConn).writeLoop(0xc4204930e0)
/usr/local/go/src/net/http/transport.go:1822 +0x14b
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1238 +0x97f
goroutine 37238 [IO wait]:
internal/poll.runtime_pollWait(0x7f32e32707b0, 0x72, 0xc42052f9a8)
/usr/local/go/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc4200ced98, 0x72, 0xffffffffffffff00, 0xa0a640, 0xc965d8)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc4200ced98, 0xc4203a6000, 0x1000, 0x1000)
/usr/local/go/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Read(0xc4200ced80, 0xc4203a6000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
/usr/local/go/src/internal/poll/fd_unix.go:157 +0x17d
net.(*netFD).Read(0xc4200ced80, 0xc4203a6000, 0x1000, 0x1000, 0x453530, 0xc420399b00, 0x4)
/usr/local/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc42009c158, 0xc4203a6000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
/usr/local/go/src/net/net.go:176 +0x6a
net/http.(*persistConn).Read(0xc4204930e0, 0xc4203a6000, 0x1000, 0x1000, 0xc42052fb98, 0x404fa5, 0xc42019e600)
/usr/local/go/src/net/http/transport.go:1453 +0x136
bufio.(*Reader).fill(0xc4205864e0)
/usr/local/go/src/bufio/bufio.go:100 +0x11e
bufio.(*Reader).Peek(0xc4205864e0, 0x1, 0x0, 0x0, 0x1, 0xc42007c120, 0x0)
/usr/local/go/src/bufio/bufio.go:132 +0x3a
net/http.(*persistConn).readLoop(0xc4204930e0)
/usr/local/go/src/net/http/transport.go:1601 +0x185
created by net/http.(*Transport).dialConn
/usr/local/go/src/net/http/transport.go:1237 +0x95a
goroutine 37597 [runnable]:
yulong-hids/server/action.ResultStat(0xc4202e3070, 0xe, 0xc4202e3084, 0xa, 0xc4202e3096, 0x5, 0xc42000e068, 0x1, 0x1, 0xbea93c80fb68c6e4, ...)
/home/neargle/gopath/src/yulong-hids/server/action/statistics.go:34 +0x564
main.(*Watcher).PutInfo(0xc420099a60, 0xa0d780, 0xc4201ce420, 0xc4202b5260, 0xc4202e30d8, 0x0, 0x0)
/home/neargle/gopath/src/yulong-hids/server/server.go:44 +0x1c9
reflect.Value.call(0xc4200ce800, 0xc42009c260, 0x13, 0x9af758, 0x4, 0xc4204c9c50, 0x4, 0x4, 0xc4202b0040, 0x92e760, ...)
/usr/local/go/src/reflect/value.go:447 +0x969
reflect.Value.Call(0xc4200ce800, 0xc42009c260, 0x13, 0xc4204c9c50, 0x4, 0x4, 0x8b2101, 0x8b21e0, 0xc4202e30d8)
/usr/local/go/src/reflect/value.go:308 +0xa4
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*service).call(0xc42009ec80, 0xa0d780, 0xc4201ce420, 0xc4200ce880, 0x8bc2e0, 0xc4202b5260, 0x16, 0x8b21e0, 0xc4202e30d8, 0x16, ...)
/home/neargle/gopath/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/service.go:315 +0x1b5
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).handleRequest(0xc4200f0420, 0xa0d780, 0xc4201ce420, 0xc4202f50e0, 0x903420, 0xc4201ce3c0, 0xa0d780)
/home/neargle/gopath/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:387 +0x3b0
yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn.func2(0xc4202f50e0, 0xa0eac0, 0xc4200d4a80, 0xa0d780, 0xc4205cf290, 0xc4200f0420)
/home/neargle/gopath/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:302 +0x17e
created by yulong-hids/server/vendor/github.com/smallnest/rpcx/server.(*Server).serveConn
/home/neargle/gopath/src/yulong-hids/server/vendor/github.com/smallnest/rpcx/server/server.go:290 +0x4f4
web引导步骤生成证书报错
linux
要了下错误日志
服务端响应格式错误,请检查输入是否合理
下午在群里提问,大佬说我配置文件有问题,以下就修改完之后的配置文件
[mongodb]
url = "${IDS_MONGODB_URL||mongodb://192.168.25.71:27017/agent}"
[elastic_search]
url = "${IDS_ELASTICSEARCH_URL||http://192.168.25.71:9200/}"
配置完之后重启web,还是显示响应格式错误
can process monitor support Darwin plarform?
daemon common.go文件导入包重复
import (
"crypto/tls"
"net/http"
"os"
"os/exec"
"runtime"
"strings"
"sync"
"time"
"net"
"strings"
"fmt"
"github.com/axgle/mahonia"
"github.com/kardianos/service"
)
两个strings,编译会出错
启动web服务报403错误,无法看到面板
在开发机上编译运行web.exe,在127.0.0.1/login/可以看到登录界面,但是登录之后看不到监控面板(已在服务器上启动了MongoDB, Elasticsearch并能连接)
下面是app.config
appname = yulong-hids-analyze-dashboard
runmode = prod
sessionon = true
apihost = ""
TemplateLeft = "<<<"
TemplateRight = ">>>"
ApiVer = "json"
copyrequestbody = true
perloadcount = 500
# Alert : 1
# Critical : 2
# Error : 3
# Warning : 4
# Notice : 5
# Informational : 6
# Debug : 7
loglevel=7
# 设置hostname, 如果没设置则不会验证
# 如果设置了,只有该host可以访问web页面,多个host以逗号隔开
ylhostname = ""
# 后台登录用户名
username = "yulong"
# passwordhex为登录密码的32位md5,默认密码为(带句号): All_life_is_a_game_of_luck.
passwordhex = "0c885bb124969eead759a4c2b512ed52"
# 日志文件路径
logfile = "logs.log"
OnlyHTTPS = true
EnableHTTPS = true
EnableHttpTLS = true
HTTPSPort = 443
EnableHTTP = true
HTTPPort = 80
HTTPSCertFile = "https_cert/cert.pem"
HTTPSKeyFile = "https_cert/private.pem"
FilePath = "upload_files/"
# 是否开启二次验证,推荐开启
TwoFactorAuth = true
# base32格式的二次验证秘钥,请务必修改默认值
# 可使用命令: python2 -c "import base64, random, string;print(base64.b32encode(''.join([random.choice(string.printable) for _ in range(35)]).encode()));"
# 命令可直接生成随机秘钥,直接在 Google Authenticator app内填入秘钥即可
TwoFactorAuthKey = "IVFHGS2OGYTXIVDGEIZWCNC2MVMHYWDRK44GOQALPNJHGRS6FE2QUCT4"
[mongodb]
# mongodb url 数据库名固定为agent
# mongodb 的 ip 地址请设置内网ip,请勿设置 127.0.0.1
url = "${IDS_MONGODB_URL||mongodb://*.*.*.*:27017/agent}"
[elastic_search]
# elastic_search web接口
baseurl = "${IDS_ELASTICSEARCH_URL||http://*.*.*.*:9200/}"
mac的编译方式呢。。。。。
mac的编译方式呢。。。。。
无法卸载agent
使用命令daemon -uninstall后,查看进程,还是会有daemon和agent,只有syshook_execve是卸载了
[root@localhost ~]# ps -ef | grep 192.168
root 7610 1 0 07:45 ? 00:00:00 /usr/yulong-hids/daemon -netloc 192.168.47.104
root 7616 7610 2 07:45 ? 00:04:45 /usr/yulong-hids/agent 192.168.47.104
root 8619 8578 0 11:35 pts/0 00:00:00 grep --color=auto 192.168
[root@localhost ~]# /usr/yulong-hids/daemon -uninstall
2018/11/01 11:35:20 Uninstall completed
[root@localhost ~]# ps -ef | grep 192.168
root 7610 1 0 07:45 ? 00:00:00 /usr/yulong-hids/daemon -netloc 192.168.47.104
root 7616 7610 2 07:45 ? 00:04:45 /usr/yulong-hids/agent 192.168.47.104
root 8643 8578 0 11:35 pts/0 00:00:00 grep --color=auto 192.168
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# lsmod| grep syshook_execve
[root@localhost ~]#
win下未获取到进程
实际驱动未能加载,可能与系统不兼容sha256签名的驱动有关。
待dual sign出一个包含sha1签名的驱动再试下。
agent segment 崩溃
agent启动后segment fault,
`panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x6ad0f6]
goroutine 62 [running]:
yulong-hids/agent/vendor/github.com/akrennmair/gopcap.sockaddr_to_IP(0x0, 0x0, 0x1, 0xc4203681e0, 0x0, 0x1)
/usr/local/go/src/yulong-hids/agent/vendor/github.com/akrennmair/gopcap/pcap.go:234 +0x26
yulong-hids/agent/vendor/github.com/akrennmair/gopcap.findalladdresses(0x7f88680021a0, 0x0, 0x0, 0x10)
/usr/local/go/src/yulong-hids/agent/vendor/github.com/akrennmair/gopcap/pcap.go:222 +0xbd
yulong-hids/agent/vendor/github.com/akrennmair/gopcap.Findalldevs(0xc420020400, 0x9, 0x9, 0x0, 0x0)
/usr/local/go/src/yulong-hids/agent/vendor/github.com/akrennmair/gopcap/pcap.go:208 +0x1ec
yulong-hids/agent/monitor.getPcapHandle(0xc420252120, 0xc, 0x0, 0x0, 0x0)
/usr/local/go/src/yulong-hids/agent/monitor/lib.go:73 +0x37
yulong-hids/agent/monitor.StartNetSniff(0xc4200ca720)
/usr/local/go/src/yulong-hids/agent/monitor/connection_linux.go:207 +0x4e
created by yulong-hids/agent/client.(*Agent).monitor
/usr/local/go/src/yulong-hids/agent/client/agent.go:209 +0x5c`
ifconfig结果
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.2.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 02:42:84:0f:24:bb txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.89.101.12 netmask 255.255.255.128 broadcast 10.89.101.127
ether 24:6e:96:2c:9d:20 txqueuelen 1000 (Ethernet)
RX packets 54826197140 bytes 17925574214592 (16.3 TiB)
RX errors 0 dropped 37 overruns 0 frame 0
TX packets 54952405014 bytes 17911656172103 (16.2 TiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
flannel0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1472
inet 172.17.2.0 netmask 255.255.0.0 destination 172.17.2.0
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 260154 bytes 19102156 (18.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 0 (Local Loopback)
RX packets 14128613 bytes 895492725 (854.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14128613 bytes 895492725 (854.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
点击忽略所有未处理时报错
如下为 web 的提示
2018/04/11 09:52:20 ^[[1;31m[E] [notice.go:95] Model UpdateAll E11000 duplicate key error collection: agent.notice index: ip_1_info_1_type_1_status_1_uptime_1 dup key: { : "10.2.13.2", : "/bin/bash", : "process", : 1, : null } ^[[0m
截图如下
server启动报错
centos7.2.15系统,web正常配置启动之后。启动./server -db mongodbIP:27017 -es elasticIP:9200 报错: 2018/04/09 17:33:19 Get Config
2018/04/09 17:33:19 {false false {[] [] [] []} {[] [] [] []} {false } {false false}}
2018/04/09 17:33:19 Start Task Thread
2018/04/09 17:33:19 cert error!
linux下没有hook到进程
用的是release里面data.zip带的驱动
kernel版本 Linux mt-pi.office.mos 2.6.32-431.20.3.el6.mt20140703.x86_64
insmod syshook_execve.ko
返回
insmod: error inserting 'syshook_execve.ko': -1 Unknown symbol in module
驱动无法正常加载。
apt update 没显示 pid
外连监控
cert error
[root@192 yulong]# ./server -db 192.168.136.134:27017 -es 0.0.0.0:9200
2018/05/03 17:17:03 Get Config
2018/05/03 17:17:03 {false false {[] [] [] []} {[] [] [] []} {false } {false false}}
2018/05/03 17:17:03 cert error!
主机列表为空,agent运行正常
是需要开放那个端口和IP吗, SERVER 主动连接,还是AGENT 上报
我的主机列表没有数据
2018/07/25 11:42:54 Download dependent environment package 2018/07/25 11:42:55 Download Agent 2018/07/25 11:42:56 Agent file MD5: 087c9064c2040b5c74642d4c79e7f94f 2018/07/25 11:42:56 Agent download finished, hash check passed 2018/07/25 11:42:56 Copy the daemon to the installation directory 2018/07/25 11:42:56 Start the service 2018/07/25 11:42:56 Start service successfully 2018/07/25 11:42:56 Installed!
No server node available
[root@yulong-hids]# ./agent 17..*.*8 debug
2018/06/28 11:13:29 DEBUG MODE
2018/06/28 11:13:29 Web API: https://17.**.***.*8/json/serverlist
2018/06/28 11:13:29 Available server node: []
2018/06/28 11:13:59 No server node available
panic: 1
goroutine 1 [running]:
yulong-hids/agent/client.(*Agent).init(0xc4200dc370)
/usr/local/go/src/yulong-hids/agent/client/agent.go:61 +0x6cc
yulong-hids/agent/client.(*Agent).Run(0xc4200dc370)
/usr/local/go/src/yulong-hids/agent/client/agent.go:82 +0x2b
main.main()
/usr/local/go/src/yulong-hids/agent/agent.go:22 +0xb9
告警页面显示daemon外连外部ip
除非需要接威胁情报,驭龙整套系统都没有外连ip的需求。
上图ip对应为pypi.python.org用的cdn节点,用户确实那段时间有pip install。
初步怀疑关联错了,待复现诊断。
分析windows日志的部分可不可以单独使用
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.