1.2 seconds is the upper bound for the rules table on the UI to load without any rules. The output below is just the API:
$ time ./get_prepackaged_rules_status.sh
{
"rules_custom_installed": 0,
"rules_installed": 0,
"rules_not_installed": 145,
############################################## | |
# Sample client-side OpenVPN 2.0 config file # | |
# for connecting to multi-client server. # | |
# # | |
# This configuration can be used by multiple # | |
# clients, however each client should have # | |
# its own cert and key files. # | |
# # | |
# On Windows, you might want to rename this # | |
# file so it has a .ovpn extension # |
at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:128) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT] | |
│ at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.getRoles(CompositeRolesStore.java:275) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT] | |
│ at org.elasticsearch.xpack.security.authz.RBACEngine.getRoles(RBACEngine.java:132) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT] | |
│ at org.elasticsearch.xpack.security.authz.RBACEngine.resolveAuthorizationInfo(RBACEngine.java:120) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT] | |
│ at org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:229) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT] | |
│ at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:173) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT] | |
│ at org.elasticsearch.xpa |
server log [01:11:26.989] [debug][plugins][plugins][securitySolution][securitySolution] totalHits: 4737 name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default" | |
server log [01:11:26.989] [debug][plugins][plugins][securitySolution][securitySolution] searchResult.hit.hits.length: 100 name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default" | |
server log [01:11:26.990] [debug][plugins][plugins][securitySolution][securitySolution] valuesOfGivenType: [ | |
"71.211.48.72", | |
"47.34.56.166", | |
"172.100.214.142", | |
"67.173.227.94", | |
"89.12.89.72", | |
"35.226.77.71", | |
"35.199.90.14", |
server log [22:34:34.179] [debug][plugins][plugins][securitySolution][securitySolution] Lists filtered out 33 events name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default" | |
server log [22:34:34.661] [debug][plugins][plugins][securitySolution][securitySolution] individual bulk process time took: 474.62 milliseconds | |
server log [22:34:34.661] [debug][plugins][plugins][securitySolution][securitySolution] took property says bulk took: 45 milliseconds | |
server log [22:34:34.661] [debug][plugins][plugins][securitySolution][securitySolution] created 67 signals name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default" | |
server log [22:34:34.662] [debug][plugins][plugins][securitySolution][securitySolution] filteredEvents.hits.hits: 67 name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule |
server log [16:05:30.489] [error][plugins][plugins][siem][siem] [-] nextSearchAfter threw an error [security_exception] missing authentication credentials for REST request [/apm-*-transaction*%2Cauditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search?allow_no_indices=true&size=100&ignore_unavailable=true], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } } :: {"path":"/apm-*-transaction*%2Cauditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search","query":{"allow_no_indices":true,"size":100,"ignore_unavailable":true},"body":"{\"query\":{\"bool\":{\"filter\":[{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},{\"bool\":{\"filter\":[{\"bool\":{\"should\":[{\"range\":{\"@timestamp\":{\"gte\":\"now-6m\"}}}],\"minimum_should_match\":1}},{\"bool\":{\"should\":[{\"range\":{\"@timestamp\": |
agent.type | ||
---|---|---|
as.number | ||
as.organization.name | ||
client.as.number | ||
client.as.organization.name | ||
client.nat.ip | ||
client.nat.port | ||
client.user.domain | ||
cloud.machine.type | ||
destination.as.number |
--- | |
options: | |
docker: true | |
pipelines: | |
branches: | |
master: | |
- step: | |
script: | |
# Installing gcloud |
pi@raspberrypi:/var/log/maltrail $ tail 2016-05-18.log 2016-05-19.log 2016-05-20.log 2016-05-21.log 2016-05-22.log 2016-05-23.log 2016-05-24.log 2016-05-25.log | |
==> 2016-05-18.log <== | |
"2016-05-18 23:47:51.125602" raspberrypi 192.168.1.5 35579 128.208.2.233 9001 TCP IP 128.208.2.233 "tor exit node (suspicious)" blutmagie.de | |
"2016-05-18 23:49:59.424015" raspberrypi 192.168.1.5 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static) | |
==> 2016-05-19.log <== | |
"2016-05-19 10:26:19.485956" raspberrypi 192.168.1.5 39074 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de | |
"2016-05-19 11:59:51.032876" raspberrypi 192.168.1.5 39075 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de | |
"2016-05-19 13:25:15.583751" raspberrypi 192.168.1.5 39076 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de | |
"2016-05-19 15:10:59.114896" raspberrypi 192.168.1.5 39077 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" bl |
2016-03-28 22:19:58 SIGUSR1[soft,init_instance] received, process restarting | |
2016-03-28 22:19:58 MANAGEMENT: >STATE:1459217998,RECONNECTING,init_instance,, | |
2016-03-28 22:20:00 *Tunnelblick: No 'reconnecting.sh' script to execute | |
2016-03-28 22:20:00 MANAGEMENT: CMD 'hold release' | |
2016-03-28 22:20:00 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts | |
2016-03-28 22:20:00 Socket Buffers: R=[131072->65536] S=[131072->65536] | |
2016-03-28 22:20:00 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:9040 [nonblock] | |
2016-03-28 22:20:00 MANAGEMENT: >STATE:1459218000,TCP_CONNECT,,, | |
2016-03-28 22:20:00 TCP: connect to [AF_INET]XXX.XXX.XXX.XXX:9040 failed, will try again in 5 seconds: Can't assign requested address | |
2016-03-28 22:20:00 SIGUSR1[soft,init_instance] received, process restarting |