ossim:~# perl update.pl
usr/lib/perl5/ossim_cd_updater.pm
home/ossim/dist/ossim-update.pl
var/lib/ossim/updates/ossim-update-version.sh

Warning!! This program upgrades the ossim packages, configuration files, and the preconfigured software in the OSSIM CD Installer.

You can choose one of two assistent modes: "expert" and "auto".

The "auto" mode will backup the most important directories and databases without asking questions (recommended for all-in-one installations without custom configurations).

The "expert" mode will ask for confirmation before doing the backups and before updating configuration files located in /etc related to ossim, snort, nagios, ntop, etc (recommended if you modified the config files, and plugin configs manually).

Do you want to continue? [yes,no]: yes

-----------------------------------------
New update started: 12-Feb-2008_13-46

Updating apt-get index
Get:1 http://security.debian.org etch/updates Release.gpg [189B]
Get:2 http://security.debian.org etch/updates Release [37.6kB]
Get:3 http://ftp.debian.org etch Release.gpg [378B]
Get:4 http://ftp.debian.org etch Release [58.2kB]
Ign http://www.ossim.net debian/ Release.gpg
Get:5 http://www.ossim.net debian/ Release [93B]
Get:6 http://www.ossim.net debian/ Packages [4880B]
Get:7 http://www.ossim.net debian/ Sources [1838B]
Ign http://security.debian.org etch/updates/main Packages/DiffIndex
Get:8 http://security.debian.org etch/updates/main Packages [306kB]
Get:9 http://ftp.debian.org etch/main Packages [5621kB]
Fetched 6030kB in 29s (207kB/s)
Reading package lists...

--05:46:53--  http://updates.alienvault.com/ossim-cd-versions.txt
           => `ossim-cd-versions.txt'
Resolving updates.alienvault.com... 69.93.173.5
Connecting to updates.alienvault.com|69.93.173.5|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6 [text/plain]

100%[===============================================================>] 6             --.--K/s

05:46:55 (2.21 KB/s) - `ossim-cd-versions.txt' saved [6/6]

Updating version index.done.
Empty version information, assuming 1.0.3
There are updates available. (1.0.4)

Please, choose the mode by typing "auto" or "expert": auto
auto mode choosen.

Backing up your installation into /var/lib/ossim/backup/20080212054659 before upgrading.........done.

Need to upgrade to 1.0.4
all-in-one_1.0.4.tar.gz needed.--05:47:31--  http://updates.alienvault.com/updates/all-in-one_1.0.4.tar.gz
           => `1.0.4.tar.gz'
Resolving updates.alienvault.com... 69.93.173.5
Connecting to updates.alienvault.com|69.93.173.5|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21,635,745 (21M) [application/x-gzip]

100%[===============================================================>] 21,635,745   310.41K/s    ETA 00:00

05:48:41 (305.90 KB/s) - `1.0.4.tar.gz' saved [21635745/21635745]

Validating package.
export UPDATER_MODE=auto && sh /var/lib/ossim/updates//ossim-update-version.sh 1.0.4 localhost 3306 ossim root VmTNklEainN;

-------------------------------
- Upgrading to Version: 1.0.4 -
-------------------------------

[+] Executing pre/ scripts
Press the enter key to start...
[-] Executing /var/lib/ossim/updates/1.0.4/pre/00gen-delete-home.sh
Removing deprecated files in 1.0.4: done
... ok
[-] Executing /var/lib/ossim/updates/1.0.4/pre/00gen-delete.sh
Removing deprecated files in 1.0.4: ..done
... ok
[-] Executing /var/lib/ossim/updates/1.0.4/pre/00ossim_setup_check.sh
... ok
[-] Executing /var/lib/ossim/updates/1.0.4/pre/01dpkg.sh
This packages will be in the repository! This is just a beta version...
(Reading database ... 29129 files and directories currently installed.)
Preparing to replace ossim-utils 1:0.9.9~rc5-3 (using .../ossim-utils_0.9.9~rc5-5_all.deb) ...
Unpacking replacement ossim-utils ...
Preparing to replace ossim-framework-daemon 1:0.9.9~rc5-3 (using .../ossim-framework-daemon_0.9.9~rc5-5_all.deb) ...
Unpacking replacement ossim-framework-daemon ...
Preparing to replace ossim-mysql 1:0.9.9~rc5-3 (using .../ossim-mysql_0.9.9~rc5-5_all.deb) ...
Unpacking replacement ossim-mysql ...
Preparing to replace ossim-agent 1:0.9.9~rc5+cvs20071026-1 (using .../ossim-agent_0.9.9~rc5+cvs20080215-1_all.deb) ...
Unpacking replacement ossim-agent ...
Preparing to replace ossim-framework 1:0.9.9~rc5-3 (using .../ossim-framework_0.9.9~rc5-5_all.deb) ...
Unpacking replacement ossim-framework ...
Preparing to replace ossim 1:0.9.9~rc5-3 (using .../ossim_0.9.9~rc5-5_all.deb) ...
Unpacking replacement ossim ...
Preparing to replace ossim-server 1:0.9.9~rc5-3 (using .../ossim-server_0.9.9~rc5-5_i386.deb) ...
Unpacking replacement ossim-server ...
Preparing to replace ossim-contrib 1:0.9.9~rc5-3 (using .../ossim-contrib_0.9.9~rc5-5_all.deb) ...
Unpacking replacement ossim-contrib ...
Setting up ossim-utils (0.9.9~rc5-5) ...

Configuration file `/etc/ossim/framework/ossim.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** ossim.conf (Y/I/N/O/D/Z) [default=N] ?
Setting up ossim-mysql (0.9.9~rc5-5) ...
Setting up ossim-agent (0.9.9~rc5+cvs20080215-1) ...

Configuration file `/etc/ossim/agent/config.cfg'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** config.cfg (Y/I/N/O/D/Z) [default=N] ?
Installing new version of config file /etc/ossim/agent/aliases.cfg ...
Installing new version of config file /etc/ossim/agent/plugins/stonegate.cfg ...
Installing new version of config file /etc/ossim/agent/plugins/cisco-pix.cfg ...

Configuration file `/etc/ossim/agent/plugins/nessus-monitor.cfg'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** nessus-monitor.cfg (Y/I/N/O/D/Z) [default=N] ?
Installing new version of config file /etc/ossim/agent/plugins/pam_unix.cfg ...

Configuration file `/etc/ossim/agent/plugins/snort.cfg'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** snort.cfg (Y/I/N/O/D/Z) [default=N] ?
Installing new version of config file /etc/ossim/agent/plugins/sudo.cfg ...
Installing new version of config file /etc/ossim/agent/plugins/iis.cfg ...
Installing new version of config file /etc/ossim/agent/plugins/netscreen-firewall.cfg ...

Configuration file `/etc/ossim/agent/plugins/nagios.cfg'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** nagios.cfg (Y/I/N/O/D/Z) [default=N] ?
Installing new version of config file /etc/ossim/agent/plugins/snare.cfg ...

Configuration file `/etc/ossim/agent/plugins/snortunified.cfg'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** snortunified.cfg (Y/I/N/O/D/Z) [default=N] ?
Installing new version of config file /etc/ossim/agent/plugins/realsecure.cfg ...
Installing new version of config file /etc/ossim/agent/plugins/ssh.cfg ...
Setting up ossim-server (0.9.9~rc5-5) ...
Installing new version of config file /etc/ossim/server/directives.dtd ...

Configuration file `/etc/ossim/server/generic.xml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** generic.xml (Y/I/N/O/D/Z) [default=N] ?
Setting up ossim-contrib (0.9.9~rc5-5) ...
Setting up ossim-framework (0.9.9~rc5-5) ...
Installing new version of config file /etc/ossim/framework/apache.conf ...
Setting up ossim-framework-daemon (0.9.9~rc5-5) ...
Setting up ossim (0.9.9~rc5-5) ...
OSSIM packages installed...
... ok

[+] Intalling Depend packages
Press the enter key to start...
[-] Installing munin
Selecting previously deselected package libhtml-template-perl.
(Reading database ... 29215 files and directories currently installed.)
Unpacking libhtml-template-perl (from .../libhtml-template-perl_2.8-1_all.deb) ...
Selecting previously deselected package munin.
Unpacking munin (from .../archives/munin_1.2.5-1_all.deb) ...
Setting up libhtml-template-perl (2.8-1) ...
Setting up munin (1.2.5-1) ...
Adding system user `munin' (UID 110) ...
Adding new group `munin' (GID 111) ...
Adding new user `munin' (UID 110) with group `munin' ...
Not creating home directory `/var/lib/munin'.
... ok
[-] Installing munin-node
Selecting previously deselected package libio-multiplex-perl.
(Reading database ... 29270 files and directories currently installed.)
Unpacking libio-multiplex-perl (from .../libio-multiplex-perl_1.08-3_all.deb) ...
Selecting previously deselected package libnet-cidr-perl.
Unpacking libnet-cidr-perl (from .../libnet-cidr-perl_0.11-1_all.deb) ...
Selecting previously deselected package libnet-server-perl.
Unpacking libnet-server-perl (from .../libnet-server-perl_0.94-1_all.deb) ...
Selecting previously deselected package munin-node.
Unpacking munin-node (from .../munin-node_1.2.5-1_all.deb) ...
Setting up libio-multiplex-perl (1.08-3) ...
Setting up libnet-cidr-perl (0.11-1) ...
Setting up libnet-server-perl (0.94-1) ...
Setting up munin-node (1.2.5-1) ...
Initializing plugins..done.
Starting Munin-Node: done.
... ok
[-] Installing console-data
... ok
[-] Installing fprobe
Preconfiguring packages ...
Selecting previously deselected package fprobe.
(Reading database ... 29449 files and directories currently installed.)
Unpacking fprobe (from .../archives/fprobe_1.1-6_i386.deb) ...
Setting up fprobe (1.1-6) ...
Starting fprobe: fprobe.
... ok
[-] Installing nagios-images
... ok
[-] Installing nagios-plugins
(Reading database ... 29463 files and directories currently installed.)
Preparing to replace nagios-plugins 1.4.5-1 (using .../nagios-plugins_1.4.5-1etch1_i386.deb) ...
Unpacking replacement nagios-plugins ...
Setting up nagios-plugins (1.4.5-1etch1) ...
... ok

[+] Executing sql scripts
Press the enter key to start...
[-] Processing /var/lib/ossim/updates/1.0.4/sql/00ossim.sql
... ok
[-] Processing /var/lib/ossim/updates/1.0.4/sql/00osvdb.sql
... ok
[-] Processing /var/lib/ossim/updates/1.0.4/sql/00snort.sql
... ok
[-] Processing /var/lib/ossim/updates/1.0.4/sql/01pluginlist.sql
... ok
[-] Processing /var/lib/ossim/updates/1.0.4/sql/01pluginsids.sql
... ok

[+] Updating OSSIM CD Installer files
Press the enter key to start...
[-] Unpacking /var/lib/ossim/updates/1.0.4/dist/00ossim-home-add.tar.gz
... ok
[-] Unpacking /var/lib/ossim/updates/1.0.4/dist/00ossim-new.tar.gz
... ok
[-] Unpacking /var/lib/ossim/updates/1.0.4/dist/01dist-modified.tar.gz
... ok
[-] Unpacking /var/lib/ossim/updates/1.0.4/dist/02etc-new.tar.gz
... ok
[-] Unpacking /var/lib/ossim/updates/1.0.4/dist/02home-modified.tar.gz
... ok
[-] Unpacking /var/lib/ossim/updates/1.0.4/dist/03etc-modified.tar.gz
... ok

[+] Executing post/ scripts
Press the enter key to start...
[-] Executing /var/lib/ossim/updates/1.0.4/post/01php.sh
Changing PHP.ini memory_limit to 32M . . . done
... ok
[-] Executing /var/lib/ossim/updates/1.0.4/post/02ossec.sh
Setting up OSSEC

  OSSEC HIDS v1.4 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux ossim 2.6.18-5-486
  - User: root
  - Host: ossim


  -- Press ENTER to continue or Ctrl-C to abort. --


2- Setting up the installation environment.

 - Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]:
   --- Email notification disabled.

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]:

     - Active response disabled.

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/mail.info
    -- /var/log/apache2/error.log (apache log)
    -- /var/log/apache2/access.log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   --- Press ENTER to continue ---


5- Installing the system
 - Running the Makefile

 - System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
      /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
      /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ).

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---


 - In order to connect agent and server, you need to add each agent to the server.
   Run the 'manage_agents' to add or remove them:

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma

Starting OSSEC . . .Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
2008/02/12 05:51:44 ossec-maild: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
done
... ok
[-] Executing /var/lib/ossim/updates/1.0.4/post/50locales.sh
Generating locales (this might take a while)...
  en_US.ISO-8859-1... done
  en_US.UTF-8... done
  de_DE.ISO-8859-1... done
  de_DE.UTF-8... done
  de_DE.ISO-8859-15@euro... done
  es_ES.ISO-8859-1... done
  es_ES.UTF-8... done
  es_ES.ISO-8859-15@euro... done
  eu_ES.ISO-8859-1... done
  eu_ES.UTF-8... done
  eu_ES.ISO-8859-15@euro... done
  fr_FR.ISO-8859-1... done
  fr_FR.UTF-8... done
  fr_FR.ISO-8859-15@euro... done
  pt_BR.ISO-8859-1... done
  pt_BR.UTF-8... done
  zh_CN.GB2312... done
  zh_CN.GB18030... done
  zh_CN.GBK... done
  zh_CN.UTF-8... done
  zh_HK.BIG5-HKSCS... done
  zh_HK.UTF-8... done
  zh_SG.GB2312... done
  zh_SG.GBK... done
  zh_SG.UTF-8... done
  zh_TW.BIG5... done
  zh_TW.EUC-TW... done
  zh_TW.UTF-8... done
Generation complete.
... ok
[-] Executing /var/lib/ossim/updates/1.0.4/post/60restart_apache.sh
... ok
[-] Executing /var/lib/ossim/updates/1.0.4/post/99post.sh
Getting IP
Checking DB
Connection succeeded, moving on
Sensor ip blank, using main ip
Server ip blank, using main ip
Inserting 192.168.1.95 and ossim into sensor and host tables
Ignore errors start ----------------------------
DBD::mysql::st execute failed: Duplicate entry 'ossim' for key 1 at /home/ossim/dist/reconfig.pl line 289.
DBD::mysql::st execute failed: Duplicate entry '192.168.1.95' for key 1 at /home/ossim/dist/reconfig.pl line 296.
Ignore errors end ----------------------------
Updating snare config
Updating OCS server ip
Ignore errors start ----------------------------
mv: cannot stat `192.168.1.95.exe': No such file or directory
Ignore errors end ----------------------------
Updating Ossim-agent windows installer server ip
Ignore errors start ----------------------------
ossim-install.exe: adjusting offsets for a preamble of 67072 bytes
updating: etc/ossim/agent/config.cfg (deflated 46%)
Ignore errors end ----------------------------
Updating agent config
Updating ntop link
Updating plugin configuration
Updating executive panels config
10 strings replaced in /etc/ossim/framework/panel/configs/
Updating executive panels interfaces config
5 strings replaced in /etc/ossim/framework/panel/configs/
 System startup links for /etc/init.d/ossim-agent already exist.
 System startup links for /etc/init.d/ossim-server already exist.
 System startup links for /etc/init.d/ossim-server already exist.
 System startup links for /etc/init.d/ossim-framework already exist.
 System startup links for /etc/init.d/mysql already exist.
Updating ntop
Updating snortunified
Setting linklayer to ethernet
Updating pads
Updating p0f
Updating arpwatch
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Stopping network top daemon: ntop
Ignore errors start ----------------------------
Restarting OSSIM Agent: ossim-agent2008-02-12 05:55:52,192 Agent [INFO]: Forking into background..
.
Ignore errors end ----------------------------
Adjusting monit startup
Stopping daemon monitor: monit.
Starting daemon monitor: monit.
Using database password defined at config file.
Ignore errors start ----------------------------
Ignore errors end ----------------------------
Ignore errors start ----------------------------
Tue Feb 12 05:55:54 2008  NOTE: Interface merge enabled by default
Tue Feb 12 05:55:54 2008  Initializing gdbm databases
Tue Feb 12 05:55:54 2008  **ERROR** ....open of /var/lib/ntop/prefsCache.db failed: Can't be writer
Tue Feb 12 05:55:54 2008  Possible solution: please use '-P '
Tue Feb 12 05:55:54 2008  **FATAL_ERROR** GDBM open failed, ntop shutting down...
Tue Feb 12 05:55:54 2008  CLEANUP[t3055074176]: ntop caught signal 2
Tue Feb 12 05:55:54 2008  THREADMGMT[t3055074176]: ntop RUNSTATE: SHUTDOWN(7)
Tue Feb 12 05:55:54 2008  CLEANUP[t3055074176] catching thread is MAIN
Tue Feb 12 05:55:54 2008  CLEANUP: Running threads
Tue Feb 12 05:55:54 2008  CLEANUP: Locking purge mutex (may block for a little while)
Tue Feb 12 05:55:54 2008  CLEANUP: Locked purge mutex, continuing shutdown
Tue Feb 12 05:55:54 2008  CLEANUP: Continues
Tue Feb 12 05:55:54 2008  PLUGIN_TERM: Unloading plugins (if any)
Tue Feb 12 05:55:54 2008  CLEANUP: Clean up complete
Tue Feb 12 05:55:54 2008  THREADMGMT[t3055074176]: ntop RUNSTATE: TERM(8)
Tue Feb 12 05:55:54 2008  ===================================
Tue Feb 12 05:55:54 2008  ntop is shutdown...
Tue Feb 12 05:55:54 2008  ===================================
Ignore errors end ----------------------------
All in one profile at 192.168.1.95
Don't worry about most of the errors, many of them can be ignored and your system should be up and running now.
... ok

---------------------------------
- Upgraded to Version: 1.0.4 -
---------------------------------

*If any of the scripts fails, it should be listed in the file /var/lib/ossim/updates/1.0.4-error.log with its error code.

Script started, file is /var/log/ossim/ossim-update.log
Script started, file is /var/log/ossim/ossim-update.log
Script done, file is /var/log/ossim/ossim-update.log
Upgraded to 1.0.4. Please review the log files.