Giter VIP home page Giter VIP logo

Comments (14)

pirate avatar pirate commented on May 28, 2024 4

Awesome work @diligiant , thats exactly the stack trace I need to fix it. Looks like for the sudo parser I was naiive in assuming that a line always contains a ; semicolon. Will fix in next release. (Sorry about the delay guys, I've been really busy at work lately).

from security-growler.

diligiant avatar diligiant commented on May 28, 2024 2

you asked for it ;)
[05/25 19:05] Stopped Watching Sources: ValueError: Traceback (most recent call last):
File "/Applications/Security Growler.app/Contents/Resources/growler.py", line 41, in <module> watch_sources()
File "/Applications/Security Growler.app/Contents/Resources/growler.py", line 24, in watch_sources alert_type, title, content = parse_line(line, source)
File "/Applications/Security Growler.app/Contents/Resources/parsers/__init__.py", line 39, in parse_line alert_type, title, content = parser.parse(line, source)
File "/Applications/Security Growler.app/Contents/Resources/parsers/sudo.py", line 12, in parse pre, pwd, _, command = line.split(' ; ', 3)
ValueError: need more than 1 value to unpack

from security-growler.

JayBrown avatar JayBrown commented on May 28, 2024 1

Addendum: Last night I tested the sleep/wake thing again, but this time Security Growler kept working. (It was just a short sleep phase, i.e. 5 minutes.) This, coupled with the fact that Security Growler also just stopped working on its own without any sleep/wake thing, probably tells us that sleep/wake has nothing to do with it, and that it would rather be some kind of error that occurs after a couple of hours.

from security-growler.

JayBrown avatar JayBrown commented on May 28, 2024

It seems that this issue isn't restricted to wake-from-sleep. After a couple of hours Security Growler stopped working, even though I didn't put my Mac to sleep. So I guess the app needs some form of KeepAlive setting.

from security-growler.

JayBrown avatar JayBrown commented on May 28, 2024

Maybe it has to do with this error, which I received for the first time just now.

http://i.imgur.com/VYBwcqu.png

from security-growler.

pirate avatar pirate commented on May 28, 2024

Have not seen that error before, thanks for reporting! Would you mind posting the output of this command so I can see the full error message text.

grep ValueError < ~/Library/Logs/SecurityGrowler.log

from security-growler.

JayBrown avatar JayBrown commented on May 28, 2024 
 ❯ grep ValueError < ~/Library/Logs/SecurityGrowler.log                                                                          [00:33:23]
[05/01 16:55] Stopped Watching Sources: ValueError
[05/01 16:55] Stopped Watching Sources: ValueError

from security-growler.

pirate avatar pirate commented on May 28, 2024

Whoops sorry, forgot to include surrounding lines that actually have the error info, can you run this and paste again:

grep --context=12 ValueError < ~/Library/Logs/SecurityGrowler.log

from security-growler.

JayBrown avatar JayBrown commented on May 28, 2024 
 ❯ grep --context=12 ValueError < ~/Library/Logs/SecurityGrowler.log                                                             [00:44:56]
/var/log/system.log      : for sudo,ssh,portscan,ostiarius events
port 3689                : for connections events
port 3306                : for connections events
port 5900                : for vnc events
port 21                  : for connections events
port 585                 : for connections events
port 5432                : for connections events
port 445                 : for connections events
[05/01 16:53] ‼️ SUDO EVENT: USER [unknown]: /usr/bin/whoami
@ /
[05/01 16:53] ‼️ SUDO EVENT: USER [unknown]: /usr/bin/defaults read ~/Library/Preferences/USER_DEFINED_PREFERENCES USER_DEFINED_PREFS_KEY
@ /
[05/01 16:55] Stopped Watching Sources: ValueError
[05/01 16:45] Started Watching Sources:
/var/log/system.log      : for sudo,ssh,portscan,ostiarius events
port 3689                : for connections events
port 3306                : for connections events
port 5900                : for vnc events
port 21                  : for connections events
port 585                 : for connections events
port 5432                : for connections events
port 445                 : for connections events
[05/01 16:53] ‼️  SUDO EVENT: USER [unknown]: /usr/bin/whoami
@ /
[05/01 16:53] ‼️  SUDO EVENT: USER [unknown]: /usr/bin/defaults read ~/Library/Preferences/USER_DEFINED_PREFERENCES USER_DEFINED_PREFS_KEY
@ /
[05/01 16:55] Stopped Watching Sources: ValueError
[05/01 17:50] --------
[05/01 17:50] Started Watching Sources:
/var/log/system.log      : for sudo,ssh,portscan,ostiarius events
port 3689                : for connections events
port 3306                : for connections events
port 5900                : for vnc events
port 21                  : for connections events
port 585                 : for connections events
port 5432                : for connections events
port 445                 : for connections events
[05/01 19:53] ‼️ SUDO EVENT: USER [unknown]: /usr/bin/whoami
@ /

Note: the defaults read command is running with sudo, because the prefs file is accessed by another app that runs with root privileges, so the file is root access only. The whoami is just part of the routine.

from security-growler.

pirate avatar pirate commented on May 28, 2024

Hmm unfortunately that doesn't give any more valuable information. It's a little weird since a ValueError should log a stacktrace to the logfile before quitting.

    try:
        watch_sources()
    except BaseException as e:
        notify(type(e).__name__, 'Stopped Watching Sources')
        if isinstance(e, Exception):
            traceback.print_exc()

I'll change it to notify the traceback so it gets logged to all alert channels instead of just printing it to stdout with traceback.print_exc(). I don't have a lot of time tonight but I'll try and get around to it early next week, there are some other bugs I can fix and bundle with the next v2.3 release as well.

from security-growler.

BenjaminHCCarr avatar BenjaminHCCarr commented on May 28, 2024

I receive the same error @JayBrown with his imgur link, exactly, sometimes I get two back to back, again after a couple of hours of use. I am on 10.10.5, so it's not the new sandbox problm.

tyr:~/tmp benc$ uname -a
Darwin tyr.local 14.5.0 Darwin Kernel Version 14.5.0: Mon Jan 11 18:48:35 PST 24

My python version is

Python 3.5.0 (v3.5.0:374f501f4567, Sep 12 2015, 11:00:19)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin

I'll grep the log when it happens again. It might be useful to put the build/git-id in the settings file. I am using Security Growler v2.2 light mode. Using your .app bundle, didn't build from source.

from security-growler.

pirate avatar pirate commented on May 28, 2024

Added traceback notifications on error or quit (e3e4936), download the updated app here. Next time it has an error, copy paste the traceback and post it here, that'll let me find exactly what line the error is on.

from security-growler.

BenjaminHCCarr avatar BenjaminHCCarr commented on May 28, 2024

thanks @pirate! that kind of thing happens, ping me when you roll a release, and I'll repackage homebrew.

from security-growler.

BenjaminHCCarr avatar BenjaminHCCarr commented on May 28, 2024

This looks to still be an issue in v2.3; showing a couple hours of (light) logging) so show that it works most of the time, but some sudo calls make it go sideways still.

[03/15 12:42] ‼️ SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:42] ‼️ SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️ SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️ SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️ SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️ SSH EVENT:  : from: 91.197.232.107 | Invalid user telecomadmin from 91.197.23...
[03/15 12:43] ‼️ SSH EVENT:  : from:  | input_userauth_request: invalid user tel...
[03/15 12:43] ‼️ SSH EVENT:  : from: 199.249.223.77 | Connection closed by 199.249.223.77 [pre...
[03/15 12:43] ‼️ SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️ SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️ SSH EVENT:  : from: 91.197.232.107 | Invalid user ubnt from 91.197.232.107...
[03/15 12:43] ‼️ SSH EVENT:  : from:  | input_userauth_request: invalid user ubn...
[03/15 12:43] ‼️ SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 14:32] ‼️ SSH EVENT:  : from: 202.215.132.129 | Invalid user admin from 202.215.132.129...
[03/15 14:32] ‼️ SSH EVENT:  : from:  | input_userauth_request: invalid user adm...
[03/15 14:32] ‼️ SSH EVENT: invalid: from: 202.215.132.129 | error: maximum authentication attempts e...
[03/15 14:32] ‼️ SSH EVENT:  : from:  | Disconnecting: Too many authentication f...
[03/15 14:34] ‼️ SSH EVENT:  : from: 175.143.14.138 | Invalid user support from 175.143.14.138...
[03/15 14:34] ‼️ SSH EVENT:  : from:  | input_userauth_request: invalid user sup...
[03/15 14:34] ‼️ SSH EVENT: invalid: from: 175.143.14.138 | error: maximum authentication attempts e...
[03/15 14:34] ‼️ SSH EVENT:  : from:  | Disconnecting: Too many authentication f...
 input_userauth_request: invalid user adm...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Invalid user cisco from 91.197.232.107...
[03/15 12:42] ‼️  SSH EVENT:  : from:  | input_userauth_request: invalid user cis...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Invalid user operator from 91.197.232.10...
[03/15 12:42] ‼️  SSH EVENT:  : from:  | input_userauth_request: invalid user ope...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Invalid user osmc from 91.197.232.107...
[03/15 12:42] ‼️  SSH EVENT:  : from:  | input_userauth_request: invalid user osm...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Invalid user osmc from 91.197.232.107...
[03/15 12:42] ‼️  SSH EVENT:  : from:  | input_userauth_request: invalid user osm...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Invalid user pi from 91.197.232.107...
[03/15 12:42] ‼️  SSH EVENT:  : from:  | input_userauth_request: invalid user pi ...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:42] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️  SSH EVENT:  : from: 91.197.232.107 | Invalid user telecomadmin from 91.197.23...
[03/15 12:43] ‼️  SSH EVENT:  : from:  | input_userauth_request: invalid user tel...
[03/15 12:43] ‼️  SSH EVENT:  : from: 199.249.223.77 | Connection closed by 199.249.223.77 [pre...
[03/15 12:43] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 12:43] ‼️  SSH EVENT:  : from: 91.197.232.107 | Invalid user ubnt from 91.197.232.107...
[03/15 12:43] ‼️  SSH EVENT:  : from:  | input_userauth_request: invalid user ubn...
[03/15 12:43] ‼️  SSH EVENT:  : from: 91.197.232.107 | Connection closed by 91.197.232.107 [pre...
[03/15 14:32] ‼️  SSH EVENT:  : from: 202.215.132.129 | Invalid user admin from 202.215.132.129...
[03/15 14:32] ‼️  SSH EVENT:  : from:  | input_userauth_request: invalid user adm...
[03/15 14:32] ‼️  SSH EVENT: invalid: from: 202.215.132.129 | error: maximum authentication attempts e...
[03/15 14:32] ‼️  SSH EVENT:  : from:  | Disconnecting: Too many authentication f...
[03/15 14:34] ‼️  SSH EVENT:  : from: 175.143.14.138 | Invalid user support from 175.143.14.138...
[03/15 14:34] ‼️  SSH EVENT:  : from:  | input_userauth_request: invalid user sup...
[03/15 14:34] ‼️  SSH EVENT: invalid: from: 175.143.14.138 | error: maximum authentication attempts e...
[03/15 14:34] ‼️  SSH EVENT:  : from:  | Disconnecting: Too many authentication f...
[03/15 15:09] Stopped Watching Sources: ValueError: Traceback (most recent call last):
  File "/Applications/Security Growler.app/Contents/Resources/growler.py", line 41, in <module>
    watch_sources()
  File "/Applications/Security Growler.app/Contents/Resources/growler.py", line 24, in watch_sources
    alert_type, title, content = parse_line(line, source)
  File "/Applications/Security Grow[03/15 15:09] Stopped Watching Sources: ValueError: Traceback (most recent call last):
  File "/Applications/Security Growler.app/Contents/Resources/growler.py", line 41, in <module>
    watch_sources()
  File "/Applications/Security Growler.app/Contents/Resources/growler.py", line 24, in watch_sources
    alert_type, title, content = parse_line(line, source)
  File "/Applications/Security Growler.app/Contents/Resources/parsers/__init__.py", line 39, in parse_line
    alert_type, title, content = parser.parse(line, source)
  File "/Applications/Security Growler.app/Contents/Resources/parsers/sudo.py", line 15, in parse
    pre, pwd, _, command = line.split(' ; ', 3)
ValueError: need more than 1 value to unpack

ler.app/Contents/Resources/parsers/__init__.py", line 39, in parse_line
    alert_type, title, content = parser.parse(line, source)
  File "/Applications/Security Growler.app/Contents/Resources/parsers/sudo.py", line 15, in parse
    pre, pwd, _, command = line.split(' ; ', 3)
ValueError: need more than 1 value to unpack

[03/15 15:11] --------
[03/15 15:11] Started Watching Sources: 
/var/log/system.log      : for sudo,ssh,portscan,ostiarius events
port 3689                : for connections events
port 3306                : for connections events
port 5900                : for vnc events
port 21                  : for connections events
port 585                 : for connections events
port 5432                : for connections events
port 445                 : for connections events

from security-growler.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.