Sysinternals / SysmonForLinux

MIT License

Sysmon is terminating with "stack smashing detected" #149

Closed juergenthomann closed 7 months ago

juergenthomann commented 9 months ago

Describe the bug Sysmon is terminated after some time with "stack smashing detected". It depends on the server, but on two of them it gets terminated nearly instantly. On others it runs, with luck, for some days.

To Reproduce Install Sysmon on Debian 11 and use the config below during "sysmon -i".

Sysmon version We tried 1.2, 1.3 and also 1.3.1.

Distro/kernel version Debian 11 with linux-image-5.10.0-25-amd64, but previous versions are also affected.

Sysmon configuration For testing we currently use the following config, but it happens without any special config as well.

<?xml version="1.0"?>
<Sysmon schemaversion="4.70">
        <EventFiltering>
                <!-- Event ID 1 == ProcessCreate. Log all newly created processes -->
                <RuleGroup name="" groupRelation="or">
                        <ProcessCreate onmatch="exclude"/>
                </RuleGroup>
                <!-- Event ID 3 == NetworkConnect Detected. Log all network connections -->
                <RuleGroup name="" groupRelation="or">
                        <NetworkConnect onmatch="exclude"/>
                </RuleGroup>
                <!-- Event ID 5 == ProcessTerminate. Log all processes terminated -->
                <RuleGroup name="" groupRelation="or">
                        <ProcessTerminate onmatch="exclude"/>
                </RuleGroup>
                <!-- Event ID 9 == RawAccessRead. Log all raw access read -->
                <RuleGroup name="" groupRelation="or">
                        <RawAccessRead onmatch="exclude"/>
                </RuleGroup>
                <!-- Event ID 10 == ProcessAccess. Log all open process operations -->
                <RuleGroup name="" groupRelation="or">
                        <ProcessAccess onmatch="exclude"/>
                </RuleGroup>
                <!-- Event ID 11 == FileCreate. Log every file creation -->
                <RuleGroup name="" groupRelation="or">
                        <FileCreate onmatch="exclude"/>
                </RuleGroup>
                <!-- Event ID 23 == FileDelete. Log all files being deleted -->
                <RuleGroup name="" groupRelation="or">
                        <FileDelete onmatch="exclude"/>
                </RuleGroup>
        </EventFiltering>
</Sysmon>

Logs

Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.363
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-8d67-3209e2550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328976
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/bash
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.363
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-8d67-3209e2550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328976
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/bash
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.441160000Z"/><EventRecordID>2708</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.345</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-8d67-3209e2550000}</Data><Data Name="ProcessId">1328976</Data><Data Name="Image">/bin/bash</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">bash /usr/local/bin/zookeeperReady.sh</Data><Data Name="CurrentDirectory">/apache-zookeeper-3.6.1-bin</Data><Data Name="User">root</Data><Data Name="LogonGuid">{f299857d-0000-0000-0000-000000000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">4294967295</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">SHA256=d86b21405852d8642ca41afae9dcf0f532e2d67973b0648b0af7c26933f1becb</Data><Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="ParentProcessId">1328969</Data><Data Name="ParentImage">-</Data><Data Name="ParentCommandLine">-</Data><Data Name="ParentUser">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.441222000Z"/><EventRecordID>2709</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.366</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-4de2-186f69550000}</Data><Data Name="ProcessId">1328967</Data><Data Name="Image">/usr/bin/runc</Data><Data Name="User">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>23</EventID><Version>5</Version><Level>4</Level><Task>23</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.441261000Z"/><EventRecordID>2710</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.367</Data><Data Name="ProcessGuid">{f299857d-6eb8-64e4-b640-860000000000}</Data><Data Name="ProcessId">265440</Data><Data Name="User">-</Data><Data Name="Image">/usr/bin/containerd-shim-runc-v2</Data><Data Name="TargetFilename">/tmp/runc-process599111333</Data><Data Name="Hashes">-</Data><Data Name="IsExecutable">-</Data><Data Name="Archived">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.441307000Z"/><EventRecordID>2711</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.363</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-8d67-3209e2550000}</Data><Data Name="ProcessId">1328976</Data><Data Name="Image">/bin/bash</Data><Data Name="User">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.441339000Z"/><EventRecordID>2712</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.363</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-8d67-3209e2550000}</Data><Data Name="ProcessId">1328976</Data><Data Name="Image">/bin/bash</Data><Data Name="User">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.441567000Z"/><EventRecordID>2713</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.345</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-f9d4-83b8a1550000}</Data><Data Name="ProcessId">1328976</Data><Data Name="Image">/usr/bin/env</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">/usr/bin/env bash /usr/local/bin/zookeeperReady.sh</Data><Data Name="CurrentDirectory">/apache-zookeeper-3.6.1-bin</Data><Data Name="User">root</Data><Data Name="LogonGuid">{f299857d-0000-0000-0000-000000000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">4294967295</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">SHA256=ee543479c6fd441699234c90a0c5da06867329d608c05170158f2b019531d974</Data><Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="ParentProcessId">1328969</Data><Data Name="ParentImage">-</Data><Data Name="ParentCommandLine">-</Data><Data Name="ParentUser">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.441614000Z"/><EventRecordID>2714</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.366</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-4de2-186f69550000}</Data><Data Name="ProcessId">1328967</Data><Data Name="Image">/usr/bin/runc</Data><Data Name="User">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.441645000Z"/><EventRecordID>2715</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.366</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-4de2-186f69550000}</Data><Data Name="ProcessId">1328967</Data><Data Name="Image">/usr/bin/runc</Data><Data Name="User">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.451216000Z"/><EventRecordID>2716</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.400</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-fd66-548d61550000}</Data><Data Name="ProcessId">1328987</Data><Data Name="Image">/usr/bin/nslookup</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">nslookup solr-solrcloud-zookeeper-headless.snh-feedbackportal-int.svc.cluster.local</Data><Data Name="CurrentDirectory">/apache-zookeeper-3.6.1-bin</Data><Data Name="User">root</Data><Data Name="LogonGuid">{f299857d-0000-0000-0000-000000000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">4294967295</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">SHA256=761972d5cd144af192cb0e1c6fb7fa4e55062b98393781654234eaca1a767845</Data><Data Name="ParentProcessGuid">{f299857d-2b42-6525-8d67-3209e2550000}</Data><Data Name="ParentProcessId">1328976</Data><Data Name="ParentImage">/bin/bash</Data><Data Name="ParentCommandLine">bash</Data><Data Name="ParentUser">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.451300000Z"/><EventRecordID>2717</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.407</Data><Data Name="ProcessGuid">{f299857d-5c28-64e4-e014-440300000000}</Data><Data Name="ProcessId">1607</Data><Data Name="Image">/usr/bin/kubelet</Data><Data Name="User">root</Data><Data Name="Protocol">tcp</Data><Data Name="Initiated">true</Data><Data Name="SourceIsIpv6">false</Data><Data Name="SourceIp">10.160.41.139</Data><Data Name="SourceHostname">-</Data><Data Name="SourcePort">43376</Data><Data Name="SourcePortName">-</Data><Data Name="DestinationIsIpv6">false</Data><Data Name="DestinationIp">10.160.41.165</Data><Data Name="DestinationHostname">-</Data><Data Name="DestinationPort">8081</Data><Data Name="DestinationPortName">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: [!] Default string for IntegrityLevel on SYSMONEVENT_CREATE_PROCESS - (nil),0
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_CREATE_PROCESS
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.345
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-8d67-3209e2550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328976
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/bash
Oct 10 12:45:22 redacted sysmon[1328745]:         FileVersion: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Description: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Product: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Company: -
Oct 10 12:45:22 redacted sysmon[1328745]:         OriginalFileName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         CommandLine: bash /usr/local/bin/zookeeperReady.sh
Oct 10 12:45:22 redacted sysmon[1328745]:         CurrentDirectory: /apache-zookeeper-3.6.1-bin
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonGuid: {f299857d-0000-0000-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonId: 0
Oct 10 12:45:22 redacted sysmon[1328745]:         TerminalSessionId: 4294967295
Oct 10 12:45:22 redacted sysmon[1328745]:         IntegrityLevel: no level
Oct 10 12:45:22 redacted sysmon[1328745]:         Hashes: SHA256=d86b21405852d8642ca41afae9dcf0f532e2d67973b0648b0af7c26933f1becb
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessId: 1328969
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentImage: -
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentCommandLine: -
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentUser: -
Oct 10 12:45:22 redacted sysmon[1328745]: [!] Default string for User on SYSMONEVENT_PROCESS_TERMINATE - (nil),0
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.366
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-4de2-186f69550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328967
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /usr/bin/runc
Oct 10 12:45:22 redacted sysmon[1328745]:         User: -
Oct 10 12:45:22 redacted sysmon[1328745]: [!] Default string for User on SYSMONEVENT_FILE_DELETE - (nil),0
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_FILE_DELETE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.367
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-6eb8-64e4-b640-860000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 265440
Oct 10 12:45:22 redacted sysmon[1328745]:         User: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /usr/bin/containerd-shim-runc-v2
Oct 10 12:45:22 redacted sysmon[1328745]:         TargetFilename: /tmp/runc-process599111333
Oct 10 12:45:22 redacted sysmon[1328745]:         Hashes: -
Oct 10 12:45:22 redacted sysmon[1328745]:         IsExecutable: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Archived: -
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.363
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-8d67-3209e2550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328976
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/bash
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.363
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-8d67-3209e2550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328976
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/bash
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: [!] Default string for IntegrityLevel on SYSMONEVENT_CREATE_PROCESS - (nil),0
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_CREATE_PROCESS
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.345
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-f9d4-83b8a1550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328976
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /usr/bin/env
Oct 10 12:45:22 redacted sysmon[1328745]:         FileVersion: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Description: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Product: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Company: -
Oct 10 12:45:22 redacted sysmon[1328745]:         OriginalFileName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         CommandLine: /usr/bin/env bash /usr/local/bin/zookeeperReady.sh
Oct 10 12:45:22 redacted sysmon[1328745]:         CurrentDirectory: /apache-zookeeper-3.6.1-bin
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonGuid: {f299857d-0000-0000-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonId: 0
Oct 10 12:45:22 redacted sysmon[1328745]:         TerminalSessionId: 4294967295
Oct 10 12:45:22 redacted sysmon[1328745]:         IntegrityLevel: no level
Oct 10 12:45:22 redacted sysmon[1328745]:         Hashes: SHA256=ee543479c6fd441699234c90a0c5da06867329d608c05170158f2b019531d974
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessId: 1328969
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentImage: -
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentCommandLine: -
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentUser: -
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.366
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-4de2-186f69550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328967
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /usr/bin/runc
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.366
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-4de2-186f69550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328967
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /usr/bin/runc
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: [!] Default string for IntegrityLevel on SYSMONEVENT_CREATE_PROCESS - (nil),0
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_CREATE_PROCESS
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.400
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-fd66-548d61550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328987
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /usr/bin/nslookup
Oct 10 12:45:22 redacted sysmon[1328745]:         FileVersion: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Description: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Product: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Company: -
Oct 10 12:45:22 redacted sysmon[1328745]:         OriginalFileName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         CommandLine: nslookup solr-solrcloud-zookeeper-headless.snh-feedbackportal-int.svc.cluster.local
Oct 10 12:45:22 redacted sysmon[1328745]:         CurrentDirectory: /apache-zookeeper-3.6.1-bin
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonGuid: {f299857d-0000-0000-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonId: 0
Oct 10 12:45:22 redacted sysmon[1328745]:         TerminalSessionId: 4294967295
Oct 10 12:45:22 redacted sysmon[1328745]:         IntegrityLevel: no level
Oct 10 12:45:22 redacted sysmon[1328745]:         Hashes: SHA256=761972d5cd144af192cb0e1c6fb7fa4e55062b98393781654234eaca1a767845
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessGuid: {f299857d-2b42-6525-8d67-3209e2550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessId: 1328976
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentImage: /bin/bash
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentCommandLine: bash
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentUser: root
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_NETWORK_CONNECT
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.407
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-5c28-64e4-e014-440300000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1607
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /usr/bin/kubelet
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]:         Protocol: tcp
Oct 10 12:45:22 redacted sysmon[1328745]:         Initiated: true
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIsIpv6: false
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIp: 10.160.41.139
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceHostname: -
Oct 10 12:45:22 redacted sysmon[1328745]:         SourcePort: 43376
Oct 10 12:45:22 redacted sysmon[1328745]:         SourcePortName: -
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.451833000Z"/><EventRecordID>2718</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.366</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-3db0-e47d89550000}</Data><Data Name="ProcessId">1328982</Data><Data Name="Image">/bin/hostname</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">hostname -s</Data><Data Name="CurrentDirectory">/apache-zookeeper-3.6.1-bin</Data><Data Name="User">root</Data><Data Name="LogonGuid">{f299857d-0000-0000-0000-000000000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">4294967295</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">SHA256=23442162d1204473dda2bcb7c0b371c9a1be6193a19a4cf330f524fa3664f58a</Data><Data Name="ParentProcessGuid">{f299857d-2b42-6525-8d67-3209e2550000}</Data><Data Name="ParentProcessId">1328976</Data><Data Name="ParentImage">/bin/bash</Data><Data Name="ParentCommandLine">bash</Data><Data Name="ParentUser">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationIsIpv6: false
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationIp: 10.160.41.165
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationHostname: -
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationPort: 8081
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationPortName: -
Oct 10 12:45:22 redacted sysmon[1328745]: [!] Default string for IntegrityLevel on SYSMONEVENT_CREATE_PROCESS - (nil),0
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_CREATE_PROCESS
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.366
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-3db0-e47d89550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328982
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/hostname
Oct 10 12:45:22 redacted sysmon[1328745]:         FileVersion: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Description: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Product: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Company: -
Oct 10 12:45:22 redacted sysmon[1328745]:         OriginalFileName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         CommandLine: hostname -s
Oct 10 12:45:22 redacted sysmon[1328745]:         CurrentDirectory: /apache-zookeeper-3.6.1-bin
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonGuid: {f299857d-0000-0000-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonId: 0
Oct 10 12:45:22 redacted sysmon[1328745]:         TerminalSessionId: 4294967295
Oct 10 12:45:22 redacted sysmon[1328745]:         IntegrityLevel: no level
Oct 10 12:45:22 redacted sysmon[1328745]:         Hashes: SHA256=23442162d1204473dda2bcb7c0b371c9a1be6193a19a4cf330f524fa3664f58a
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessGuid: {f299857d-2b42-6525-8d67-3209e2550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessId: 1328976
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentImage: /bin/bash
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentCommandLine: bash
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentUser: root
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.397
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-3db0-e47d89550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328982
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/hostname
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: PROCESS_CACHE_REQUEST failed
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.398
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {00000000-0000-0000-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328985
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: <unknown process>
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: [!] Default string for IntegrityLevel on SYSMONEVENT_CREATE_PROCESS - (nil),0
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_CREATE_PROCESS
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.398
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-5458-c0587d550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328986
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/nc.traditional
Oct 10 12:45:22 redacted sysmon[1328745]:         FileVersion: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Description: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Product: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Company: -
Oct 10 12:45:22 redacted sysmon[1328745]:         OriginalFileName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         CommandLine: nc 127.0.0.1 2181
Oct 10 12:45:22 redacted sysmon[1328745]:         CurrentDirectory: /apache-zookeeper-3.6.1-bin
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonGuid: {f299857d-0000-0000-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         LogonId: 0
Oct 10 12:45:22 redacted sysmon[1328745]:         TerminalSessionId: 4294967295
Oct 10 12:45:22 redacted sysmon[1328745]:         IntegrityLevel: no level
Oct 10 12:45:22 redacted sysmon[1328745]:         Hashes: SHA256=4c84549200859bc96667c17010f1d958421e70d0f162a948e07f8314cacc0949
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentProcessId: 1328984
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentImage: -
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.451887000Z"/><EventRecordID>2719</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.397</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-3db0-e47d89550000}</Data><Data Name="ProcessId">1328982</Data><Data Name="Image">/bin/hostname</Data><Data Name="User">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentCommandLine: -
Oct 10 12:45:22 redacted sysmon[1328745]:         ParentUser: -
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_NETWORK_CONNECT
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.399
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-5458-c0587d550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328986
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/nc.traditional
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]:         Protocol: tcp
Oct 10 12:45:22 redacted sysmon[1328745]:         Initiated: true
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIsIpv6: false
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIp: 127.0.0.1
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceHostname: -
Oct 10 12:45:22 redacted sysmon[1328745]:         SourcePort: 51386
Oct 10 12:45:22 redacted sysmon[1328745]:         SourcePortName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationIsIpv6: false
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationIp: 127.0.0.1
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationHostname: -
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationPort: 2181
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationPortName: -
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.400
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-5458-c0587d550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328986
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/nc.traditional
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_NETWORK_CONNECT
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.408
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-c2bb-651f-79f4-4d0f8b550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 2875718
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /opt/java/openjdk/bin/java
Oct 10 12:45:22 redacted sysmon[1328745]:         User: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Protocol: tcp
Oct 10 12:45:22 redacted sysmon[1328745]:         Initiated: false
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIsIpv6: true
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIp: 0:0:0:0:0:ffff:aa0:298b
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceHostname: -
Oct 10 12:45:22 redacted sysmon[1328745]:         SourcePort: 43376
Oct 10 12:45:22 redacted sysmon[1328745]:         SourcePortName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationIsIpv6: true
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationIp: 0:0:0:0:0:ffff:aa0:29a5
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationHostname: -
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationPort: 8081
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationPortName: -
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.322
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-2b42-6525-8d77-73a8eb550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 1328957
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /bin/bash
Oct 10 12:45:22 redacted sysmon[1328745]:         User: root
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_NETWORK_CONNECT
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.331
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-f351-6507-7964-347bda550000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 775880
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: /opt/java/openjdk/bin/java
Oct 10 12:45:22 redacted sysmon[1328745]:         User: nobody
Oct 10 12:45:22 redacted sysmon[1328745]:         Protocol: udp
Oct 10 12:45:22 redacted sysmon[1328745]:         Initiated: true
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIsIpv6: false
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIp: 10.160.41.124
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceHostname: -
Oct 10 12:45:22 redacted sysmon[1328745]:         SourcePort: 59012
Oct 10 12:45:22 redacted sysmon[1328745]:         SourcePortName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationIsIpv6: false
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationIp: 10.160.0.10
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationHostname: -
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationPort: 53
Oct 10 12:45:22 redacted sysmon[1328745]:         DestinationPortName: -
Oct 10 12:45:22 redacted sysmon[1328745]: Event SYSMONEVENT_NETWORK_CONNECT
Oct 10 12:45:22 redacted sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 redacted sysmon[1328745]:         UtcTime: 2023-10-10 10:45:22.335
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessGuid: {f299857d-5c1a-64e4-0000-000000000000}
Oct 10 12:45:22 redacted sysmon[1328745]:         ProcessId: 33
Oct 10 12:45:22 redacted sysmon[1328745]:         Image: -
Oct 10 12:45:22 redacted sysmon[1328745]:         User: -
Oct 10 12:45:22 redacted sysmon[1328745]:         Protocol: tcp
Oct 10 12:45:22 redacted sysmon[1328745]:         Initiated: false
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIsIpv6: true
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.451934000Z"/><EventRecordID>2720</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.398</Data><Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="ProcessId">1328985</Data><Data Name="Image">&lt;unknown process&gt;</Data><Data Name="User">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceIp: 0:0:0:0:0:ffff:aa0:297c
Oct 10 12:45:22 redacted sysmon[1328745]:         SourceHostname: -
Oct 10 12:45:22 redacted sysmon[1328745]:         SourcePor*** stack smashing detected ***: terminated
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.452119000Z"/><EventRecordID>2721</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.398</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-5458-c0587d550000}</Data><Data Name="ProcessId">1328986</Data><Data Name="Image">/bin/nc.traditional</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">nc 127.0.0.1 2181</Data><Data Name="CurrentDirectory">/apache-zookeeper-3.6.1-bin</Data><Data Name="User">root</Data><Data Name="LogonGuid">{f299857d-0000-0000-0000-000000000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">4294967295</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">SHA256=4c84549200859bc96667c17010f1d958421e70d0f162a948e07f8314cacc0949</Data><Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="ParentProcessId">1328984</Data><Data Name="ParentImage">-</Data><Data Name="ParentCommandLine">-</Data><Data Name="ParentUser">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.452171000Z"/><EventRecordID>2722</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.399</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-5458-c0587d550000}</Data><Data Name="ProcessId">1328986</Data><Data Name="Image">/bin/nc.traditional</Data><Data Name="User">root</Data><Data Name="Protocol">tcp</Data><Data Name="Initiated">true</Data><Data Name="SourceIsIpv6">false</Data><Data Name="SourceIp">127.0.0.1</Data><Data Name="SourceHostname">-</Data><Data Name="SourcePort">51386</Data><Data Name="SourcePortName">-</Data><Data Name="DestinationIsIpv6">false</Data><Data Name="DestinationIp">127.0.0.1</Data><Data Name="DestinationHostname">-</Data><Data Name="DestinationPort">2181</Data><Data Name="DestinationPortName">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.452216000Z"/><EventRecordID>2723</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.400</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-5458-c0587d550000}</Data><Data Name="ProcessId">1328986</Data><Data Name="Image">/bin/nc.traditional</Data><Data Name="User">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.452468000Z"/><EventRecordID>2724</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.408</Data><Data Name="ProcessGuid">{f299857d-c2bb-651f-79f4-4d0f8b550000}</Data><Data Name="ProcessId">2875718</Data><Data Name="Image">/opt/java/openjdk/bin/java</Data><Data Name="User">-</Data><Data Name="Protocol">tcp</Data><Data Name="Initiated">false</Data><Data Name="SourceIsIpv6">true</Data><Data Name="SourceIp">0:0:0:0:0:ffff:aa0:298b</Data><Data Name="SourceHostname">-</Data><Data Name="SourcePort">43376</Data><Data Name="SourcePortName">-</Data><Data Name="DestinationIsIpv6">true</Data><Data Name="DestinationIp">0:0:0:0:0:ffff:aa0:29a5</Data><Data Name="DestinationHostname">-</Data><Data Name="DestinationPort">8081</Data><Data Name="DestinationPortName">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.452801000Z"/><EventRecordID>2725</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.322</Data><Data Name="ProcessGuid">{f299857d-2b42-6525-8d77-73a8eb550000}</Data><Data Name="ProcessId">1328957</Data><Data Name="Image">/bin/bash</Data><Data Name="User">root</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.452854000Z"/><EventRecordID>2726</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.331</Data><Data Name="ProcessGuid">{f299857d-f351-6507-7964-347bda550000}</Data><Data Name="ProcessId">775880</Data><Data Name="Image">/opt/java/openjdk/bin/java</Data><Data Name="User">nobody</Data><Data Name="Protocol">udp</Data><Data Name="Initiated">true</Data><Data Name="SourceIsIpv6">false</Data><Data Name="SourceIp">10.160.41.124</Data><Data Name="SourceHostname">-</Data><Data Name="SourcePort">59012</Data><Data Name="SourcePortName">-</Data><Data Name="DestinationIsIpv6">false</Data><Data Name="DestinationIp">10.160.0.10</Data><Data Name="DestinationHostname">-</Data><Data Name="DestinationPort">53</Data><Data Name="DestinationPortName">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.453044000Z"/><EventRecordID>2727</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.335</Data><Data Name="ProcessGuid">{f299857d-5c1a-64e4-0000-000000000000}</Data><Data Name="ProcessId">33</Data><Data Name="Image">-</Data><Data Name="User">-</Data><Data Name="Protocol">tcp</Data><Data Name="Initiated">false</Data><Data Name="SourceIsIpv6">true</Data><Data Name="SourceIp">0:0:0:0:0:ffff:aa0:297c</Data><Data Name="SourceHostname">-</Data><Data Name="SourcePort">0</Data><Data Name="SourcePortName">-</Data><Data Name="DestinationIsIpv6">true</Data><Data Name="DestinationIp">0:0:0:0:0:ffff:a80:8130</Data><Data Name="DestinationHostname">-</Data><Data Name="DestinationPort">443</Data><Data Name="DestinationPortName">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>23</EventID><Version>5</Version><Level>4</Level><Task>23</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.453101000Z"/><EventRecordID>2728</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.370</Data><Data Name="ProcessGuid">{f299857d-6eb8-64e4-b640-860000000000}</Data><Data Name="ProcessId">265440</Data><Data Name="User">-</Data><Data Name="Image">/usr/bin/containerd-shim-runc-v2</Data><Data Name="TargetFilename">/run/containerd/io.containerd.runtime.v2.task/k8s.io/1b3ddffdcc2f3f66c29b690ad6e1830d5b5cc80df4801ac1bddf544a986ec258/5310696edd37cc85269f3af114d2864677f731b1a0f546a1d74b17d5f937f3c5.pid</Data><Data Name="Hashes">-</Data><Data Name="IsExecutable">-</Data><Data Name="Archived">-</Data></EventData></Event>
Oct 10 12:45:22 redacted sysmon[1328745]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-10-10T10:45:22.453185000Z"/><EventRecordID>2729</EventRecordID><Correlation/><Execution ProcessID="1328745" ThreadID="1328745"/><Channel>Linux-Sysmon/Operational</Channel><Computer>redacted</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-10-10 10:45:22.440</Data><Data Name="ProcessGuid">{f299857d-6eb8-64e4-b640-860000000000}</Data><Data Name="ProcessId">265488</Data><Data Name="Image">/usr/bin/containerd-shim-runc-v2</Data><Data Name="TargetFilename">/tmp/runc-process1360531797</Data><Data Name="CreationUtcTime">2023-10-10 10:45:22.440</Data><Data Name="User">-</Data></EventData></Event>
Oct 10 12:45:23 redacted systemd[1]: sysmon.service: Main process exited, code=dumped, status=6/ABRT
Oct 10 12:45:23 redacted systemd[1]: sysmon.service: Failed with result 'core-dump'.

Expected behavior sysmon should not stop with stack smashing errors

Additional context The coredump always points to the same place. This could be a problem in sysmonCommon, but as the stack problems could be caused from a different code location, I think it is best to start the investigation here.

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f6bcf7bb537 in __GI_abort () at abort.c:79
#2  0x00007f6bcf8133a8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f6bcf931187 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007f6bcf8a4542 in __GI___fortify_fail (msg=msg@entry=0x7f6bcf93116f "stack smashing detected") at fortify_fail.c:26
#4  0x00007f6bcf8a4520 in __stack_chk_fail () at stack_chk_fail.c:24
#5  0x00005638a62c6e51 in FetchUniquePGUID (pguid=0x7ffe220a5960, ProcessId=265653, UpdateCache=<optimized out>, time=<optimized out>)
    at /mnt/vss/_work/1/s/SysmonForLinux/sysmonCommon/eventsCommon.cpp:567
#6  0x0000000000000000 in ?? ()
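From a defender's point of view the operational problem in this report is that the sensor itself dies: after the `*** stack smashing detected ***: terminated` line the sysmon process aborts, systemd records `code=dumped, status=6/ABRT` and no more events are recorded until someone restarts the service. The script below is an added example (it is not part of SysmonForLinux and not from the issue) that scans journald-style output for exactly that sequence and reports the telemetry gap: which sysmon pid died, which event type it was emitting at the time, which field was cut off by the abort message, and what systemd recorded afterwards. It also counts aborts so a restart loop of the kind described later in the thread can be flagged. The log lines it runs on are constructed to match the shapes shown above; the hostname and alert format are assumptions.

```python
"""Detect a crashed Sysmon-for-Linux sensor in journald output.

Added example, not SysmonForLinux code. The journal lines below are
constructed to mirror the shapes shown in the bug report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# journald short format: "Oct 10 12:45:22 host unit[pid]: message"
JOURNAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# glibc's stack-protector abort message, as it appears spliced into a sysmon log line
SMASH_MARKER = "*** stack smashing detected ***: terminated"
ABRT_RE = re.compile(
    r"sysmon\.service: Main process exited, code=dumped, status=(?P<status>\d+)/(?P<sig>\w+)"
)
FAILED_RE = re.compile(r"sysmon\.service: Failed with result '(?P<result>[^']+)'")
EVENT_RE = re.compile(r"^Event (?P<name>SYSMONEVENT_\w+)")


@dataclass
class SensorCrash:
    host: str
    pid: int
    timestamp: str
    last_event: Optional[str]        # event type sysmon was emitting when it died
    truncated_field: Optional[str]   # field name cut off by the abort message
    exit_signal: Optional[str] = None
    systemd_result: Optional[str] = None


def detect_sensor_crash(lines: Iterable[str]) -> Optional[SensorCrash]:
    """Return a SensorCrash when the journal shows sysmon aborting, else None."""
    last_event = None
    crash = None
    for line in lines:
        m = JOURNAL_RE.match(line)
        if not m:
            continue
        unit, msg = m["unit"], m["msg"].strip()
        if unit == "sysmon":
            ev = EVENT_RE.match(msg)
            if ev:
                last_event = ev["name"]
            if SMASH_MARKER in msg:
                # Anything before the marker is the field sysmon was printing
                partial = msg.split(SMASH_MARKER, 1)[0].strip() or None
                crash = SensorCrash(host=m["host"], pid=int(m["pid"]), timestamp=m["ts"],
                                    last_event=last_event, truncated_field=partial)
        elif unit == "systemd" and crash is not None:
            a = ABRT_RE.search(msg)
            if a:
                crash.exit_signal = a["sig"]
            f = FAILED_RE.search(msg)
            if f:
                crash.systemd_result = f["result"]
    return crash


def count_aborts(lines: Iterable[str]) -> int:
    """Number of sysmon.service abort records; several in a short window mean a crash loop."""
    return sum(1 for line in lines if ABRT_RE.search(line))


def telemetry_gap_alert(crash: SensorCrash) -> str:
    """One-line alert for the SOC: the endpoint has no Sysmon coverage from this point."""
    return (f"{crash.host}: sysmon pid {crash.pid} aborted at {crash.timestamp} "
            f"(signal {crash.exit_signal}, result {crash.systemd_result}) while emitting "
            f"{crash.last_event}; field '{crash.truncated_field}' cut off. Telemetry gap begins.")


# Constructed sample journal (hostname and pids are made up, shapes follow the report)
SAMPLE_JOURNAL: List[str] = """\
Oct 10 12:45:22 host1 sysmon[1328745]: Event SYSMONEVENT_NETWORK_CONNECT
Oct 10 12:45:22 host1 sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 host1 sysmon[1328745]:         ProcessId: 33
Oct 10 12:45:22 host1 sysmon[1328745]:         SourceHostname: -
Oct 10 12:45:22 host1 sysmon[1328745]:         SourcePor*** stack smashing detected ***: terminated
Oct 10 12:45:23 host1 systemd[1]: sysmon.service: Main process exited, code=dumped, status=6/ABRT
Oct 10 12:45:23 host1 systemd[1]: sysmon.service: Failed with result 'core-dump'.
""".splitlines()

HEALTHY_JOURNAL: List[str] = """\
Oct 10 12:45:22 host1 sysmon[1328745]: Event SYSMONEVENT_PROCESS_TERMINATE
Oct 10 12:45:22 host1 sysmon[1328745]:         RuleName: -
Oct 10 12:45:22 host1 sysmon[1328745]:         ProcessId: 1328957
""".splitlines()

if __name__ == "__main__":
    crash = detect_sensor_crash(SAMPLE_JOURNAL)
    if crash:
        print(telemetry_gap_alert(crash))
        print("abort records seen:", count_aborts(SAMPLE_JOURNAL))
    else:
        print("sensor healthy")
```

Feeding `journalctl -u sysmon -o short` output into `detect_sensor_crash` is the intended use; in a fleet the useful signal is the alert plus the abort count per host, since a sensor that restarts and dies again within seconds leaves an endpoint effectively unmonitored while appearing "active" between restarts.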
ITSecOps-404 commented 8 months ago

I have the same / similar issue on Ubuntu server: VM on HyperV
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
Kernel: 5.15.0-88-generic

Sysmon version: v1.3.1

After install it runs for a bit then just stops, no specific time interval. If a system is under load and I do a fresh install of sysmon it will not start at all.

In my case it does not start again after stopping.

sudo service sysmon status
Reason for failing:
sysmon.service: Main process exited, code=dumped, status=6/ABRT
sysmon.service: Failed with result 'core-dump'.

To get it manually running again: sudo service sysmon restart

It fails within a few seconds.

MarioHewardt commented 8 months ago

Thanks @ITSecOps-404. Do you see the same "*** stack smashing detected ***: terminated" error in the log? I'm wrapping up an issue in ProcDump for Linux right now, but as soon as that is done I will take a look at this.

ITSecOps-404 commented 8 months ago

Thanks @ITSecOps-404. Do you see the same "*** stack smashing detected ***: terminated" error in the log? I'm wrapping up an issue in ProcDump for Linux right now, but as soon as that is done I will take a look at this.

Yes, apologies I see the screenshot did not link.

MarioHewardt commented 8 months ago

Hi all - While I can't reproduce the issue, I think I have a fix. Would you be willing to try it out using https://github.com/mariohewardt/SysmonForLinux? You would have to build locally to try it.