Snort mailing list archives
Re: Sguil assist
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 23 Jun 2015 09:38:33 -0600
On 2015-06-23 09:16 AM, Y M wrote:
Hi James, There is an ongoing discussion about this in the security onion list. While I am not a regular user of SO, the discussion itself is interesting since I also use sguil ( I did not update OpenSSL) after reading the discussion. The general recommendation was not to upgrade or to downgrade OpenSSL.. Sorry, don't have the link at the moment YM Sent from Mobile On Tue, Jun 23, 2015 at 8:09 AM -0700, "James Lay" <jlay () slave-tothe-box net> wrote: Hey All, Emailed the sguil list, but got nothing back yet, so emailing here. Looks like the latest OpenSSL update nuked sguil 0.9.0 as shown: From sguild: 2015-06-23 14:45:36 pid(14931) Sensor agent connect from 127.0.0.1:40300 sock15 2015-06-23 14:45:36 pid(14931) Validating sensor access: 127.0.0.1 : 2015-06-23 14:45:36 pid(14931) Valid sensor agent: 127.0.0.1 2015-06-23 14:45:36 pid(14931) ERROR: handshake failed: sslv3 alert handshake failure 2015-06-23 14:45:36 pid(14931) Error: Improper sensor cmd received: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}: can't read "socketInfo(sock15)": no such variable 2015-06-23 14:45:36 pid(14931) Error from socket sock15: SSL channel "sock15": error: sslv3 alert handshake failure 2015-06-23 14:45:36 pid(14931) Closing socket. From the snort_agent: Connected to localhost Sending sguild (sock3) RegisterAgent snort POS POS ERROR: error writing "sock3": software caused connection abort : RegisterAgent snort POS POS Socket sock3 closed Attempting to reconnect. Is there any way to disable ssl usage? In my case the agents are on the local machine anyway. Thanks....bummer morning :( James
Thanks YM...my fix was:

If you can't downgrade, a workaround could be to force some other cipher on the sensors, like MD5. Change these lines in snort_agent.tcl and pcap_agent.tcl:

tls::import $dataChannelID -ssl2 false -ssl3 false -tls1 true -cipher MD5

Since these are all on the local box anyway....up and running...woo hoo!

James
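The sguild log above ("handshake failed: sslv3 alert handshake failure" followed by the agent's aborted RegisterAgent) is the textbook symptom of two TLS peers that have no cipher suite in common, and the workaround in the reply is to pin both sides of the tcltls `tls::import` call to a suite both OpenSSL builds still accept. Two caveats are worth adding: `-cipher MD5` selects the old MD5-MAC suites (RC4-MD5 and friends), which default OpenSSL 1.1.0+ builds no longer ship, so that particular pin will break again on a later upgrade; the durable fix is to choose a suite that sguild's and the agents' OpenSSL both support. The script below is an added example, not code from the thread or from Sguil: it reproduces the mismatch on loopback, with a server and client whose cipher lists are disjoint failing with the same handshake-failure alert sguild logged, and then shows the handshake succeeding once the lists are aligned. It assumes the `openssl` CLI is on PATH (used only to mint a throw-away self-signed certificate) and that a loopback port can be bound; the suite names, the port and the `VersionInfo` payload are illustrative choices, not Sguil's.

```python
"""Reproduce a TLS cipher-suite mismatch ('sslv3 alert handshake failure')
between two local peers, then show the handshake succeeding once the cipher
lists agree. Added example; assumes the openssl CLI is on PATH."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Illustrative, deliberately disjoint suites (not Sguil's defaults).
SERVER_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"
OTHER_SUITE = "ECDHE-RSA-AES256-GCM-SHA384"


def make_self_signed_cert(directory):
    """Mint a throw-away CN=localhost cert/key pair with the openssl CLI (test data only)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert, key


def _pin_tls12(ctx, ciphers):
    """Cap both peers at TLS 1.2: TLS 1.3 suites are chosen by set_ciphersuites(),
    share the same defaults on both sides, and would mask the mismatch."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)


def _serve_once(listener, cert, key, ciphers, result):
    """Accept one client (the 'sguild' side) and attempt the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    _pin_tls12(ctx, ciphers)
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            result["server"] = tls.cipher()[0]
            result["payload"] = tls.recv(64)
    except OSError as exc:                       # SSLError is an OSError subclass
        result["server"] = getattr(exc, "reason", None) or str(exc)  # e.g. NO_SHARED_CIPHER
    finally:
        conn.close()


def try_handshake(server_ciphers, client_ciphers, cert, key):
    """Return the negotiated suite on success, or the client-side OpenSSL error
    reason on failure (SSLV3_ALERT_HANDSHAKE_FAILURE for a cipher mismatch)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))              # kernel-assigned free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(
        target=_serve_once, args=(listener, cert, key, server_ciphers, result))
    worker.start()

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # the 'agent' side
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                 # self-signed test cert only
    _pin_tls12(ctx, client_ciphers)
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with ctx.wrap_socket(raw) as tls:
            tls.sendall(b"VersionInfo {example}")   # stand-in for the agent's first command
            outcome = tls.cipher()[0]
    except ssl.SSLError as exc:
        outcome = exc.reason
    finally:
        worker.join(timeout=5)
        listener.close()
    return outcome


def demo():
    """Run the disjoint and aligned scenarios against one throw-away cert."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        return {
            "disjoint_suites": try_handshake(SERVER_SUITE, OTHER_SUITE, cert, key),
            "aligned_suites": try_handshake(SERVER_SUITE, SERVER_SUITE, cert, key),
        }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The failing case is what the sguild log shows from the server's side: the server finds no shared cipher, sends a handshake_failure alert, and the client surfaces it as SSLV3_ALERT_HANDSHAKE_FAILURE. The same method works as a diagnostic against a real sguild: set the client list to whatever the agents' `tls::import` line pins and see whether the handshake completes, before touching the agent scripts.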
Current thread:
- Sguil assist James Lay (Jun 23)
- Re: Sguil assist Y M (Jun 23)
- Re: Sguil assist James Lay (Jun 23)
- Re: Sguil assist Rodgers, Anthony (DTMB) (Jun 23)
- Re: Sguil assist James Lay (Jun 23)
- Re: Sguil assist Y M (Jun 23)