Snort mailing list archives
Re: Ignoring Backups - TCP Stateful?
From: Doug Burks <doug.burks () gmail com>
Date: Fri, 5 Dec 2014 16:30:23 -0500
Replies inline. On Fri, Dec 5, 2014 at 4:18 PM, Colony.Three <Colony.Three () protonmail ch> wrote:
So evidently Snorby has just been stupidly reporting -0- events for days, without giving ANY indication that netsniff-ng, snort-1, and prads WEREN'T EVEN RUNNING! So I sure can't depend on Snorby as a remote monitor for SO.
Snorby wasn't designed to monitor sniffing processes. It was designed to monitor IDS alerts.
I've been told several methods for restarting SecurityOnion so I don't know which is right, but using: # service nsm-sensor restart ... it tells me the above three daemons are failing (so I now know) and to refer to the respective error logs. I've put the logs here: https://pastee.org/954jm
In addition to the bpf syntax error I mentioned in my previous email, I also see the following Snort error: ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/file-image.so" version 1.0 compiled with dynamic engine library version 2.1 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 2.4. Please see: https://code.google.com/p/security-onion/wiki/FAQ#I_just_updated_Snort_and_it's_now_saying_'ERROR:_The_d
Looks like SO is really hosed again.
I wouldn't say "really hosed". These issues can be resolved.
-------- Original Message --------
Subject: Re: [Snort-users] Ignoring Backups - TCP Stateful?
Time (GMT): Dec 05 2014 20:51:43
From: Colony.Three () protonmail ch
To: snort-users () lists sourceforge net

On Fri, Dec 5, 2014 at 2:40 PM, Colony.Three wrote:
I am at a loss. I don't even know whether SecurityOnion is capturing packets or not.

"sudo sostat" can help you with this. If you need help interpreting the sostat output, please run the following command: sudo sostat-redacted

https://pastee.org/523b3 Evidently something is seriously wrong. This has happened on several of my reinstalls of SO, and I always have to reinstall to fix it. Although by now I've about forgotten how to do a full reinstall with rule tweaking.

Either my rules modifications were perfect, or nothing's being captured. I infer that ELSA would be the best way to see recent actual basic packet traffic, but Firefox will not let me in. "localhost:3154 uses an invalid security certificate"

Have you tried to configure Firefox to accept the self-signed certificate?

Of course. Firefox, when it comes upon a private cert, gives the option of getting out, or going into Technical Details. I click the latter, and it immediately gives the "localhost:3154 uses an invalid security certificate" with nothing to click nor any path forward. I've never seen it do this. Chromium is by G**gle and I can't use that. http://oi58.tinypic.com/2hmn4hz.jpg

... much less do I know how to determine whether my backups are excluded from packet capture. I can't do backups until I'm sure the packets are -not- being captured. It's been almost a week now since my last backups.

Have you tried my previous BPF suggestion? Would it help to simplify the BPF by removing "src"? So something like this? not(tcp host 192.168.1.4 and tcp port 8027) You could test your BPF using tcpdump in real time while running a test backup.
It's not clear to me whether tcpdump -causes- the traffic monitor, or depends on some socket to listen for and print packets.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
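Doug's suggestion above is to test the exclusion BPF against real backup traffic. As an added illustration (not code from the thread or from Security Onion), the script below builds a constructed backup session between an assumed client 192.168.1.10 and the 192.168.1.4:8027 endpoint named in the thread, writes it to a pcap, and checks in Python which frames a src-only exclusion (an assumed form of the earlier filter, `not (tcp src host H and tcp src port P)`) versus the suggested `not (tcp host 192.168.1.4 and tcp port 8027)` would still let through. The point it makes concrete is that a TCP session has two directions, so a filter qualified with `src` drops only one of them.

```python
import struct
BACKUP_HOST, BACKUP_PORT = "192.168.1.4", 8027   # endpoint named in the thread
CLIENT = "192.168.1.10"                           # constructed backup client

def tcp_packet(src, sport, dst, dport, payload):
    """Ethernet + IPv4 + TCP frame with only the fields the filters inspect (constructed)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse(pkt):
    """Return (proto, src, sport, dst, dport) from a frame built by tcp_packet."""
    ip = pkt[14:34]
    src, dst = (".".join(str(b) for b in ip[i:i + 4]) for i in (12, 16))
    sport, dport = struct.unpack("!HH", pkt[34:38])
    return ip[9], src, sport, dst, dport

def keep_src_only(p):
    """Assumed earlier filter: not (tcp src host H and tcp src port P).
    Only frames *sent by* the backup host are dropped; the other direction is kept."""
    proto, src, sport, dst, dport = p
    return not (proto == 6 and src == BACKUP_HOST and sport == BACKUP_PORT)

def keep_both_dirs(p):
    """Suggested filter: not (tcp host H and tcp port P); host/port match either end."""
    proto, src, sport, dst, dport = p
    return not (proto == 6 and BACKUP_HOST in (src, dst) and BACKUP_PORT in (sport, dport))

def captured_payloads(filter_fn, packets):
    """Payload labels of the frames a sensor using filter_fn would still record."""
    return [pkt[54:].decode() for pkt in packets if filter_fn(parse(pkt))]

def write_pcap(path, packets):
    """Write a libpcap file so the same frames can be replayed through tcpdump -nr."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", 1417800000 + i, 0, len(pkt), len(pkt)) + pkt)

SESSION = [  # constructed: a backup handshake plus unrelated traffic that must be kept
    tcp_packet(CLIENT, 40000, BACKUP_HOST, BACKUP_PORT, b"client SYN"),
    tcp_packet(BACKUP_HOST, BACKUP_PORT, CLIENT, 40000, b"server SYN-ACK"),
    tcp_packet(CLIENT, 40000, BACKUP_HOST, BACKUP_PORT, b"client data"),
    tcp_packet("192.168.1.20", 51000, "203.0.113.7", 443, b"unrelated https"),
]

if __name__ == "__main__":
    write_pcap("backup_test.pcap", SESSION)
    print(captured_payloads(keep_src_only, SESSION))   # ['client SYN', 'client data', 'unrelated https']
    print(captured_payloads(keep_both_dirs, SESSION))  # ['unrelated https']
```

Replaying the file with `tcpdump -nr backup_test.pcap 'not (tcp host 192.168.1.4 and tcp port 8027)'` should likewise print only the unrelated frame, which confirms the filter offline before it goes into the sensor configuration.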