Snort mailing list archives

Re: Sguil assist


From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Tue, 23 Jun 2015 18:04:29 +0000

TclTls has been patched (on Ubuntu 12.04, at least) to deal with this.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net] 
Sent: Tuesday, June 23, 2015 11:39
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Sguil assist

On 2015-06-23 09:16 AM, Y M wrote:
Hi James,

There is an ongoing discussion about this in the security onion list.
While I am not a regular user of SO, the discussion itself is 
interesting since I also use sguil (I did not update OpenSSL) after 
reading the discussion. The general recommendation was not to upgrade 
or to downgrade OpenSSL.

Sorry, don't have the link at the moment

 YM

Sent from Mobile

On Tue, Jun 23, 2015 at 8:09 AM -0700, "James Lay"
<jlay () slave-tothe-box net> wrote:

Hey All,

 Emailed the sguil list, but got nothing back yet, so emailing here.
 Looks like the latest OpenSSL update nuked sguil 0.9.0 as shown:

 From sguild:

 2015-06-23 14:45:36 pid(14931) Sensor agent connect from
 127.0.0.1:40300 sock15
 2015-06-23 14:45:36 pid(14931) Validating sensor access: 127.0.0.1 :
 2015-06-23 14:45:36 pid(14931) Valid sensor agent: 127.0.0.1
 2015-06-23 14:45:36 pid(14931) ERROR: handshake failed: sslv3 alert handshake failure
 2015-06-23 14:45:36 pid(14931) Error: Improper sensor cmd received:
 VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}: can't read
 "socketInfo(sock15)": no such variable
 2015-06-23 14:45:36 pid(14931) Error from socket sock15: SSL channel
 "sock15": error: sslv3 alert handshake failure
 2015-06-23 14:45:36 pid(14931) Closing socket.

 From the snort_agent:

 Connected to localhost
 Sending sguild (sock3) RegisterAgent snort POS POS
 ERROR: error writing "sock3": software caused connection abort :
 RegisterAgent snort POS POS
 Socket sock3 closed
 Attempting to reconnect.

 Is there any way to disable ssl usage? In my case the agents are on 
the local machine anyway. Thanks....bummer morning :(

 James


Thanks YM...my fix was:

If you can't downgrade, a workaround could be to force some other cipher on the sensors, like MD5.

change these lines in snort_agent.tcl and pcap_agent.tcl:

tls::import $dataChannelID -ssl2 false -ssl3 false -tls1 true -cipher MD5

Since these are all on the local box anyway....up and running...woo hoo!

James

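Added here as a diagnostic, not part of this thread or of Sguil itself: a Python probe that attempts a handshake against the sguild listener with the same protocol and cipher choices the tls::import line above hands to TclTLS, so you can see what actually gets negotiated (or which alert comes back) before editing snort_agent.tcl and pcap_agent.tcl. The sguild port 7736 is an assumption (check sguild.conf); -ssl2 has no Python equivalent and is not mirrored.

```python
import socket
import ssl

SGUILD_HOST = "127.0.0.1"   # the agents in this thread run on the same box as sguild
SGUILD_PORT = 7736          # assumption: sguild's default listener port; check sguild.conf


def context_from_tcltls_opts(ssl3=False, tls1=True, cipher=None):
    """Mirror `tls::import ... -ssl3 false -tls1 true -cipher MD5` as an SSLContext.

    Returns (ctx, note); note is None unless the cipher string selects no
    suites in the local OpenSSL build (MD5-MAC suites are often compiled out).
    """
    if not (ssl3 or tls1):
        raise ValueError("no protocol enabled")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # diagnostics only: we inspect, we do not authenticate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.SSLv3 if ssl3 else ssl.TLSVersion.TLSv1
    note = None
    if cipher:
        try:
            ctx.set_ciphers(cipher)
        except ssl.SSLError as exc:
            note = f"cipher string {cipher!r} selects no suites here: {exc}"
    return ctx, note


def probe(host=SGUILD_HOST, port=SGUILD_PORT, timeout=3.0, **tcltls_opts):
    """One handshake attempt; returns a dict describing success or the failure."""
    ctx, note = context_from_tcltls_opts(**tcltls_opts)
    result = {"host": host, "port": port, "note": note, "ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True, version=tls.version(), cipher=tls.cipher()[0])
    except ssl.SSLError as exc:          # subclass of OSError, so it must come first
        result["error"] = f"handshake failed: {exc.reason or exc}"
    except OSError as exc:
        result["error"] = f"connect failed: {exc}"
    return result


if __name__ == "__main__":
    # Compare the agent's TLS1 setting with the MD5-only workaround from the thread.
    # A current OpenSSL may still refuse TLS 1.0 or MD5 suites under its default
    # security level; that shows up here as a handshake failure or a note.
    for label, opts in (("tls1, any cipher", {}), ("tls1, -cipher MD5", {"cipher": "MD5"})):
        print(label, "->", probe(**opts))
```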

------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors network devices and physical & virtual servers, alerts 
via email & sms for fault. Monitor 25 devices for free with no restriction. Download now 
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

