[Snort-users] Ignoring Backups - TCP Stateful?

Doug Burks doug.burks at ...11827...
Fri Dec 5 15:22:15 EST 2014

Replies inline.

On Fri, Dec 5, 2014 at 2:40 PM, Colony.Three <Colony.Three at ...17037...> wrote:
> I am at a loss.  I don't even know whether SecurityOnion is capturing
> packets or not.

"sudo sostat" can help you with this.  If you need help interpreting
the sostat output, please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your
terminal's scroll buffer OR redirect the output of the command to a

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.

Attach the output to your email in plain text format (.txt) OR use a
service like http://pastebin.com.

> Either my rules modifications were perfect, or nothing's
> being captured.
> I infer that ELSA would be the best way to see recent actual basic packet
> traffic, but Firefox will not let me in.  "localhost:3154 uses an invalid
> security certificate"

Have you tried to configure Firefox to accept the self-signed certificate?

> ... much less do I know how to determine whether my backups are excluded
> from packet capture.  I can't do backups until I'm sure the packets are
> -not- being captured.  It's been almost a week now since my last backups.

Have you tried my previous BPF suggestion?  Would it help to simplify
the BPF by removing "src"? So something like this?
not(tcp host and tcp port 8027)

You could test your BPF using tcpdump in real time while running a test backup.

> Can anyone advise?  I'm not particular.
> -------- Original Message --------
> Subject: Re: [Snort-users] Ignoring Backups - TCP Stateful?
> Time (GMT): Dec 04 2014 15:21:24
> From: Colony.Three at ...17037...
> To: doug.burks at ...11827...
> CC: snort-users at lists.sourceforge.net
>>> In my case, the backups server calls rsync to backup the LAN machines
>>> (concurrently). The rsync daemon is not used anywhere.
>> Can you provide more information about what the actual traffic flows
>> look like? Perhaps some example traffic flows?
>> Would it help to simplify the BPF by removing "src"? So something like
>> this?
>> not(tcp host and tcp port 8027)
> Not sure the best way to get this traffic?
> Part of the problem is I don't want to fill up my SO disk with backup
> traffic, but maybe I can run a partial backup for a short time.

Doug Burks
Need Security Onion Training or Commercial Support?
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
