[Snort-users] Ignoring Backups - TCP Stateful?
doug.burks at ...11827...
Fri Dec 5 16:23:21 EST 2014
On Fri, Dec 5, 2014 at 3:51 PM, Colony.Three <Colony.Three at ...17037...> wrote:
> On Fri, Dec 5, 2014 at 2:40 PM, Colony.Three wrote:
>> I am at a loss. I don't even know whether SecurityOnion is capturing
>> packets or not.
> "sudo sostat" can help you with this. If you need help interpreting
> the sostat output, please run the following command:
> sudo sostat-redacted
> Evidently something is seriously wrong. This has happened on several of my
> reinstalls of SO, and I always have to reinstall to fix it. Although by now
> I've about forgotten how to do a full reinstall with rule tweaking.
From your sostat output:
netsniff-ng and snort are failed, most likely due to a bad BPF. I
didn't notice the "tcp host" in your BPF previously, loading it into
tcpdump causes an error. Changing it to the following works:
not(host 192.168.1.4 and tcp port 8027)
Your sensor only has 2GB RAM and is using lots of swap:
Mem: 2049604k total, 1891388k used, 158216k free, 6808k buffers
Swap: 3119900k total, 1579156k used, 1540744k free, 108720k cached
Please consider increasing your RAM:
If you're not using the following services, you should disable them:
* prads (sessions/assets)[ FAIL ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* http_agent (sguil)[ OK ]
>> Either my rules modifications were perfect, or nothing's
>> being captured.
>> I infer that ELSA would be the best way to see recent actual basic packet
>> traffic, but Firefox will not let me in. "localhost:3154 uses an invalid
>> security certificate"
> Have you tried to configure Firefox to accept the self-signed certificate?
> Of course. Firefox, when it comes upon a private cert, gives the option of
> getting out, or going into Technical Details. I click the latter, and it
> immediately gives the "localhost:3154 uses an invalid security certificate"
> with nothing to click nor any path forward. I've never seen it do this.
> Chromium is by G**gle and I can't use that.
I'm not a Firefox user, but there must be a way to configure it to
accept the self-signed cert.
>> ... much less do I know how to determine whether my backups are excluded
>> from packet capture. I can't do backups until I'm sure the packets are
>> -not- being captured. It's been almost a week now since my last backups.
> Have you tried my previous BPF suggestion? Would it help to simplify
> the BPF by removing "src"? So something like this?
> not(tcp host 192.168.1.4 and tcp port 8027)
> You could test your BPF using tcpdump in real time while running a test
> It's not clear to me whether tcpdump -causes- the traffic monitor, or
> depends on some socket to listen for and print packets.
You can use tcpdump to sniff traffic in real time as follows:
sudo tcpdump -nnvvi eth0 'not(host 192.168.1.4 and tcp port 8027)'
You can also use tcpdump's -d option to verify/troubleshoot BPF:
sudo tcpdump -d 'not(tcp host 192.168.1.4 and tcp port 8027)'
tcpdump: 'tcp' modifier applied to host
sudo tcpdump -d 'not(host 192.168.1.4 and tcp port 8027)'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ld       [26]
(003) jeq      #0xc0a80104      jt 6    jf 4
(004) ld       [30]
(005) jeq      #0xc0a80104      jt 6    jf 16
(006) ldb      [23]
(007) jeq      #0x6             jt 8    jf 16
(008) ldh      [20]
(009) jset     #0x1fff          jt 16   jf 10
(010) ldxb     4*([14]&0xf)
(011) ldh      [x + 14]
(012) jeq      #0x1f5b          jt 15   jf 13
(013) ldh      [x + 16]
(014) jeq      #0x1f5b          jt 15   jf 16
(015) ret      #0
(016) ret      #65535
Need Security Onion Training or Commercial Support?
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
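Added example (not part of Doug's message or of Security Onion): the tcpdump -d disassembly above can be checked offline without a live interface by feeding it to a small BPF interpreter and running constructed frames through it. The script below parses that disassembly, executes it against hand-built Ethernet/IPv4 frames, and reports which ones the corrected filter `not(host 192.168.1.4 and tcp port 8027)` would exclude. 192.168.1.4 and port 8027 come from the thread; the server address 10.0.0.5 and the source port 40000 are assumed sample values.

```python
import re
import socket
import struct

# tcpdump -d output for:  not(host 192.168.1.4 and tcp port 8027)
# Copied from the thread (standard Ethernet/IPv4 offsets; jt/jf are absolute).
BPF_DISASM = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ld       [26]
(003) jeq      #0xc0a80104      jt 6    jf 4
(004) ld       [30]
(005) jeq      #0xc0a80104      jt 6    jf 16
(006) ldb      [23]
(007) jeq      #0x6             jt 8    jf 16
(008) ldh      [20]
(009) jset     #0x1fff          jt 16   jf 10
(010) ldxb     4*([14]&0xf)
(011) ldh      [x + 14]
(012) jeq      #0x1f5b          jt 15   jf 13
(013) ldh      [x + 16]
(014) jeq      #0x1f5b          jt 15   jf 16
(015) ret      #0
(016) ret      #65535
"""

LINE_RE = re.compile(r"\((\d+)\)\s+(\w+)\s*(.*)")
SIZES = {"ld": 4, "ldh": 2, "ldb": 1}   # bytes loaded into the accumulator


def parse_disasm(text):
    """Turn tcpdump -d text into a list of instruction tuples."""
    prog = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable line: %r" % line)
        num, op, rest = int(m.group(1)), m.group(2), m.group(3).strip()
        if num != len(prog):
            raise ValueError("instruction numbering gap at %d" % num)
        if op in ("jeq", "jset"):
            j = re.fullmatch(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)", rest)
            prog.append((op, int(j.group(1), 0), int(j.group(2)), int(j.group(3))))
        elif op == "ret":
            prog.append((op, int(rest.lstrip("#"), 0)))
        elif op == "ldxb":                   # X = 4 * (pkt[off] & 0xf): IPv4 header length
            j = re.fullmatch(r"4\*\(\[(\d+)\]&0xf\)", rest)
            prog.append(("ldxmsh", int(j.group(1))))
        elif op in SIZES:
            j = re.fullmatch(r"\[(x \+ )?(\d+)\]", rest)
            prog.append((op, j.group(1) is not None, int(j.group(2))))
        else:
            raise ValueError("unsupported opcode %s" % op)
    return prog


def run_bpf(prog, pkt):
    """Execute the program on a raw frame; returns the snaplen (0 = drop)."""
    acc = idx = pc = 0
    while True:
        ins = prog[pc]
        op = ins[0]
        if op == "ret":
            return ins[1]
        if op in SIZES:
            _, indexed, off = ins
            if indexed:
                off += idx
            if off + SIZES[op] > len(pkt):
                return 0                     # out-of-range load rejects the packet
            acc = int.from_bytes(pkt[off:off + SIZES[op]], "big")
            pc += 1
        elif op == "ldxmsh":
            if ins[1] >= len(pkt):
                return 0
            idx = 4 * (pkt[ins[1]] & 0x0F)
            pc += 1
        elif op == "jeq":
            pc = ins[2] if acc == ins[1] else ins[3]
        elif op == "jset":
            pc = ins[2] if acc & ins[1] else ins[3]


def ipv4_frame(src, dst, proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with a minimal TCP (6) or UDP (17) header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


PROGRAM = parse_disasm(BPF_DISASM)


def classify_samples():
    """Map each constructed frame to True (captured) or False (excluded)."""
    samples = {
        "backup client -> server:8027 (TCP)": ipv4_frame("192.168.1.4", "10.0.0.5", 6, 40000, 8027),
        "server:8027 -> backup client (TCP)": ipv4_frame("10.0.0.5", "192.168.1.4", 6, 8027, 40000),
        "backup client -> web:443 (TCP)": ipv4_frame("192.168.1.4", "10.0.0.5", 6, 40000, 443),
        "backup client -> server:8027 (UDP)": ipv4_frame("192.168.1.4", "10.0.0.5", 17, 40000, 8027),
        "ARP frame (non-IP)": b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
    }
    return {name: run_bpf(PROGRAM, pkt) != 0 for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, captured in classify_samples().items():
        print("%-40s %s" % (name, "captured" if captured else "excluded"))
```

Because the filter says `host` rather than `src host`, both directions of the backup session are excluded (cases 1 and 2), while other TCP traffic from the same client, UDP to the same port, and non-IP frames are still captured; that is the behaviour to confirm before trusting that backups are out of the capture.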