[Snort-users] Ignoring Backups - TCP Stateful?

Doug Burks doug.burks at ...11827...
Fri Dec 5 16:23:21 EST 2014

Replies inline.

On Fri, Dec 5, 2014 at 3:51 PM, Colony.Three <Colony.Three at ...17037...> wrote:
> On Fri, Dec 5, 2014 at 2:40 PM, Colony.Three wrote:
>> I am at a loss. I don't even know whether SecurityOnion is capturing
>> packets or not.
> "sudo sostat" can help you with this. If you need help interpreting
> the sostat output, please run the following command:
> sudo sostat-redacted
> https://pastee.org/523b3
> Evidently something is seriously wrong.  This has happened on several of my
> reinstalls of SO, and I always have to reinstall to fix it.  Although by now
> I've about forgotten how to do a full reinstall with rule tweaking.

From your sostat output:

netsniff-ng and snort are failed, most likely due to a bad BPF.  I
didn't notice the "tcp host" in your BPF previously, loading it into
tcpdump causes an error.  Changing it to the following works:
not(host and tcp port 8027)

Your sensor only has 2GB RAM and is using lots of swap:

Mem:   2049604k total,  1891388k used,   158216k free,     6808k buffers
Swap:  3119900k total,  1579156k used,  1540744k free,   108720k cached

Please consider increasing your RAM:

If you're not using the following services, you should disable them:

  * prads (sessions/assets)[ FAIL ]
  * sancp_agent (sguil)[  OK  ]
  * pads_agent (sguil)[  OK  ]
  * http_agent (sguil)[  OK  ]
>> Either my rules modifications were perfect, or nothing's
>> being captured.
>> I infer that ELSA would be the best way to see recent actual basic packet
>> traffic, but Firefox will not let me in. "localhost:3154 uses an invalid
>> security certificate"
> Have you tried to configure Firefox to accept the self-signed certificate?
> Of course.  Firefox, when it comes upon a private cert, gives the option of
> getting out, or going into Technical Details.  I click the latter, and it
> immediately gives the "localhost:3154 uses an invalid security certificate"
> with nothing to click nor any path forward.  I've never seen it do this.
> Chromium is by G**gle and I can't use that.
> http://oi58.tinypic.com/2hmn4hz.jpg

I'm not a Firefox user, but there must be a way to configure it to
accept the self-signed cert.

>> ... much less do I know how to determine whether my backups are excluded
>> from packet capture. I can't do backups until I'm sure the packets are
>> -not- being captured. It's been almost a week now since my last backups.
> Have you tried my previous BPF suggestion? Would it help to simplify
> the BPF by removing "src"? So something like this?
> not(tcp host and tcp port 8027)
> You could test your BPF using tcpdump in real time while running a test
> backup.
> It's not clear to me whether tcpdump -causes- the traffic monitor, or
> depends on some socket to listen for and print packets.

You can use tcpdump to sniff traffic in real time as follows:

sudo tcpdump -nnvvi eth0 'not(host and tcp port 8027)'

You can also use tcpdump's -d option to verify/troubleshoot BPF:

sudo tcpdump -d 'not(tcp host and tcp port 8027)'
tcpdump: 'tcp' modifier applied to host

sudo tcpdump -d 'not(host and tcp port 8027)'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ld       [26]
(003) jeq      #0xc0a80104      jt 6    jf 4
(004) ld       [30]
(005) jeq      #0xc0a80104      jt 6    jf 16
(006) ldb      [23]
(007) jeq      #0x6             jt 8    jf 16
(008) ldh      [20]
(009) jset     #0x1fff          jt 16   jf 10
(010) ldxb     4*([14]&0xf)
(011) ldh      [x + 14]
(012) jeq      #0x1f5b          jt 15   jf 13
(013) ldh      [x + 16]
(014) jeq      #0x1f5b          jt 15   jf 16
(015) ret      #0
(016) ret      #65535

Doug Burks
Need Security Onion Training or Commercial Support?
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
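As an added illustration (not part of Doug's message or of Security Onion's own code): a small Python interpreter for the classic BPF listing printed by `tcpdump -d` above, run against constructed Ethernet/IPv4/TCP frames, to confirm the filter drops only TCP traffic to or from the excluded host on port 8027 and still captures everything else. The host address in the listing, `0xc0a80104`, is 192.168.1.4; the other addresses and ports below are made-up sample values, and the `frame()` helper builds minimal packets rather than replaying a capture.

```python
import socket
import struct

# The classic BPF program from the tcpdump -d listing above, one tuple per
# instruction: (opcode, operand k, jump-true target, jump-false target).
# tcpdump -d prints absolute jump targets, so jt/jf index into this list.
PROGRAM = [
    ("ldh", 12, 0, 0), ("jeq", 0x0800, 2, 16),       # EtherType == IPv4?
    ("ld", 26, 0, 0), ("jeq", 0xC0A80104, 6, 4),     # src IP == 192.168.1.4?
    ("ld", 30, 0, 0), ("jeq", 0xC0A80104, 6, 16),    # dst IP == 192.168.1.4?
    ("ldb", 23, 0, 0), ("jeq", 0x06, 8, 16),         # IP protocol == TCP?
    ("ldh", 20, 0, 0), ("jset", 0x1FFF, 16, 10),     # later fragment? capture
    ("ldxb", 14, 0, 0),                              # X = 4*([14]&0xf) = IHL
    ("ldh_x", 14, 0, 0), ("jeq", 0x1F5B, 15, 13),    # TCP sport == 8027?
    ("ldh_x", 16, 0, 0), ("jeq", 0x1F5B, 15, 16),    # TCP dport == 8027?
    ("ret", 0, 0, 0),                                # 15: drop (not captured)
    ("ret", 65535, 0, 0),                            # 16: capture whole packet
]

def run_bpf(prog, pkt):
    """Return the snap length: 0 = filter drops the frame, 65535 = capture it."""
    a = x = pc = 0
    try:
        while True:
            op, k, jt, jf = prog[pc]
            if op == "ldh":      a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ld":     a = struct.unpack_from("!I", pkt, k)[0]
            elif op == "ldb":    a = pkt[k]
            elif op == "ldxb":   x = 4 * (pkt[k] & 0x0F)
            elif op == "ldh_x":  a = struct.unpack_from("!H", pkt, x + k)[0]
            elif op == "jeq":    pc = jt if a == k else jf; continue
            elif op == "jset":   pc = jt if a & k else jf; continue
            elif op == "ret":    return k
            pc += 1
    except (struct.error, IndexError):
        return 0   # a load past the end of the frame rejects it, as in BPF

def frame(src, dst, sport, dport, proto=6, ethertype=0x0800):
    """Constructed minimal Ethernet/IPv4/TCP frame (sample input, not a capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return eth + ip + tcp

def captured(pkt):
    """True if the sensor would record this frame under the backup-exclusion BPF."""
    return run_bpf(PROGRAM, pkt) > 0
```

Running `captured(frame("10.0.0.9", "192.168.1.4", 40000, 8027))` gives False (backup traffic excluded), while the same hosts on port 22 or any other host on port 8027 give True.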
