[Snort-users] Ignoring Backups - TCP Stateful?

Doug Burks doug.burks at ...11827...
Fri Dec 5 16:30:23 EST 2014


Replies inline.

On Fri, Dec 5, 2014 at 4:18 PM, Colony.Three <Colony.Three at ...17037...> wrote:
> So evidently Snorby has just been stupidly reporting -0- events for days,
> without giving ANY indication that netsniff-ng, snort-1, and prads WEREN'T
> EVEN RUNNING!  So I sure can't depend on Snorby as a remote monitor for SO.


Snorby wasn't designed to monitor sniffing processes.  It was designed
to monitor IDS alerts.


> I've been told several methods for restarting SecurityOnion so I don't know
> which is right, but using:
> # service nsm-sensor restart
> ... it tells me the above three daemons are failing (so I now know) and to
> refer to the respective error logs.
>
> I've put the logs here:
> https://pastee.org/954jm


In addition to the bpf syntax error I mentioned in my previous email,
I also see the following Snort error:
ERROR: The dynamic detection library
"/usr/local/lib/snort_dynamicrules/file-image.so" version 1.0 compiled
with dynamic engine library version 2.1 isn't compatible with the
current dynamic engine library
"/usr/lib/snort_dynamicengine/libsf_engine.so" version 2.4.

Please see:
https://code.google.com/p/security-onion/wiki/FAQ#I_just_updated_Snort_and_it's_now_saying_'ERROR:_The_d


> Looks like SO is really hosed again.


I wouldn't say "really hosed".  These issues can be resolved.


>
> -------- Original Message --------
> Subject: Re: [Snort-users] Ignoring Backups - TCP Stateful?
> Time (GMT): Dec 05 2014 20:51:43
> From: Colony.Three at ...17037...
> To: snort-users at lists.sourceforge.net
>
> On Fri, Dec 5, 2014 at 2:40 PM, Colony.Three wrote:
>> I am at a loss. I don't even know whether SecurityOnion is capturing
>> packets or not.
>
>
> "sudo sostat" can help you with this. If you need help interpreting
> the sostat output, please run the following command:
>
> sudo sostat-redacted
>
> https://pastee.org/523b3
>
> Evidently something is seriously wrong.  This has happened on several of my
> reinstalls of SO, and I always have to reinstall to fix it.  Although by now
> I've about forgotten how to do a full reinstall with rule tweaking.
>
>
>
>> Either my rules modifications were perfect, or nothing's
>> being captured.
>>
>> I infer that ELSA would be the best way to see recent actual basic packet
>> traffic, but Firefox will not let me in. "localhost:3154 uses an invalid
>> security certificate"
>
>
> Have you tried to configure Firefox to accept the self-signed certificate?
>
> Of course.  Firefox, when it comes upon a private cert, gives the option of
> getting out, or going into Technical Details.  I click the latter, and it
> immediately gives the "localhost:3154 uses an invalid security certificate"
> with nothing to click nor any path forward.  I've never seen it do this.
> Chromium is by G**gle and I can't use that.
> http://oi58.tinypic.com/2hmn4hz.jpg
>
>
>> ... much less do I know how to determine whether my backups are excluded
>> from packet capture. I can't do backups until I'm sure the packets are
>> -not- being captured. It's been almost a week now since my last backups.
>
>
> Have you tried my previous BPF suggestion? Would it help to simplify
> the BPF by removing "src"? So something like this?
> not(tcp host 192.168.1.4 and tcp port 8027)
>
> You could test your BPF using tcpdump in real time while running a test
> backup.
>
> It's not clear to me whether tcpdump -causes- the traffic monitor, or
> depends on some socket to listen for and print packets.
>



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
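The BPF exclusion filter discussed in the thread, as an added example that is not part of the original message: a small Python model of how tcpdump/BPF `host` and `port` primitives match either direction of a flow, run against constructed sample packets. It compares Doug's simplified filter `not(tcp host 192.168.1.4 and tcp port 8027)` with a `src`-qualified variant; the thread does not show the original filter, so that variant is an assumption, and the sample packets are constructed.

```python
"""Model BPF 'host'/'port' matching for the backup-exclusion filter from the thread.

The filter is evaluated per packet; 'not(...)' means a packet is captured
(reaches Snort/netsniff-ng) only when the inner expression does NOT match.
"""
from dataclasses import dataclass

BACKUP_HOST = "192.168.1.4"   # host from the thread
BACKUP_PORT = 8027            # port from the thread


@dataclass(frozen=True)
class Pkt:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def inner_matches(p: Pkt, host: str, port: int, src_only: bool) -> bool:
    """BPF 'host X' / 'port N' match if X or N appears on either side of the packet.
    'src host X' / 'src port N' (assumed original form) match the source side only."""
    if p.proto != "tcp":
        return False
    if src_only:
        return p.src == host and p.sport == port
    return host in (p.src, p.dst) and port in (p.sport, p.dport)


def captured(p: Pkt, src_only: bool = False) -> bool:
    """True if the packet passes 'not(tcp host HOST and tcp port PORT)' and is captured."""
    return not inner_matches(p, BACKUP_HOST, BACKUP_PORT, src_only)


# Constructed sample packets (not taken from the thread's pastes).
SAMPLE = [
    Pkt("tcp", "192.168.1.10", 51000, "192.168.1.4", 8027),   # client -> backup server
    Pkt("tcp", "192.168.1.4", 8027, "192.168.1.10", 51000),   # backup server -> client
    Pkt("tcp", "192.168.1.4", 40000, "198.51.100.7", 443),    # same host, other service
    Pkt("udp", "192.168.1.10", 40001, "192.168.1.4", 8027),   # same port, but not TCP
]


def summarize(src_only: bool = False) -> list:
    """Capture decision for each sample packet under the chosen filter variant."""
    return [captured(p, src_only) for p in SAMPLE]


if __name__ == "__main__":
    print("host/port (both directions):", summarize())
    print("src host/src port only:     ", summarize(src_only=True))
```

The simplified filter drops both directions of the backup flow while still capturing the host's other traffic; the `src`-qualified variant leaves the client-to-server half of the backup visible to the sensor, which is the difference removing `src` makes.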