
Snort mailing list archives
Re: Ignoring Backups - TCP Stateful?
From: Doug Burks <doug.burks () gmail com>
Date: Fri, 5 Dec 2014 16:23:21 -0500
Replies inline. On Fri, Dec 5, 2014 at 3:51 PM, Colony.Three <Colony.Three () protonmail ch> wrote:
>> On Fri, Dec 5, 2014 at 2:40 PM, Colony.Three wrote:
>>> I am at a loss. I don't even know whether SecurityOnion is capturing packets or not.
>>
>> "sudo sostat" can help you with this. If you need help interpreting the sostat output, please run the following command:
>>
>> sudo sostat-redacted
>
> https://pastee.org/523b3
>
> Evidently something is seriously wrong. This has happened on several of my reinstalls of SO, and I always have to reinstall to fix it. Although by now I've about forgotten how to do a full reinstall with rule tweaking.
From your sostat output:
netsniff-ng and snort are failed, most likely due to a bad BPF. I didn't notice the "tcp host" in your BPF previously; loading it into tcpdump causes an error. Changing it to the following works:

not(host 192.168.1.4 and tcp port 8027)

Your sensor only has 2GB RAM and is using lots of swap:

Mem:  2049604k total, 1891388k used,  158216k free,   6808k buffers
Swap: 3119900k total, 1579156k used, 1540744k free, 108720k cached

Please consider increasing your RAM:
https://code.google.com/p/security-onion/wiki/Hardware

If you're not using the following services, you should disable them:

* prads (sessions/assets)   [ FAIL ]
* sancp_agent (sguil)       [ OK ]
* pads_agent (sguil)        [ OK ]
* http_agent (sguil)        [ OK ]

https://code.google.com/p/security-onion/wiki/DisablingProcesses
>>> Either my rules modifications were perfect, or nothing's being captured. I infer that ELSA would be the best way to see recent actual basic packet traffic, but Firefox will not let me in. "localhost:3154 uses an invalid security certificate"
>>
>> Have you tried to configure Firefox to accept the self-signed certificate?
>
> Of course. Firefox, when it comes upon a private cert, gives the option of getting out, or going into Technical Details. I click the latter, and it immediately gives the "localhost:3154 uses an invalid security certificate" with nothing to click nor any path forward. I've never seen it do this. Chromium is by G**gle and I can't use that.
>
> http://oi58.tinypic.com/2hmn4hz.jpg
I'm not a Firefox user, but there must be a way to configure it to accept the self-signed cert.
>>> ... much less do I know how to determine whether my backups are excluded from packet capture. I can't do backups until I'm sure the packets are -not- being captured. It's been almost a week now since my last backups.
>>
>> Have you tried my previous BPF suggestion? Would it help to simplify the BPF by removing "src"?
>
> So something like this?
>
> not(tcp host 192.168.1.4 and tcp port 8027)
>
>> You could test your BPF using tcpdump in real time while running a test backup.
>
> It's not clear to me whether tcpdump -causes- the traffic monitor, or depends on some socket to listen for and print packets.
You can use tcpdump to sniff traffic in real time as follows:

sudo tcpdump -nnvvi eth0 'not(host 192.168.1.4 and tcp port 8027)'

You can also use tcpdump's -d option to verify/troubleshoot BPF:

sudo tcpdump -d 'not(tcp host 192.168.1.4 and tcp port 8027)'
tcpdump: 'tcp' modifier applied to host

sudo tcpdump -d 'not(host 192.168.1.4 and tcp port 8027)'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ld       [26]
(003) jeq      #0xc0a80104      jt 6    jf 4
(004) ld       [30]
(005) jeq      #0xc0a80104      jt 6    jf 16
(006) ldb      [23]
(007) jeq      #0x6             jt 8    jf 16
(008) ldh      [20]
(009) jset     #0x1fff          jt 16   jf 10
(010) ldxb     4*([14]&0xf)
(011) ldh      [x + 14]
(012) jeq      #0x1f5b          jt 15   jf 13
(013) ldh      [x + 16]
(014) jeq      #0x1f5b          jt 15   jf 16
(015) ret      #0
(016) ret      #65535

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
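The `tcpdump -d` listing above is the whole story of what the corrected filter keeps and drops, but reading it by hand is error-prone. The following is an added example, not code from the thread and not part of tcpdump or libpcap: it transcribes that exact listing into a small interpreter for the handful of classic-BPF opcodes it uses, then runs it over constructed Ethernet/IPv4 frames so each verdict can be checked offline. Assumptions: 192.168.1.4 and port 8027 come from the thread; 10.0.0.9, 10.0.0.5 and port 40000 are made-up peers; the interpreter supports only the opcodes in this listing.

```python
import re
import socket
import struct

# Transcribed from the `tcpdump -d 'not(host 192.168.1.4 and tcp port 8027)'`
# listing in the message above (0xc0a80104 = 192.168.1.4, 0x1f5b = 8027).
TCPDUMP_D_OUTPUT = """
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 16
(002) ld [26]
(003) jeq #0xc0a80104 jt 6 jf 4
(004) ld [30]
(005) jeq #0xc0a80104 jt 6 jf 16
(006) ldb [23]
(007) jeq #0x6 jt 8 jf 16
(008) ldh [20]
(009) jset #0x1fff jt 16 jf 10
(010) ldxb 4*([14]&0xf)
(011) ldh [x + 14]
(012) jeq #0x1f5b jt 15 jf 13
(013) ldh [x + 16]
(014) jeq #0x1f5b jt 15 jf 16
(015) ret #0
(016) ret #65535
"""

_INSN = re.compile(r"\((\d+)\)\s+(\w+)\s+(.*)")
_MEM = re.compile(r"\[(x \+ )?(\d+)\]")                  # [12] or [x + 14]
_JUMP = re.compile(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)")  # #0x800 jt 2 jf 16
_LDXB = re.compile(r"4\*\(\[(\d+)\]&0xf\)")              # 4*([14]&0xf)


def parse_program(text):
    """Turn tcpdump -d text into a list of (opcode, operand-string) tuples."""
    prog = []
    for line in text.strip().splitlines():
        m = _INSN.match(line.strip())
        if m is None or int(m.group(1)) != len(prog):
            raise ValueError(f"unparseable or out-of-order instruction: {line!r}")
        prog.append((m.group(2), m.group(3)))
    return prog


def run_filter(prog, pkt):
    """Interpret the classic-BPF subset this program uses.

    Returns the snaplen the filter asks for: 0 means drop, non-zero means keep.
    As in the kernel, a load past the end of the packet rejects the packet.
    """
    a = x = pc = 0
    while True:
        op, arg = prog[pc]
        if op == "ret":
            return int(arg.lstrip("#"), 0)
        if op in ("ld", "ldh", "ldb"):
            m = _MEM.fullmatch(arg)
            off = int(m.group(2)) + (x if m.group(1) else 0)
            size = {"ld": 4, "ldh": 2, "ldb": 1}[op]
            if off + size > len(pkt):
                return 0
            a = int.from_bytes(pkt[off:off + size], "big")
        elif op == "ldxb":
            off = int(_LDXB.fullmatch(arg).group(1))
            if off >= len(pkt):
                return 0
            x = 4 * (pkt[off] & 0x0F)  # IPv4 header length in bytes
        elif op in ("jeq", "jset"):
            m = _JUMP.fullmatch(arg)
            k = int(m.group(1), 0)
            taken = (a == k) if op == "jeq" else (a & k) != 0
            pc = int(m.group(2)) if taken else int(m.group(3))
            continue
        else:
            raise ValueError(f"unsupported opcode {op}")
        pc += 1


def build_frame(src_ip, dst_ip, proto, sport, dport, frag_field=0, ethertype=0x0800):
    """Constructed Ethernet/IPv4/L4 frame carrying only the fields the filter reads."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag_field, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    l4 = struct.pack("!HH", sport, dport) + bytes(16)
    return eth + ip + l4


BACKUP_FILTER = parse_program(TCPDUMP_D_OUTPUT)


def is_captured(pkt):
    return run_filter(BACKUP_FILTER, pkt) != 0


def sample_verdicts():
    """Constructed samples (10.0.0.x and port 40000 are made up) and the filter's verdict."""
    TCP, UDP = 6, 17
    frames = {
        "backup client -> server :8027": build_frame("192.168.1.4", "10.0.0.9", TCP, 40000, 8027),
        "backup server :8027 -> client": build_frame("10.0.0.9", "192.168.1.4", TCP, 8027, 40000),
        "same host, other tcp port": build_frame("192.168.1.4", "10.0.0.9", TCP, 40000, 443),
        "same host, udp to 8027": build_frame("192.168.1.4", "10.0.0.9", UDP, 40000, 8027),
        "other host to port 8027": build_frame("10.0.0.5", "10.0.0.9", TCP, 40000, 8027),
        # MF flag set and fragment offset 1: ports are not in this fragment
        "backup flow, non-first ip fragment": build_frame("192.168.1.4", "10.0.0.9", TCP, 40000, 8027, frag_field=0x2001),
        "arp frame": build_frame("192.168.1.4", "10.0.0.9", TCP, 40000, 8027, ethertype=0x0806),
    }
    return {name: is_captured(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, kept in sample_verdicts().items():
        print(f"{'captured' if kept else 'excluded':8s}  {name}")
```

Two things the run makes visible that the thread only implies. First, the filter matches either address and either port, so both directions of the backup flow are excluded and the "src" qualifier really is unnecessary; other TCP ports on the same host, and UDP, are still captured. Second, instruction 009 jumps straight to "ret #65535" when the fragment offset is non-zero: libpcap cannot read ports from a non-first IP fragment, so a fragmented backup flow would still leave fragments in the capture. The "'tcp' modifier applied to host" error is a libpcap parse-time check and is not reproduced here.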
Current thread:
- Ignoring Backups - TCP Stateful? colony.three (Dec 03)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 03)
- <Possible follow-ups>
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 03)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 04)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 04)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 05)