Interface Configuration


Micky, Aug 27, 2009, 7:07:57 PM, to security-onion
Hi,

I have 2 NICs in the PC, one for monitoring and one for management.
What's the best way/config to use for running the monitoring NIC in
stealth mode, i.e. with no IP.

I have edited the /etc/network/interfaces and turned off network
manager but am not sure if I have done it correctly as it seems that
sguil stops logging new alerts after a random period of time but all
the processes are running ok.

The Interfaces file looks like this:

auto lo
iface lo inet loopback

auto eth0 eth1
iface eth0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down

iface eth1 inet static
    address 10.10.100.250
    netmask 255.255.0.0
    gateway 10.10.0.1

Thanks,

Mick.
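
Added example (not from the thread, and not Security Onion's or NSMnow's own tooling): a small POSIX shell script that checks whether a monitoring NIC configured like the stanza above is actually in stealth state. It parses the output of `ip -o link show` and `ip -o -4 addr show` for the PROMISC flag, the NOARP flag and the absence of any IPv4 address. The NOARP check goes one step beyond the stanza in the thread, which leaves ARP enabled, so the sniffing NIC still answers ARP requests; the `ip` output samples embedded below are constructed, not captured from Mick's box.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a monitoring NIC is in
# "stealth" state (promiscuous, ARP off, no IPv4 address). The checks parse
# iproute2 output so they can be tested offline with the constructed samples.

# Constructed samples in the one-line format printed by `ip -o link show dev IFACE`.
SAMPLE_LINK_STEALTH='2: eth0: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_PLAIN='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
# Constructed samples of `ip -o -4 addr show dev IFACE`: nothing for a bare
# sniffing NIC, one line for the management NIC from the thread.
SAMPLE_ADDR_NONE=''
SAMPLE_ADDR_MGMT='3: eth1    inet 10.10.100.250/16 brd 10.10.255.255 scope global eth1'

# Pull the <FLAG,FLAG,...> list out of ip link output and test for one flag.
link_has_flag() {   # $1: ip link output, $2: flag name such as PROMISC
    printf '%s\n' "$1" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p' | tr ',' '\n' | grep -qx "$2"
}

iface_is_promisc() { link_has_flag "$1" PROMISC; }
iface_has_noarp()  { link_has_flag "$1" NOARP; }

# True when the addr output lists any IPv4 address for the interface.
iface_has_ipv4() {   # $1: ip -o -4 addr output
    printf '%s\n' "$1" | grep -q ' inet '
}

# True when link and addr output describe a stealth interface.
is_stealth() {   # $1: ip link output, $2: ip addr output
    iface_is_promisc "$1" && iface_has_noarp "$1" && ! iface_has_ipv4 "$2"
}

# Live check against the running system (needs iproute2).
check_stealth_iface() {   # $1: interface name, e.g. eth0
    iface=$1
    link=$(ip -o link show dev "$iface") || { echo "no such interface: $iface" >&2; return 2; }
    addr=$(ip -o -4 addr show dev "$iface")
    if is_stealth "$link" "$addr"; then
        echo "$iface: stealth OK (promisc, no ARP, no IPv4 address)"
    else
        echo "$iface: NOT stealth. Fix with: ip addr flush dev $iface; ip link set dev $iface arp off promisc on up" >&2
        return 1
    fi
}

# Usage: sh check_stealth.sh eth0
if [ -n "${1:-}" ]; then
    check_stealth_iface "$1"
fi
```

Run it after `ifup eth0` (or from a cron job) so that a NIC that silently came back up with an address, or lost its promisc flag after a network-manager restart, is reported rather than discovered when alerts stop.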

Doug Burks, Aug 28, 2009, 6:17:51 AM, to securit...@googlegroups.com
Hi Mick,

Your configuration looks correct to me. If it starts out running
correctly and then fails at some point after that, I would focus less
on the interface configuration and more on the processes themselves.

Are you running from the LiveCD, or are you running from an actual
installation? If running from the LiveCD, how much RAM do you have?
Is it possible you ran out of RAM and the kernel OOM killer is killing
processes?

Have you verified that all processes are running with "nsm --all
--status"? Keep in mind that there should be not one but TWO snort
processes running (one for alerting and the other for full packet
capture). Have you looked at all the log files in /var/log/ and
specifically /var/log/nsm/?

Thanks,
--
Doug Burks, GCIA Gold, GSEC, CISSP
http://securityonion.blogspot.com
http://twitter.com/dougburks

Micky Bright, Aug 28, 2009, 4:45:37 PM, to securit...@googlegroups.com
Hi Doug,

Thanks for your reply. I installed Sguil from the livecd to the HDD and it all seemed fine until I removed the IP. I've now put the system in place monitoring properly on a SPAN port and it looks like it's working, but there still seems to be a lag on displaying the alerts. For instance, if I log out of sguil and log in later there will be new alerts displayed, but the last entry will be a few hours earlier than the current time (at least). All the processes are running but I am not sure about the RAM usage (1Gb installed). I'm new to Ubuntu and have rudimentary knowledge of Linux but will check out all the things you've listed (all a learning curve).

Also, after the problem first reared, I used NSMnow to learn more about the Sguil installation so I can eventually deploy a distributed architecture, i.e. multiple sensors reporting back to one server. I think the livecd installs everything to one box so doesn't yet offer the facility to choose which components to deploy. Having said that, the livecd is bl**dy fantastic and, having initially been discouraged by the complexity of building sguil from scratch, I was floored by the ease with which this CD simplified the process! Anyway, I ran the NSMnow script on the already working system and after fighting through a few problems it all installed correctly. I then used the instructions on the web site to get Snort 3.0 working.

Hopefully I'll get there with it all and then move on to an inline configuration, fingers crossed.

Cheers,

Mick.

Doug Burks, Aug 29, 2009, 5:19:12 AM, to securit...@googlegroups.com
> For instance if i logout
> of sguil and login later there will be new alerts displayed but the last
> enry will be a few hours earlier than the current time (at least).

Not sure if this is related to what you're seeing, but keep in mind
that the timestamps you see in Sguil are GMT and not your timezone.
For further testing of this, I'd recommend using some of the included
tools such as idswakeup and metasploit to generate some alerts and see
when they appear in the Sguil console and what timestamp they have.

> I then used the instructions on the web site to get Snort 3.0 working.

Keep in mind that Snort 3.0 is still in beta and therefore should not
be used in production.

Thanks,
--
Doug Burks
http://securityonion.blogspot.com
http://twitter.com/dougburks

smokey, Aug 29, 2009, 1:22:13 PM, to security-onion
Hi,

I hope I can put my question here. I installed Snort (from the Security
Onion live CD) before the firewall (on the public IP). Here is how it looks:

[lan-10.1.1.0/26]---------[Firewall]---------public ip-----[switch-port mirror]---------->internet
                                                                  |
                                                                  |
                                                           snort (sguil)*

* With tcpdump/wireshark I can see all traffic, but snort does not see any
traffic; there are no alarms.
Maybe I didn't configure snort.conf properly?

I guess it will be better to install snort behind the firewall.
Thanks
Dean


Doug Burks, Aug 31, 2009, 6:01:14 AM, to securit...@googlegroups.com
Hi Dean,

First, I would use the included "idswakeup" tool to send some traffic
across the Snort sensor and see if it generates an alert or not.
Another easy test would be opening a browser and going to
http://testmyids.com. If you're not seeing alerts using these
methods, then you should check your Snort configuration. When you
look at traffic using tcpdump/wireshark, what interface are you
capturing traffic from? Snort is configured to only capture traffic
on eth0 by default. If you're using another port, you can change this
setting in /etc/nsm/sensor1/snort.conf. Also check to see if all
NSMnow processes are running with the command "nsm --all --status".
Note that there should be two snort processes running: one for full
packet capture and the other for alerting. Finally, check the log
files in /var/log/nsm/.

Once you get Snort alerting on idswakeup or testmyids.com, you'll want
to update the Snort ruleset using oinkmaster or pulledpork. Both are
included in Security Onion, but my preference would be pulledpork.

Please let me know if you have any further questions or problems.

Thanks,
Doug

Doug Burks, Aug 31, 2009, 6:47:21 AM, to securit...@googlegroups.com
One correction: changing the port that the Sguil sensor listens on
should be done in /etc/nsm/sensortab. You can manually edit this file
OR use /usr/local/sbin/nsm_sensor_edit to change it for you.

Thanks,
Doug

smokey, Sep 1, 2009, 1:54:09 PM, to security-onion
Hi Doug,

I forgot to say that I installed SecurityOnion on a virtual machine
(VirtualBox). The host system is running Fedora 11 (GNOME).
The ethernet interface on the virtual machine is eth0 in promisc mode.

I noticed a few things while I was testing snortsp:

1. When I run "snortsp", there is no warning that some service has
failed, but when I run "nsm --all --status" there is a FAIL status on
"snort (alert data)". I guess this is why I don't get live alerts.

printscr: http://www.shrani.si/f/1g/UX/4Pcc30ru/snort1.jpg
printscr: http://www.shrani.si/f/1r/yk/IHtyqAa/snortr2.jpg

2. Then I created some "bad" traffic and restarted "snortsp".
After the restart I can see the alerts.

The sancp_agent log file (snort log: http://www.shrani.si/f/28/5M/1bupg4J5/snortlog.pdf):

Executing: sancp_agent.tcl -c /etc/nsm/sensor1/sancp_agent.conf
Connected to localhost
Sending sguild (sock3) RegisterAgent sancp sensor1 Ext_Net
Sending sguild (sock3) PING
Sensor Data Rcvd: AgentInfo sensor1 sancp Ext_Net 2 0
Sensor Data Rcvd: PONG
PONG received
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Sending sguild (sock3) SancpFile sensor1
parsed.sensor1.stats.eth0.1251826432.20090901 20090901 94
Sensor Data Rcvd: ConfirmSancpFile
parsed.sensor1.stats.eth0.1251826432.20090901
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Sensor Data Rcvd:
Socket sock3 closed
Attempting to reconnect.
Unable to connect to localhost on port 7736.
Trying again in 15 seconds
Sguil Cmd Unkown:


Thanks,
Dean
___________
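
Added example, not from the thread and not part of Security Onion or NSMnow: POSIX shell helpers that automate the two checks Doug recommends (scan the output of "nsm --all --status" for FAIL entries and read the agent logs under /var/log/nsm/) and classify an agent log like the one Dean posted, where the agent registers with sguild, loses the socket and then loops on "Unable to connect to localhost on port 7736". The column layout of the status output and the log path /var/log/nsm/sensor1/sancp_agent.log are assumptions; both sample inputs are constructed from the shapes seen in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Security Onion/NSMnow code): triage a
# sensor whose agent has lost its connection to sguild, using the checks Doug
# suggests in this thread. Sample inputs are constructed.

# Constructed sample in the shape of the sancp_agent log posted above.
SAMPLE_AGENT_LOG='Executing: sancp_agent.tcl -c /etc/nsm/sensor1/sancp_agent.conf
Connected to localhost
Sending sguild (sock3) RegisterAgent sancp sensor1 Ext_Net
Checking for sancp stats files in /nsm/sensor_data/sensor1/sancp.
Sensor Data Rcvd:
Socket sock3 closed
Attempting to reconnect.
Unable to connect to localhost on port 7736.
Trying again in 15 seconds
Unable to connect to localhost on port 7736.
Trying again in 15 seconds'

# Constructed sample of "nsm --all --status" output. The bracketed-column layout
# is assumed; only the service names and the FAIL/OK words come from the thread.
SAMPLE_NSM_STATUS='* sguil server               [ OK ]
* snort (full packet data)   [ OK ]
* snort (alert data)         [ FAIL ]
* sancp agent                [ OK ]'

# Last connection-state event in an agent log: CONNECTED, CLOSED, UNREACHABLE
# or UNKNOWN when the log holds no connection event at all.
agent_state() {   # $1: log contents
    printf '%s\n' "$1" | awk '
        /^Connected to /        { state = "CONNECTED" }
        /^Socket .* closed/     { state = "CLOSED" }
        /^Unable to connect to/ { state = "UNREACHABLE" }
        END { print (state == "" ? "UNKNOWN" : state) }'
}

# Number of failed reconnect attempts since the agent last connected.
failed_reconnects() {   # $1: log contents
    printf '%s\n' "$1" | awk '
        /^Connected to /        { n = 0 }
        /^Unable to connect to/ { n++ }
        END { print n + 0 }'
}

# Service names that the status output marks as FAIL, one per line.
failed_services() {   # $1: status output
    printf '%s\n' "$1" | awk '/\[ *FAIL *\]/ {
        name = $0
        sub(/^\* */, "", name)      # drop the leading bullet
        sub(/ *\[.*$/, "", name)    # drop the status column
        print name
    }'
}

# Live triage: run the status command and read the agent log (path assumed).
triage_sensor() {   # $1: sensor name, e.g. sensor1
    status=$(nsm --all --status 2>&1) || true
    failed=$(failed_services "$status")
    [ -z "$failed" ] || echo "FAILED services: $failed"
    log=/var/log/nsm/$1/sancp_agent.log   # assumed location under /var/log/nsm/
    [ -r "$log" ] || { echo "agent log $log not readable" >&2; return 2; }
    contents=$(cat "$log")
    echo "sancp_agent state: $(agent_state "$contents"), failed reconnects: $(failed_reconnects "$contents")"
    # sguild listens on TCP 7736 (the port named in the log). An UNREACHABLE
    # agent usually means sguild itself is down, so check that process first.
}

# Usage: sh triage_sensor.sh sensor1
if [ -n "${1:-}" ]; then
    triage_sensor "$1"
fi
```

The distinction between CLOSED and UNREACHABLE matters for the symptom in this thread: a single "Socket closed" followed by a fresh "Connected to" is a harmless restart, while a growing failed-reconnect count with no new "Connected to" line means every alert since the drop is sitting on the sensor and nothing will show in the console until sguild is back.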

Doug Burks, Sep 2, 2009, 5:46:44 AM, to securit...@googlegroups.com
Hello again Dean,

1. SnortSP is still in beta and therefore should not be used in
production. The SnortSP-Sguil desktop shortcut is meant as a demo and
not a full-time IDS. I'll add a warning message to this effect in the
next release (see
http://code.google.com/p/security-onion/issues/detail?id=8). To
answer your question, when you run SnortSP-Sguil and then run "nsm
--all --status", you are expected to get a FAIL on the "snort (alert
data)" process, because the SnortSP-Sguil launcher replaces the NSMnow
Snort alert process with our own copy of SnortSP that NSMnow is not
aware of.

2. Please try your test again using the Snort-Sguil (not
SnortSP-Sguil) shortcut.

Thanks,

smokey, Sep 2, 2009, 7:59:33 AM, to security-onion
OK, thank you for your help. I will try with Snort-Sguil.
Bye
Dean



Mick Bright, Sep 23, 2009, 6:16:31 AM, to securit...@googlegroups.com
Hi Doug,

I've set up sguil using NSMnow and worked through most of the problems but
there's one thing I'm not sure on. I start the processes using "nsm --all
--start" and everything looks OK apart from log_packets.sh.

If I run this script manually from the CLI, snort logging with a BPF filter
is shown in the list of processes (ps -ef | grep snort). If I use "nsm --all
--start", snort logging is also working but without the BPF filter. I have
added log_packets.sh to crontab but that would mean two snort logging
processes would run.

Have you got any ideas?

Thanks,

Mick.

Doug Burks, Sep 23, 2009, 6:48:07 AM, to security-onion
Please contact the developers of NSMnow:
http://www.securixlive.com/about.php

They are quick to respond and quite helpful.

Thanks,
Doug


Mick Bright, Sep 23, 2009, 7:07:13 AM, to securit...@googlegroups.com
Thanks Doug will do.

Frank, Nov 8, 2009, 5:23:09 PM, to security-onion
Doug,

I installed NX-Server from No Machine on my Security Onion box, so
that I can remotely connect from my laptop running Windows XP. I've
been using Wireshark just fine, but tried using Snort-Sguil and it
fails. All the services start, then the last message I can read is
"Disk Space currently at 2%"... then some quick error messages which I
am unable to read... then the command window closes. When I run Snort-
Sguil locally, it runs fine.

I'm very new to Linux. Any help would be appreciated.

Thanks.

Frank

Doug Burks, Nov 8, 2009, 9:47:45 PM, to securit...@googlegroups.com
Hi Frank,

It's been a while since I've used NX Server (and certainly have never
tried it with Security Onion and/or Sguil), but my guess is that it's
a font issue. Quoting from the NoMachine website:

"NOTE: The additional fonts are only needed when running very old Unix
applications, requiring the use of client-side fonts."

The Sguil client is written in Tcl/Tk, which falls into the category
of "very old Unix applications". Please try installing the additional
fonts packages from the NoMachine website:
http://www.nomachine.com/download-client-windows.php

Please let me know whether or not that helps.
