Elastic Stack : CapMe error could not find this ID


bug...@gmail.com

Sep 19, 2017, 9:47:13 AM
to security-onion
Hi,

I am getting some errors with CapMe for some events I am pivoting to from Kibana,
from the Bro - Notices dashboard.
I identified a number of "SSL certificate validation failed with (self signed certificate in certificate chain)" notices.

They come from my Apple devices and go to an Apple server: courier.push.apple.com

I get the same alert from 3 different local IPs / devices, connected to the same WIFI AP.
If I look at the last 10 events (within a period of time of about 45 minutes):
- All links to the UID work (indicator)
- However, only for 1 of those 3 IPs do I get the PCAP through the CapMe / _ID link

I get the following error in Capme:
Second ES query couldn't find this ID.


When I look at the events, they have the same message:
NOT GETTING PCAP:
1505826664.766263 CAabJj3LI7c3suliEj 192.168.1.31 50606 17.252.140.87 5223 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (self signed certificate in certificate chain) C=US,O=Apple Inc.,OU=APNS SRE,CN=courier.push.apple.com 192.168.1.31 17.252.140.87 5223 - bro Notice::ACTION_LOG 3600.000000 F - - - - -

GETTING PCAP:
1505826543.892870 CWBHyK2UYBrUPoJIJl 192.168.1.81 50299 17.252.236.208 5223 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (self signed certificate in certificate chain) C=US,O=Apple Inc.,OU=APNS SRE,CN=courier.push.apple.com 192.168.1.81 17.252.236.208 5223 - bro Notice::ACTION_LOG 3600.000000 F - - - - -


The only differences are:
- Source IP
- Destination IP
- a 2 minute timestamp difference

I pivoted on the IP address where I had a problem to get the PCAP and can get other events to generate PCAP.

I have also noticed that there are other events where there are no PCAP so it isn't just a problem with that type of event.

In Bro Notice, my dropped packets are around 3%.

Does anyone else have this issue?

Other issues with CapMe not being found, this time in the NIDS dashboard:
- Getting a lot of "GPL ICMP_INFO PING BSDtype" events; when I click on _ID I get an error stating "Missing destination port." Indeed, in the event there is no destination port, just Source and Destination IP.
- "ET POLICY Dropbox Client Broadcasting": the CapMe error is "Second ES query couldn't find this ID"

Now on that last error with the Dropbox Broadcast, I checked, and with Squert for the same event I can get to CapMe.
But on Kibana I get the "Second ES query couldn't find this ID" error.
Not sure if this is a transient error anymore.

B.

Doug Burks

Sep 19, 2017, 10:03:26 AM
to securit...@googlegroups.com
Hi bugsxor,

Replies inline.

On Tue, Sep 19, 2017 at 9:47 AM, <bug...@gmail.com> wrote:
> Hi,
>
> I am getting some errors with CapMe for some events I am pivoting to from Kibana,
> from the Bro - Notices dashboard.
> I identified a number of "SSL certificate validation failed with (self signed certificate in certificate chain)" notices.
>
> They come from my Apple devices and go to an Apple server: courier.push.apple.com
>
> I get the same alert from 3 different local IPs / devices, connected to the same WIFI AP.
> If I look at the last 10 events (within a period of time of about 45 minutes):
> - All links to the UID work (indicator)
> - However, only for 1 of those 3 IPs do I get the PCAP through the CapMe / _ID link
>
> I get the following error in Capme:
> Second ES query couldn't find this ID.
>
>
> When I look at the events, they have the same message:
> NOT GETTING PCAP:
> 1505826664.766263 CAabJj3LI7c3suliEj 192.168.1.31 50606 17.252.140.87 5223 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (self signed certificate in certificate chain) C=US,O=Apple Inc.,OU=APNS SRE,CN=courier.push.apple.com 192.168.1.31 17.252.140.87 5223 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
>
> GETTING PCAP:
> 1505826543.892870 CWBHyK2UYBrUPoJIJl 192.168.1.81 50299 17.252.236.208 5223 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (self signed certificate in certificate chain) C=US,O=Apple Inc.,OU=APNS SRE,CN=courier.push.apple.com 192.168.1.81 17.252.236.208 5223 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
>
>
> The only differences are:
> - Source IP
> - Destination IP
> - a 2 minute timestamp difference
>
> I pivoted on the IP address where I had a problem to get the PCAP and can get other events to generate PCAP.
>
> I have also noticed that there are other events where there are no PCAP so it isn't just a problem with that type of event.
>
> In Bro Notice, my dropped packets are around 3%.

If Bro is dropping packets, that could cause issues pivoting to CapMe
because CapMe has to find a bro_conn log for the TCP/UDP traffic in
question. That being said, there are some known issues with pivoting
from Kibana to CapMe that we plan to work on for the next release
(Beta):
https://github.com/Security-Onion-Solutions/security-onion/issues/1130

> Does anyone else have this issue?
>
> Other issues with CapMe not being found, this time in the NIDS dashboard:
> - Getting a lot of "GPL ICMP_INFO PING BSDtype" events; when I click on _ID I get an error stating "Missing destination port." Indeed, in the event there is no destination port, just Source and Destination IP.

ICMP doesn't have ports (it has types and codes). CapMe requires
source port and destination port to find the traffic, so this doesn't
work for ICMP, only TCP and UDP.

> - "ET POLICY Dropbox Client Broadcasting": the CapMe error is "Second ES query couldn't find this ID"
>
> Now on that last error with the Dropbox Broadcast, I checked, and with Squert for the same event I can get to CapMe.
> But on Kibana I get the "Second ES query couldn't find this ID" error.
> Not sure if this is a transient error anymore.


--
Doug Burks
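To make the two failure modes in the reply concrete, here is an added example (not CapMe's own code, and not from the Security Onion project) that emulates the two preconditions described above: the pivot must carry a TCP/UDP 4-tuple with both ports, and a bro_conn record matching that tuple must exist near the event time. The conn log, the second conn row, the ICMP event and the 60-second window are constructed assumptions; the two TCP notices are the ones from the post, and the missing conn row for 192.168.1.31 stands in for a record lost to packet drops.

```python
from typing import Optional, Tuple

# Column order of the constructed conn log (a subset of Bro's conn.log fields).
CONN_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")

# Constructed conn log. Row 1 is the connection behind the "GETTING PCAP" notice.
# Row 2 (constructed UID) is a different connection from 192.168.1.31 to the same
# server; there is deliberately no row for 192.168.1.31:50606, the case where the
# notice fired but the conn record never landed (e.g. because of packet drops).
CONN_LOG = (
    "1505826543.892870\tCWBHyK2UYBrUPoJIJl\t192.168.1.81\t50299\t17.252.236.208\t5223\ttcp\n"
    "1505826640.120000\tCcons0001Example00\t192.168.1.31\t50611\t17.252.140.87\t5223\ttcp\n"
)

def parse_conn_log(text: str):
    """Parse tab-separated conn rows into dicts; skip blank and '#' header lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(CONN_FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rows.append(rec)
    return rows

def capme_lookup(event: dict, conn_rows, window_s: float = 60.0) -> Tuple[Optional[str], Optional[str]]:
    """Emulate CapMe's checks. Returns (uid, error): a conn UID on success,
    otherwise None plus the error text the thread reports for that case."""
    if event.get("proto") not in ("tcp", "udp") or not event.get("dpt"):
        return None, "Missing destination port."          # ICMP has types/codes, not ports
    fwd = (event["sip"], event["spt"], event["dip"], event["dpt"])
    rev = (event["dip"], event["dpt"], event["sip"], event["spt"])  # assumption: either direction counts
    for r in conn_rows:
        tup = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"])
        if r["proto"] == event["proto"] and tup in (fwd, rev) and abs(r["ts"] - event["ts"]) <= window_s:
            return r["uid"], None
    return None, "Second ES query couldn't find this ID."  # no conn record for this tuple/time

# The two notices from the post, plus a constructed ICMP alert with no ports.
NOT_GETTING = {"ts": 1505826664.766263, "sip": "192.168.1.31", "spt": "50606", "dip": "17.252.140.87", "dpt": "5223", "proto": "tcp"}
GETTING = {"ts": 1505826543.892870, "sip": "192.168.1.81", "spt": "50299", "dip": "17.252.236.208", "dpt": "5223", "proto": "tcp"}
ICMP_PING = {"ts": 1505826700.0, "sip": "192.168.1.50", "spt": "", "dip": "192.168.1.1", "dpt": "", "proto": "icmp"}

if __name__ == "__main__":
    rows = parse_conn_log(CONN_LOG)
    for name, ev in (("NOT GETTING", NOT_GETTING), ("GETTING", GETTING), ("ICMP", ICMP_PING)):
        print(name, capme_lookup(ev, rows))
```

The second conn row shows that a nearby connection from the same host to the same server is not enough: the tuple must match on both ports, which is also why a dropped conn record cannot be recovered from a neighbouring one.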

id1010...@gmail.com

Dec 13, 2017, 11:03:58 AM
to security-onion
Not to raise the dead, but this issue with CapMe giving the error
"Second ES query couldn't find this ID" persists with the latest update of Elastic SO.

Doug Burks

Dec 13, 2017, 12:00:09 PM
to securit...@googlegroups.com
Hi id1010terror,

Instead of resurrecting old threads, please start a new
thread and include full sostat info.
--
Doug Burks