More than 11 entries in sensortab breaks so-elasticsearch due to taking 9200/9300 for snort_agent.tcl


Kevin Branch

Dec 12, 2018, 1:02:43 PM
to securit...@googlegroups.com
Dynamic generation of snort_agent.tcl listening ports starts at 8000 and jumps by increments of 100, which means that if you have 12 or more interfaces in /etc/nsm/sensortab, the 12th one will use 9200. That will put a tcp/9200 listener on localhost and prevent so-elasticsearch from starting up, since it needs to use that port. This will happen if the 12th sensortab entry is an active sensor interface, even if the preceding 11 entries are not configured at all.

The same issue comes up for the 12th entry in sensortab stealing listening port 9300 from Elasticsearch.

PR to fix this submitted:
I tested this by running sosetup and then inspecting sensortab. Ports 9200 and 9300 were cleanly skipped over.

Kevin


Wes

Dec 12, 2018, 4:21:33 PM
to security-onion
Hi Kevin,

Nice catch! I've created the following issue for this:

https://github.com/Security-Onion-Solutions/security-onion/issues/1397

Thanks!
Wes

Kevin Branch

Dec 12, 2018, 8:59:49 PM
to securit...@googlegroups.com
You are welcome. Also, I updated the PR to skip more, now from 9200-9600, because I just found minutes ago that this same issue comes up when a snort_agent port is 9600. Logstash requires that port. It makes so-status just freeze forever after this:

Status: Elastic stack
  * so-elasticsearch                                                                                              [  OK  ]

The port conflict only became evident when directly trying to start it with so-logstash-start.

Kevin
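The allocation scheme described in the two messages above, modelled as an added example (this is not Security Onion's own code and not the content of the PR): ports start at 8000 and step by 100 per sensortab entry, and the fix skips the 9200-9600 range that Elasticsearch (9200/9300) and Logstash (9600) need on the master. It assumes the first sensortab entry gets 8000 (the thread only says allocation "starts at 8000"); the sensortab lines in the demo are constructed and only carry a name, an active flag and an interface, not the real file layout. The `port_listening` helper is the pre-flight check that would have surfaced the conflict before so-elasticsearch or so-logstash refused to start.

```sh
#!/bin/sh
# Added example, not Security Onion's own code. Models snort_agent.tcl
# port allocation as described in the thread: 8000, stepping by 100 per
# /etc/nsm/sensortab entry. "naive" collides with the Elastic stack;
# "safe" hops over the range 9200-9600 (Elasticsearch 9200/9300,
# Logstash 9600). Assumption: entry 1 gets 8000.

FIRST_PORT=8000
STEP=100
RESERVED_LO=9200
RESERVED_HI=9600

# naive_port N: port the Nth (1-based) sensortab entry gets with no skipping.
naive_port() {
    echo $(( FIRST_PORT + ($1 - 1) * STEP ))
}

# next_safe_port PREV: next candidate after PREV, hopping over the reserved range.
next_safe_port() {
    p=$(( $1 + STEP ))
    if [ "$p" -ge "$RESERVED_LO" ] && [ "$p" -le "$RESERVED_HI" ]; then
        # first multiple of STEP strictly above the reserved range (9700 here)
        p=$(( RESERVED_HI - RESERVED_HI % STEP + STEP ))
    fi
    echo "$p"
}

# safe_port N: port for the Nth entry with the reserved range skipped.
safe_port() {
    p=$FIRST_PORT
    i=1
    while [ "$i" -lt "$1" ]; do
        p=$(next_safe_port "$p")
        i=$(( i + 1 ))
    done
    echo "$p"
}

# count_reserved_conflicts SCHEME N: how many of the first N entries land
# inside the reserved range under SCHEME (naive|safe).
count_reserved_conflicts() {
    scheme=$1; n=$2; hits=0; i=1
    while [ "$i" -le "$n" ]; do
        p=$("${scheme}_port" "$i")
        if [ "$p" -ge "$RESERVED_LO" ] && [ "$p" -le "$RESERVED_HI" ]; then
            hits=$(( hits + 1 ))
        fi
        i=$(( i + 1 ))
    done
    echo "$hits"
}

# port_listening PORT: exit 0 if something already listens on tcp/PORT,
# 1 if nothing does, 2 if neither ss nor netstat is available to check.
# Run this for each allocated port before starting a sensor; a hit on
# 9200/9300/9600 is exactly the so-elasticsearch / so-logstash conflict.
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR>1 {print $4}' | grep -q ":$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    else
        return 2
    fi
}

# Constructed 13-entry sensortab (name, active flag, interface); not the
# real file format, just enough rows to reach the 9200 collision.
SENSORTAB="$(i=1; while [ "$i" -le 13 ]; do echo "so-eth$i 1 eth$i"; i=$(( i + 1 )); done)"

i=0
echo "$SENSORTAB" | while read -r name active iface; do
    i=$(( i + 1 ))
    printf '%-10s naive=%s safe=%s\n' "$name" "$(naive_port "$i")" "$(safe_port "$i")"
done
echo "naive scheme, 20 entries, ports inside 9200-9600: $(count_reserved_conflicts naive 20)"
echo "safe scheme,  20 entries, ports inside 9200-9600: $(count_reserved_conflicts safe 20)"
```

With 13 entries the naive scheme hands entry 13 port 9200, while the safe scheme gives it 9700 and leaves 9200-9600 untouched; the skip is computed from the range bounds rather than from a list of individual ports, so widening it later (as the PR did from 9200-9300 to 9200-9600) is a one-variable change.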


Doug Burks

Dec 27, 2018, 10:43:18 AM
to securit...@googlegroups.com
Thanks for the PR, Kevin! The updated package has been published:
--
Doug Burks
CEO
Security Onion Solutions, LLC