Snort displaying alerts on console


Eric Vanderveer

Sep 5, 2019, 11:04:09 AM
to security-onion
How can I turn this off? I am not sure how it got turned on, but my ssh session is filling up with snort alerts.
Thanks!

Wes

Sep 5, 2019, 12:02:21 PM
to security-onion
Hi Eric,

This may be related to the following:


Thanks,
Wes

Eric Vanderveer

Sep 5, 2019, 1:08:50 PM
to security-onion
I was hoping it was, but sadly, it's still doing it.



Wes Lambert

Sep 5, 2019, 1:28:26 PM
to securit...@googlegroups.com
Could it be that you are still seeing a backlog of alerts?

You could try running so-clear-backlog to see if it helps.

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/6f4e49fb-3176-4829-8959-5171d921a4fd%40googlegroups.com.


Eric Vanderveer

Sep 5, 2019, 1:41:08 PM
to securit...@googlegroups.com
I thought that was the answer in the link you gave me to read.  Did I miss something?

Steven J

Sep 5, 2019, 2:35:15 PM
to securit...@googlegroups.com
Hi Eric,

I take it you ran so-clear-backlog?

My opinion:

Edit /etc/nsm/rules/threshold.conf and add this line:
suppress gen_id 129, sig_id 20

Save the file, then run
sudo so-clear-backlog

When complete, edit /etc/nsm/rules/threshold.conf and remove this line:
suppress gen_id 129, sig_id 20

Finally, run sudo nsm_sensor_ps-start --only-snort-alert
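As an added example (mine, not part of Steven's post and not Security Onion's own tooling), here is a small POSIX sh script that makes the suppress, clear backlog, unsuppress, restart sequence above repeatable and idempotent, so the temporary suppress line cannot be left behind by accident. It assumes threshold.conf holds one directive per line; the 129:20 gen_id/sig_id pair, the file path and the so-clear-backlog / nsm_sensor_ps-start commands are the ones named in the post, while the function names and the THRESHOLD_CONF override are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Security Onion): make the
# suppress -> clear backlog -> unsuppress -> restart procedure repeatable.
# Assumptions: threshold.conf holds one directive per line; 129:20 and the
# so-clear-backlog / nsm_sensor_ps-start commands are as named in the post.
# THRESHOLD_CONF can be overridden in the environment, e.g. to rehearse on a copy.

THRESHOLD_CONF="${THRESHOLD_CONF:-/etc/nsm/rules/threshold.conf}"

# Regex matching a "suppress gen_id G, sig_id S" line with flexible whitespace.
suppress_regex() {   # G S
    printf '^[[:space:]]*suppress[[:space:]]+gen_id[[:space:]]+%s[[:space:]]*,[[:space:]]*sig_id[[:space:]]+%s[[:space:]]*$' "$1" "$2"
}

# Exit status 0 if FILE already suppresses G:S (a missing file counts as "no").
is_suppressed() {    # FILE G S
    [ -f "$1" ] && grep -Eq "$(suppress_regex "$2" "$3")" "$1"
}

# Append the suppress directive unless it is already there (idempotent).
add_suppress() {     # FILE G S
    if ! is_suppressed "$1" "$2" "$3"; then
        printf 'suppress gen_id %s, sig_id %s\n' "$2" "$3" >> "$1"
    fi
}

# Delete every matching suppress line, keeping all other directives intact.
# grep -v exits 1 when nothing is left to print, which is not an error here.
remove_suppress() {  # FILE G S
    tmp="$1.tmp.$$"
    grep -Ev "$(suppress_regex "$2" "$3")" "$1" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$1"
}

# The full sequence from the post, for the 129:20 pair.
drain_backlog() {
    add_suppress "$THRESHOLD_CONF" 129 20
    sudo so-clear-backlog
    remove_suppress "$THRESHOLD_CONF" 129 20
    sudo nsm_sensor_ps-start --only-snort-alert
}

# Only run the live sequence when asked explicitly:  sh this_script.sh drain
case "${1:-}" in
    drain) drain_backlog ;;
esac
```

Sourcing the file gives you add_suppress / remove_suppress / is_suppressed for any gen_id:sig_id pair, and running it with the single argument drain performs the whole sequence from the post against the real threshold.conf.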



Eric Vanderveer

Sep 5, 2019, 2:36:42 PM
to securit...@googlegroups.com
Yes, I did.  I will try this.  Thanks!

Wes Lambert

Sep 5, 2019, 2:41:04 PM
to securit...@googlegroups.com
Eric,

The assumption was that you already tried to suppress the alert(s). The only thing so-clear-backlog will do is remove the current alert data that is being processed; it won't prevent new alerts from coming in.

Thanks,
Wes

Eric Vanderveer

Sep 5, 2019, 3:52:04 PM
to securit...@googlegroups.com
Well, I want the alerts, I just want to have them stop showing on my console.

Eric Vanderveer

Sep 6, 2019, 1:29:41 PM
to security-onion
Any other ideas? I looked through the snort config and don't see a setting that displays alerts on the terminal.


Steven J

Sep 6, 2019, 1:32:21 PM
to securit...@googlegroups.com
Are you wanting them to not show in Squert/Sguil, Kibana, or where in the console do you want them to be present but not visible?

Eric Vanderveer

Sep 6, 2019, 1:34:54 PM
to securit...@googlegroups.com
When I log into SO with terminal access they are showing on my screen over ssh. I need to stop them from showing there. It's frustrating when you are trying to type and an alert pops up.

Steven J

Sep 6, 2019, 1:44:15 PM
to securit...@googlegroups.com
Ahhh, that is a completely different kind of madness. 

Alerts should not generally go to a CLI screen, I wonder if they have been piped there instead of their usual destination?
I don't know atm where this could have been reconfigured from, but I'll see what I can think of until someone else chimes in. 

Jim Hranicky

Sep 6, 2019, 3:05:54 PM
to securit...@googlegroups.com
Can this be fixed with a simple

dmesg -n 1

?

https://askubuntu.com/questions/97256/how-do-i-disable-messages-or-logging-from-printing-on-the-console-virtual-termin

--
Jim Hranicky
Data Security Specialist
UF Information Technology
720 SW 2nd Avenue Suite 450, North Tower, Gainesville, FL 32605
352-273-1341

Eric Vanderveer

Sep 6, 2019, 3:07:19 PM
to securit...@googlegroups.com
No, just tried it.  Thanks for that thought though. 

Eric Vanderveer CISSO, CPEH, CPTE, GMON
President
Intricate Security


Steven J

Sep 6, 2019, 3:57:35 PM
to securit...@googlegroups.com
You can force output to a terminal screen using
-A console
as a command line option, but I'm not sure where to look to see if this has been changed in your case.
Would this show up at the bottom of
sostat-redacted ?
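Added example (mine, not from Steven's post or from the Security Onion project) of the check he describes: given `ps -eo args` style output, print the `-A` alert output mode of every running snort process, so a `console` setting stands out even when you do not know which config or startup script put it there. The process lines produced by sample_ps_output are constructed for the example; on a sensor you would pipe the real `ps -eo args` into snort_alert_modes instead.

```shell
#!/bin/sh
# Added example: report the alert output mode ("-A <mode>") of each running
# snort process. Feed it `ps -eo args`; sample_ps_output() below supplies
# constructed lines so the script also runs offline.

# Constructed stand-in for `ps -eo args` (one process per line, header first).
sample_ps_output() {
    printf '%s\n' \
        'COMMAND' \
        '/usr/bin/snort -c /etc/nsm/sensor1/snort.conf -A console -i eth1' \
        'sshd: analyst [priv]' \
        '/usr/bin/snort -c /etc/nsm/sensor2/snort.conf -i eth2'
}

# For each line whose command is snort, print the value following -A,
# or "(default)" when the process was started without an explicit -A flag.
snort_alert_modes() {
    awk '
        $1 ~ /(^|\/)snort$/ {
            mode = "(default)"
            for (i = 2; i <= NF; i++)
                if ($i == "-A" && i < NF) mode = $(i + 1)
            print mode
        }'
}

# Stand-alone run against the constructed sample; on a sensor use:
#   ps -eo args | snort_alert_modes
sample_ps_output | snort_alert_modes
```

The sample yields one line per snort process, console for the first and (default) for the second; anything other than the mode your deployment expects is the process to trace back to its startup script.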


Eric Vanderveer

Sep 6, 2019, 6:08:13 PM
to securit...@googlegroups.com

Eric Vanderveer

Sep 9, 2019, 9:04:14 AM
to security-onion
So, after looking at the redacted output I didn't see anything about snort config sending to console, but I did see that an upgrade was available.  I did another upgrade to SO and a reboot and now it has stopped.  Not sure what turned it on at the last upgrade but we are good.  Thanks for all the help everyone!


Steven J

Sep 9, 2019, 10:02:37 AM
to securit...@googlegroups.com
Sweet, glad it got sorted :-)
