Re: [security-onion] pcap_agent fail everything else is working.


Doug Burks

Feb 15, 2013, 6:56:13 AM
to securit...@googlegroups.com
Hi Rod,

Is this a standalone deployment or do you have separate server and sensors?

Have you tried the following on the sensor in question?
sudo nsm_sensor_ps-restart

If you need further help, please send the output of the following
(redacting sensitive info as necessary):
sudo sostat

Thanks,
Doug

On Wed, Feb 13, 2013 at 2:31 PM, Rod Kelsey <rodney...@gmail.com> wrote:
> Went to open a file via SGuil - got an error that pcap_agent wasn't running. Tried stopping/starting - no improvement. Attached is the log file, and a copy of the pcap_agent.conf (hasn't been modified). Missing file?
>
> Executing: pcap_agent.tcl -c /etc/nsm/JMST-IDS-eth0/pcap_agent.conf
> Connected to localhost
> Sending sguild (sock3) RegisterAgent pcap JMST-IDS-eth0 JMST-IDS-eth0
> Sending sguild (sock3) DiskReport /nsm/sensor_data/JMST-IDS-eth0 50%
> Sending sguild (sock3) PING
> Sensor Data Rcvd: AgentInfo JMST-IDS-eth0 pcap JMST-IDS-eth0 2 0
> Error: can't read "logFile": no such variable
> can't read "logFile": no such variable
> while executing
> "file stat $logFile fileStat"
> (procedure "CheckLastPcapFile" line 25)
> invoked from within
> "CheckLastPcapFile 1"
> (procedure "AgentInfo" line 6)
> invoked from within
> "AgentInfo [lindex $data 1] [lindex $data 2] [lindex $data 3] [lindex $data 4] "
> (procedure "SguildCmdRcvd" line 27)
> invoked from within
> "SguildCmdRcvd sock3"
>
>
> pcap_agent.conf
> # pcap_agent.conf: auto-generated by NSMnow Administration on Wed Jan 9 18:28:31 UTC 2013
> # DEBUG is VERY chatty. Use it only when needed (1=on, 0=off)
> set DEBUG 1
> # Run in background (1=yes, 0=no)
> set DAEMON 0
> # Name of sguild server
> set SERVER_HOST localhost
> # Port sguild listens on for sensor connects
> set SERVER_PORT 7736
> # Local hostname (sensors monitoring multiple interfaces need to use a unique 'hostname' for each interface)
> set HOSTNAME JMST-IDS-eth0
> # The net id is used to correlate data from different agents.
> set NET_GROUP JMST-IDS-eth0
> # The root of your log dir for data like pcap, portscans, sessions, etc
> set LOG_DIR /nsm/sensor_data
> # Where raw/pcap files are being logged to and will be read from.
> set RAW_LOG_DIR ${LOG_DIR}/${HOSTNAME}/dailylogs
> # Path to tcpdump. Used for parsing pcap files.
> set TCPDUMP "/usr/sbin/tcpdump"
> # If you do VLAN tagging then set this to 1 so the right filter is passed to tcpdump.
> # As of Security Onion 20120224, VLAN should always be 0. Please do not change!
> # http://securityonion.blogspot.com/2012/02/security-onion-20120224-now-available.html
> set VLAN 0
> # Directory to store the temp pcap files
> set TMP_DIR "/tmp"
> # sensor agent reports current disk use up to sguild
> set WATCH_DIR ${LOG_DIR}/${HOSTNAME}
> # Delay in milliseconds for doing different functions.
> set FILE_CHECK_IN_MSECS 300000
> # Disk space
> set DISK_CHECK_DELAY_IN_MSECS 1800000
> # Keep a heartbeat going w/PING PONG in milliseconds. (0 to disable)
> set PING_DELAY 300000
>



--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Feb 15, 2013, 9:03:30 AM
to securit...@googlegroups.com
If you need further help, please send the output of the following
(redacting sensitive info as necessary):
sudo sostat

Thanks,
Doug

On Fri, Feb 15, 2013 at 9:00 AM, Rod Kelsey <rodney...@gmail.com> wrote:
> Good Morning Doug,
> This is a Standalone deployment. Yes, I have tried the restart command - I keep getting a fail message on pcap_agent (the first post has the log message that keeps getting generated). The only modification I have made outside of snort rules is the SQL DAYSTOKEEP setting, down to 30 from 365. This event happened around the time that the cleanup should have kicked in. Disk space is at 50%.

Doug Burks

Feb 18, 2013, 2:39:30 PM
to securit...@googlegroups.com
I don't see anything too suspicious in your sostat output. Please
send the output of the following:

date
sudo nsm_sensor_ps-restart --only-pcap
sudo nsm_sensor_ps-restart --only-pcap-agent

Also send fresh copies of the pcap_agent and netsniff-ng log files.

Thanks,
Doug

On Fri, Feb 15, 2013 at 9:24 AM, Rod Kelsey <rodney...@gmail.com> wrote:

Doug Burks

Feb 23, 2013, 7:42:46 AM
to securit...@googlegroups.com
Why does your date command show "Tue Feb 19", but your netsniff log
shows that it's trying to write to 2013-01-29?
Doug

On Tue, Feb 19, 2013 at 1:52 PM, Rod Kelsey <rodney...@gmail.com> wrote:
> Tue Feb 19 18:37:50 GMT 2013
>
> Restarting: SECONION-eth0
>
> * restarting with overlap: netsniff-ng (full packet data)
>
> * starting: netsniff-ng (full packet data)                    [ OK ]
>
> - stopping old process: netsniff-ng (full packet data)        [ OK ]
>
> Restarting: SECONION-eth0
>
> * starting: pcap_agent (sguil)                                [ OK ]
>
> Executing: pcap_agent.tcl -c /etc/nsm/SECONION-eth0/pcap_agent.conf
> Connected to localhost
> Sending sguild (sock3) RegisterAgent pcap SECONION-eth0 SECONION-eth0
> Sending sguild (sock3) DiskReport /nsm/sensor_data/SECONION-eth0 50%
> Sending sguild (sock3) PING
> Sensor Data Rcvd: AgentInfo SECONION-eth0 pcap SECONION-eth0 2 0
> Error: can't read "logFile": no such variable
> can't read "logFile": no such variable
> while executing
> "file stat $logFile fileStat"
> (procedure "CheckLastPcapFile" line 25)
> invoked from within
> "CheckLastPcapFile 1"
> (procedure "AgentInfo" line 6)
> invoked from within
> "AgentInfo [lindex $data 1] [lindex $data 2] [lindex $data 3] [lindex $data 4] "
> (procedure "SguildCmdRcvd" line 27)
> invoked from within
> "SguildCmdRcvd sock3"
> Executing: netsniff-ng -i eth0 -o /nsm/sensor_data/SECONION-eth0/dailylogs/2013-01-29 -s --prefix snort.log. --interval 150MiB
> netsniff-ng 0.5.8
> BPF JIT
> RX: 23.83 MiB, 12200 Frames, each 2048 Byte allocated
> PROMISC
> BPF:
> L0: ret #0xffffffff
> MD: RX scatter-gather lf64 realtime: prio 4
>
> .(+306806/-0).(+337843/-0).(+581853/-0).(+284642/-0).(+260836/-0).(+213662/-0).(+234141/-0).(+295284/-0).(+253385/-0).(+280882/-0).(+280321/-0).(+266512/-0).(+206505/-0).(+202082/-0).(+221764/-0)

Rod Kelsey

Feb 24, 2013, 9:38:05 AM
to securit...@googlegroups.com
Good question. I'll check the date on the computer when I get back in, but I'm pretty sure it's correct. Should this command line be a variable?


Doug Burks

Feb 24, 2013, 4:37:54 PM
to securit...@googlegroups.com
Here's the relevant code snippet from /usr/sbin/nsm_sensor_ps-start.
It creates a directory based on today's date and then starts
netsniff-ng and tells it to write pcaps to today's directory.

# start packet logger
TODAY=$(date $DATE_OPTIONS "+%Y-%m-%d") #-u option sets TZ to GMT
if [ ! -d "$SENSOR_LOG_DIR/dailylogs/$TODAY" ]; then
    mkdir -p $SENSOR_LOG_DIR/dailylogs/$TODAY
    chown $SENSOR_USER:$SENSOR_GROUP $SENSOR_LOG_DIR/dailylogs/$TODAY
    chmod 775 $SENSOR_LOG_DIR/dailylogs/$TODAY
fi

#snip

# netsniff-ng is told to write into the dailylogs/$TODAY directory created above
[ -z "$SKIP_PCAP" ] && process_start "netsniff-ng" \
    "-i $SENSOR_INTERFACE_SHORT -o $SENSOR_LOG_DIR/dailylogs/$TODAY -s --prefix snort.log. --interval 150MiB $PCAP_OPTIONS $BPF_OPTION" \
    "$PROCESS_PID_DIR/$SENSOR/netsniff-ng.pid" \
    "$PROCESS_LOG_DIR/$SENSOR/netsniff-ng.log" \
    "netsniff-ng (full packet data)"
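The following POSIX shell check is an added example; it is not code from Security Onion, from nsm_sensor_ps-start, or from anyone in this thread. It turns the question above into a repeatable check: pull the -o target out of the netsniff-ng "Executing:" log line, compare its last path component with the sensor's current UTC date (the same format the start script uses for $TODAY), and count the snort.log.* files in a daily directory. The sample log line and date are the ones posted earlier in the thread; the function names are assumptions of this example, and the assumption that pcap_agent reads from the dailylogs directory for the current day follows from the RAW_LOG_DIR setting in the posted pcap_agent.conf.

```shell
#!/bin/sh
# Added example, not code from Security Onion or from this thread's scripts.
# It checks the assumption nsm_sensor_ps-start bakes in: netsniff-ng writes
# to dailylogs/$TODAY, where TODAY is the sensor's current UTC date.

# Pull the "-o <dir>" target out of a netsniff-ng "Executing:" log line.
netsniff_out_dir() {
    printf '%s\n' "$1" | sed -n 's/.* -o \([^ ]*\).*/\1/p'
}

# Succeed when the directory's last path component equals today's UTC date
# (same format as `date -u +%Y-%m-%d` in the start script). An optional
# second argument pins "today" so the check is reproducible in a test.
pcap_dir_is_today() {
    today="${2:-$(date -u +%Y-%m-%d)}"
    [ "$(basename "$1")" = "$today" ]
}

# Count snort.log.* files in one daily directory; prints 0 when the
# directory is missing. RAW_LOG_DIR in the posted pcap_agent.conf points at
# dailylogs under the sensor directory, so an empty directory for today is
# the first thing to look at when pcap_agent cannot stat a pcap.
daily_pcap_count() {
    [ -d "$1" ] || { echo 0; return; }
    find "$1" -maxdepth 1 -name 'snort.log.*' -type f | wc -l | tr -d ' '
}

# One-line verdict for a sensor: does the live netsniff-ng target match
# today's date? Returns 0 when it matches, 1 otherwise.
check_sensor_log_line() {
    line="$1"; today="$2"
    dir=$(netsniff_out_dir "$line")
    if [ -z "$dir" ]; then
        echo "no -o target found in netsniff-ng log line"
        return 1
    fi
    if pcap_dir_is_today "$dir" "$today"; then
        echo "ok: netsniff-ng writing to today's directory ($dir)"
        return 0
    fi
    echo "MISMATCH: netsniff-ng writing to $dir but today is $today"
    return 1
}

# Sample input taken from the thread: the netsniff-ng log line and the
# date reported by the sensor on the same day.
SAMPLE_LINE='Executing: netsniff-ng -i eth0 -o /nsm/sensor_data/SECONION-eth0/dailylogs/2013-01-29 -s --prefix snort.log. --interval 150MiB'
SAMPLE_TODAY='2013-02-19'

# Run the check on the sample; prints the MISMATCH line for the thread's data.
check_sensor_log_line "$SAMPLE_LINE" "$SAMPLE_TODAY" || true
```

On a live sensor, feed check_sensor_log_line the last "Executing:" line from the netsniff-ng log under the nsm log directory and let it read the clock; a mismatch means the sensor has been running since a previous day or its clock moved, and daily_pcap_count on today's dailylogs directory shows whether pcap_agent has anything to read.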