Re: [security-onion] Security Onion no longer showing events in any of the tools


Scott Runnels

May 14, 2013, 3:12:42 PM
to securit...@googlegroups.com
You can try running tcpdump or tshark on the sniffing interface and check for traffic. 

You can restart all the NSM processes with:
sudo service nsm restart

Scott Runnels



On Tue, May 14, 2013 at 2:50 PM, sbr...@jec.coop <sbr...@jec.coop> wrote:
Is there a way to check to see if it is still capturing traffic, or is there a way to "restart" all the processes without restarting the boxes?

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.



Sid Brown

May 16, 2013, 2:14:16 PM
to securit...@googlegroups.com
I restarted the processes and snorby is still not showing any data/events.  Everything else seems to be working.

Doug Burks

May 16, 2013, 2:21:44 PM
to securit...@googlegroups.com
Hi Sid,

Please send the output of the following (redacting sensitive info as necessary):
sudo sostat

Thanks,
Doug
Doug Burks
http://securityonion.blogspot.com

Sid Brown

May 16, 2013, 2:34:14 PM
to securit...@googlegroups.com
Attached
putty1.txt

Doug Burks

May 16, 2013, 2:49:11 PM
to securit...@googlegroups.com
Your snort process has failed:

* snort-1 (alert data)[ FAIL ]
* stale PID file found, process will be restarted at the next
5-minute interval!

Have you made any changes to the Snort configuration?

What is the output of the following?
tail -100 /var/log/nsm/SOserver1-eth0/snortu-1.log

Thanks,
Doug

Heine Lysemose

May 16, 2013, 2:52:13 PM
to securit...@googlegroups.com

...and there's trouble with pfring!

Regards,
Lysemose

Sid Brown

May 16, 2013, 3:01:14 PM
to securit...@googlegroups.com
soadmin@SOserver1:~$ tail -100/var/log/nsm/SOserver1-eth0/snortu-1.log
tail: option used in invalid context -- 1
soadmin@SOserver1:~$ tail -100/var/log/nsm/SOserver1-eth0/snortu-1.log /var/log/nsm/SOserver1-eth0/snortu-1.log
| gen-id=1 sig-id=2010508 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406784 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2403312 type=Limit tracking=src count=1 seconds=3600
| gen-id=1 sig-id=2520056 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406027 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2003930 type=Limit tracking=src count=2 seconds=300
| gen-id=1 sig-id=2406006 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406531 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406749 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2408011 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406694 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406877 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2010935 type=Limit tracking=src count=5 seconds=60
| gen-id=1 sig-id=2406758 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406037 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406696 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2500049 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2408000 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2403311 type=Limit tracking=src count=1 seconds=3600
| gen-id=1 sig-id=2003267 type=Both tracking=src count=1 seconds=900
| gen-id=1 sig-id=2406879 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406241 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2408052 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2008413 type=Limit tracking=src count=2 seconds=300
| gen-id=1 sig-id=2404082 type=Limit tracking=src count=1 seconds=3600
| gen-id=1 sig-id=2520101 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2404041 type=Limit tracking=src count=1 seconds=3600
| gen-id=1 sig-id=2403304 type=Limit tracking=src count=1 seconds=3600
| gen-id=1 sig-id=2012141 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=2014297 type=Limit tracking=src count=2 seconds=300
| gen-id=1 sig-id=2520037 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2009159 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406076 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406441 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2003275 type=Both tracking=src count=1 seconds=900
| gen-id=1 sig-id=2406722 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2404100 type=Limit tracking=src count=1 seconds=3600
| gen-id=1 sig-id=2406624 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406764 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406743 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406691 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406766 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406807 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406732 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406029 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2008209 type=Limit tracking=src count=2 seconds=300
| gen-id=1 sig-id=2406870 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406488 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406469 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2520150 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2015633 type=Limit tracking=src count=1 seconds=300
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
WARNING: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option.
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'ET.TorIP' is set but not ever checked.
WARNING: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
WARNING: flowbits key 'ET.HTTP.at.SSL' is set but not ever checked.
WARNING: flowbits key 'ET.RBN' is set but not ever checked.
WARNING: flowbits key 'ET.pdf.in.http' is set but not ever checked.
WARNING: flowbits key 'ET.DshieldIP' is set but not ever checked.
WARNING: flowbits key 'ET.CompIP' is set but not ever checked.
WARNING: flowbits key 'ET.Evil' is set but not ever checked.
WARNING: flowbits key 'ET.iTunes.vuln' is set but not ever checked.
WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
WARNING: flowbits key 'ET.DROPIP' is set but not ever checked.
91 out of 1024 flowbits in use.

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format : Full-Q
| Finite Automaton : DFA
| Alphabet Size : 256 Chars
| Sizeof State : Variable (1,2,4 bytes)
| Instances : 199
| 1 byte states : 181
| 2 byte states : 18
| 4 byte states : 0
| Characters : 175431
| States : 71727
| Transitions : 3354952
| State Density : 18.3%
| Patterns : 11685
| Match States : 9025
| Memory (MB) : 39.15
| Patterns : 1.23
| Match Lists : 2.83
| DFA
| 1 byte states : 1.16
| 2 byte states : 33.56
| 4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 3337 ]
pfring DAQ configured to passive.
ERROR: Can't initialize DAQ pfring (-1) -
Fatal Error, Quitting..
soadmin@SOserver1:~$
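The two reads Doug made in this thread (a `[ FAIL ]` line in `sostat` output accompanied by a stale-PID warning, and an `ERROR:`/`Fatal Error` pair at the tail of `snortu-1.log`), together with Scott's suggestion of checking the sniffing interface for traffic, can be scripted so the next person does not have to eyeball the output. The following is an added example, not code from the thread or from Security Onion itself: the function names, the sysfs counter path used instead of `tcpdump` (no root required on Linux), and the sample status/log text are all assumptions or constructed input.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project): triage helpers
# for a sensor whose tools show no events. Names, the sysfs path and the sample
# text are assumptions/constructed input, not captured from a real sensor.

# Constructed sample of the sostat section for one sensor interface.
SAMPLE_STATUS='Status: SOserver1-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort-1 (alert data)[ FAIL ]
* stale PID file found, process will be restarted at the next
5-minute interval!
* barnyard2-1 (spooler, unified2 format)[ OK ]'

# Constructed tail of snortu-1.log showing a DAQ initialisation failure.
SAMPLE_SNORT_LOG="91 out of 1024 flowbits in use.
pfring DAQ configured to passive.
ERROR: Can't initialize DAQ pfring (-1) -
Fatal Error, Quitting.."

# Print the name of every process whose status line reads [ FAIL ], one per line.
# Reads sostat output on stdin.
failed_nsm_processes() {
    sed -n 's/^\* \(.*\)\[ FAIL ]$/\1/p'
}

# Succeed (exit 0) when sostat reports a stale PID file, i.e. the process died and
# nothing will retry it until the next 5-minute cron pass. Reads stdin.
has_stale_pid() {
    grep -q 'stale PID file found'
}

# Print the first ERROR:/Fatal Error line of a snort log read on stdin and succeed;
# fail (exit 1) when the log contains neither, so callers can branch on it.
snort_fatal_reason() {
    awk '/^ERROR:|^Fatal Error/ { print; found = 1; exit } END { exit !found }'
}

# Read the received-packet counter of an interface from sysfs (Linux only; no root
# needed, unlike tcpdump). Prints nothing and fails if the interface does not exist.
iface_rx_packets() {
    cat "/sys/class/net/$1/statistics/rx_packets" 2>/dev/null
}

# Decide whether the interface saw traffic between two counter samples.
# Prints "traffic" or "silent" so the result is easy to log or assert on.
traffic_verdict() {
    if [ "$2" -gt "$1" ]; then echo traffic; else echo silent; fi
}

# Sample the counter twice, SECONDS apart, and report (usage: sniff_check eth0 5).
sniff_check() {
    before=$(iface_rx_packets "$1") || { echo "no such interface: $1"; return 2; }
    sleep "$2"
    after=$(iface_rx_packets "$1")
    traffic_verdict "$before" "$after"
}

# Run the whole triage over the constructed samples.
triage() {
    printf '%s\n' "$SAMPLE_STATUS" | failed_nsm_processes | while read -r proc; do
        echo "FAILED: $proc"
    done
    printf '%s\n' "$SAMPLE_STATUS" | has_stale_pid \
        && echo "stale PID file: process is down until cron restarts it"
    reason=$(printf '%s\n' "$SAMPLE_SNORT_LOG" | snort_fatal_reason) \
        && echo "snort died with: $reason"
}

triage
```

On a live sensor the same functions would be fed from `sudo sostat | failed_nsm_processes` and `tail -100 /var/log/nsm/<sensor>-<iface>/snortu-1.log | snort_fatal_reason`; `sniff_check eth0 5` answers the "is it still capturing?" question without starting a packet capture.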

Doug Burks

May 16, 2013, 3:03:53 PM
to securit...@googlegroups.com
Please see the PF_RING notes here:
https://code.google.com/p/security-onion/wiki/Upgrade

Doug

Sid Brown

May 16, 2013, 4:14:25 PM
to securit...@googlegroups.com
Had to do some finagling to get the updates to run but think I got it.


Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
bro standalone localhost running 3654 0 16 May 20:03:35
Status: SOserver1-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]

Doug Burks

May 16, 2013, 4:18:15 PM
to securit...@googlegroups.com
Yep, that looks better!

Could you expand on "finagling to get the updates to run"? Normally,
the steps on the page I linked to work fine. If we need to update
that page, please let us know!

Thanks,
Doug

Ben Wright

May 16, 2013, 4:20:32 PM
to securit...@googlegroups.com
6054 uncategorized events is a large amount of uncategorized events also

Sid Brown

May 16, 2013, 4:43:12 PM
to securit...@googlegroups.com
It looks like some of the Linux system updates had only partially installed. I was getting errors from running the updates per the instructions. I went to the GUI, disabled all SO updates and ran all system updates. When only SO updates were left I went back to your instructions, the errors did not occur and all SO services started. Though barnyard crashed on reboot, so I did one more sudo service nsm restart and so far all is stable.

Sid Brown

May 16, 2013, 4:44:03 PM
to securit...@googlegroups.com
Is there an easy way to get them to categorize?

Heine Lysemose

May 16, 2013, 5:20:15 PM
to securit...@googlegroups.com

Hi

You can categorize these events from the Sguil client. But I want to correct the statement earlier: 6054 isn't a huge amount of uncategorized events. So they should not and didn't cause any of the trouble you saw.

But again, you should definitely categorize the events in Sguil or you get into more trouble. Sguil operates by loading the uncategorized events into memory, and the more uncategorized events you have, the longer sguild takes to load/startup.

You can use the feature called auto-categories to help you prevent this from happening. Please see the Security Onion wiki page.

Thanks,
Lysemose

Ben Wright

May 17, 2013, 7:21:43 AM
to securit...@googlegroups.com

My bad, I thought it was a high number (I’m running older hardware).

Heine Lysemose

May 17, 2013, 7:37:58 AM
to securit...@googlegroups.com
Hi Ben

No worries!
Your thought about having too many uncategorised was spot on!

/Lysemose