I have multiple sensors up and running in production mode, and after the first few days they all stopped picking up events in Snorby. This was followed by the following error.
Status: securityonion
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent (sguil) [ OK ]
* suricata (alert data) [ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* barnyard2 (spooler, unified2 format) [ OK ]
* prads (sessions/assets) [ OK ]
* sancp_agent (sguil) [ OK ]
* pads_agent (sguil) [ OK ]
* argus [ OK ]
* http_agent (sguil) [ OK ]
I restarted the sensor and Suricata starts working for about 5-10 minutes; however, I do not receive any events from the majority of our sensors.
Any ideas?
Thanks,
--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr 00:50:56:80:01:0a
inet6 addr: fe80::250:56ff:fe80:10a/64 Scope:Link
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:450683131 errors:0 dropped:3644 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:388591593374 (388.5 GB) TX bytes:210 (210.0 B)
eth1 Link encap:Ethernet HWaddr 00:50:56:80:01:ce
inet addr:10.*.1.1* Bcast:10.168.1.255 Mask:255.255.254.0
inet6 addr: fe80::250:56ff:fe80:1ce/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4177403 errors:0 dropped:1953 overruns:0 frame:0
TX packets:47241 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:326608760 (326.6 MB) TX bytes:9214406 (9.2 MB)
eth2 Link encap:Ethernet HWaddr 00:50:56:80:01:e9
inet addr:10.168.101.178 Bcast:10.168.101.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe80:1e9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:53497181 errors:0 dropped:0 overruns:0 frame:0
TX packets:100325931 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4437532499 (4.4 GB) TX bytes:150819959711 (150.8 GB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:377273 errors:0 dropped:0 overruns:0 frame:0
TX packets:377273 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:996548063 (996.5 MB) TX bytes:996548063 (996.5 MB)
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 54G 22G 30G 43% /
udev 2.9G 4.0K 2.9G 1% /dev
tmpfs 1.2G 324K 1.2G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 2.9G 0 2.9G 0% /run/shm
10.168.101.94:/vol/dc1_06a_nfs_snorby_01_sas_0h_nh_nd_a/snorby10 3.0T 2.4T 633G 80% /nsm
=========================================================================
Network Sockets
=========================================================================
=========================================================================
IDS Rules Update
=========================================================================
Tue Jul 2 07:01:01 UTC 2013
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 5 minutes to allow master time to download new rules.
Copying rules from 10.168.1.166.
Restarting Barnyard2.
Restarting: snorby10-eth0
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
=========================================================================
CPU Usage
=========================================================================
top - 21:40:18 up 22:43, 2 users, load average: 3.63, 3.41, 4.07
Tasks: 169 total, 3 running, 165 sleeping, 0 stopped, 1 zombie
Cpu(s): 71.9%us, 5.2%sy, 6.5%ni, 11.9%id, 0.1%wa, 0.0%hi, 4.5%si, 0.0%st
Mem: 6064708k total, 5708060k used, 356648k free, 49880k buffers
Swap: 6239228k total, 2540k used, 6236688k free, 4431316k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7594 root 20 0 69920 16m 2348 R 73 0.3 0:00.40 perl
7031 root 20 0 184m 119m 3508 R 42 2.0 0:06.05 Suricata-Main
8765 root 20 0 179m 24m 5740 S 27 0.4 302:56.84 Xorg
29631 root 20 0 299m 117m 74m S 10 2.0 3:41.96 bro
29632 root 20 0 298m 115m 74m S 10 2.0 3:30.32 bro
29570 root 25 5 66984 18m 948 S 8 0.3 2:09.64 bro
30010 sguil 20 0 29216 10m 3752 S 8 0.2 2:19.08 prads
6162 selemunw 30 10 32064 1824 1456 S 4 0.0 0:04.10 fuzzyflakes
29679 root 25 5 127m 82m 64m S 4 1.4 1:13.93 bro
29532 root 25 5 137m 18m 944 S 2 0.3 2:02.13 bro
29563 root 20 0 279m 24m 3984 S 2 0.4 0:34.96 bro
29674 root 25 5 127m 82m 64m S 2 1.4 1:15.84 bro
29724 sguil 20 0 281m 255m 239m S 2 4.3 0:33.47 netsniff-ng
30148 sguil 20 0 111m 12m 1140 S 2 0.2 0:57.51 argus
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/snorby10-eth0/dailylogs/
561G .
28K ./2013-06-26
158G ./2013-06-27
126G ./2013-06-28
66G ./2013-06-29
27G ./2013-06-30
65G ./2013-07-01
122G ./2013-07-02
/nsm/bro/logs/
88M .
424K ./2013-06-26
1.2M ./2013-06-27
1.2M ./2013-06-28
116K ./2013-06-29
3.9M ./2013-07-01
78M ./2013-07-02
2.9M ./stats
=========================================================================
IDS Engine (suricata) packet drops
=========================================================================
/nsm/sensor_data/snorby10-eth0/stats.log
tcp.ssn_memcap_drop | RxPFReth02 | 0
tcp.segment_memcap_drop | RxPFReth02 | 0
=========================================================================
pf_ring stats
=========================================================================
Appl. Name : <unknown>
Tot Packets : 3657855
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : <unknown>
Tot Packets : 2936699
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
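One way to turn the sostat / nsm_sensor_ps-status text above into something a monitoring job can act on, as an added example that is not Security Onion's code or the poster's: it parses the service status lines, attaches the detail line that follows a FAIL or WARN entry (such as the stale PID file message) to that service, pulls the RX dropped counters out of the Interface Status block, and reports anything not OK. The SAMPLE and STOP_SAMPLE texts are constructed to mirror the format shown in the post; the interface addresses and counters in them are illustrative.

```python
"""Parse Security Onion sostat / nsm_sensor_ps-status output and flag problems.

Added example for this thread, not Security Onion's own code.  The sample
texts below are constructed to mirror the post's output format.
"""
import re
from dataclasses import dataclass, field

# "* suricata (alert data) [ FAIL ]", optionally prefixed with "starting:" / "stopping:"
STATUS_RE = re.compile(
    r"^\*\s+(?:(?:starting|stopping):\s+)?(?P<name>[^\[]+?)\s+\[\s*(?P<state>OK|FAIL|WARN)\s*\]$"
)
# Detail lines that follow a non-OK service, e.g.
# "* stale PID file found, process will be restarted ..." or "- stale PID file found, deleting!"
NOTE_RE = re.compile(r"^[*-]\s+(?P<note>.+)$")
IFACE_RE = re.compile(r"^(?P<iface>[A-Za-z0-9_.:-]+)\s+Link encap:")
RX_RE = re.compile(r"^RX packets:(?P<pkts>\d+) errors:(?P<err>\d+) dropped:(?P<drop>\d+)")

# Constructed sample in the format of the post (not the poster's real output).
SAMPLE = """\
Status: securityonion
  * netsniff-ng (full packet data)                 [  OK  ]
  * pcap_agent (sguil)                             [  OK  ]
  * suricata (alert data)                          [ FAIL ]
    * stale PID file found, process will be restarted at the next 5-minute interval!
  * barnyard2 (spooler, unified2 format)           [  OK  ]
=========================================================================
Interface Status
=========================================================================
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:450683131 errors:0 dropped:3644 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          RX packets:4177403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47241 errors:0 dropped:0 overruns:0 carrier:0
"""

# Constructed sample of the "stopping:" form seen during the pf_ring reinstall.
STOP_SAMPLE = """\
Stopping: snorby10-eth0
  * stopping: snort_agent (sguil)                  [  OK  ]
  * stopping: suricata (alert data) (not running)  [ WARN ]
      - stale PID file found, deleting!
  * stopping: barnyard2 (spooler, unified2 format) [  OK  ]
"""


@dataclass
class Service:
    group: str      # the "Status:/Starting:/Stopping: <sensor>" block the line belongs to
    name: str
    state: str      # OK, FAIL or WARN
    notes: list = field(default_factory=list)


def parse_status(text):
    """Return every service line in the order seen, with detail lines attached."""
    services, group = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.split(":", 1)[0] in ("Status", "Starting", "Stopping"):
            group = line.split(":", 1)[1].strip()
            continue
        m = STATUS_RE.match(line)
        if m:
            services.append(Service(group, m.group("name").strip(), m.group("state")))
            continue
        m = NOTE_RE.match(line)
        # Detail lines only ever follow a non-OK service; ignore stray bullets elsewhere.
        if m and services and services[-1].state != "OK":
            services[-1].notes.append(m.group("note").strip())
    return services


def parse_interfaces(text):
    """Map interface name -> RX counters from the ifconfig-style Interface Status block."""
    counters, iface = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface = m.group("iface")
            continue
        m = RX_RE.match(line)
        if m and iface:
            counters[iface] = {"packets": int(m.group("pkts")),
                               "errors": int(m.group("err")),
                               "dropped": int(m.group("drop"))}
            iface = None  # one RX line per interface block
    return counters


def findings(text):
    """Summarise what an operator should look at: non-OK services and interfaces dropping packets."""
    result = {"services": {}, "rx_drops": {}}
    for svc in parse_status(text):
        if svc.state != "OK":
            result["services"][svc.name] = {"group": svc.group, "state": svc.state, "notes": svc.notes}
    for iface, c in parse_interfaces(text).items():
        if c["dropped"]:
            # The drop ratio on the sniffing (PROMISC) interface is the number to watch on a sensor.
            result["rx_drops"][iface] = {"dropped": c["dropped"],
                                         "ratio": round(c["dropped"] / c["packets"], 6)}
    return result


if __name__ == "__main__":
    print(findings(SAMPLE))
    print(findings(STOP_SAMPLE))
```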
I followed the directions to rebuild the pf_ring on two of my sensors and Suricata (alert data) is still failing.
sw@snorby08:~$ sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot
[sudo] password for sw:
Fetched 3,274 kB in 1min 18s (42.0 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
curl libcurl3 libcurl3-gnutls
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 600 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libcurl3-gnutls amd64 7.22.0-3ubuntu4.2 [227 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libcurl3 amd64 7.22.0-3ubuntu4.2 [236 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main curl amd64 7.22.0-3ubuntu4.2 [137 kB]
Fetched 600 kB in 1s (514 kB/s)
(Reading database ... 233358 files and directories currently installed.)
Preparing to replace libcurl3-gnutls 7.22.0-3ubuntu4.1 (using .../libcurl3-gnutls_7.22.0-3ubuntu4.2_amd64.deb) ...
Unpacking replacement libcurl3-gnutls ...
Preparing to replace libcurl3 7.22.0-3ubuntu4.1 (using .../libcurl3_7.22.0-3ubuntu4.2_amd64.deb) ...
Unpacking replacement libcurl3 ...
Preparing to replace curl 7.22.0-3ubuntu4.1 (using .../curl_7.22.0-3ubuntu4.2_amd64.deb) ...
Unpacking replacement curl ...
Processing triggers for man-db ...
Setting up libcurl3-gnutls (7.22.0-3ubuntu4.2) ...
Setting up libcurl3 (7.22.0-3ubuntu4.2) ...
Setting up curl (7.22.0-3ubuntu4.2) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
sw@snorby08:~$
Broadcast message from sw@snorby08
(/dev/pts/0) at 21:50 ...
The system is going down for reboot NOW!
login as: sw
s...@10.168.*.*'s password:
Access denied
s...@10.168.*.*'s password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-34-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information disabled due to load higher than 2.0
0 packages can be updated.
0 updates are security updates.
Last login: Mon Jul 1 21:15:24 2013 from sead504727.perkinscoie.root.loc
sw@snorby08:~$ lsmod | grep pf_ring
pf_ring 422008 4
sw@snorby08:~$ sudo nsm_sensor_ps-status
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager 10.*.1.* running 4076 3 02 Jul 21:52:02
proxy proxy 10.*.1.* running 4292 3 02 Jul 21:52:08
snorby08-eth0-1 worker 10.*.1.* running 4601 2 02 Jul 21:52:10
snorby08-eth0-2 worker 10..1.167 running 4602 2 02 Jul 21:52:10
Status: dc1svpsnorby08-eth0
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent (sguil) [ OK ]
* suricata (alert data) [ OK ]
* barnyard2 (spooler, unified2 format) [ OK ]
* prads (sessions/assets) [ OK ]
* sancp_agent (sguil) [ OK ]
* pads_agent (sguil) [ OK ]
* argus [ OK ]
* http_agent (sguil) [ OK ]
sw@dc1svpsnorby08:~$ sudo nsm_sensor_ps-status
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager 10..1.1 running 4076 3 02 Jul 21:52:02
proxy proxy 10..1.1 running 4292 3 02 Jul 21:52:08
snorby08-eth0-1 worker 10..1.1 running 4601 2 02 Jul 21:52:10
snorby08-eth0-2 worker 10..1.1 running 4602 2 02 Jul 21:52:10
Status: snorby08-eth0
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent (sguil) [ OK ]
* suricata (alert data) [ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
sudo apt-get install --reinstall securityonion-pfring-module
sw@snorby10:~$ sudo apt-get install --reinstall securityonion-pfring-module
[sudo] password for sw:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-headers-3.5.0-28-generic linux-headers-3.5.0-23-generic linux-headers-3.5.0-23
linux-headers-3.5.0-28
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/83.7 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 228188 files and directories currently installed.)
Preparing to replace securityonion-pfring-module 20121107-0ubuntu0securityonion9 (using .../securityonion-pfring-module_20121107-0ubuntu0securityonion9_all.deb) ...
Stopping: HIDS
* stopping: ossec_agent (sguil) [ OK ]
Stopping: Bro
stopping snorby10-eth0-1 ...
stopping snorby10-eth0-2 ...
stopping proxy ...
stopping manager ...
Stopping: snorby10-eth0
* stopping: netsniff-ng (full packet data) [ OK ]
* stopping: pcap_agent (sguil) [ OK ]
* stopping: snort_agent (sguil) [ OK ]
* stopping: suricata (alert data) (not running) [ WARN ]
- stale PID file found, deleting!
* stopping: barnyard2 (spooler, unified2 format) [ OK ]
* stopping: prads (sessions/assets) [ OK ]
* stopping: sancp_agent (sguil) [ OK ]
* stopping: pads_agent (sguil) [ OK ]
* stopping: argus [ OK ]
* stopping: http_agent (sguil) [ OK ]
Waiting 5 seconds for processes to terminate gracefully.....
Killing any remaining processes using pf_ring.
Removing pf_ring from /etc/modules...done.
Removing pf_ring from running kernel...done.
Removing pf_ring from DKMS...done.
Unpacking replacement securityonion-pfring-module ...
Setting up securityonion-pfring-module (20121107-0ubuntu0securityonion9) ...
Creating symlink /var/lib/dkms/pf_ring/5/source ->
/usr/src/pf_ring-5
DKMS: add completed.
Kernel preparation unnecessary for this kernel. Skipping...
Building module:
cleaning build area....
make KERNELRELEASE=3.5.0-34-generic -C /lib/modules/3.5.0-34-generic/build M=/var/lib/dkms/pf_ring/5/build........
cleaning build area....
DKMS: build completed.
pf_ring:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/3.5.0-34-generic/updates/dkms/
depmod....
DKMS: install completed.
Starting: HIDS
* starting: ossec_agent (sguil) [ OK ]
Starting: Bro
starting manager ...
starting proxy ...
starting psnorby10-eth0-1 ...
starting psnorby10-eth0-2 ...
Starting: psnorby10-eth0
* starting: netsniff-ng (full packet data) [ OK ]
* starting: pcap_agent (sguil) [ OK ]
* starting: snort_agent (sguil) [ OK ]
* starting: suricata (alert data) [ OK ]
* starting: barnyard2 (spooler, unified2 format) [ OK ]
* starting: prads (sessions/assets) [ OK ]
* starting: pads_agent (sguil) [ OK ]
* starting: sancp_agent (sguil) [ OK ]
* starting: argus [ OK ]
* starting: http_agent (sguil) [ OK ]
* disk space currently at 82%
* disk space is approaching critical levels [ WARN ]
sw@snorby10:~$ sudo nsm_sensor_ps-status
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager 10.168.1.174 running 15603 3 02 Jul 23:28:28
proxy proxy 10.168.1.174 running 15658 3 02 Jul 23:28:30
snorby10-eth0-1 worker 10.168.1.174 running 15724 2 02 Jul 23:28:32
snorby10-eth0-2 worker 10.168.1.174 running 15723 2 02 Jul 23:28:32
Status: snorby10-eth0
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent (sguil) [ OK ]
* suricata (alert data) [ OK ]
* barnyard2 (spooler, unified2 format) [ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* prads (sessions/assets) [ OK ]
* sancp_agent (sguil) [ OK ]
* pads_agent (sguil) [ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* argus [ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* http_agent (sguil) [ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
sw@dc1svpsnorby10:~$ sudo nsm_sensor_ps-restart
Restarting: HIDS
* stopping: ossec_agent (sguil) [ OK ]
* starting: ossec_agent (sguil) [ OK ]
Restarting: Bro
stopping dc1svpsnorby10-eth0-1 ...
stopping dc1svpsnorby10-eth0-2 ...
stopping proxy ...
stopping manager ...
starting manager ...
starting proxy ...
starting dc1svpsnorby10-eth0-1 ...
starting dc1svpsnorby10-eth0-2 ...
Restarting: dc1svpsnorby10-eth0
* restarting with overlap: netsniff-ng (full packet data)
* starting: netsniff-ng (full packet data) [ OK ]
- stopping old process: netsniff-ng (full packet data) [ OK ]
* stopping: pcap_agent (sguil) [ OK ]
* starting: pcap_agent (sguil) [ OK ]
* stopping: snort_agent (sguil) [ OK ]
* starting: snort_agent (sguil) [ OK ]
* stopping: suricata (alert data) [ OK ]
* starting: suricata (alert data) [ OK ]
* stopping: barnyard2 (spooler, unified2 format) [ OK ]
* starting: barnyard2 (spooler, unified2 format) [ OK ]
* stopping: prads (sessions/assets) [ OK ]
* starting: prads (sessions/assets) [ OK ]
* stopping: pads_agent (sguil) [ OK ]
* starting: pads_agent (sguil) [ OK ]
* stopping: sancp_agent (sguil) [ OK ]
* starting: sancp_agent (sguil) [ OK ]
* stopping: argus [ OK ]
* starting: argus [ OK ]
* stopping: http_agent (sguil) [ OK ]
* starting: http_agent (sguil) [ OK ]
What else should I provide to help us get a better understanding of what's going wrong? Thanks.
Hi Solomon,
From the posted log file there is this error:
"Variable "FILE_DATA_PORTS" is not defined in configuration file"
It seems that you have not defined it in the suricata.yaml.
However, I don't think this should be the cause of the trouble.
Have you tried to start suricata in non-daemon mode to see if there are any problems when it stops after 5-10 min (as you mentioned in your first post)?
Could it be that you are running out of memory, due to insufficient memory or memory settings in suricata.yaml that are not tuned enough?
I see that you have only 350M free RAM out of 6 GB -
"Mem: 6064708k total, 5708060k used, 356648k free"
Thanks
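The reply above points at a rule variable that suricata.yaml does not define. As an added example that is not part of this thread, the script below (POSIX sh, the shell the sensor commands in this thread are typed into) lists every $VARIABLE the rules reference that suricata.yaml does not define under vars:, then inserts a FILE_DATA_PORTS port group and shows the warning go away. The YAML excerpt, the rules file, the sensor name snorby10-eth0 and the /etc/nsm path are constructed or assumed for illustration; the value [$HTTP_PORTS,110,143] is the definition Snort's portvar and later stock suricata.yaml files use.

```shell
#!/bin/sh
# Added example, not from the thread: find rule variables that suricata.yaml
# does not define (what "Variable FILE_DATA_PORTS is not defined in
# configuration file" reports), then add the missing port group. The YAML,
# the rules and every path below are constructed for illustration.
set -eu
export LC_ALL=C   # sort and comm must agree on collation

# Variable names a rules file references as $NAME, de-duplicated.
rule_vars() {
    grep -o '\$[A-Z][A-Z0-9_]*' "$1" | tr -d '$' | sort -u
}

# Names defined under the top-level "vars:" key of suricata.yaml
# (address-groups and port-groups both live there; commented lines are skipped).
yaml_vars() {
    awk '
        /^vars:/                         { invars = 1; next }
        invars && /^[^ #]/               { invars = 0 }
        invars && /^ +[A-Z][A-Z0-9_]*:/  { sub(/^ +/, ""); sub(/:.*/, ""); print }
    ' "$1" | sort -u
}

# Every variable the rules use that the YAML does not define, one per line.
undefined_vars() {
    used=$(mktemp); defined=$(mktemp)
    rule_vars "$2" > "$used"
    yaml_vars "$1" > "$defined"
    comm -23 "$used" "$defined"
    rm -f "$used" "$defined"
}

# Insert NAME: "VALUE" directly under "  port-groups:" (stock two-space indent).
# Demonstration only: on a real sensor edit the file by hand and keep a backup.
define_port_group() {
    tmp=$(mktemp)
    awk -v name="$2" -v value="$3" '
        { print }
        /^  port-groups:/ { printf "    %s: \"%s\"\n", name, value }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed suricata.yaml excerpt: no FILE_DATA_PORTS in port-groups.
cat > "$WORK/suricata.yaml" <<'EOF'
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
default-log-dir: /nsm/sensor_data/snorby10-eth0/
EOF

# Constructed rules in the style of the ET ruleset; the first needs $FILE_DATA_PORTS.
cat > "$WORK/local.rules" <<'EOF'
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"constructed file-data rule"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed http rule"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"constructed shellcode rule"; sid:9000003; rev:1;)
EOF

BEFORE_FIX=$(undefined_vars "$WORK/suricata.yaml" "$WORK/local.rules")
echo "undefined before fix: ${BEFORE_FIX:-none}"

# HTTP plus POP3 and IMAP, the same set Snort's portvar FILE_DATA_PORTS uses.
define_port_group "$WORK/suricata.yaml" FILE_DATA_PORTS '[$HTTP_PORTS,110,143]'

AFTER_FIX=$(undefined_vars "$WORK/suricata.yaml" "$WORK/local.rules")
echo "undefined after fix:  ${AFTER_FIX:-none}"

# With every variable defined, run Suricata in the foreground (no -D) so the
# reason it dies lands on the terminal, as suggested above. Sensor name,
# config path and interface are assumptions:
#   sudo suricata -c /etc/nsm/snorby10-eth0/suricata.yaml --pfring-int=eth0 -v
```

On a Security Onion sensor, point the two functions at the sensor's own suricata.yaml and the merged rules file Suricata actually loads (the rule-files entries in that YAML), since a variable defined in one sensor's config but not another's explains why only some sensors fail.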
We actually have 3T of memory, that's why I was so confused! But I checked my suricata.yaml config file and I do not have FILE_DATA_PORTS configured. Thank you for pointing that out, I think I checked the wrong config file before. Can you tell me how to configure FILE_DATA_PORTS in suricata? Thank you!
When I mentioned the 3TB, I meant the size of our disk space. Also, I have configured all the FILE_DATA_PORTS on our sensors and Suricata is still failing. After stopping the service and running it without daemon, I am still receiving the same log data in suricata and stats.
I am sure I installed everything correctly, I am just confused as to why suricata seems to continuously fail.
Even after I reinstall and re-image the whole VM environment, Suricata still fails me. What could be causing this?