Pulledpork, rule-update, and several other updates available for Security Onion!


Doug Burks

Jan 4, 2017, 8:25:18 AM1/4/17
to securit...@googlegroups.com

da...@chauntry.com

Jan 6, 2017, 5:09:15 AM1/6/17
to security-onion
Since this update I have encountered a number of problems:

1. OSSEC no longer reports on zero packets being received. This appears to be because sostat-interface is no longer in /usr/bin.

2. All of the sostat-* commands have gone from /usr/bin. Some of them are in /usr/sbin but not all.

3. The "sudo sostat-redacted" command returns 2 error lines, "sed: -e expression #1, char 6: unterminated `s' command" and "sed: -e expression #1, char 7: unterminated `s' command".

Thanks,

Dave.

Doug Burks

Jan 6, 2017, 5:42:24 AM1/6/17
to securit...@googlegroups.com
Hi Dave,

Replies inline.

On Fri, Jan 6, 2017 at 3:36 AM, <da...@chauntry.com> wrote:
> On Wednesday, 4 January 2017 13:25:18 UTC, Doug Burks wrote:
>> http://blog.securityonion.net/2017/01/pulledpork-rule-update-and-several.html
>>
>> --
>> Doug Burks
>
> Since this update I have encountered a number of problems:
>
> 1. OSSEC no longer reports on zero packets being received. This appears to be because sostat-interface is no longer in /usr/bin.

Good catch! I've created the following issue:
https://github.com/Security-Onion-Solutions/security-onion/issues/1056

Look for a package update in the near future that will resolve this
automatically.

> 2. All of the sostat-* commands have gone from /usr/bin.

Yes, per the blog post
(http://blog.securityonion.net/2017/01/pulledpork-rule-update-and-several.html),
this is part of Issue 1042:
https://github.com/Security-Onion-Solutions/security-onion/issues/1042

> Some of them are in /usr/sbin but not all.

Per Issue 1042, the following sostat-* commands should have moved from
/usr/bin/ to /usr/sbin/:
/usr/bin/sostat-interface
/usr/bin/sostat-interface-delta
/usr/bin/sostat-quick
/usr/bin/sostat-redacted

Are you seeing something different?

> 3. The "sudo sostat-redacted" command returns 2 error lines, "sed: -e expression #1, char 6: unterminated `s' command" and "sed: -e expression #1, char 7: unterminated `s' command".

I'm unable to duplicate this. Does it return any other output for
you? If so, can you include it in your reply (may need to manually
redact any remaining sensitive info)?



--
Doug Burks

da...@chauntry.com

Jan 6, 2017, 8:09:54 AM1/6/17
to security-onion

Hi Doug,

As regards the issues with sostat-redacted, that is all the output I get (the two error lines shown above).

I have found a further issue: the daily stats have failed with the error "/bin/sh: 1: /usr/bin/sostat: not found"

Thanks,

Dave.

Doug Burks

Jan 6, 2017, 8:55:59 AM1/6/17
to securit...@googlegroups.com
On Fri, Jan 6, 2017 at 8:09 AM, <da...@chauntry.com> wrote:
> I have found a further issue - the daily stats have failed with the error "/bin/sh: 1: /usr/bin/sostat: not found"

What daily stats are you referring to?


--
Doug Burks

da...@chauntry.com

Jan 6, 2017, 8:56:34 AM1/6/17
to security-onion

Hi Doug,

I have found the problem with sostat-redacted. I had updated OpenSSH to the latest version (we need this because of our PCI accreditation), but the new sshd_config file contains 2 lines that include the word "Port". This causes a problem with the SSH_PORT variable in sostat-redacted. This can be overcome by changing the line that retrieves SSH_PORT to add a space after the word "Port" ...

SSH_PORT=$(grep "Port " /etc/ssh/sshd_config | awk '{print $2}')

Thanks,

Dave.
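Added example, not from the thread or the Security Onion project: a small POSIX shell script with a constructed sshd_config fragment that reproduces the failure mode described above and compares the original extraction, the `grep "Port "` fix, and a stricter awk-based variant. It assumes the two matching lines are `Port 22` and `GatewayPorts no` and that sostat-redacted feeds SSH_PORT into a sed `s///` expression; both are assumptions, since the thread names neither.

```shell
#!/bin/sh
# Constructed sshd_config fragment. Assumption: the two lines containing
# "Port" are "Port 22" and "GatewayPorts no" (the thread does not say which).
SSHD_CONFIG_SAMPLE='# constructed sample, not a real host config
Port 22
GatewayPorts no
PasswordAuthentication no'

# Pre-fix extraction: every line containing "Port" matches, so the result
# is two values ("22" and "no") joined by a newline.
naive_ssh_port() {
  printf '%s\n' "$SSHD_CONFIG_SAMPLE" | grep "Port" | awk '{print $2}'
}

# The fix from the thread: require a trailing space, so "GatewayPorts"
# no longer matches.
thread_fix_ssh_port() {
  printf '%s\n' "$SSHD_CONFIG_SAMPLE" | grep "Port " | awk '{print $2}'
}

# Stricter variant: only a line whose first field is exactly "Port", first
# match wins. Also ignores commented-out "#Port 22" default lines.
strict_ssh_port() {
  printf '%s\n' "$SSHD_CONFIG_SAMPLE" | awk '$1 == "Port" { print $2; exit }'
}

# Mimics the redaction step (assumed to be a sed s/// using SSH_PORT).
# A value containing a newline splits the expression, which is what
# produces "unterminated `s' command". Returns sed's exit status.
redact_port() {
  printf 'sshd listening on port 22\n' | sed "s/$1/REDACTED/" >/dev/null 2>&1
}
```

Running `redact_port "$(naive_ssh_port)"` fails with the same sed error Dave reported, while the other two extractions succeed.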

da...@chauntry.com

Jan 6, 2017, 9:01:08 AM1/6/17
to security-onion

Hi Doug,

Sorry, it looks like that has been resolved. The /etc/cron.d/sostat script had been updated to refer to /usr/sbin/sostat, but the change hadn't been picked up by cron.

Thanks,

Dave.

Doug Burks

Jan 6, 2017, 9:02:10 AM1/6/17
to securit...@googlegroups.com
On Fri, Jan 6, 2017 at 8:56 AM, <da...@chauntry.com> wrote:
> Hi Doug,
>
> I have found the problem with sostat-redacted. I had updated OpenSSH to the latest version (we need this because of our PCI accreditation), but the new sshd_config file contains 2 lines that include the word "Port". This causes a problem with the SSH_PORT variable in sostat-redacted. This can be overcome by changing the line that retrieves SSH_PORT to add a space after the word "Port" ...
>
> SSH_PORT=$(grep "Port " /etc/ssh/sshd_config | awk '{print $2}')

Created Issue 1057 for this:
https://github.com/Security-Onion-Solutions/security-onion/issues/1057

--
Doug Burks

Roy

Jan 6, 2017, 4:07:24 PM1/6/17
to security-onion

Not sure if this is related but getting the following after the update:

I'm having issue with rule-update now:
Running PulledPork.
Error 400 when fetching https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz.md5 at /usr/bin/pulledpork.pl line 534.

Also, snort_alerts starts to fail after a restart with:
/var/log/nsm/sop01-eth2/snortu-20.log
ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/policy-social.so" version 1.0 compiled with dynamic engine library version 2.6 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 3.0.
Fatal Error, Quitting..

Doug Burks

Jan 6, 2017, 4:22:44 PM1/6/17
to securit...@googlegroups.com
Hi Roy,

Have you double-checked your snort.org oinkcode?

If so, please include the full output of "sudo rule-update" in your
reply (redacting sensitive info as necessary).



--
Doug Burks

Roy

Jan 9, 2017, 7:13:14 AM1/9/17
to security-onion
Hi Doug,

Yes, I've double-checked the oinkcode and was also able to download the files manually.

I do need to use a proxy and, after examining the pulledpork.pl script, I noticed a -W option for a proxy workaround. I added the -W option to the rule-update PULLEDPORK_OPTIONS and the rule update works now. Is there an alternate place for setting this?

The alert issue appears to be resolved with the successful execution of the rule-update...

Doug Burks

Jan 9, 2017, 7:17:06 AM1/9/17
to securit...@googlegroups.com
Hi Roy,

Try adding the following to /etc/nsm/securityonion.conf:
PULLEDPORK_OPTIONS="-W"