Hi Doug,
As regards the issues with sostat-redacted, that is all the output I get (the two error lines shown above).
I have found a further issue - the daily stats have failed with the error "/bin/sh: 1: /usr/bin/sostat: not found"
Thanks,
Dave.
Hi Doug,
I have found the problem with sostat-redacted. I had updated OpenSSH to the latest version (we need this because of our PCI accreditation), but the new sshd_config file contains 2 lines that include the word "Port". This causes a problem with the SSH_PORT variable in sostat-redacted. This can be overcome by changing the line that retrieves SSH_PORT to add a space after the word "Port" ...
SSH_PORT=$(grep "Port " /etc/ssh/sshd_config | awk '{print $2}')
Thanks,
Dave.
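Added example, not code from the thread or from the Security Onion sostat script: a stricter way to read the SSH port out of sshd_config than grep "Port ". The grep-with-trailing-space workaround stops "GatewayPorts no" from matching, but it still matches a commented-out "#Port 22" line that newer OpenSSH configs ship with, so the first hit can be the comment rather than the active directive. Anchoring the match to the start of the line fixes both cases. The sample config below is constructed for the example and the function name is an assumption.

```shell
#!/bin/sh
# Added example (not part of the thread or of sostat): read the active SSH
# port from sshd_config without being confused by comments or by other
# keywords that contain "Port".

# ssh_port_from_config FILE
# Prints the first uncommented "Port" value in FILE, or 22 (sshd's own
# default) if none is set. Only lines that begin with the keyword itself
# match, so "#Port 22" and "GatewayPorts no" are ignored. sshd keywords are
# case-insensitive, hence -i. If several Port lines exist, the first wins.
ssh_port_from_config() {
    port=$(grep -Ei '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" \
           | awk '{print $2; exit}')
    if [ -z "$port" ]; then
        port=22
    fi
    printf '%s\n' "$port"
}

# Constructed sample sshd_config (assumption: a hardened config after an
# OpenSSH upgrade, with a commented default and a GatewayPorts line).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# This is the sshd server system-wide configuration file.
#Port 22
GatewayPorts no
Port 2222
ListenAddress 0.0.0.0
EOF

# The workaround from the thread, grep "Port ", still matches the comment
# line, so the first value it yields is 22 rather than the active 2222.
naive_port=$(grep "Port " "$SAMPLE_CONFIG" | awk '{print $2; exit}')
echo "grep \"Port \" gives: $naive_port"
echo "anchored match gives: $(ssh_port_from_config "$SAMPLE_CONFIG")"
```

Run it on a real system with ssh_port_from_config /etc/ssh/sshd_config; the same regex is a drop-in replacement for the SSH_PORT line in a script like sostat-redacted.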
Hi Doug,
Sorry, it looks like that has been resolved. The /etc/cron.d/sostat script had been updated to refer to /usr/sbin/sostat, but the change hadn't been picked up by cron.
Thanks,
Dave.
Not sure if this is related but getting the following after the update:
I'm having issue with rule-update now:
Running PulledPork.
Error 400 when fetching https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz.md5 at /usr/bin/pulledpork.pl line 534.
Also, snort_alerts starts to fail after a restart with:
/var/log/nsm/sop01-eth2/snortu-20.log
ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/policy-social.so" version 1.0 compiled with dynamic engine library version 2.6 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 3.0.
Fatal Error, Quitting..
Yes I've double checked the oinkcode and also manually was able to download the files.
I do need to use a proxy and after examining the pulledpork.pl script I noticed a -W option for a proxy workaround. I added the -W option to the rule-update PULLEDPORK_OPTIONS and the rule update works now. Is there an alternate place for setting this?
The alert issue appears to be resolved with the successful execution of the rule-update...