Error: Unable to monitor snort stats.


Marcus Ledbetter

May 30, 2018, 4:41:02 PM
to security-onion
I completed an install of Security Onion (first time). The initial install did not have SNORT. I also note the error: Unable to monitor snort stats. I ran sudo so-status in a terminal window and noted fails for Snort (alert Data). The snort_agent gets an OK.

Am I supposed to download Snort and install it separately or did something go wrong with my Security Onion install?

Thanks in advance for any help you can provide.

Wes Lambert

May 31, 2018, 7:29:17 AM
to securit...@googlegroups.com
Marcus,

Please attach the output of sostat-redacted, attaching as a plain text file or using a service like Pastebin.com.

You do not need to download Snort separately.

Try checking the Snort log(s) in /var/log/nsm/hostname-interface/ for clues.

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Marcus Ledbetter

May 31, 2018, 11:36:53 AM
to security-onion
Wes,

I have attached sostat-redacted_31052018.txt. I'll take a look at the logs for clues. Thanks for your help!

-Marc
sostat-redacted_31052018.txt

Wes Lambert

May 31, 2018, 12:48:59 PM
to securit...@googlegroups.com
Marcus,

Is there any reason the time zone would not be in UTC? Did you change this?

=========================================================================
Time Zone
=========================================================================
WARNING! Timezone is NOT set to UTC!
Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TimeZones


Thanks,

Wes


Marcus Ledbetter

May 31, 2018, 1:32:05 PM
to security-onion
I believe I may have. I went back into Ubuntu and changed the time to UTC. I noticed Squert UTC. Is there anywhere else I need to change it?

Thanks!

Marcus Ledbetter

May 31, 2018, 3:47:56 PM
to securit...@googlegroups.com
In addition to setting the time to UTC, I updated the rules and restarted SO, but no joy. I continue to see Snort data fail. I also noted the two errors below. I'm not sure what to do next.

Start-Date: 2018-05-21  15:47:46
Commandline: apt-get install snort
Install: oinkmaster:amd64 (2.0-4, automatic), snort-common:amd64 (X.X.X.X-0ubuntu1, automatic), libdaq2:amd64 (2.0.2-0ubuntu2, automatic), snort-rules-default:amd64 (X.X.X.X-0ubuntu1, automatic), snort:amd64 (X.X.X.X-0ubuntu1), snort-common-libraries:amd64 (X.X.X.X-0ubuntu1, automatic)
Error: Sub-process /usr/bin/dpkg returned an error code (1)
End-Date: 2018-05-21  15:47:52


Running PulledPork.
file /tmp//snortrules-snapshot-2990.tar.gz does not exist!
 at /usr/bin/pulledpork.pl line 2085.


Marcus Ledbetter

Jun 1, 2018, 2:12:18 PM
to security-onion
Reference new sostat-redacted file I created after resetting time to UTC. I reset the time to UTC and have updated SO and rebooted. I am still receiving SNORT errors. However, I no longer see the Time Zone error.

* snort-1 (alert data)[ FAIL ]
* snort-2 (alert data)[ FAIL ]
* snort-3 (alert data)[ FAIL ]
* snort-4 (alert data)[ FAIL ]
* snort-5 (alert data)[ FAIL ]
* snort-6 (alert data)[ FAIL ]
* snort-7 (alert data)[ FAIL ]
* snort-8 (alert data)[ FAIL ]
* snort-9 (alert data)[ FAIL ]
* snort-10 (alert data)[ FAIL ]
* snort-11 (alert data)[ FAIL ]
sostat-redacted_01062018.txt

Wes Lambert

Jun 4, 2018, 8:13:40 AM
to securit...@googlegroups.com
From your sostat output:

LOCAL_NIDS_RULE_TUNING is enabled.
This will cause PulledPork to use the existing rules in /opt/emergingthreats/
instead of downloading new rules from the Internet.
If you want PulledPork to download new rules from the Internet,
set the following in /etc/nsm/securityonion.conf:
LOCAL_NIDS_RULE_TUNING=no


Did you not have internet access when you installed/ran setup? You may want to try the adjustment recommended above, run rule-update, and restart services.

Thanks,
Wes


Marcus Ledbetter

Jun 4, 2018, 11:24:21 AM
to security-onion
Thanks for the help!

When I completed the install, I should have been connected to the Internet unless there was a short outage I was unaware of.

I changed LOCAL_NIDS_RULE_TUNING=no. I ran sudo rule-update and sudo so-restart. Unfortunately, I am still getting Snort (alert-data) fail. The log showed: Sending sguild (sock95efc0) SystemMessage {Error: Unable to monitor snort stats. File /nsm/sensor_data/nwhqonion-eth1/snort-1.stats does not exist

The sostat-redacted log (attached) shows: An error occurred: ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/protocol-scada.so" version 1.0 compiled with dynamic engine library version 3.0 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 2.1.
An error occurred: Fatal Error, Quitting..
sostat-redacted_04jun18.txt
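As an added example (not from this thread or from Security Onion itself), a small offline check that pulls together the three things raised above: the LOCAL_NIDS_RULE_TUNING value in securityonion.conf, the snort-N instances that so-status marks FAIL, and whether each failing instance has the <name>.stats file that the "Unable to monitor snort stats" message refers to. The sample config, status output and sensor directory are constructed in a temp dir so it runs anywhere; the function names are my own, and the /nsm/sensor_data/<hostname-interface>/ layout is taken from Marcus's log line.

```shell
#!/bin/sh
# Added example, not from the thread or from Security Onion itself.
# Offline helper that checks, from copies of the relevant files, the
# three things raised in the thread: LOCAL_NIDS_RULE_TUNING, which
# snort-N instances so-status marks FAIL, and whether each failing
# instance has the <name>.stats file that "Unable to monitor snort
# stats" complains about. On a sensor the real inputs would be
# /etc/nsm/securityonion.conf, saved `sudo so-status` output, and
# /nsm/sensor_data/<hostname-interface>/ (path as quoted in the thread).

# rule_tuning_setting CONF -> value of LOCAL_NIDS_RULE_TUNING, or "unset"
# when the key is absent or commented out (last definition wins).
rule_tuning_setting() {
    val=$(sed -n 's/^[[:space:]]*LOCAL_NIDS_RULE_TUNING=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# failed_snort_instances STATUS -> one name per line for every
# "* snort-N (alert data)[ FAIL ]" line in a saved so-status output.
failed_snort_instances() {
    sed -n 's/^\* \(snort-[0-9][0-9]*\) (alert data).*\[ FAIL \].*/\1/p' "$1"
}

# missing_stats_files STATUS SENSOR_DIR -> failing instances whose
# SENSOR_DIR/<name>.stats is absent, the condition behind the sguild
# "Unable to monitor snort stats" message.
missing_stats_files() {
    failed_snort_instances "$1" | while read -r inst; do
        [ -f "$2/$inst.stats" ] || printf '%s\n' "$inst"
    done
}

# Constructed fixtures so the script runs anywhere (not real sensor data).
demo() {
    d=$(mktemp -d)
    printf 'LOCAL_NIDS_RULE_TUNING=yes\n' > "$d/securityonion.conf"
    printf '* snort-1 (alert data)[ FAIL ]\n* snort-2 (alert data)[  OK  ]\n* snort-3 (alert data)[ FAIL ]\n' > "$d/status.txt"
    mkdir "$d/sensor" && : > "$d/sensor/snort-3.stats"   # only snort-3 writes stats
    echo "LOCAL_NIDS_RULE_TUNING: $(rule_tuning_setting "$d/securityonion.conf") (thread advice: set to no, then rule-update)"
    echo "FAIL instances: $(failed_snort_instances "$d/status.txt" | tr '\n' ' ')"
    echo "Missing .stats: $(missing_stats_files "$d/status.txt" "$d/sensor" | tr '\n' ' ')"
    rm -rf "$d"
}

demo
```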