Aanval shows old Snort events only.
110 views
Skip to first unread message
Sal Ila
Jan 12, 2014, 4:16:18 PM1/12/14
to aan...@googlegroups.com
Hello Team,
My Aanval console doesn't show new Snort events. This is a better description of the environment:
- Red Hat 5.3 with MySQL server, Aanval DB, Snort DB and Barnyard2;
- Aanval "aanval-7-latest-stable.tar". BPU Version: 7.0.700;
- snort-2.9.5.5;
- barnyard2-1.9;
- Snort sensor on eth0 10.X.X.X. Events are logged in /var/log/snort and listed:
1 snort snort 0 Jan 3 10:52 snort.log
1 snort snort 5258 Dec 28 12:31 snort.log.1388229379
1 snort snort 6304 Dec 29 18:18 snort.log.1388235421
1 snort snort 0 Jan 12 15:15 snort.log.1388343157
1 snort snort 4794 Jan 3 00:56 snort.log.1388672358
1 snort snort 0 Jan 3 15:35 snort.log.1388763342
1 snort snort 8668 Jan 10 00:27 snort.log.1388765130
Aanval configuration:
Configuration/Device Management ---> device Snort IP Address ETH0 10.X.X.X
Snort Settings ---------> The Snort Database in the localhost
Sensor Configuration ---------> SMT 12345678901 Last Event 12-29-2013 18:18:10 (NOTE. Last event exactly matches the snort.log.1388235421) User Permission is ON.
Snort Management ----------->
The sensor status check doesn't return anything.
The problem is that Aanval doesn't seem to have control of the sensor during the Sensor Management and therefore it doesn't show events stored in the recent snort.log.XXXXX
Do you have an idea what the problem might be?
Thanks.
Regards
Sal
My Aanval console doesn't show new Snort events. This is a better description of the environment:
- Red Hat 5.3 with MySQL server, Aanval DB, Snort DB and Barnyard2;
- Aanval "aanval-7-latest-stable.tar". BPU Version: 7.0.700;
- snort-2.9.5.5;
- barnyard2-1.9;
- Snort sensor on eth0 10.X.X.X. Events are logged in /var/log/snort and listed:
1 snort snort 0 Jan 3 10:52 snort.log
1 snort snort 5258 Dec 28 12:31 snort.log.1388229379
1 snort snort 6304 Dec 29 18:18 snort.log.1388235421
1 snort snort 0 Jan 12 15:15 snort.log.1388343157
1 snort snort 4794 Jan 3 00:56 snort.log.1388672358
1 snort snort 0 Jan 3 15:35 snort.log.1388763342
1 snort snort 8668 Jan 10 00:27 snort.log.1388765130
Aanval configuration:
Configuration/Device Management ---> device Snort IP Address ETH0 10.X.X.X
Snort Settings ---------> The Snort Database in the localhost
Sensor Configuration ---------> SMT 12345678901 Last Event 12-29-2013 18:18:10 (NOTE. Last event exactly matches the snort.log.1388235421) User Permission is ON.
Snort Management ----------->
| Last SMT Status Check | 01-01-1970 00:00:00 (1389561075 seconds ago) |
| Last SMT Heartbeat | 01-01-1970 00:00:00 (1389561075 seconds ago) |
| SMT Heartbeat Count | 0 |
The sensor status check doesn't return anything.
The problem is that Aanval doesn't seem to have control of the sensor during the Sensor Management and therefore it doesn't show events stored in the recent snort.log.XXXXX
Do you have an idea what the problem might be?
Thanks.
Regards
Sal
Sal Ila
Jan 12, 2014, 4:35:39 PM1/12/14
to aan...@googlegroups.com
I forgot to add few errors in the Aanval log:
Jan 12 21:30:23 [ERROR] [XXX.XXX.XXX.XXX] [user01 : 1] MySQL Query Error: Table 'aanval.idsDataStore_1001_Master' doesn't exist
| Jan 12 21:30:33 [ERROR] XXX.XXX.XXX.XXX] [user01 : 1] MySQL Query Error: Table 'aanval.idsDataStore_1001_Master' doesn't exist |
| Jan 12 21:30:33 [ERROR] [XXX.XXX.XXX.XXX] [ : ] MySQL Query Error: Table 'aanval.idsDataStore_1001_Master' doesn't exist |
| Jan 12 21:30:31 [ERROR] [] [ : ] MySQL Query Error: Table 'aanval.idsDataStore_1001_Master' doesn't exist |
| Jan 12 21:30:31 [ERROR] [] [ : ] MySQL Query Error: Table 'aanval.idsDataStore_1001_Master' doesn't exist |
| Jan 12 21:30:27 [ERROR] [] [BPU Core : 0] Scan results returned invalid data |
| Jan 12 21:30:27 [ERROR] [] [BPU Core : 0] Scan results returned invalid data |
SuperheroSmith
Jan 12, 2014, 5:24:12 PM1/12/14
to aan...@googlegroups.com
Has your console shown Snort events in the past? The first places to look would be Console Configuration > Snort Module > Sensor Configuration and ensure the sensor is Enabled and the User Permissions checked; otherwise, with an active sensor you can't see events.
A second place to check is Snort itself. Looks like the snort.logs stopped on the 10th. I would check to ensure Snort is running. First check it in the foreground and look for any possible errors. Once satisfied, run it in daemon mode.
The sensor status check won't return anything if the Sensor Management Tools are not installed on the sensor, running, and the Sensor Management Tool ID (SMT ID) entered on the console under Sensor Configuration. The SMTs are not required for Aanval to run, but they do add great functionality (ability to modify snort.conf and signatures, especially, on a manual and an automated basis). I would recommend referencing the following article to get the SMTs installed, configured, and running: http://wiki.aanval.com/wiki/Aanval:Sensor_Management_Tool
Regarding the most recent post and the errors found, "MySQL Query Error: Table 'aanval.idsDataStore_1001_Master' doesn't exist," I would check to ensure those tables exist and are not corrupt. Aanval starts writing logs on datastore 1000. 1001 would be the first datastore rotation, and there may be an error if those tables are corrupt or missing. Also, a quick check you can make from the console itself is to navigate to Console Configuration > Console > Maintenance > Repair Datastore Listing.
Sal Ila
Jan 13, 2014, 10:15:39 AM1/13/14
to aan...@googlegroups.com
Hello,
thanks for your help. Please read in line my answers.
thanks for your help. Please read in line my answers.
Has your console shown Snort events in the past?
Yes
First place to look Condole Configuration ........
The sensor is is Enabled and User Permissions checked.
First place to look Condole Configuration ........
The sensor is is Enabled and User Permissions checked.
I would check to ensure Snort is running
Snort is running. ps -ef | grep snort
snort 21980 1 0 Jan03 ? 00:00:05 snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
Sensor management tool not installed ......
Installed!
[root@localhost smt]# php smt.php
Aanval - Sensor Management Tools - v.5.0
---
* Logging disabled
* Connection URL: http://localhost/aanval//console/ws/smt_sensor.php?op=pub_checkMessages&id=12345678901
* Sensor Management ID: 12345678901 (must match sensor settings in console)
---
SMT: Message from console: [SNORTSTATUS] (0 is okay)
SMT: Snort Process Found
---
Success => SMT's appear to be functioning properly.
snort 21980 1 0 Jan03 ? 00:00:05 snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
Sensor management tool not installed ......
Installed!
[root@localhost smt]# php smt.php
Aanval - Sensor Management Tools - v.5.0
---
* Logging disabled
* Connection URL: http://localhost/aanval//console/ws/smt_sensor.php?op=pub_checkMessages&id=12345678901
* Sensor Management ID: 12345678901 (must match sensor settings in console)
---
SMT: Message from console: [SNORTSTATUS] (0 is okay)
SMT: Snort Process Found
---
Success => SMT's appear to be functioning properly.
Regarding the most recent post and the errors found, "MySQL Query Error: Table 'aanval.idsDataStore_1001_
Master' doesn't exist,"......
This is the area where I suspect the problem originates. I see many errors in the log:
Jan 13 14:42:15 [ERROR] [] [BPU Core : 0] Scan results returned invalid data
However, there is no Data_Store_1002_Master but a Primary Datastore 1000 with 11,518 events in data store. I may have tried to rotate a database but I deleted it with the Configuration/Data Management/Delete Database. Maintenance and Repair Datastore listing doesn't seem to have any effect.
Thanks.
Regards
Sal
This is the area where I suspect the problem originates. I see many errors in the log:
| Jan 13 14:42:04 [ERROR] [] [BPU Core : 0] Scan results returned invalid data |
| Jan 13 14:42:10 [ERROR] [] [ : ] MySQL Query Error: Table 'aanval.idsDataStore_1002_Master' doesn't exist |
| Jan 13 14:42:10 [ERROR] [] [BPU Core : 0] Scan results returned invalid data |
| Jan 13 14:42:10 [ERROR] [] [BPU Core : 0] Scan results returned invalid data |
| Jan 13 14:42:15 [ERROR] [] [BPU Core : 0] Scan results returned invalid data |
However, there is no Data_Store_1002_Master but a Primary Datastore 1000 with 11,518 events in data store. I may have tried to rotate a database but I deleted it with the Configuration/Data Management/Delete Database. Maintenance and Repair Datastore listing doesn't seem to have any effect.
Thanks.
Regards
Sal
SuperheroSmith
Jan 13, 2014, 11:55:27 AM1/13/14
to aan...@googlegroups.com
Thank you for those details. Looks like Aanval attempted to rotate/create a new datastore based off a datastore that was deleted. We can fix that. Please contact Tactical FLEX, Inc. directly: support.group [at] tacticalflex [dot] com.
Reply all
Reply to author
Forward
0 new messages