snort agent sid in sguil


Brian Kellogg

Jan 12, 2015, 3:22:35 PM1/12/15
to securit...@googlegroups.com
I backed off on the number of snort processes running on a sensor (from 4 to 2), but I cannot remove the sids from the sguil DB. I restarted all of the sensor processes via "sudo nsm_sensor_ps-restart".

sudo nsm_server_ps-stop
mysql -uroot -Dsecurityonion_db
SELECT sid,hostname FROM sensor WHERE agent_type = 'snort';
DELETE FROM sensor WHERE sid IN (<a sid>,<another sid>);
sudo nsm_server_ps-start

Open up the Sguil client and I see the sids are re-created; there are two new sids for the two old snort agents.

If I restart the procs on the sensor I only see two snort entries being stopped and started.

What am I missing?

Doug Burks

Jan 12, 2015, 3:31:13 PM1/12/15
to securit...@googlegroups.com
Hi Brian,

Instead of deleting the sensor, simply set the "active" field to N:
http://blog.inliniac.net/2007/11/14/deactivating-a-group-of-sensors-in-sguil-070-cvs/

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Brian Kellogg

Jan 12, 2015, 4:07:40 PM1/12/15
to securit...@googlegroups.com
Thanks Doug,

Unfortunately that didn't work. I tried just deactivating via the hostname and not the net_name, as I assume the latter will set the ones that are still active as inactive. I did restart the Sguil server.

Doug Burks

Jan 12, 2015, 4:12:08 PM1/12/15
to securit...@googlegroups.com
When you decreased the number of snort processes from 4 to 2, did you
follow the instructions here?
https://code.google.com/p/security-onion/wiki/PF_RING#Snort/Suricata

Specifically, did you run nsm_sensor_ps-stop before modifying
sensor.conf? If not, then the old agents are still running. You can
either find their processes and kill them manually or just reboot the
box.

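The fix Doug describes is to find the snort instances that are still running beyond what sensor.conf now allows and kill them (or reboot). The script below is an added example, not code from the thread or from Security Onion itself: it takes the new instance count and a process listing and prints the PIDs of the surplus instances. The process listing is constructed sample data, and it assumes each instance carries its zero-based instance number as the "-G <n>" argument on its command line; confirm that against `ps -ef | grep snort` on your own sensor before trusting the output.

```shell
#!/bin/sh
# Added example (not from the thread): report snort instances that survived a
# reduction of IDS_LB_PROCS in sensor.conf without an nsm_sensor_ps-stop first.
#
# Assumption: every instance's command line carries "-G <n>" with n being the
# zero-based instance number (constructed sample below). Adjust the awk field
# test if your sensor's command lines differ.

# Constructed sample of `ps -o pid=,args= -C snort`: four instances are still
# running although sensor.conf was reduced to IDS_LB_PROCS=2.
SAMPLE_PS='1201 snort -c /etc/nsm/sensor-eth1/snort.conf -i eth1 --daq pfring -G 0
1202 snort -c /etc/nsm/sensor-eth1/snort.conf -i eth1 --daq pfring -G 1
1203 snort -c /etc/nsm/sensor-eth1/snort.conf -i eth1 --daq pfring -G 2
1204 snort -c /etc/nsm/sensor-eth1/snort.conf -i eth1 --daq pfring -G 3'

# stale_snort_pids <allowed_count> <ps_listing>
# Prints one PID per line for each snort instance whose -G value is >= allowed_count,
# i.e. an instance number that no longer exists in the reduced configuration.
stale_snort_pids() {
    allowed="$1"
    printf '%s\n' "$2" | awk -v max="$allowed" '
        $2 ~ /(^|\/)snort$/ {
            for (i = 3; i <= NF; i++)
                if ($i == "-G" && (i + 1) <= NF && ($(i + 1) + 0) >= max)
                    print $1
        }'
}

# Review the list first; then kill the leftovers, e.g.:
#   stale_snort_pids 2 "$(ps -o pid=,args= -C snort)" | xargs -r kill
stale_snort_pids 2 "$SAMPLE_PS"
```

Killing the extra instances (or running nsm_sensor_ps-stop before editing sensor.conf, as the PF_RING wiki page says) stops them from re-registering with sguild, after which the inliniac method Doug linked, setting the old rows' active field to N, keeps them out of the Sguil client.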
Brian Kellogg

Jan 12, 2015, 4:26:48 PM1/12/15
to securit...@googlegroups.com
Yeah, that fixed it. Should have known...