Upgrade HWE remove PF_Ring


Abdulvehhab Agin

Mar 8, 2017, 2:54:54 AM
to security-onion
Hello,


I accidentally upgraded HWE the wrong way (server mode: apt-get install --install-recommends linux-generic-lts-xenial); after that I ran soup and it caused:

dkms: removing: pf_ring 6 (3.19.0-43-generic) (x86_64)

-------- Uninstall Beginning --------
Module: pf_ring
Version: 6
Kernel: 3.19.0-43-generic (x86_64)
-------------------------------------

Status: Before uninstall, this module version was ACTIVE on this kernel.

pf_ring.ko:
- Uninstallation
- Deleting from: /lib/modules/3.19.0-43-generic/updates/dkms/
- Original module
- No original module was found for this module on this kernel.
- Use the dkms install command to reinstall any previous module version.

and removed some modules.


How can I reinstall pf_ring etc.?


Thanks

Abdulvehhab Agin

Mar 8, 2017, 7:28:04 AM
to security-onion

I ran this command just now:

sudo apt-get install --install-recommends linux-generic-lts-xenial xserver-xorg-core-lts-xenial xserver-xorg-lts-xenial xserver-xorg-video-all-lts-xenial xserver-xorg-input-all-lts-xenial libwayland-egl1-mesa-lts-xenial


When I run
depmod -n | grep pf_ring
I see:

updates/dkms/pf_ring.ko:
alias net-pf-27 pf_ring
alias symbol:pf_ring_add_module_dependency pf_ring
alias symbol:pf_ring_inject_packet_to_ring pf_ring

so pf_ring is installed,

and service nsm status shows:

* netsniff-ng (full packet data)[ OK ]

* pcap_agent (sguil)[ OK ]

* snort_agent (sguil)[ OK ]

* suricata (alert data)[ OK ]

* barnyard2 (spooler, unified2 format)[ OK ]

looks good.

But the Suricata agent is not working. How can I solve this problem?

Wes Lambert

Mar 8, 2017, 11:21:11 AM
to securit...@googlegroups.com
I don't see any issues from your nsm status output. Keep in mind, snort_agent is used for both Suricata and Snort. If you are having problems with Suricata specifically, try checking /var/log/nsm/hostname-interface/suricata.log for clues and provide the output of sostat-redacted, attaching as a plain text file, or using a service like Pastebin.com.

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Abdulvehhab Agin

Mar 9, 2017, 9:53:26 AM
to security-onion
Thanks Wes,

I found the problem; the problem was sguil. I ran sguil-db-purge, it cleared the sguil events, and everything looks fine.


Two days ago, my management server HDD was at 100%, so some database might have been corrupted. I ran sguil-db-purge, and the problem was solved.

But I want to be sure there is no other problem. Is there any command to purge ELSA or the MySQL database?

Or how can I purge all of the data and logs, and check for database corruption?

And what is the difference between nsm_sensor_clean and nsm_sensor_clear?




On Wednesday, March 8, 2017 at 19:21:11 UTC+3, Wes wrote:

Wes Lambert

Mar 9, 2017, 10:57:00 AM
to securit...@googlegroups.com
You can check database corruption with:

sudo mysqlcheck -A

You can purge the ELSA DB with:

sudo securityonion-elsa-reset

Thanks,
Wes




Abdulvehhab Agin

Mar 10, 2017, 8:35:58 AM
to security-onion
sudo securityonion-elsa-reset and sguil-db-purge

don't remove the

securityonion_db.event_***_20170308

tables?

Is that normal?


On Thursday, March 9, 2017 at 18:57:00 UTC+3, Wes wrote:

Wes

Mar 10, 2017, 8:39:53 AM
to security-onion
For sguil-db-purge, prior to running, you'll want to adjust your DAYSTOKEEP variable in /etc/nsm/securityonion.conf to a value like "1".

Try adjusting the value, then re-running sguil-db-purge.

Thanks,
Wes
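Wes's DAYSTOKEEP advice as a small script, added here as an example and not part of the thread or of Security Onion itself: it edits a securityonion.conf path you pass in (so it can be tried on a copy first), keeps a backup, and refuses to call sguil-db-purge until the value on disk matches. The key=value layout of /etc/nsm/securityonion.conf and the plain `sudo sguil-db-purge` invocation are assumptions.

```shell
#!/bin/sh
# Added example: set DAYSTOKEEP idempotently, verify it, then purge.
# Assumes securityonion.conf uses KEY=VALUE lines (not from the thread).

# set_daystokeep FILE DAYS: rewrite an existing DAYSTOKEEP line, or append one.
set_daystokeep() {
    file=$1; days=$2
    case "$days" in
        ''|*[!0-9]*) echo "DAYS must be a non-negative integer" >&2; return 1 ;;
    esac
    cp "$file" "$file.bak" || return 1          # keep the original for rollback
    if grep -q '^DAYSTOKEEP=' "$file"; then
        sed -i "s/^DAYSTOKEEP=.*/DAYSTOKEEP=$days/" "$file"   # GNU sed (Ubuntu)
    else
        printf 'DAYSTOKEEP=%s\n' "$days" >> "$file"
    fi
}

# get_daystokeep FILE: print the configured value (empty if the key is absent).
get_daystokeep() {
    sed -n 's/^DAYSTOKEEP=//p' "$1" | tail -n 1
}

# purge_if_configured FILE DAYS: run sguil-db-purge only once FILE agrees with DAYS.
purge_if_configured() {
    [ "$(get_daystokeep "$1")" = "$2" ] || { echo "DAYSTOKEEP is not $2 in $1" >&2; return 1; }
    command -v sguil-db-purge >/dev/null 2>&1 || { echo "sguil-db-purge not found; run this on the Security Onion box" >&2; return 2; }
    sudo sguil-db-purge
}

# Typical use on the server (uncomment to run for real):
# set_daystokeep /etc/nsm/securityonion.conf 1 && purge_if_configured /etc/nsm/securityonion.conf 1
```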

Abdulvehhab Agin

Mar 15, 2017, 11:39:03 AM
to security-onion
Thanks, I removed the old tables.

When I run securityonion-elsa-reset, there is an error:

Deleting database tables...
ERROR 1051 (42S02) at line 1: Unknown table 'syslogs_archive_1'
ERROR 1051 (42S02) at line 1: Unknown table 'syslogs_index_1'

Cleaning up old database files...
rm: cannot remove ‘/nsm/elsa/data/elsa/mysql/syslogs_archive_1*’: No such file or directory
rm: cannot remove ‘/var/lib/mysql/syslog_data/syslogs_archive_1*’: No such file or directory
rm: cannot remove ‘/nsm/elsa/data/elsa/mysql/syslogs_index_1*’: No such file or directory
rm: cannot remove ‘/var/lib/mysql/syslog_data/syslogs_index_1*’: No such file or directory


How can I solve this problem?




On Friday, March 10, 2017 at 16:39:53 UTC+3, Wes wrote: