Re: [security-onion] Snort (alert data) (not running)


Doug Burks

May 23, 2013, 9:42:55 PM5/23/13
to securit...@googlegroups.com
Hi jljassos,

Replies inline.

On Thu, May 23, 2013 at 3:45 AM, jljassos <jlja...@gmail.com> wrote:
> Hello,
>
> Trying to make Snort send logs to Splunk, I managed to get Snort to create the "alert.full" file.
>
> However it was empty.
>
> Also I disabled the Dropbox rules using the "sids" and the proper file

What "proper file" did you modify? What changes did you make?

>, but when I restarted PulledPork to apply the changes, I noticed this:
>
>
> Restarting: securitymonitor-eth0
> * stopping: snort-1 (alert data) (not running) [ WARN ]
> - stale PID file found, deleting!
>
> I tried to restart the process but it doesn't seem to work. Any suggestions?

Have you looked at /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log?
Snort should tell you why it failed.


--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

May 24, 2013, 11:15:24 AM5/24/13
to securit...@googlegroups.com
On Fri, May 24, 2013 at 10:24 AM, jljassos <jlja...@gmail.com> wrote:
> Hello Doug, thank you very much for the quick response.
> Replies inline as well:
>
> On Friday, May 24, 2013 03:42:55 UTC+2, Doug Burks wrote:
>>
>> What "proper file" did you modify? What changes did you make?
>
> Sorry for only putting "proper file"; I wasn't sure if the name of the file was the one I remembered, but someone told me "it was the right one". For the rules, I added to /etc/nsm/pulledpork/disablesid.conf at the end of the file:
>
> # Dropbox rules (May 22, 2013)
> 1:2012647,1:2012648,1:2014313,1:2014928
>
>
> And in /etc/nsm/securitymonitor-eth0/snort.conf I added, in the section "Step #6: Configure output plugins":
>
> # alert full - for splunk
> output alert_full: alert.full

Have you considered doing this in barnyard2 instead of in snort?

>> Have you looked at /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log?
>>
>
> Thanks for the advice, I didn't know about it, I'm really a novice at this. I found this at the end of the file:
>
> [ Number of patterns truncated to 20 bytes: 3335 ]
> pfring DAQ configured to passive.
> ERROR: Can't initialize DAQ pfring (-1) -
> Fatal Error, Quitting..
>
> I tried as in this thread:
> https://groups.google.com/forum/?fromgroups#!topic/security-onion/eFz_GI0TtP8
>
> sudo apt-get install --reinstall securityonion-pfring-module
> sudo service nsm restart
> reboot
>
> With the apt-get install --reinstall securityonion-pfring-module I got:
>
> Unpacking replacement securityonion-pfring-module ...
> Setting up securityonion-pfring-module (20121107-0ubuntu0securityonion7) ...
>
> Creating symlink /var/lib/dkms/pf_ring/5/source ->
> /usr/src/pf_ring-5
>
> DKMS: add completed.
> Error! Your kernel headers for kernel 3.2.0-43-generic cannot be found.
> Please install the linux-headers-3.2.0-43-generic package,

Have you tried installing the linux-headers-3.2.0-43-generic package?

Doug

Doug Burks

May 27, 2013, 7:28:54 AM5/27/13
to securit...@googlegroups.com
On Mon, May 27, 2013 at 4:58 AM, jljassos <jlja...@gmail.com> wrote:
> Hello,
>
> For the barnyard which is the file I need to modify? I see there are two of them.

I assume you mean barnyard.conf and barnyard2-1.conf? The first is
used if you're running Suricata and the second is used if you're
running Snort. You may want to update both at the same time in case
you ever decide to switch to Suricata.

> I just use the same command as in snort?

I've never tried it (and we don't officially support it), but I would think so.

> For the headers:
>
> I tried to install the headers, and it said that "couldn't be installed because pfring modules had already reported errors".
>
> I looked for this and found this (https://groups.google.com/forum/?fromgroups#!topic/security-onion/BS6TPEuC0QE)
>
> Following the advice of Boss Advisors, I executed the following as su:
>
> dkms remove -m pf_ring -v 5 -all
> apt-get update
> apt-get upgrade

You might want to try removing the securityonion-pfring-module package
and then try the "dkms remove -m pf_ring -v 5 -all" command again to
ensure that the pfring module files have been removed from DKMS. Then
try installing the kernel headers. If you continue to have issues,
the quickest and easiest solution may be to wipe and reinstall.

Thanks,
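As an added example (not from this thread and not part of Security Onion), a small POSIX shell helper that automates the two checks the replies above point at: read snortu-1.log for the pfring DAQ initialization failure, and confirm that headers for the running kernel are installed before attempting the pf_ring DKMS rebuild, since DKMS cannot build the module without them. The `diagnose` function name, the optional root-directory argument (there so the check can be exercised against a constructed tree) and the default log path are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical diagnostic helper for the failure pattern in this thread:
# Snort exiting with "Can't initialize DAQ pfring" because the pf_ring
# DKMS module could not be built against the running kernel's headers.
# Not part of Security Onion; paths and names are assumptions.

# Print the lines of a Snort log that explain a startup failure.
# Returns 0 if any were found, 1 otherwise (grep's exit status).
snort_startup_errors() {
  log="$1"
  grep -E "ERROR: Can't initialize DAQ|Fatal Error, Quitting" "$log"
}

# Check whether kernel headers for a given kernel release are installed.
# The optional second argument is a root directory (default: /) so the
# check can be run against a constructed directory tree.
headers_present() {
  kver="$1"
  root="${2:-}"
  [ -d "$root/usr/src/linux-headers-$kver" ] || [ -d "$root/lib/modules/$kver/build" ]
}

# Name of the Ubuntu/Debian package that carries headers for a kernel release.
headers_package_for() {
  printf 'linux-headers-%s\n' "$1"
}

# One-shot diagnosis: report a DAQ failure and whether the headers that DKMS
# needs to build pf_ring are present. Returns 0 only when nothing is wrong.
diagnose() {
  log="$1"
  kver="$2"
  root="${3:-}"
  status=0
  if snort_startup_errors "$log" >/dev/null 2>&1; then
    echo "snort failed to start (see $log):"
    snort_startup_errors "$log" | sed 's/^/  /'
    status=1
  fi
  if headers_present "$kver" "$root"; then
    echo "kernel headers for $kver: present"
  else
    echo "kernel headers for $kver: MISSING; install $(headers_package_for "$kver")"
    echo "then check 'dkms status' and reinstall securityonion-pfring-module"
    status=1
  fi
  return $status
}

# Stand-alone use: diagnose.sh /var/log/nsm/securitymonitor-eth0/snortu-1.log "$(uname -r)"
if [ $# -ge 2 ]; then
  diagnose "$@"
fi
```

The script only reads the log and the filesystem; the remediation itself (installing the headers package, removing the stale DKMS entry, reinstalling the module package) stays a manual step so that the operator sees the reason before changing the sensor.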