Adding sensors in snorby

Emilio

Jan 20, 2012, 7:11:38 AM
to security-onion
Hi,

currently I have deployed a central server and a distributed sensor.
In the snorby interface on the server I can only see one sensor, the server's own, but I would like to see the deployed sensor too.
The official documentation is empty (in progress)
https://github.com/Snorby/snorby/wiki/Adding-sensors

How can I update the sensor so that its data shows up in the snorby interface on the server?

Regards
Emilio

Doug Burks

Jan 20, 2012, 8:08:28 AM
to securit...@googlegroups.com
Hi Emilio,

Is the "distributed sensor" running Security Onion? Is it running the
latest version? If so, its barnyard2 configuration should have been
updated to send its alerts to the snorby database on the server.
Check /etc/nsm/HOSTNAME-INTERFACE/barnyard2.conf on the sensor and
verify the last line looks like this:
output database: alert, mysql, user=root dbname=snorby host=127.0.0.1

The sensor should also have an ssh tunnel to the server to encrypt
that MySQL traffic. Check to see if the autossh is running:
ps aux |grep autoss[h]

Hope that helps!

Thanks,
Doug Burks

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
Please vote for Security Onion for 2011 Toolsmith Tool of the Year! |
http://goo.gl/PwTDi

Emilio

Jan 20, 2012, 8:43:14 AM
to security-onion
Hi Dourks response inline


On 20 ene, 14:08, Doug Burks <doug.bu...@gmail.com> wrote:
> Hi Emilio,
>
> Is the "distributed sensor" running Security Onion?  Is it running the
> latest version?  If so, its barnyard2 configuration should have been
> updated to send its alerts to the snorby database on the server.
> Check /etc/nsm/HOSTNAME-INTERFACE/barnyard2.conf on the sensor and
> verify the last line looks like this:
> output database: alert, mysql, user=root dbname=snorby host=127.0.0.1
>

Yes, "the distributed sensor" is running the same version of SO as the server.
The last line looks like you posted. I assume that it has to be:
output database: alert, mysql, user=root dbname=snorby host=IpOfServer


> The sensor should also have an ssh tunnel to the server to encrypt
> that MySQL traffic.  Check to see if the autossh is running:
> ps aux |grep autoss[h]

autossh is not running.

Regards
Emilio

Doug Burks

Jan 20, 2012, 9:05:43 AM
to securit...@googlegroups.com
It's "Doug Burks", not "Dourks" :)

Responses inline.

On Fri, Jan 20, 2012 at 8:43 AM, Emilio <ecas...@gmail.com> wrote:
> Hi Dourks response inline
>
>
> On 20 ene, 14:08, Doug Burks <doug.bu...@gmail.com> wrote:
>> Hi Emilio,
>>
>> Is the "distributed sensor" running Security Onion?  Is it running the
>> latest version?  If so, its barnyard2 configuration should have been
>> updated to send its alerts to the snorby database on the server.
>> Check /etc/nsm/HOSTNAME-INTERFACE/barnyard2.conf on the sensor and
>> verify the last line looks like this:
>> output database: alert, mysql, user=root dbname=snorby host=127.0.0.1
>>
>
> Yes, "the distributed sensor" is running the same version of SO than
> the server.
> The last line looks like you posted. I assume that it has to be:
> output database: alert, mysql, user=root dbname=snorby host=IpOfServer

It should be EXACTLY like this:


output database: alert, mysql, user=root dbname=snorby host=127.0.0.1

The host should be 127.0.0.1 because autossh is going to forward any
traffic received on the local port 3306 to port 3306 on the server
where MySQL is running.

>
>
>> The sensor should also have an ssh tunnel to the server to encrypt
>> that MySQL traffic.  Check to see if the autossh is running:
>> ps aux |grep autoss[h]
>
> autossh Is not running.

That's a problem. Here's the code in /etc/init/securityonion.conf
that starts autossh:

SSH_DIR="/root/.ssh"
SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
if [ -f $SSH_CONF ]
then
# We are a SLAVE
# Stop MySQL
service mysql stop
# Establish persistent SSH tunnel to MASTER.
KEY="$SSH_DIR/securityonion"
# Upstart uses sh instead of bash so we can't use "source"
SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2`
SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2`
/usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME
fi

Please run this code manually and see if it works. If not, please
copy/paste the output so we can help you further.

Thanks,
Doug

Emilio

Jan 24, 2012, 8:07:33 AM
to security-onion
Great!, thanks Doug :-)
I have the sensor visible and working on the web server interface.

Regards
Emilio

Sean McClanahan

Feb 13, 2012, 1:20:12 PM
to security-onion
Hi all -

Finally got the bandwidth to go heads down and get my Security Onion
network configured. So far, so good - almost. I've got one "server
only" box and one "sensor only" box running in my test environment.

I'm having the same problem as Emilio was having. I've tried to
manually run the code above, and it's returning a "permission denied"
error.

I should be running this code on the sensor, correct? The SSH
connection worked when I was doing the installation of the sensor and
it needed to connect to the server.

Sean

Doug Burks

Feb 13, 2012, 1:37:23 PM
to securit...@googlegroups.com
Hi Sean,

Yes, you should be running this on the sensor. You'll need to be root, so do a "sudo -i" before running the commands. Watch out for line wrapping when copy/pasting. Please copy/paste all output into your reply email.

Thanks.

Sean McClanahan

Feb 13, 2012, 2:18:35 PM
to securit...@googlegroups.com
Howdy folks -

You're right, I wasn't in sudo mode, so I fixed that. However, when I run the command now, it reports nothing. Just a blank line that I can Ctrl-C out of to get back to the prompt.

Here's the command I'm sending. Maybe I've got a stray space in there somewhere?

SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2` SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2` /usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME

Sean

Doug Burks

Feb 15, 2012, 8:11:45 AM
to securit...@googlegroups.com
Hi Sean,

What you copy/pasted below does not exactly match the entire code snippet:

SSH_DIR="/root/.ssh"
SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
if [ -f $SSH_CONF ]
then
# We are a SLAVE
# Stop MySQL
service mysql stop
# Establish persistent SSH tunnel to MASTER.
KEY="$SSH_DIR/securityonion"
# Upstart uses sh instead of bash so we can't use "source"
SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2`
SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2`
/usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME
fi

Watch out for line-wrapping on the line starting with "/usr/bin/autossh".

Hope that helps!

Thanks,
Doug

Sean McClanahan

Feb 16, 2012, 2:16:28 PM
to securit...@googlegroups.com
OK, I've done all of the commands as shown above. The only one that shows an error is "service mysql stop". That one returns a "stop: Unknown instance:" error. Otherwise, here's exactly what I did, with extra line breaks to show the separation of commands issued:


SSH_DIR="/root/.ssh"

SSH_CONF="$SSH_DIR/securityonion_ssh.conf"

service mysql stop

KEY="$SSH_DIR/securityonion"

SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2` SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2` /usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME

When doing this, other than the mysql error I mentioned above, I get no errors. And now, anyway, I go back to a command prompt, as if the box thinks it executed a command and is waiting for more input (as in, I don't have the blank line like I did before.)

But - still nothing showing up in Snorby.

Going from information in another post, running "ps aux | grep autossh" returns the following:

root 5888 0.0 0.0 3324 808 pts/0 S+ 19:16 0:00 grep --color=auto autossh


Sean

Doug Burks

Feb 16, 2012, 2:24:32 PM
to securit...@googlegroups.com
Hi Sean,

It looks like you're putting multiple commands on one line:


SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2` SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2` /usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME

This should actually be three individual lines as shown below (I've
inserted comment lines prefixed with #):

# First, set the SSH_USERNAME variable
SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2`

# Next, set the SERVERNAME variable
SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2`

# Finally, execute autossh using the previously defined SSH_USERNAME and SERVERNAME variables
/usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME

Try these three lines and then try "ps aux | grep autoss[h]" to see if
autossh is running.

Thanks,
Doug

Sean McClanahan

Feb 16, 2012, 2:31:52 PM
to securit...@googlegroups.com
Gotcha. OK, I broke the last command I was issuing into separate ones, and still no dice. Doesn't look like autossh is running, as I still get the response noted before.

Sean

Doug Burks

Feb 16, 2012, 2:34:50 PM
to securit...@googlegroups.com
What is the output of the following?
sudo ls -alh /root/.ssh

Also verify the SSH_USERNAME and SERVERNAME variables are correct in
/root/.ssh/securityonion_ssh.conf.

Thanks,
Doug

Sean McClanahan

Feb 16, 2012, 2:40:07 PM
to securit...@googlegroups.com
On Thursday, February 16, 2012 1:34:50 PM UTC-6, Doug Burks wrote:
> What is the output of the following?
> sudo ls -alh /root/.ssh

total 24K
drwx------ 2 root root 4.0K 2012-02-13 16:46 .
drwx------ 20 root root 4.0K 2012-02-13 21:00 ..
-rw-r--r-- 1 root root 442 2012-02-13 16:46 known_hosts
-rw------- 1 root root 1.7K 2012-02-13 16:46 securityonion
-rw------- 1 root root 400 2012-02-13 16:46 securityonion.pub
-rw-r--r-- 1 root root 39 2012-02-13 16:50 securityonion_ssh.conf


> Also verify the SSH_USERNAME and SERVERNAME variables are correct in
> /root/.ssh/securityonion_ssh.conf.

Yes, those two variables are correct.

Sean

Doug Burks

Feb 16, 2012, 2:48:23 PM
to securit...@googlegroups.com
It looks like you have the proper files in place. Try doing a basic
SSH connection to the server as follows:
SSH_DIR="/root/.ssh"
SSH_CONF="$SSH_DIR/securityonion_ssh.conf"

KEY="$SSH_DIR/securityonion"
SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2`
SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2`
ssh -i "$KEY" $SSH_USERNAME@$SERVERNAME

Doug

Sean McClanahan

Feb 16, 2012, 3:00:29 PM
to securit...@googlegroups.com
That seems to work OK. I get prompted for my password, I enter it, and I'm in.

Sean

Doug Burks

Feb 16, 2012, 3:11:05 PM
to securit...@googlegroups.com
No, that's the problem. It's supposed to be doing key-based
authentication (-i "$KEY") and NOT prompting for a password.

Please look on the SERVER in /home/YOUR_SSH_USERNAME/.ssh/ and see if
there is an authorized_keys file and if it contains the key from your
sensor.

Doug

Sean McClanahan

Feb 16, 2012, 3:18:59 PM
to securit...@googlegroups.com
Well - that must be the problem. There is no .ssh directory on the server in the user directory. There's a .sudo_as_admin_successful, and .sguilrc, but that's it for the S directories.

Sean

Doug Burks

Feb 16, 2012, 3:30:01 PM
to securit...@googlegroups.com
Go back to your sensor and do the following (as root) to try and copy
the key to the server:

SSH_DIR="/root/.ssh"
SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
KEY="$SSH_DIR/securityonion"
SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2`
SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2`
ssh-copy-id -i "$KEY".pub $SSH_USERNAME@$SERVERNAME

Then check to see if the .ssh directory got populated correctly in the
user's directory on the server.

Doug
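
An added set of read-only pre-flight checks, written for this thread rather than taken from Security Onion's own scripts, covering the pieces debugged above: it parses securityonion_ssh.conf with the same grep/cut as the /etc/init/securityonion.conf snippet Doug posted earlier, rebuilds the autossh command on a single unwrapped line, checks that barnyard2.conf points at the loopback tunnel endpoint, and, for the server side, checks whether the sensor's public key is present in the user's authorized_keys (the cause of the password prompt above). The port, key file and conf file names are the ones from the thread; paths are parameters so the checks can be run against constructed files.

```shell
#!/bin/sh
# Added example, not Security Onion's own code: read-only pre-flight checks
# for the sensor-to-server MySQL tunnel discussed in this thread. The
# sensor-side functions read the same files as /etc/init/securityonion.conf;
# nothing is started or changed. Paths are parameters for offline testing.

# Pull VAR=value out of securityonion_ssh.conf the way the upstart script
# does (plain sh, so no "source").
so_conf_value() {            # $1 = conf file, $2 = variable name
    grep "^$2=" "$1" | cut -d\= -f2
}

# barnyard2 must point at 127.0.0.1: the tunnel, not the server's IP,
# carries the MySQL traffic. 0 = ok, 1 = wrong host or line missing.
by2_host_is_loopback() {     # $1 = barnyard2.conf
    grep -q '^output database: alert, mysql, .*host=127\.0\.0\.1[[:space:]]*$' "$1"
}

# Rebuild the exact autossh command the init script runs, on ONE line, so
# line-wrapping or merged-command mistakes are visible before it is run.
# Fails if the conf, the private key or either variable is missing.
build_autossh_cmd() {        # $1 = ssh dir, default /root/.ssh
    dir=${1:-/root/.ssh}
    conf="$dir/securityonion_ssh.conf"
    [ -f "$conf" ] && [ -f "$dir/securityonion" ] || return 1
    user=$(so_conf_value "$conf" SSH_USERNAME)
    server=$(so_conf_value "$conf" SERVERNAME)
    [ -n "$user" ] && [ -n "$server" ] || return 1
    printf '/usr/bin/autossh -f -M 61234 -i "%s/securityonion" -N -L 3306:127.0.0.1:3306 %s@%s\n' \
        "$dir" "$user" "$server"
}

# Server side: is the sensor's public key in the user's authorized_keys?
# A password prompt from "ssh -i" (as in the thread) means this fails.
pubkey_authorized() {        # $1 = sensor's .pub file, $2 = authorized_keys
    [ -f "$2" ] || return 1
    keydata=$(awk '{print $2}' "$1")      # base64 key blob is field 2
    [ -n "$keydata" ] && grep -qF "$keydata" "$2"
}

# Is an autossh tunnel for port 3306 already up? 0 = yes, 1 = no.
tunnel_running() {
    ps aux | grep -q '[a]utossh .*-L 3306:127.0.0.1:3306'
}
```

Run it on the sensor as root with `build_autossh_cmd` and `by2_host_is_loopback /etc/nsm/HOSTNAME-INTERFACE/barnyard2.conf`, and on the server with `pubkey_authorized` against a copy of the sensor's securityonion.pub.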

Sean McClanahan

Feb 16, 2012, 3:40:37 PM
to securit...@googlegroups.com
I believe this looks better. :-)


root@adcseconion02:~/.ssh# ps aux | grep autossh
root 10323 0.0 0.0 1860 440 ? Ss 20:38 0:00 /usr/lib/autossh/autossh -M 61234 -i /root/.ssh/securityonion -N -L 3306:127.0.0.1:3306 se...@10.6.4.17
root 10327 0.0 0.0 3324 808 pts/0 S+ 20:38 0:00 grep --color=auto autossh

Nothing in Snorby just yet, perhaps just have to wait for data to populate now.

Sean

Doug Burks

Feb 16, 2012, 3:43:53 PM
to securit...@googlegroups.com
Yes, that does look better :)

Did you restart barnyard2 on the sensor?
sudo nsm_sensor_ps-restart --only-barnyard2

Then verify that all services are running on sensor:
sudo service nsm status

Then create some test traffic:
curl http://testmyids.com

Thanks,
Doug

Sean McClanahan

Feb 16, 2012, 3:47:26 PM
to securit...@googlegroups.com
Traffic is flowing now. I had not restarted BY2, but I will, just to be sure. Status of all NSM agents looks good.

Thank you, Doug, for all of your assistance. I'm going to start getting boxes set up to roll out across the network over the next few weeks now.

Sean

Doug Burks

Feb 16, 2012, 3:53:29 PM
to securit...@googlegroups.com
You're welcome, Sean! I'm glad we got you fixed up. Good luck with
your deployment!

Thanks,
Doug

Ron Peeters

Apr 3, 2012, 5:10:02 AM
to securit...@googlegroups.com
On Thursday, February 16, 2012 21:53:29 UTC+1, Doug Burks wrote the following:
I seem to have the same issue, traffic seems to be flowing, but after a reboot of the sensor, autossh does not remain running ...

Doug Burks

Apr 3, 2012, 6:40:27 AM
to securit...@googlegroups.com
Hi Ron,

Since you started a new thread, I'll answer you over there.

Thanks,
Doug

--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
