"so-import-pcap" not generating anything on Kibana/Squert/etc


ozzyuh

May 24, 2018, 12:59:29 AM
to security-onion
Hi,

I set up an SO machine in Evaluation Mode in order to load pcap files using the new "so-import-pcap" script.
I ran the "so-import-pcap" script with several different pcap files I downloaded from "Malware-traffic-analysis", and the output indicates that the import completed successfully.
Yet, when I navigate to any of the pcaps' relevant time frames, whether in "Kibana" or "Squert", I can't see any log or alert.

Any idea why this is happening?
Any way of fixing it?

I wish to use SO's toolset to analyze pcap files retroactively.

Thanks

Wes Lambert

May 25, 2018, 7:06:56 AM
to securit...@googlegroups.com
ozzyuh,

Would you be able to provide an example of one of these pcaps, or a link to it?

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.




Doug Burks

Jun 4, 2018, 6:37:10 AM
to securit...@googlegroups.com
Hi wrickaz,

Running "sudo so-import-pcap /opt/samples/evidence03.pcap" appears to work for me:



When I copy the URL at the end of the output into my browser, I see logs in Kibana:



If you continue to have problems, please send full sostat-redacted output. Please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your terminal's scroll buffer OR redirect the output of the command to a file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses, but there may be additional sensitive info that you still need to redact manually.

Attach the output to your email in plain text format (.txt) OR use a service like http://pastebin.com.

On Sat, Jun 2, 2018 at 6:00 AM, wrickaz <wri...@gmail.com> wrote:
Hello, I am having the same problem. I tried /opt/samples/evidence03.pcap
and many others but no luck.





--
Doug Burks

Rocky De Wiest

Sep 15, 2018, 5:45:09 AM
to security-onion
On Thursday, 24 May 2018 08:59:29 UTC+4, ozzyuh wrote:
So I actually ran into the same issue (fresh install and installing an evaluation setup), and figured out logstash was not running, because I did not allocate 8GB of RAM to the virtual machine (of course this was not in any logs :)).

Try it out.
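A preflight script that checks the two conditions this thread points at (enough RAM for Setup's 8GB requirement and a running Logstash) plus a readable pcap before you spend time on so-import-pcap. This is an added example, not a script from the thread or from the Security Onion project. It assumes Logstash runs as a Docker container named so-logstash (with a pgrep fallback if Docker is absent), and it accepts a reported MemTotal of 7.5GB or more as "8GB", because the kernel's MemTotal excludes reserved memory and an 8GB VM typically reports a little under 8GB; both the container name and the 7.5GB threshold are assumptions you can adjust.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project).
# Preflight for so-import-pcap on an Evaluation Mode box: enough RAM,
# Logstash actually running, pcap readable. Run as:
#   sh so_preflight.sh /opt/samples/evidence03.pcap

# Assumption: Setup wants 8GB; MemTotal on an 8GB VM reads a bit lower
# because the kernel reserves memory, so accept anything >= 7.5GB (7680MB).
MIN_RAM_MB=7680

# mem_total_mb: read /proc/meminfo-style text from stdin and print MemTotal
# in whole megabytes; exit 1 if no MemTotal line is present.
mem_total_mb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024; found = 1 } END { exit !found }'
}

# ram_ok: succeed if the given megabyte count meets the minimum.
ram_ok() {
    [ "$1" -ge "$MIN_RAM_MB" ]
}

# logstash_running: succeed if the so-logstash container (assumed name) is up,
# otherwise fall back to looking for a logstash process.
logstash_running() {
    if command -v docker >/dev/null 2>&1; then
        docker ps --format '{{.Names}}' 2>/dev/null | grep -qx 'so-logstash' && return 0
    fi
    pgrep -f 'logstash' >/dev/null 2>&1
}

# pcap_ok: the import needs an existing, readable, non-empty file.
pcap_ok() {
    [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]
}

# preflight_main: run every check, report each, return non-zero if any failed.
preflight_main() {
    pcap="$1"
    rc=0
    mb=$(mem_total_mb < /proc/meminfo) || mb=0
    if ram_ok "$mb"; then
        echo "[ok]   RAM: ${mb}MB reported (minimum ${MIN_RAM_MB}MB)"
    else
        echo "[FAIL] RAM: ${mb}MB reported; Setup wants 8GB and Logstash may silently not start"
        rc=1
    fi
    if logstash_running; then
        echo "[ok]   Logstash is running"
    else
        echo "[FAIL] Logstash is not running; imported logs will never show up in Kibana"
        rc=1
    fi
    if pcap_ok "$pcap"; then
        echo "[ok]   pcap readable: $pcap"
    else
        echo "[FAIL] pcap missing, unreadable or empty: $pcap"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "Preflight passed; now run: sudo so-import-pcap $pcap"
    return "$rc"
}

# Only run the checks when a pcap path is given; the functions can also be
# sourced into another script.
if [ $# -gt 0 ]; then
    preflight_main "$1"
    exit $?
fi
```

If the RAM check fails, the fix is the one Rocky describes: give the VM 8GB and rerun Setup, then confirm Logstash is up before importing again.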

Doug Burks

Sep 17, 2018, 3:43:59 PM
to securit...@googlegroups.com
Hi Rocky,

When you ran Setup with less than 8GB RAM, did it prompt you with a warning like this?

--
Doug Burks
CEO
Security Onion Solutions, LLC

kjz...@gmail.com

Oct 29, 2018, 6:15:15 AM
to security-onion
Hello,

I am having the same issue with a new install in evaluation mode. I checked that logstash is running and I have at least 8GB of RAM. I did not receive any errors when I ran the setup script.

Thanks
sostat-redacted.txt

Wes Lambert

Oct 29, 2018, 8:17:15 PM
to securit...@googlegroups.com
