Re: [security-onion] Ossec Agent fails on server

Heine Lysemose

May 8, 2013, 2:31:52 PM
to securit...@googlegroups.com

Hi Jordan

You have set up your server as a server (only) installation. But your interface status shows that your eth0 has an iPhone address and is set to promiscuous mode. How is that?

/Lysemose

On May 8, 2013 8:15 PM, "Jordan" <webe...@gmail.com> wrote:
I am having difficulty with the ossec_agent on my server. The ossec agents on my sensors are working just fine. Currently, ossec_agent starts up on a system restart with the nsm_sensor_ps-start command; then, not even 5 seconds later, it says stale PID, restarting in 5 min, check /var/log/nsm/ossec_agent.log.

~$  tail /var/log/nsm/ossec_agent.log
Executing: /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
Connection Refused.

You can see in sudo sostat that the ossec agent has failed, but I can't figure out why. I also tried setting ossec_agent.conf into debug mode and got nothing.

~$ sudo sostat
=========================================================================
Service Status
=========================================================================
Status: securityonion
  * sguil server[  OK  ]
Status: HIDS
  * ossec_agent (sguil)[ FAIL ]

=========================================================================
Interface Status
=========================================================================
eth0      Link encap:Ethernet  HWaddr  XXXXXXXX
          inet addr:(SO-Server)  Bcast: XXXXXXXX Mask: XXXXXXXXXX
          inet6 addr: xxxxxxxxxxxxxxxx Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:17013 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11040 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3678682 (3.6 MB)  TX bytes:1196345 (1.1 MB)
          Interrupt:16

eth1      Link encap:Ethernet  HWaddr XXXXXXXXX
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:xxxxxx
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:210 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:28296 (28.2 KB)  TX bytes:28296 (28.2 KB)


=========================================================================
Disk Usage
=========================================================================
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       452G   39G  390G   9% /
udev            3.0G  4.0K  3.0G   1% /dev
tmpfs           1.2G  736K  1.2G   1% /run
none            5.0M     0  5.0M   0% /run/lock
none            3.0G     0  3.0G   0% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND    PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       755         root    3r  IPv6   8348      0t0  TCP *:22 (LISTEN)
sshd       755         root    4u  IPv4   8350      0t0  TCP *:22 (LISTEN)
cupsd      899         root    8u  IPv6   8481      0t0  TCP [::1]:631 (LISTEN)
cupsd      899         root    9u  IPv4   8482      0t0  TCP 127.0.0.1:631 (LISTEN)
avahi-dae  902        avahi   13u  IPv4   8078      0t0  UDP *:5353
avahi-dae  902        avahi   14u  IPv6   8079      0t0  UDP *:5353
avahi-dae  902        avahi   15u  IPv4   8080      0t0  UDP *:60304
avahi-dae  902        avahi   16u  IPv6   8081      0t0  UDP *:36908
mysqld    1158        mysql   10u  IPv4  10600      0t0  TCP 127.0.0.1:3306 (LISTEN)
dnsmasq   1334       nobody    4w  IPv4  10409      0t0  UDP 127.0.0.1:53
dnsmasq   1334       nobody    5u  IPv4  10410      0t0  TCP 127.0.0.1:53 (LISTEN)
sshd      1661         root    3r  IPv4  14821      0t0  TCP (SO-Server):22->(Me):61228 (ESTABLISHED)
/usr/sbin 1805         root    4u  IPv4  21822      0t0  TCP *:443 (LISTEN)
/usr/sbin 1805         root    5u  IPv4  21825      0t0  TCP *:9876 (LISTEN)
/usr/sbin 1805         root    6u  IPv4  21827      0t0  TCP *:3154 (LISTEN)
/usr/sbin 1805         root    7u  IPv4  23309      0t0  TCP *:444 (LISTEN)
sshd      1976  (Server Account)    3u  IPv4  14821      0t0  TCP (SO-Server):22->(Me):61228 (ESTABLISHED)
/usr/sbin 2025     www-data    4u  IPv4  21822      0t0  TCP *:443 (LISTEN)
/usr/sbin 2025     www-data    5u  IPv4  21825      0t0  TCP *:9876 (LISTEN)
/usr/sbin 2025     www-data    6u  IPv4  21827      0t0  TCP *:3154 (LISTEN)
/usr/sbin 2025     www-data    7u  IPv4  23309      0t0  TCP *:444 (LISTEN)
/usr/sbin 2026     www-data    4u  IPv4  21822      0t0  TCP *:443 (LISTEN)
/usr/sbin 2026     www-data    5u  IPv4  21825      0t0  TCP *:9876 (LISTEN)
/usr/sbin 2026     www-data    6u  IPv4  21827      0t0  TCP *:3154 (LISTEN)
/usr/sbin 2026     www-data    7u  IPv4  23309      0t0  TCP *:444 (LISTEN)
/usr/sbin 2027     www-data    4u  IPv4  21822      0t0  TCP *:443 (LISTEN)
/usr/sbin 2027     www-data    5u  IPv4  21825      0t0  TCP *:9876 (LISTEN)
/usr/sbin 2027     www-data    6u  IPv4  21827      0t0  TCP *:3154 (LISTEN)
/usr/sbin 2027     www-data    7u  IPv4  23309      0t0  TCP *:444 (LISTEN)
/usr/sbin 2028     www-data    4u  IPv4  21822      0t0  TCP *:443 (LISTEN)
/usr/sbin 2028     www-data    5u  IPv4  21825      0t0  TCP *:9876 (LISTEN)
/usr/sbin 2028     www-data    6u  IPv4  21827      0t0  TCP *:3154 (LISTEN)
/usr/sbin 2028     www-data    7u  IPv4  23309      0t0  TCP *:444 (LISTEN)
/usr/sbin 2029     www-data    4u  IPv4  21822      0t0  TCP *:443 (LISTEN)
/usr/sbin 2029     www-data    5u  IPv4  21825      0t0  TCP *:9876 (LISTEN)
/usr/sbin 2029     www-data    6u  IPv4  21827      0t0  TCP *:3154 (LISTEN)
/usr/sbin 2029     www-data    7u  IPv4  23309      0t0  TCP *:444 (LISTEN)
sshd      2279         root    3r  IPv4  22225      0t0  TCP (SO-Server):22->(SO-Sensor-3):46657 (ESTABLISHED)
sshd      2281         root    3r  IPv4  22245      0t0  TCP (SO-Server):22->(SO-Sensor-2):56804 (ESTABLISHED)
sshd      2474  (SO-Sensor-3)    3u  IPv4  22225      0t0  TCP (SO-Server):22->(SO-Sensor-3):46657 (ESTABLISHED)
sshd      2550 (SO-Sensor-2)    3u  IPv4  22245      0t0  TCP (SO-Server):22->(SO-Sensor-2):56804 (ESTABLISHED)
sshd      2551         root    3r  IPv4  22488      0t0  TCP (SO-Server):22->(SO-Sensor-1):50223 (ESTABLISHED)
sshd      2686   (SO-Sensor-1)    3u  IPv4  22488      0t0  TCP (SO-Server):22->(SO-Sensor-1):50223 (ESTABLISHED)
tclsh     4398         root   13u  IPv4  34160      0t0  TCP *:7734 (LISTEN)
tclsh     4398         root   14u  IPv4  34161      0t0  TCP *:7736 (LISTEN)
tclsh     4398         root   15u  IPv4  34163      0t0  TCP (SO-Server):7736->(SO-Sensor-1):36085 (ESTABLISHED)
tclsh     4398         root   16u  IPv4  34167      0t0  TCP (SO-Server):7736->(SO-Sensor-3):47695 (ESTABLISHED)
tclsh     4398         root   17u  IPv4  34168      0t0  TCP (SO-Server):7736->(SO-Sensor-3):47696 (ESTABLISHED)
tclsh     4398         root   18u  IPv4  33447      0t0  TCP (SO-Server):7736->(SO-Sensor-2):35071 (ESTABLISHED)
tclsh     4398         root   19u  IPv4  33448      0t0  TCP (SO-Server):7736->(SO-Sensor-2):35072 (ESTABLISHED)
tclsh     4398         root   20u  IPv4  33455      0t0  TCP (SO-Server):7736->(SO-Sensor-3):47697 (ESTABLISHED)
tclsh     4398         root   21u  IPv4  33456      0t0  TCP (SO-Server):7736->(SO-Sensor-3):47698 (ESTABLISHED)
tclsh     4398         root   22u  IPv4  33457      0t0  TCP (SO-Server):7736->(SO-Sensor-2):35073 (ESTABLISHED)
tclsh     4398         root   23u  IPv4  34173      0t0  TCP (SO-Server):7736->(SO-Sensor-2):35074 (ESTABLISHED)
tclsh     4398         root   24u  IPv4  34175      0t0  TCP (SO-Server):7736->(SO-Sensor-3):47699 (ESTABLISHED)
tclsh     4398         root   25u  IPv4  34176      0t0  TCP (SO-Server):7736->(SO-Sensor-2):35075 (ESTABLISHED)
tclsh     4398         root   26u  IPv4  33461      0t0  TCP (SO-Server):7736->(SO-Sensor-1):36086 (ESTABLISHED)
tclsh     4398         root   27u  IPv4  33462      0t0  TCP (SO-Server):7736->(SO-Sensor-1):36087 (ESTABLISHED)
tclsh     4398         root   28u  IPv4  34177      0t0  TCP (SO-Server):7736->(SO-Sensor-1):36088 (ESTABLISHED)
tclsh     4398         root   29u  IPv4  34178      0t0  TCP (SO-Server):7734->(Me):61232 (ESTABLISHED)
tclsh     4398         root   30u  IPv4  34207      0t0  TCP (SO-Server):7736->(SO-Sensor-1):36089 (ESTABLISHED)
ntpd      5398          ntp   16u  IPv4  30123      0t0  UDP *:123
ntpd      5398          ntp   17u  IPv6  30124      0t0  UDP *:123
ntpd      5398          ntp   18u  IPv4  30130      0t0  UDP 127.0.0.1:123
ntpd      5398          ntp   19u  IPv4  30131      0t0  UDP (SO-Server):123
ntpd      5398          ntp   20u  IPv6  30132      0t0  UDP [fe80::221:9bff:fefc:988c]:123
ntpd      5398          ntp   21u  IPv6  30133      0t0  UDP [::1]:123

=========================================================================
IDS Rules Update
=========================================================================
Wed May  8 07:01:01 UTC 2013
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Running PulledPork.
    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cumm...@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2941.tar.gz....
        They Match
        Done!
Prepping rules from snortrules-snapshot-2941.tar.gz for work....
        Done!
Reading rules...
Reading rules...
Reading rules...
Activating balanced rulesets....
        Done
Processing /etc/nsm/pulledpork/enablesid.conf....
        Modified 0 rules
        Done
Processing /etc/nsm/pulledpork/dropsid.conf....
        Modified 0 rules
        Done
Processing /etc/nsm/pulledpork/disablesid.conf....
        Modified 0 rules
        Done
Modifying Sids....
        Done!
Setting Flowbit State....
        Enabled 517 flowbits
        Enabled 1 flowbits
        Done
Writing /etc/nsm/rules/downloaded.rules....
        Done
Writing /etc/nsm/rules/so_rules.rules....
        Done
Generating sid-msg.map....
        Done
Writing /etc/nsm/rules/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats....
        New:-------1
        Deleted:---1
        Enabled Rules:----3524
        Dropped Rules:----0
        Disabled Rules:---13757
        Total Rules:------17281
        Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

=========================================================================
CPU Usage
=========================================================================
top - 17:57:27 up 7 min,  1 user,  load average: 0.13, 0.46, 0.31
Tasks: 122 total,   2 running, 120 sleeping,   0 stopped,   0 zombie
Cpu(s):  6.5%us,  1.7%sy,  0.0%ni, 75.4%id, 16.3%wa,  0.0%hi,  0.1%si,  0.0%st
Mem:   6112720k total,  1387272k used,  4725448k free,    99768k buffers
Swap:  9343712k total,        0k used,  9343712k free,   775336k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4398 root      20   0  143m  24m 3892 R    8  0.4   0:08.82 tclsh
 1158 mysql     20   0 1313m 144m 8064 S    6  2.4   0:14.67 mysqld
  332 root      20   0     0    0    0 S    2  0.0   0:00.58 jbd2/sda1-8
    1 root      20   0 24588 2592 1372 S    0  0.0   0:01.10 init
    2 root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd
    3 root      20   0     0    0    0 S    0  0.0   0:00.07 ksoftirqd/0
    4 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/0:0
    5 root      20   0     0    0    0 S    0  0.0   0:00.45 kworker/u:0
    6 root      RT   0     0    0    0 S    0  0.0   0:00.01 migration/0
    7 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/0
    8 root      RT   0     0    0    0 S    0  0.0   0:00.15 migration/1
   10 root      20   0     0    0    0 S    0  0.0   0:00.05 ksoftirqd/1
   11 root      20   0     0    0    0 S    0  0.0   0:00.19 kworker/0:1
   12 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/1
   13 root       0 -20     0    0    0 S    0  0.0   0:00.00 cpuset
   14 root       0 -20     0    0    0 S    0  0.0   0:00.00 khelper
   15 root      20   0     0    0    0 S    0  0.0   0:00.00 kdevtmpfs
   16 root       0 -20     0    0    0 S    0  0.0   0:00.00 netns
   17 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/u:1
   18 root      20   0     0    0    0 S    0  0.0   0:00.00 sync_supers
   19 root      20   0     0    0    0 S    0  0.0   0:00.00 bdi-default
   20 root       0 -20     0    0    0 S    0  0.0   0:00.00 kintegrityd
   21 root       0 -20     0    0    0 S    0  0.0   0:00.00 kblockd
   22 root       0 -20     0    0    0 S    0  0.0   0:00.00 ata_sff
   23 root      20   0     0    0    0 S    0  0.0   0:00.00 khubd
   24 root       0 -20     0    0    0 S    0  0.0   0:00.00 md
   25 root      20   0     0    0    0 S    0  0.0   0:00.05 kworker/1:1
   26 root      20   0     0    0    0 S    0  0.0   0:00.00 khungtaskd
   27 root      20   0     0    0    0 S    0  0.0   0:00.00 kswapd0
   28 root      25   5     0    0    0 S    0  0.0   0:00.00 ksmd
   29 root      39  19     0    0    0 S    0  0.0   0:00.00 khugepaged
   30 root      20   0     0    0    0 S    0  0.0   0:00.00 fsnotify_mark
   31 root      20   0     0    0    0 S    0  0.0   0:00.00 ecryptfs-kthrea
   32 root       0 -20     0    0    0 S    0  0.0   0:00.00 crypto
   40 root       0 -20     0    0    0 S    0  0.0   0:00.00 kthrotld
   41 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_0
   42 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_1
   63 root       0 -20     0    0    0 S    0  0.0   0:00.00 devfreq_wq
  238 root       0 -20     0    0    0 S    0  0.0   0:00.00 mpt_poll_0
  241 root       0 -20     0    0    0 S    0  0.0   0:00.00 mpt/0
  246 root       0 -20     0    0    0 S    0  0.0   0:00.00 ttm_swap
  247 root      20   0     0    0    0 S    0  0.0   0:00.08 kworker/1:2
  256 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_2
  333 root       0 -20     0    0    0 S    0  0.0   0:00.00 ext4-dio-unwrit
  541 root      20   0 17608 1120  532 S    0  0.0   0:00.04 upstart-udev-br
  550 root      20   0 22076 1892  824 S    0  0.0   0:00.04 udevd
  702 root      20   0 22072 1456  384 S    0  0.0   0:00.00 udevd
  703 root      20   0 22072 1412  340 S    0  0.0   0:00.00 udevd
  755 root      20   0 50032 2900 2292 S    0  0.0   0:00.00 sshd
  757 root      20   0     0    0    0 S    0  0.0   0:00.25 kworker/0:3
  778 root       0 -20     0    0    0 S    0  0.0   0:00.00 kmpathd
  779 root       0 -20     0    0    0 S    0  0.0   0:00.00 kmpath_handlerd
  780 root       0 -20     0    0    0 S    0  0.0   0:00.00 edac-poller
  784 root       0 -20     0    0    0 S    0  0.0   0:00.00 kpsmoused
  786 syslog    20   0  243m 1560 1124 S    0  0.0   0:00.04 rsyslogd
  834 messageb  20   0 24272 1456  800 S    0  0.0   0:00.06 dbus-daemon
  875 root      20   0 21188 1704 1428 S    0  0.0   0:00.00 bluetoothd
  899 root      20   0  101m 3684 2728 S    0  0.1   0:00.00 cupsd
  902 avahi     20   0 32304 1704 1400 S    0  0.0   0:00.00 avahi-daemon
  904 avahi     20   0 32180  472  216 S    0  0.0   0:00.00 avahi-daemon
  913 root      10 -10     0    0    0 S    0  0.0   0:00.00 krfcommd
  916 root      20   0     0    0    0 S    0  0.0   0:00.06 flush-8:0
 1002 root      20   0 79040 3172 2384 S    0  0.1   0:00.01 modem-manager
 1034 root      20   0 15188  392  200 S    0  0.0   0:00.00 upstart-socket-
 1079 root      20   0  235m 5696 4576 S    0  0.1   0:00.05 NetworkManager
 1090 root      20   0 20024  960  804 S    0  0.0   0:00.00 getty
 1094 root      20   0 20024  964  804 S    0  0.0   0:00.00 getty
 1104 root      20   0  207m 4836 3624 S    0  0.1   0:00.03 polkitd
 1107 root      20   0 20024  964  804 S    0  0.0   0:00.00 getty
 1108 root      20   0 20024  964  804 S    0  0.0   0:00.00 getty
 1111 root      20   0 20024  968  804 S    0  0.0   0:00.00 getty
 1133 root      20   0  4460  812  552 S    0  0.0   0:00.00 acpid
 1135 root      20   0 19112 1024  780 S    0  0.0   0:00.00 cron
 1136 daemon    20   0 16908  380  220 S    0  0.0   0:00.00 atd
 1137 root      20   0  280m 4272 3508 S    0  0.1   0:00.01 lightdm
 1161 root      20   0 15980  684  504 S    0  0.0   0:00.02 irqbalance
 1186 root      20   0  156m  19m 9836 S    0  0.3   0:00.46 Xorg
 1196 root      20   0 12804  540  352 S    0  0.0   0:00.00 ossec-execd
 1210 root      20   0 1018m 4008 2852 S    0  0.1   0:00.06 console-kit-dae
 1212 ossec     20   0 14508 2340  780 S    0  0.0   0:00.96 ossec-analysisd
 1216 root      20   0  4524  556  420 S    0  0.0   0:00.01 ossec-logcollec
 1329 root      20   0  185m 4684 3696 S    0  0.1   0:00.00 lightdm
 1332 root      20   0  132m 4384 3680 S    0  0.1   0:00.02 accounts-daemon
 1334 nobody    20   0 33060 1280 1056 S    0  0.0   0:00.00 dnsmasq
 1368 root      20   0  5196 1204  492 S    0  0.0   0:03.58 ossec-syscheckd
 1375 ossec     20   0 13060  548  364 S    0  0.0   0:00.00 ossec-monitord
 1408 lightdm   20   0  4400  616  508 S    0  0.0   0:00.00 lightdm-greeter
 1413 lightdm   20   0 23948  692  448 S    0  0.0   0:00.00 dbus-daemon
 1414 lightdm   20   0  244m  13m  10m S    0  0.2   0:00.54 lightdm-gtk-gre
 1459 lightdm   20   0 52420 2392 1992 S    0  0.0   0:00.00 gvfsd
 1565 lightdm   20   0  215m 3608 2996 S    0  0.1   0:00.00 gvfs-fuse-daemo
 1661 root      20   0  101m 4404 3352 S    0  0.1   0:00.01 sshd
 1805 root      20   0  176m  12m 6608 S    0  0.2   0:00.06 /usr/sbin/apach
 1810 root      20   0  215m 2060 1764 S    0  0.0   0:00.00 PassengerWatchd
 1813 root      20   0  288m 2284 2000 S    0  0.0   0:00.00 PassengerHelper
 1815 root      20   0  108m 8180 2148 S    0  0.1   0:00.05 ruby1.9.1
 1818 nobody    20   0  165m 4668 3640 S    0  0.1   0:00.00 PassengerLoggin
 1976 sguilina  20   0  101m 1992  940 S    0  0.0   0:00.01 sshd
 1977 sguilina  20   0 31032 8072 1732 S    0  0.1   0:00.30 bash
 1980 root      20   0  214m 4296 3336 S    0  0.1   0:00.07 upowerd
 2025 www-data  20   0  176m 6908  660 S    0  0.1   0:00.00 /usr/sbin/apach
 2026 www-data  20   0  176m 6908  660 S    0  0.1   0:00.00 /usr/sbin/apach
 2027 www-data  20   0  176m 6908  660 S    0  0.1   0:00.00 /usr/sbin/apach
 2028 www-data  20   0  176m 6908  660 S    0  0.1   0:00.00 /usr/sbin/apach
 2029 www-data  20   0  176m 6908  660 S    0  0.1   0:00.00 /usr/sbin/apach
 2080 root      20   0 94656 2584 1900 S    0  0.0   0:00.00 lightdm
 2229 root      20   0 20024  956  800 S    0  0.0   0:00.00 getty
 2279 root      20   0  101m 4364 3328 S    0  0.1   0:00.00 sshd
 2281 root      20   0  101m 4368 3328 S    0  0.1   0:00.00 sshd
 2474 srvranal  20   0  101m 1616  580 S    0  0.0   0:00.00 sshd
 2550 wrkstnse  20   0  101m 1620  580 S    0  0.0   0:00.00 sshd
 2551 root      20   0  101m 4364 3328 S    0  0.1   0:00.00 sshd
 2686 dmzanaly  20   0  101m 1616  580 S    0  0.0   0:00.00 sshd
 5211 root      20   0  126m 4284  976 S    0  0.1   0:00.00 tclsh
 5212 root      20   0  125m 4040  736 S    0  0.1   0:00.00 tclsh
 5398 ntp       20   0 37772 2248 1616 S    0  0.0   0:00.02 ntpd
 7313 www-data  20   0  428m  93m 3848 S    0  1.6   0:02.85 ruby
 7541 root      19  -1 14888 1932  308 S    0  0.0   0:00.00 dema
 8068 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/0:2
 8179 root      20   0 78152 2384 1776 S    0  0.0   0:00.00 sudo
 8180 root      20   0 16556 1472 1248 S    0  0.0   0:00.00 sostat
 8245 root      20   0 17336 1224  896 R    0  0.0   0:00.00 top

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.


Heine Lysemose

May 8, 2013, 2:33:07 PM
to securit...@googlegroups.com

Stupid autocomplete, that should have been IP address!!

Heine Lysemose

May 8, 2013, 3:01:56 PM
to securit...@googlegroups.com

Just to point out that you don't need a monitoring interface on a server-only installation.

/Lysemose

On May 8, 2013 8:57 PM, "Jordan" <webe...@gmail.com> wrote:
That is odd... I have it set up as a server only, but I didn't notice that before. Eth0, I believe, is supposed to be the management interface and Eth1 is supposed to be the monitor interface. Thanks for pointing that out; I completely missed that. I will try re-setting up the interfaces and see if that does the trick.

Doug Burks

May 9, 2013, 4:34:44 PM
to securit...@googlegroups.com
Hi Jordan,

I don't think promiscuous mode has anything to do with this
ossec_agent issue, but please send the contents of your
/etc/network/interfaces file anyway.

If ossec_agent is getting connection refused, then I wonder if Sguil
is still in the process of initializing. When you run "sudo sostat",
what is the number under "Sguil Uncategorized Events"? A high number
would indicate a long startup time for Sguil before it would allow
ossec_agent to connect.

Thanks,
Doug


On Thu, May 9, 2013 at 8:47 AM, Jordan <webe...@gmail.com> wrote:
> Alright, I reconfigured the network interfaces and both came back as promiscuous mode when I restarted. Will simply turning off promiscuous mode on eth0 do the trick? I am still getting the same error of connection refused.
--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

May 10, 2013, 9:07:16 AM
to securit...@googlegroups.com
Replies inline.

On Fri, May 10, 2013 at 8:11 AM, Jordan <webe...@gmail.com> wrote:
<snip>
> auto eth1
> iface eth1 inet manual
> up ifconfig $IFACE -arp up
> up ip link set $IFACE promisc on
> down ip link set $IFACE promisc off
> down ifconfig $IFACE down
> post-up ethtool -G $IFACE rx 511; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
> post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

Based on this, it looks like when you ran Setup, you told it that you
were going to be using eth1 for sniffing. If you don't want the
interface going into promiscuous mode, then you can remove the lines
containing "promisc". If you don't need the interface at all, you can
probably just remove the entire eth1 stanza.

> And here is my uncategorized events:
>
> Sguil Uncategorized Events
> =========================================================================
> +----------+
> | COUNT(*) |
> +----------+
> | 465 |
> +----------+
>
> Is that a lot of uncategorized events? I have read that some people were having upwards of thousands and that was the cause to many problems.

No, that's not a lot. Take a look at your sguild log file
(/var/log/nsm/securityonion/sguild.log) for any potential clues as to
why ossec_agent is getting "Connection Refused.".

Thanks,

Doug Burks

May 11, 2013, 7:28:40 AM
to securit...@googlegroups.com
Looks like sguild is refusing the connection based on the access
control settings in sguild.access. Have you made any changes to
/etc/nsm/securityonion/sguild.access?

Thanks,
Doug

On Fri, May 10, 2013 at 9:39 AM, Jordan <webe...@gmail.com> wrote:
> I re-set up the interfaces to only have a management interface on Eth0 and turned off Eth1 since I was not doing any sniffing with it. I then searched through the sguild.log file and found this at the start of the new log after a restart.
>
> Sguild Initialized.
> 2013-05-10 13:30:37 pid(7826) Sensor agent connect from (ServerIP):50412 sock15
> 2013-05-10 13:30:37 pid(7826) Validating sensor access: (ServerIP) :
> 2013-05-10 13:30:37 pid(7826) Sending sock15: Connection Refused.
> 2013-05-10 13:30:37 pid(7826) Invalid access attempt from (ServerIP)
>
> And that is the only info I get from the server trying to connect to itself. Ossec agent is still failing with this error.
> ~$ Executing: /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
> ~$ Error: can't read "sguildSocketID": no such variable
> ~$ Error: can't read "sguildSocketID": no such variable
> ~$ Connection Refused.
Doug Burks

May 13, 2013, 8:30:11 AM
to securit...@googlegroups.com
Yep!
Doug

On Mon, May 13, 2013 at 8:13 AM, Jordan <webe...@gmail.com> wrote:
> Yes, I had altered that file when I initially installed SO. I had a honeypot giving the server issues, so I limited the connectable sensor access. Do I need to add the server to the sensor IP allow list so that ossec can connect to it?

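An added check, not part of the thread and not Sguil's or Security Onion's own code: given sguild.log lines of the kind posted above, list which connecting addresses sguild rejected and test them against the allow list, so the entry you add to sguild.access is the address sguild actually saw. The "sensor <address>" / "client <address>" layout with an ANY wildcard is my assumption about the sguild.access syntax (CIDR entries are an assumption too), and both the access file and the log excerpt in the block are constructed samples. One caveat worth keeping in mind: the "Connection Refused." in ossec_agent.log is an application-level reply that sguild sends on an already-established socket (the log above shows it going out on sock15), so a plain TCP connect test against port 7736 would succeed and tell you nothing; what matters is the address sguild prints after "Invalid access attempt from".

```python
import ipaddress
import re

# Constructed sample of an sguild.access allow list.  The "<category> <address>"
# layout with an ANY wildcard is an ASSUMPTION about the file's syntax; CIDR
# entries are handled here, but whether sguild itself accepts them is also assumed.
SGUILD_ACCESS = """\
# category  address-or-ANY
client ANY            # analyst consoles (port 7734) from anywhere
sensor 10.0.1.11      # SO-Sensor-1
sensor 10.0.1.12      # SO-Sensor-2
sensor 10.0.1.13      # SO-Sensor-3
"""

# Constructed sguild.log excerpt shaped like the lines posted in the thread.
# 10.0.1.1 stands in for the server itself (the thread's "(ServerIP)").
SGUILD_LOG = """\
2013-05-10 13:30:37 pid(7826) Sensor agent connect from 10.0.1.1:50412 sock15
2013-05-10 13:30:37 pid(7826) Validating sensor access: 10.0.1.1 :
2013-05-10 13:30:37 pid(7826) Sending sock15: Connection Refused.
2013-05-10 13:30:37 pid(7826) Invalid access attempt from 10.0.1.1
2013-05-10 13:30:52 pid(7826) Sensor agent connect from 10.0.1.12:35071 sock16
2013-05-10 13:30:52 pid(7826) Validating sensor access: 10.0.1.12 :
"""

REFUSED_RE = re.compile(r"Invalid access attempt from (\S+)")


def parse_access(text):
    """Return {"sensor": [...], "client": [...]}; entries are "ANY" or an ip_network."""
    allow = {"sensor": [], "client": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        parts = line.split()
        if len(parts) != 2 or parts[0].lower() not in allow:
            continue                                # ignore malformed or unknown lines
        category, addr = parts[0].lower(), parts[1]
        if addr.upper() == "ANY":
            allow[category].append("ANY")
        else:
            # strict=False so "10.0.1.0/24" and a bare "10.0.1.11" both parse
            allow[category].append(ipaddress.ip_network(addr, strict=False))
    return allow


def is_allowed(allow, category, addr):
    """True if addr matches an ANY entry or any network listed for the category."""
    ip = ipaddress.ip_address(addr)
    return any(e == "ANY" or ip in e for e in allow.get(category, []))


def refused_sensors(log_text):
    """Addresses sguild logged as invalid access attempts, deduplicated, in order."""
    seen = []
    for m in REFUSED_RE.finditer(log_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def missing_sensor_entries(access_text, log_text):
    """Refused addresses that still have no matching sensor entry in the allow list."""
    allow = parse_access(access_text)
    return [a for a in refused_sensors(log_text) if not is_allowed(allow, "sensor", a)]


if __name__ == "__main__":
    for addr in missing_sensor_entries(SGUILD_ACCESS, SGUILD_LOG):
        print("sguild refused %s and sguild.access has no sensor entry for it; "
              "add a line: sensor %s" % (addr, addr))
```

Against a live box you would feed the real files to missing_sensor_entries (read /etc/nsm/securityonion/sguild.access and /var/log/nsm/securityonion/sguild.log) and add a sensor line for each address it returns. sguild reads the access file when it starts, so restart it after editing rather than assuming it re-reads the file.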
Doug Burks

May 16, 2013, 8:24:39 AM
to securit...@googlegroups.com
It's possible that the ossec_agent hasn't had any logs to send to
sguild in a while and is therefore marked DOWN. Can you try forcing
some events to happen that will generate OSSEC alerts to send to
sguild?

Thanks,
Doug

On Thu, May 16, 2013 at 8:15 AM, Jordan Weber <webe...@gmail.com> wrote:
> OK, so the Sguil client shows that each of the ossec agents on my 3 sensors and my server are down. However, when I run nsm_sensor_ps-status on the command line, everything says it's running fine. No errors in the log files either.