Re: [security-onion] SGUIL, Snorby, Squert not showing any events


Heine Lysemose

Dec 4, 2014, 10:05:47 AM
to securit...@googlegroups.com

Hi

Your hardware specs are a bit off...

* You need two network interfaces. One Management and one for sniffing/monitoring
* You need at least 3GB of memory

Checking Elsa
        sudo ps aux | grep delayed_job

This actually checks for a Snorby process, not ELSA.

Regards,
Lysemose

On Dec 4, 2014 1:49 PM, "Juanma Lainez" <juanma...@gmail.com> wrote:
Hi There,

Just finished a little lab following the Introduction Walkthrough from: https://code.google.com/p/security-onion/wiki/IntroductionWalkthrough

I ran updates using the "sudo soup" script and ran a "sudo rule-update".

It's installed on a VM with access to the internet and the LAN. Our network uses a different IP range than the private RFC1918 ones, therefore I changed the sensor configuration found in /etc/nsm/SecOn-eth1 and I updated:

The HOME_NET variable of snort.conf and prads.conf accordingly
Bro's network configuration held in /opt/bro/etc/networks.cfg

I restarted the sensors with "sudo nsm_sensor_ps-restart" and ran a few checks:

Checking NSM system
        sudo sostat-quick

Checking Elsa
        sudo ps aux | grep delayed_job

Checking Snort
        sudo ps aux | grep snort | grep -v grep

Checking Sensors
        sudo nsm_sensor_ps-status

Everything looks good and all sensors reported OK. I ran "sostat | less" and have some questions; I am really a newbie in Linux, IDS and pentesting, and I am trying to improve that lack of skills.

According to the report I think that there is a big amount of traffic on the monitor sensor eth1; there are Bro stats, but no Sguil or Snorby events either.

If I disconnect the machine from the network and run "sudo tcpreplay -i eth1 -M10 /opt/samples/*.pcap", funnily enough reports start to flow to Snorby and Sguil.

Any help will be very much appreciated; it's the second or third time that I have tried to install it without success.

I tried to run "curl http://testmyids.com" a few times, but nothing shows up in Sguil or Snorby when working normally with the LAN/Internet connection.

An extract from the report:

========================================================================
Service Status
=========================================================================
Status: securityonion
  * sguil server[  OK  ]
Status: HIDS
  * ossec_agent (sguil)[  OK  ]
Status: Bro
Name         Type       Host          Status    Pid    Peers  Started
bro          standalone localhost     running   14632  0      04 Dec 10:15:31
Status: SecOn-eth1
  * netsniff-ng (full packet data)[  OK  ]
  * pcap_agent (sguil)[  OK  ]
  * snort_agent-1 (sguil)[  OK  ]
  * snort-1 (alert data)[  OK  ]
  * barnyard2-1 (spooler, unified2 format)[  OK  ]
  * prads (sessions/assets)[  OK  ]
  * sancp_agent (sguil)[  OK  ]
  * pads_agent (sguil)[  OK  ]
  * argus[  OK  ]
  * http_agent (sguil)[  OK  ]
========================================================================
Interface Status
=========================================================================
eth1      Link encap:Ethernet
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:100620 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36089781 (36.0 MB)  TX bytes:168 (168.0 B)
========================================================================
Link Statistics
=========================================================================
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

    RX: bytes  packets  errors  dropped overrun mcast
    36089781   100620   0       0       0       0
    RX errors: length  crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    168        2        0       0       0       0
    TX errors: aborted fifo    window  heartbeat
               0        0       0       0
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth1: 5911
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

        bro: 1417695060.790516 recvd=71959 dropped=0 link=71959

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SecOn-eth1/snort-1.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version          : 6.0.2 ($Revision: $)
Total rings              : 2

Standard (non DNA) Options
Ring slots               : 4096
Slot version             : 16
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/14632-eth1.14
Appl. Name         : <unknown>
Tot Packets        : 71965
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Min Num Slots      : 4096
Num Free Slots     : 4096

/proc/net/pf_ring/18168-eth1.21
Appl. Name         : snort-cluster-52-socket-0
Tot Packets        : 56297
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Min Num Slots      : 4098
Num Free Slots     : 4095

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
0

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Total
0

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1426 supervising syslog-ng
1427 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1731 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1504 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
-rw-r--r-- 1 root root  1153 Dec  4 12:11 /nsm/elsa/data/elsa/tmp/buffers/1417695053.17752
-rw-r--r-- 1 root root 25095 Dec  4 12:10 /nsm/elsa/data/elsa/tmp/buffers/1417694993.17048
-rw-r--r-- 1 root root    69 Dec  4 12:10 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv

ELSA Directory Sizes:
126M    /nsm/elsa/data
2.5M    /var/lib/mysql/syslog
4.3M    /var/lib/mysql/syslog_data

ELSA Index Date Range:
MIN(start)      MAX(end)
2014-10-20 11:42:27     2014-12-04 12:09:47

=========================================================================
CPU Usage
=========================================================================
top - 12:11:00 up  2:42,  1 user,  load average: 0.09, 0.09, 0.16
Tasks: 197 total,   3 running, 192 sleeping,   0 stopped,   2 zombie
Cpu(s): 10.1%us,  3.7%sy,  0.1%ni, 82.4%id,  3.6%wa,  0.0%hi,  0.2%si,  0.0%st
Mem:   2049604k total,  1876104k used,   173500k free,    13592k buffers
Swap:  3119900k total,  1185864k used,  1934036k free,   133784k cached

=========================================================================
Disk Usage
=========================================================================
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        57G  6.0G   49G  11% /
udev            987M  4.0K  987M   1% /dev
tmpfs           201M  776K  200M   1% /run
none            5.0M     0  5.0M   0% /run/lock
none           1001M   80K 1001M   1% /run/shm




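Following up on Heine's point that `grep delayed_job` finds Snorby's worker rather than anything belonging to ELSA, here is an added shell example (not code from the thread and not part of Security Onion) that classifies a `ps aux` snapshot by component, tells you whether a grep pattern actually covers the component you think you are checking, and lists entries of the sostat "Service Status" block that are not marked OK. The `PS_SAMPLE` and `STATUS_SAMPLE` inputs are constructed so the script runs offline; the component labels and the assumption that a failed service is printed as `[ FAIL ]` are mine, not documented Security Onion behaviour.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion itself.
# Maps `ps aux` command lines to Security Onion components so that a
# process check is attributed to the right stack, and flags services the
# sostat "Service Status" block does not report as OK.
# PS_SAMPLE and STATUS_SAMPLE are constructed; on a real sensor pass
# "$(ps aux)" to count_component and the real status block to failed_services.

PS_SAMPLE='root         1427  0.0  0.1  /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
mysql        1731  0.5  4.0  /usr/sbin/mysqld
sphinxsearch 1504  0.0  0.3  /usr/bin/searchd --nodetach
snorby       2210  0.1  2.0  ruby script/delayed_job run
sguil       14632  3.0  6.0  /opt/bro/bin/bro -i eth1 local.bro
sguil       18168  9.0 12.0  /usr/bin/snort -c /etc/nsm/SecOn-eth1/snort.conf -i eth1
sguil       18200  0.2  1.0  /usr/bin/barnyard2 -c /etc/nsm/SecOn-eth1/barnyard2-1.conf
analyst      3001  0.0  0.0  grep delayed_job'

STATUS_SAMPLE='  * netsniff-ng (full packet data)[  OK  ]
  * snort-1 (alert data)[  OK  ]
  * barnyard2-1 (spooler, unified2 format)[ FAIL ]
  * prads (sessions/assets)[  OK  ]'

# component_of CMDLINE: print the component a ps line belongs to (labels assumed).
component_of() {
  case "$1" in
    *grep*)        echo "grep-self" ;;       # the grep that ran the check itself
    *delayed_job*) echo "snorby-worker" ;;   # Snorby's background job runner, not ELSA
    *searchd*)     echo "elsa-sphinx" ;;     # ELSA's Sphinx search daemon
    *syslog-ng*)   echo "elsa-syslog-ng" ;;  # ELSA's log collector
    *mysqld*)      echo "mysql" ;;           # shared by Sguil, Snorby and ELSA
    *barnyard2*)   echo "barnyard2" ;;
    */bro*)        echo "bro" ;;
    *snort*)       echo "snort" ;;
    *)             echo "other" ;;
  esac
}

# count_component NAME [PS_OUTPUT]: number of processes classified as NAME.
count_component() {
  printf '%s\n' "${2:-$PS_SAMPLE}" | {
    n=0
    while IFS= read -r line; do
      [ -n "$line" ] || continue
      if [ "$(component_of "$line")" = "$1" ]; then
        n=$((n + 1))
      fi
    done
    echo "$n"
  }
}

# check_claim PATTERN CLAIMED: does a `grep PATTERN` check really cover CLAIMED?
check_claim() {
  actual=$(component_of "$1")
  case "$actual" in
    "$2"*) echo "ok: $1 belongs to $actual" ;;
    *)     echo "mismatch: $1 belongs to $actual, not $2" ;;
  esac
}

# failed_services STATUS_BLOCK: names of "  * name (...)[ FAIL ]" entries.
failed_services() {
  printf '%s\n' "$1" | sed -n 's/^ *\* \([^ ]*\) .*\[ *FAIL *\].*/\1/p'
}

# Demo run against the constructed samples.
check_claim delayed_job elsa
check_claim searchd elsa
echo "snorby workers running: $(count_component snorby-worker)"
echo "services not OK:"
failed_services "$STATUS_SAMPLE"
```

The `grep-self` label matters in practice: the `grep` that runs the check shows up in its own `ps aux` output, which is why the Snort check in the thread pipes through `grep -v grep`; counting by component instead of by raw line count avoids that false positive.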

Heine Lysemose

Dec 5, 2014, 2:14:14 AM
to securit...@googlegroups.com
Hi

Could you please send the output of "sudo sostat-redacted" so we can have full details of the system.

Regards,
Lysemose

On Thu, Dec 4, 2014 at 9:28 PM, Juanma Lainez <juanma...@gmail.com> wrote:
Hi Heine,

I am a newbie, but I know that you need at least two interfaces. I just copied and pasted an extract, not a full copy, from the "sostat | less" results report, with the most relevant information.

There are two interfaces, eth0 for the network and eth1 for the sensor; I just omitted some irrelevant data from the report.

Thanks for your comment about "sudo ps aux | grep delayed_job" checking Snorby and not ELSA, I will update my notes.

I will try to upgrade memory tomorrow morning.