pf_ring

Demar Joseph
Aug 4, 2016, 4:53:08 AM
to security-onion
So I have been battling SO for a few days now, non-ISO, installed on top of Ubuntu. Everything is working but Suricata, which dies after starting nsm. I have tried all the "fixes": different kernel, reinstalling the pf_ring module.

suricata.log

4/8/2016 -- 03:19:12 - <Error> - [ERRCODE: SC_ERR_PF_RING_OPEN(34)] - Failed to open tun0: pfring_open error. Check if tun0 exists and pf_ring module is loaded.
4/8/2016 -- 03:19:12 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-tun0" closed on initialization.
4/8/2016 -- 03:19:12 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

sostat-redacted (interesting parts)

grep: /proc/net/pf_ring/*-*: No such file or directory
grep: /proc/net/pf_ring/*-*: No such file or directory
grep: /proc/net/pf_ring/*-*: No such file or directory
awk: cmd. line:2: (FILENAME=- FNR=1) fatal: division by zero attempted


Status: SO-server-tun0
* snort_agent (SO-user)[ OK ]
* suricata (alert data)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* barnyard2 (spooler, unified2 format)[ OK ]

=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.4.1 (unknown)
Total rings : 0

Standard (non ZC) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0



Last update
=========================================================================

Start-Date: 2016-08-03 17:55:16
Commandline: apt-get install --reinstall securityonion-pfring-module
Reinstall: securityonion-pfring-module:amd64 (20121107-0ubuntu0securityonion28)
End-Date: 2016-08-03 17:55:52

Start-Date: 2016-08-04 03:15:44
Commandline: apt-get install --reinstall securityonion-pfring-module
Reinstall: securityonion-pfring-module:amd64 (20121107-0ubuntu0securityonion28)
End-Date: 2016-08-04 03:17:09

=================================



The sostat grep errors are weird because the path does contain files:

xxxxx:/proc/net/pf_ring# ls
dev info plugins_info stats



Now frustrated,
Thanks!
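The two things the Suricata message asks to verify (that the interface exists and that the pf_ring module is loaded), plus the ring count behind the sostat grep errors, as a POSIX shell pre-flight script. This is an added example and not code from Security Onion, Suricata or anyone in the thread; the three path variables and all function names are hypothetical, and the assumption it rests on is that pf_ring creates one procfs entry per open ring named <pid>-<iface>.<id>, which is what sostat's "*-*" glob is matching.

```shell
#!/bin/sh
# Added example, not Security Onion's or Suricata's own code: pre-flight checks for
# the two conditions Suricata's SC_ERR_PF_RING_OPEN message names (interface exists,
# pf_ring module loaded), plus a look at pf_ring's procfs tree. The three path
# variables default to the real locations; they are overridable only so the checks
# can be exercised against a constructed directory tree.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"        # one subdirectory per network interface
SYSFS_MODULE="${SYSFS_MODULE:-/sys/module}"     # one subdirectory per loaded kernel module
PFRING_PROC="${PFRING_PROC:-/proc/net/pf_ring}" # pf_ring's procfs tree

# "Check if tun0 exists": the kernel exposes every interface under /sys/class/net.
iface_exists() { [ -d "$SYSFS_NET/$1" ]; }

# "Check if pf_ring module is loaded": a loaded module has a /sys/module entry.
pfring_module_loaded() { [ -d "$SYSFS_MODULE/pf_ring" ]; }

# Pull "Total rings" out of /proc/net/pf_ring/info text (same layout sostat prints).
pfring_total_rings() {
    printf '%s\n' "$1" | awk -F: '/^Total rings/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Assumption: pf_ring creates one procfs entry per open ring, named <pid>-<iface>.<id>.
# That is the "*-*" glob sostat greps, so with zero rings grep prints "No such file
# or directory" even though dev/, info, plugins_info and stats/ are present.
pfring_open_rings() {
    n=0
    for f in "$PFRING_PROC"/*-*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Same count, restricted to rings bound to one interface.
pfring_rings_on_iface() {
    n=0
    for f in "$PFRING_PROC"/*-"$1".*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# All checks for one interface. Prints one line per finding; returns 0 only when the
# interface exists, the module is loaded and at least one ring is bound to it.
pfring_preflight() {
    iface="$1"
    rc=0
    if iface_exists "$iface"; then
        echo "ok   interface $iface exists"
    else
        echo "FAIL interface $iface is missing"; rc=1
    fi
    if pfring_module_loaded; then
        echo "ok   pf_ring module is loaded"
    else
        echo "FAIL pf_ring module is not loaded"; rc=1
    fi
    if [ -r "$PFRING_PROC/info" ]; then
        echo "info pf_ring reports $(pfring_total_rings "$(cat "$PFRING_PROC/info")") ring(s) in total"
    else
        echo "FAIL $PFRING_PROC/info is not readable"; rc=1
    fi
    rings=$(pfring_rings_on_iface "$iface")
    if [ "$rings" -gt 0 ]; then
        echo "ok   $rings ring(s) open on $iface"
    else
        echo "WARN no ring open on $iface: no capture process is attached to it"; rc=1
    fi
    return "$rc"
}

# Usage: sudo sh pfring_check.sh tun0   (with no argument the script only defines the functions)
if [ -n "${1:-}" ]; then
    pfring_preflight "$1"
fi
```

Read against the sostat excerpt above, "Total rings : 0" and the grep errors are the same finding: no process had a ring open at the time sostat ran, which is what you expect once Suricata has already exited. The check is therefore most informative when run while the capture process is supposed to be up.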

Doug Burks

Aug 4, 2016, 5:13:01 AM
to securit...@googlegroups.com
Hi Demar,

Does tun0 exist?

Are you able to provide the full sostat-redacted output?

Please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your
terminal's scroll buffer OR redirect the output of the command to a
file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.

Attach the output to your email in plain text format (.txt) OR use a
service like http://pastebin.com.



--
Doug Burks

Demar Joseph

Aug 8, 2016, 11:24:42 AM
to security-onion

Hey Doug,

Thanks. Yes, tun0 exists. Log attached.

Best Regards,

sostat.txt

Doug Burks

Aug 8, 2016, 11:41:04 AM
to securit...@googlegroups.com
Hi Demar,

What is the full output of the following?

uname -a

sudo apt-get install --reinstall securityonion-pfring-module

sudo soup

Demar Joseph

Aug 8, 2016, 1:20:21 PM
to security-onion
uname -a : 3.13.0-92-generic #139-Ubuntu SMP Tue Jun 28 20:42:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


pf reinstall:

Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/87.5 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 87757 files and directories currently installed.)
Preparing to unpack .../securityonion-pfring-module_20121107-0ubuntu0securityonion28_all.deb
...
Stopping: HIDS
* stopping: ossec_agent (sguil) [ OK ]
Stopping: Bro
stopping vps90275.vps.ovh.ca-tun0-1 ...
stopping proxy ...
stopping manager ...
Stopping: vps90275.vps.ovh.ca-tun0
* stopping: snort_agent (sguil) [ OK ]
* stopping: suricata (alert data) (not running) [ WARN ]
- stale PID file found, deleting!
* stopping: barnyard2 (spooler, unified2 format) [ OK ]
Waiting up to 30 seconds for processes to terminate gracefully.
Removing pf_ring from /etc/modules...done.
Attempting to remove pf_ring from running kernel...done.
Removing pf_ring from DKMS...done.
Unpacking securityonion-pfring-module (20121107-0ubuntu0securityonion28) over (20121107-0ubuntu0securityonion28) ...
Setting up securityonion-pfring-module (20121107-0ubuntu0securityonion28) ...
Loading new pf_ring-6 DKMS files...
First Installation: checking all kernels...
Building only for 3.13.0-92-generic
Building for architecture x86_64
Building initial module for 3.13.0-92-generic
Done.

pf_ring:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/3.13.0-92-generic/updates/dkms/

depmod....

DKMS: install completed.
Starting: HIDS
* starting: ossec_agent (sguil) [ OK ]
Starting: Bro
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
starting manager ...
starting proxy ...
starting vps90275.vps.ovh.ca-tun0-1 ...
Starting: vps90275.vps.ovh.ca-tun0
* starting: snort_agent (sguil) [ OK ]
* starting: suricata (alert data) [ OK ]
* starting: barnyard2 (spooler, unified2 format) [ OK ]

soup:

###########################################################################
This script will automatically install all available updates
and remove any old kernels (keeping at least two kernels).

For distributed deployments, please ensure this script is
run on the master server before updating sensors.

If mysql-server updates are available, it will stop sensor processes
to ensure a clean update.

At the end of the script, if mysql-server and/or kernel updates
were installed, you will be prompted to reboot.
###########################################################################

Press Enter to continue or Ctrl-C to cancel.

Checking for kernels that can be removed...
No kernels are eligible for removal

Checking for updates...
Reading package lists... Done
Building dependency tree
Reading state information... Done
securityonion-pfring-module is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
###########################################################################
All updates have been installed.

Demar Joseph

Aug 8, 2016, 1:51:01 PM
to security-onion

uname -a : 3.13.0-92-generic #139-Ubuntu SMP Tue Jun 28 20:42:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Demar Joseph

Aug 10, 2016, 11:19:30 AM
to security-onion


and * starting: suricata (alert data) fails 2 mins later......

Demar Joseph

Aug 17, 2016, 4:25:05 PM
to security-onion

Since I can get no further help, does anyone know a stable kernel version that works with the latest pf_ring?

Wes

Aug 17, 2016, 6:07:57 PM
to security-onion

Sorry for the late response.

Have you tried reverting to a previous OS kernel and seeing if it helps any? I wouldn't think it would matter, as I hadn't heard of anyone having issues with this particular kernel, but it may help.

Thanks,
Wes

Strix

Apr 7, 2018, 9:23:50 AM
to security-onion
I installed Security Onion on my Ubuntu 14.04.5 VPS and I am getting the following error.

Status: securityonion
* sguil server [ OK ]
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Started
manager manager localhost running 7685 07 Apr 12:07:14
proxy proxy localhost running 7857 07 Apr 12:07:15
onion-br0-1 worker localhost running 8038 07 Apr 12:07:17
Status: onion-br0
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent-1 (sguil) [ OK ]
* snort_agent-2 (sguil) [ OK ]
* snort-1 (alert data) [ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* snort-2 (alert data) [ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* barnyard2-1 (spooler, unified2 format) [ OK ]
* barnyard2-2 (spooler, unified2 format) [ OK ]


Here is more info on my server.

Linux onion 4.13.13-4-pve #1 SMP PVE 4.13.13-35 (Mon, 8 Jan 2018 10:26:58 +0100) x86_64 x86_64 x86_64 GNU/Linux


I have followed the cloud client guide on github to set it up. It was successful when I tried it with Ubuntu 14.04.5 Digital Ocean droplets. I have noticed that the Digital Ocean Droplet had a lower kernel version.

I have attached the sostat-redacted in a txt file.

And my apache2 is also not running.
sostat-redacted.txt

Wes Lambert

Apr 7, 2018, 9:34:27 AM
to securit...@googlegroups.com
Strix,

Please start a new thread instead of replying to an old one.

Thanks,
Wes

Strix

Apr 7, 2018, 9:44:27 AM
to security-onion
Thank you Wes for the quick response.

As per your suggestion, I have started a new thread.

Regards,

Strix
