Re: [security-onion] No event on my sensor


Matt Gregory

Mar 11, 2013, 5:48:42 PM
to securit...@googlegroups.com
Hi Alhaji,

A couple of things to check:

- Run sudo service nsm status and post the output here.

- Are you not getting any alerts whatsoever?  Or just for your local.rules?  If it's the former, then there is likely a larger overall problem; if it's the latter, then it's probably something to do with your local.rules.

- Is traffic you expect to see actually being sent to your monitor interface (e.g., is the tapped segment connected, port mirroring configured correctly, etc.)?  On the Security Onion box that should be seeing the traffic, run tcpdump -nnt -i <interface_name> to see if it's actually seeing traffic (hit Ctrl-C after some traffic has blitzed across your screen).

- If the problem is just not getting alerts on your local.rules, are the rules written correctly (i.e., correct syntax)?

- Assuming your rules are written correctly, has there actually been any traffic to the monitor interface that would trigger the rule?

~Matt


On Mon, Mar 11, 2013 at 4:42 PM, Alhaji Kargbo <albs...@gmail.com> wrote:
I have followed the instructions and have done some local.rules, including the default downloaded rules, but have not seen any live event for the past couple of days, except for a command that I ran on the 5th that showed some events, which are the same ones showing up. What should I do?




Heine Lysemose

Mar 12, 2013, 10:21:25 AM
to securit...@googlegroups.com
Hi
 
Try this and post any error log if available.
sudo nsm_sensor_ps-restart --only-snort-alert
 
/Lysemose


On Tue, Mar 12, 2013 at 3:11 PM, Alhaji Kargbo <albs...@gmail.com> wrote:
Thanks Matt for your response. This is what I get after running the command you suggested above:

securityadmin@UHC-IDS:/etc/nsm/rules$ sudo service nsm status
[sudo] password for securityadmin:
Status: securityonion
  * sguil server                                                                                                                         [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                                                                                                  [  OK  ]
Status: Bro
Name       Type       Host       Status        Pid    Peers  Started
bro        standalone localhost  running       32569  0      11 Mar 20:08:45
Status: UHC-IDS-eth1
  * netsniff-ng (full packet data)                                                                                                       [  OK  ]
  * pcap_agent (sguil)                                                                                                                   [  OK  ]
  * snort_agent-1 (sguil)                                                                                                                [  OK  ]
  * snort-1 (alert data)                                                                                                                 [ FAIL ]
  * barnyard2-1 (spooler, unified2 format)                                                                                               [  OK  ]
  * prads (sessions/assets)                                                                                                              [  OK  ]
  * sancp_agent (sguil)                                                                                                                  [  OK  ]
  * pads_agent (sguil)                                                                                                                   [  OK  ]
  * argus                                                                                                                                [  OK  ]
  * http_agent (sguil)                                                                                                                   [  OK  ]

I guess I am not getting any alerts whatsoever at the moment. I did run a command on the 5th that gave me some alerts. After that I have not seen any other alerts since that day. I also created my local.rules after that day. These are the rules I have so far in my local.rules:


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Sending SMTP request!"; reference: url,http://emailrelay.sourceforge.net; flow:to_server; conte$
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern:only; reference:bugtraq,2112; refe$
alert tcp $EXTERNAL_NET ANY -> $HOME_NET 21 (msg:"Attempted anonymous ftp login"; content:"Anonymous";)
alert tcp $EXTERNAL_NET ANY -> $HOME_NET 22 (msg:"Attempted anonymous ssh login"; content:"Anonymous";)
alert udp $HOME_NET any -> !$OVERACTIVE any (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern:only; reference:bugtraq,2112; refer$
alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,e$
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection to Standard port (1433)"; flow:to_server,established; con$
alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET TROJAN Bancos.DV MSSQL CnC Connection Outbound"; flow:to_server,established; flowbits:iss$

Thanks again for your help

mark seiden

Mar 12, 2013, 1:32:54 PM
to Alhaji Kargbo, securit...@googlegroups.com
so, you see that it looks like UHC-IDS-eth1 is not running for some reason?

try looking in
/var/log/nsm/snort-*/snortu-*log
for a diagnostic.

there should be a logfile dated very close to your last restart attempt,
and the failure should be at the end of the logfile.

(it's really easy to get something tiny wrong and the system is currently very
unforgiving. i got a netmask wrong in my bpf.conf yesterday and spent
quite a long time doing binary search to find it because the diagnostic
output does not even tell you the erroneous line.)



On Mar 12, 2013, at 9:46 AM, Alhaji Kargbo <albs...@gmail.com> wrote:

> securityadmin@UHC-IDS:/etc/nsm/rules$ sudo nsm_sensor_ps-restart --only-snort-alert
> Restarting: UHC-IDS-eth1
> * stopping: snort-1 (alert data) (not running) [ WARN ]
> - stale PID file found, deleting!
> * starting: snort-1 (alert data) [ FAIL ]

Alhaji Kargbo

Mar 13, 2013, 12:49:23 PM
to securit...@googlegroups.com

The destination IP addresses are not even on my network.

On Mar 13, 2013 12:44 PM, "Alhaji Kargbo" <albs...@gmail.com> wrote:
I did look at the log file and found the error messages, and they were all related to my local.rules. I had to comment out a few rules that I thought were the problem, and the warning and Fail messages disappeared. I have everything looking OK now, but still can't see any current events except for the one on the 5th. Please see attached screenshot.

Matt Gregory

Mar 13, 2013, 6:23:28 PM
to securit...@googlegroups.com
Hi Alhaji,

Although the destination IP addresses for the GPL NETBIOS SMB-DS alerts are not on your network, is it possible the machines at the source IPs for those alerts at some point connected to SMB shares at those destination IPs (on your network or another)?  If so, they may still be trying to do so now even if those IPs don't exist anymore.  You can pivot to a packet transcript for those alerts to see if there are any clues, such as SMB share directories, machine names, etc.

Regarding your local.rules file, is there any reason there are 'ET' and 'GPL' rules in there (assuming those are valid ET and GPL rules; I haven't checked)?  ET rules are from Emerging Threats, which are automatically downloaded and updated if you chose that rule set during setup.  GPL rules are those from Sourcefire distributed under the GPL license, which again are downloaded automatically depending on the rule sets you chose.  Neither of these rules should be in your local.rules file, which is for creating your own environment-specific rules that PulledPork won't overwrite when it does the daily rule update.

You may want to review http://manual.snort.org/node27.html for syntax on writing rules, as some of the ones you have listed are incomplete, and could be related to your troubles.  You can also run sudo sostat and check the "IDS Rules Update" section to see if there were any errors that might be related to these rules.

Matt
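A pre-check for local.rules, added here as an example and not part of the thread or of Security Onion's tooling. It flags the problems the replies above point to before snort is restarted: rules that are cut off or missing their closing parenthesis, options not terminated with ';', rules without a sid/rev, ET or GPL rules pasted into local.rules, and header variables that are not among the defaults of a stock snort.conf. The known-variable list and the sample rules are constructed for the example; snort's own config test (snort -T -c <snort.conf>) stays the authoritative check.

```python
import re
from typing import List, Tuple

# Assumption: the variables a stock snort.conf defines. Any other $NAME in a
# rule header is reported so a typo or an undefined variable is caught early.
KNOWN_VARS = {
    "HOME_NET", "EXTERNAL_NET", "DNS_SERVERS", "SMTP_SERVERS", "HTTP_SERVERS",
    "SQL_SERVERS", "TELNET_SERVERS", "SSH_SERVERS", "FTP_SERVERS", "SIP_SERVERS",
    "AIM_SERVERS", "HTTP_PORTS", "SHELLCODE_PORTS", "ORACLE_PORTS", "SSH_PORTS",
    "FTP_PORTS", "SIP_PORTS", "FILE_DATA_PORTS", "GTP_PORTS",
}
KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# msg prefixes used by the downloaded rule sets; those rules are managed by
# PulledPork and should not be copied into local.rules.
DOWNLOADED_PREFIXES = ("ET ", "GPL ")

# action proto src sport -> dst dport (options)   (addresses/ports without spaces)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)

Finding = Tuple[int, str, str]  # (line number, level, message)


def lint_rule(line_no: int, rule: str) -> List[Finding]:
    """Check one Snort rule and return the problems found (empty list if clean)."""
    findings: List[Finding] = []
    m = HEADER_RE.match(rule)
    if not m:
        if "(" in rule and not rule.rstrip().endswith(")"):
            findings.append((line_no, "ERROR", "rule is cut off: no closing ')'"))
        else:
            findings.append((line_no, "ERROR", "header does not parse as "
                             "'action proto src sport -> dst dport (options)'"))
        return findings

    if m.group("proto").lower() not in KNOWN_PROTOCOLS:
        findings.append((line_no, "ERROR", f"unknown protocol '{m.group('proto')}'"))

    header = rule[: m.start("opts")]
    for var in sorted(set(re.findall(r"\$(\w+)", header))):
        if var not in KNOWN_VARS:
            findings.append((line_no, "WARN",
                             f"${var} is not a default snort.conf variable; confirm it is defined"))

    opts = m.group("opts").strip()
    if not opts.endswith(";"):
        findings.append((line_no, "ERROR", "every option, including the last, must end with ';'"))

    keys = {}
    for part in re.split(r"(?<!\\);", opts):  # split on ';' that is not escaped
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        key, value = key.strip(), value.strip()
        if len(re.findall(r'(?<!\\)"', value)) % 2:
            findings.append((line_no, "ERROR", f"unbalanced quotes in option '{key}'"))
        keys.setdefault(key, value)

    if "msg" not in keys:
        findings.append((line_no, "ERROR", "missing msg option"))
    for required in ("sid", "rev"):
        if required not in keys:
            findings.append((line_no, "WARN", f"missing {required}; local rules should carry "
                             "sid (1000000 or higher) and rev so alerts are tracked uniquely"))
    if keys.get("msg", "").strip('"').startswith(DOWNLOADED_PREFIXES):
        findings.append((line_no, "WARN", "msg looks like an ET/GPL rule; it belongs to the "
                         "managed rule set, not local.rules"))
    return findings


def lint_rules(text: str) -> List[Finding]:
    """Lint a whole rules file; blank lines and '#' comments are skipped."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            findings.extend(lint_rule(line_no, line))
    return findings


# Constructed sample local.rules: one clean rule, then one rule per problem type.
SAMPLE_LOCAL_RULES = """\
# constructed sample for the example
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL FTP anonymous login attempt"; flow:to_server,established; content:"USER anonymous"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Attempted anonymous ssh login"; content:"Anonymous";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Sending SMTP request!"; flow:to_server; conte
alert udp $HOME_NET any -> !$OVERACTIVE any (msg:"GPL SNMP public access udp"; content:"public"; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection"; flow:to_server,established; sid:1000005; rev:2)
"""

if __name__ == "__main__":
    for line_no, level, message in lint_rules(SAMPLE_LOCAL_RULES):
        print(f"line {line_no}: {level}: {message}")
```

Run it against /etc/nsm/rules/local.rules before restarting the snort process; a rule that produces an ERROR here is the kind that makes snort-1 fail to start, while WARN findings are rules that will load but are worth cleaning up.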