Tcpreplay failing

Judd Brown
Sep 17, 2018, 1:49:32 PM
to security-onion
Hello,

Installed 20120722-0ubuntu0securityonion110.

When I run tcpreplay -i ens192 *.pcap in /opt/samples or markofu - on two sensors - I don't see the results in Sguil. In fact my last Sguil alert was two weeks ago.

Snort logs seem plenty hefty in dailylogs.

Any thoughts where I'm going wrong here?

so-stats seem normal without errors.

Thanks, Judd


Judd Brown
Sep 17, 2018, 3:22:36 PM
to security-onion

Additional information. The root directory on my main sensor is at 85% full. I have the sensor set up as a Forwarding device. Why would it be filling up (2T size)?

Wes Lambert
Sep 17, 2018, 8:48:51 PM
to securit...@googlegroups.com
Hi Judd,

Please provide the output of sostat-redacted, attaching as a plain text file, or using a service like Pastebin.com.

By default, forward nodes will limit themselves to 90% of disk for the partition/disk on which /nsm resides.

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Judd Brown
Sep 18, 2018, 9:50:36 AM
to security-onion
sostat091718.txt
sostat091818.txt

Judd Brown
Sep 18, 2018, 9:53:12 AM
to security-onion

sostat091718.txt is the sensor, sostat091818.txt is the master.

Wes Lambert
Sep 19, 2018, 2:08:56 PM
to securit...@googlegroups.com
Hi Judd,

For your sostat from the master:

Sguil events summary for yesterday
=========================================================================
Totals  GenID:SigID  Signature
   564  1:27964      MALWARE-CNC Win.Trojan.Gh0st variant outbound connection
   206  1:32879      EXPLOIT-KIT Nuclear exploit kit payload delivery
    96  1:32390      EXPLOIT-KIT Angler exploit kit landing page detected
    60  3:39379      FILE-EXECUTABLE Norton Antivirus ASPack heap corruption attempt
    38  1:34330      EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download
    38  1:31902      EXPLOIT-KIT Multiple exploit kit flash file download
    32  1:34331      EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download
    32  1:28612      EXPLOIT-KIT Multiple exploit kit Silverlight exploit download
    28  1:28238      EXPLOIT-KIT Multiple exploit kits malicious pdf download
    28  1:29356      MALWARE-CNC Win.Trojan.Cidox variant outbound connection
    28  1:34334      EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download
    24  1:28809      MALWARE-CNC Win.Trojan.Dofoil inbound connection
    24  1:36798      EXPLOIT-KIT GongDa landing page detected
    22  1:27816      EXPLOIT-KIT Multiple exploit kit jar file download attempt
    22  1:34332      EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download
    16  1:44592      MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange
    14  1:32585      MALWARE-CNC Win.Trojan.Zeus variant outbound connection
    14  1:32770      MALWARE-CNC Win.Trojan.Androm variant outbound connection
    12  1:31900      EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode

It looks like there are events in the Sguil DB.  Are you not seeing them in Sguil/Squert?

Thanks,
Wes 
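The sostat section Wes quotes is a plain-text table: a total, a GenID:SigID pair and the rule message on each line. The Python below is an added example for this thread, not code from Security Onion or from sostat; it parses lines in that shape into records and rolls them up by rule class, which is a quick way to check what a sensor has actually been producing before looking at the console. The sample text is constructed from a few rows of the summary above, and the regex and helper names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same shape as the "Sguil events summary" section
# of sostat output quoted above (a few rows copied from that summary).
SAMPLE_SUMMARY = """\
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
564 1:27964 MALWARE-CNC Win.Trojan.Gh0st variant outbound connection
206 1:32879 EXPLOIT-KIT Nuclear exploit kit payload delivery
60 3:39379 FILE-EXECUTABLE Norton Antivirus ASPack heap corruption attempt
38 1:34330 EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download
"""

# total, gen:sig, rule-class prefix, rest of the rule message
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+):(\d+)\s+(\S+)\s+(.*\S)\s*$")


@dataclass(frozen=True)
class SummaryRow:
    total: int
    gen_id: int      # Snort generator id: 1 = text rules, 3 = shared-object rules
    sig_id: int
    category: str    # rule-class prefix such as MALWARE-CNC or EXPLOIT-KIT
    message: str


def parse_summary(text: str) -> list:
    """Return one SummaryRow per data line; headers, separators and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        total, gen_id, sig_id, category, message = m.groups()
        rows.append(SummaryRow(int(total), int(gen_id), int(sig_id), category, message))
    return rows


def total_events(rows: list) -> int:
    return sum(r.total for r in rows)


def totals_by_category(rows: list) -> dict:
    """Roll the per-signature totals up to the rule class, e.g. all EXPLOIT-KIT hits."""
    counts = Counter()
    for r in rows:
        counts[r.category] += r.total
    return dict(counts)


def top_signatures(rows: list, n: int = 3) -> list:
    """Noisiest rules first."""
    return sorted(rows, key=lambda r: r.total, reverse=True)[:n]


def shared_object_rows(rows: list) -> list:
    """Rows from shared-object (GenID 3) rules, which live in a different rule file than GenID 1."""
    return [r for r in rows if r.gen_id == 3]


if __name__ == "__main__":
    rows = parse_summary(SAMPLE_SUMMARY)
    print(total_events(rows), "events across", len(rows), "signatures")
    for category, total in sorted(totals_by_category(rows).items(), key=lambda kv: -kv[1]):
        print(f"{total:6d}  {category}")
```

Feeding a whole sostat file to `parse_summary` works as well, since every non-matching line is ignored; the per-category totals from the sensor and the master should line up if both are reporting the same traffic.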

Judd Brown
Sep 19, 2018, 2:11:02 PM
to securit...@googlegroups.com
They are there if I do a query, but they are not scrolling into the main page. 8-30 is the last day that page updated. Thanks, Wes.

Wes Lambert
Sep 20, 2018, 9:44:03 AM
to securit...@googlegroups.com
Hi Judd,

Is this when you look in Sguil/Squert/Kibana?

Thanks,
Wes

Judd Brown
Sep 20, 2018, 10:12:17 AM
to securit...@googlegroups.com
Yes, Sguil.

Wes Lambert
Sep 20, 2018, 12:02:45 PM
to securit...@googlegroups.com
Hi Judd,

Are you sure alerts aren't just being aggregated?  Does the count for the alerts increase?

Thanks,
Wes

Judd Brown
Sep 20, 2018, 12:43:37 PM
to securit...@googlegroups.com
Wouldn’t that require opening all previous alerts to see if a more current event occurred?  A date/time update and a sort to the most current position on the main menu should happen, I assume.

Wes Lambert
Sep 21, 2018, 8:03:34 AM
to securit...@googlegroups.com
Hi Judd,

Try right-clicking the count and clicking "View correlated events".

Thanks,
Wes

Judd Brown
Sep 21, 2018, 9:52:26 AM
to securit...@googlegroups.com
Hi Wes,

Yes, that works fine. But how do I know a new alert has occurred without doing that to every alert? Shouldn’t it update the date and sort to the top when a new alert occurs?

Wes Lambert
Sep 21, 2018, 1:46:53 PM
to securit...@googlegroups.com
Hi Judd,

The thought process here is that an analyst should actively be monitoring, processing, and clearing events from the queue.  The original event remains as the primary indicator, and subsequent events follow as correlated events.

Thanks,
Wes 
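Wes's description of the queue (the first event stays as the primary row, later matches roll up behind it as correlated events) is easy to reason about in code. The Python below is an added example written for this thread: a simplified model, not Sguil's own implementation. The aggregation key (rule id plus source and destination) is an assumption, and the alerts are constructed sample data using private and documentation-range addresses. It shows why a row keeps its original date while its count climbs, and one way to answer Judd's question: ask for rows whose newest correlated event is later than a given time instead of opening each row by hand.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sig_id: int
    signature: str
    src: str
    dst: str


@dataclass
class QueueEntry:
    """One row in the console: the first alert, plus every later alert rolled into it."""
    primary: Alert
    correlated: list = field(default_factory=list)

    @property
    def count(self) -> int:
        return 1 + len(self.correlated)

    @property
    def latest(self) -> datetime:
        """Timestamp of the newest alert behind this row (the primary's if none were added)."""
        return self.correlated[-1].ts if self.correlated else self.primary.ts


class AlertQueue:
    """Simplified model of an aggregating alert queue; not Sguil's implementation."""

    @staticmethod
    def key(alert: Alert) -> tuple:
        # Assumed aggregation key: same rule, same source, same destination.
        return (alert.sig_id, alert.src, alert.dst)

    def __init__(self) -> None:
        self._entries: dict = {}

    def add(self, alert: Alert) -> QueueEntry:
        """The first alert for a key becomes the row; later ones only bump its count."""
        k = self.key(alert)
        entry = self._entries.get(k)
        if entry is None:
            entry = self._entries[k] = QueueEntry(alert)
        else:
            entry.correlated.append(alert)
        return entry

    def rows(self) -> list:
        """The console view: ordered by the primary's timestamp, so a row does not
        move when new correlated events arrive."""
        return sorted(self._entries.values(), key=lambda e: e.primary.ts)

    def correlated_events(self, alert: Alert) -> list:
        """What 'View correlated events' on a row would list."""
        entry = self._entries[self.key(alert)]
        return [entry.primary] + entry.correlated

    def active_since(self, since: datetime) -> list:
        """Rows with any event at or after `since`: the check Judd was asking for."""
        return [e for e in self._entries.values() if e.latest >= since]

    def clear(self, alert: Alert) -> None:
        """The analyst clears the row; the next matching alert starts a fresh row with a current date."""
        del self._entries[self.key(alert)]


def build_sample_queue() -> AlertQueue:
    """Constructed alerts (private and documentation-range addresses), not data from the thread."""
    q = AlertQueue()
    gh0st = dict(sig_id=27964, src="10.0.0.5", dst="203.0.113.7",
                 signature="MALWARE-CNC Win.Trojan.Gh0st variant outbound connection")
    angler = dict(sig_id=32390, src="10.0.0.9", dst="198.51.100.20",
                  signature="EXPLOIT-KIT Angler exploit kit landing page detected")
    q.add(Alert(datetime(2018, 8, 30, 9, 0), **gh0st))     # the row the console shows
    q.add(Alert(datetime(2018, 9, 18, 14, 5), **gh0st))    # rolled in: count 2, date unchanged
    q.add(Alert(datetime(2018, 9, 19, 8, 30), **gh0st))    # rolled in: count 3, date unchanged
    q.add(Alert(datetime(2018, 9, 19, 8, 31), **angler))   # different key: its own row
    return q


if __name__ == "__main__":
    q = build_sample_queue()
    for row in q.rows():
        print(f"{row.primary.ts:%Y-%m-%d %H:%M}  x{row.count}  "
              f"latest {row.latest:%Y-%m-%d %H:%M}  {row.primary.signature}")
```

Running it prints the Gh0st row dated 2018-08-30 with a count of 3 even though its newest event is from 2018-09-19, which is exactly the behaviour Judd saw; `active_since` surfaces that row by its newest event, and after `clear` a new match arrives as a fresh row with the current date.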

Judd Brown
Sep 21, 2018, 1:50:48 PM
to securit...@googlegroups.com
OK. Thank you for your help as usual Wes!