using pytbull to test security onion


Smith

Apr 4, 2017, 6:08:53 PM
to security-onion
Hi everyone,

I am trying to use the pytbull IDS testing framework to test my Security Onion implementation. I found some problems with it; I was wondering if anyone has tried it before and can help me with it.

Thank you in advance

Doug Burks

Apr 6, 2017, 9:49:43 PM
to securit...@googlegroups.com
Hi mohammed93a,

What specific problems are you having with pytbull?

I usually test using tcpreplay and the pcap samples in /opt/samples like this:
sudo tcpreplay -i eth1 -M10 /opt/samples/*.pcap

--
Doug Burks

Mohammed

Apr 11, 2017, 6:26:00 PM
to security-onion
Dear Mr. Burks,

Thank you so much for your fast response. I am using pytbull instead of tcpreplay because I think I get a more realistic attack simulation and final reports organized for research analysis. I had some issues with FTP and other bugs, but I managed to solve them through troubleshooting and searching.
Now I am getting a connection error each time I run the pytbull code, and the attacker machine and Security Onion can't ping each other for about 5 minutes; then the connection returns, but when I run the code again the same problem happens!
Is there a rule or something in Security Onion that prevents the connection when malicious activity happens? I thought it was a firewall problem; therefore I switched off the ufw firewall, but the same problem remained.
I attached the error message screenshot.


Mohammed Ammar,

Capture.PNG

Wes

Apr 11, 2017, 6:59:04 PM
to security-onion

Mohammed,

You may want to try taking a look at the following:

https://github.com/Security-Onion-Solutions/security-onion/wiki/OSSEC#active-response

https://groups.google.com/d/msg/security-onion/Wg7Xu6ecSR0/2Mb3BREcBAAJ

You are likely triggering OSSEC's active response capability.

Try the above steps and see if it helps.

Thanks,
Wes


Mohammed

Apr 16, 2017, 1:06:50 PM
to security-onion


Wes,

It worked, thanks a lot; you were right, it was OSSEC's active response.
If I may ask, I also had another problem with pulling alert files via FTP. I don't know the specific path of the alerts in Security Onion; I tried "/var/log/nsm/mohammed-virtual-machine-eth1/snortu_agent-1.log" but it didn't work out, and I also tried "/var/log/nsm/mohammed-virtual-machine-eth1/snortu_agent-1.log/snort-1.stats", also without response.

Thank you,
Mohammed

Capture.PNG

Doug Burks

Apr 23, 2017, 6:04:25 AM
to securit...@googlegroups.com
Hi Mohammed,

Snort writes alerts in unified2 format to the following location
(replacing HOSTNAME with your actual hostname, INTERFACE with your
actual sniffing interface, and TIMESTAMP with the actual timestamp of
the start of the Snort process):
/nsm/sensor_data/HOSTNAME-INTERFACE/snort.unified2.TIMESTAMP

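The unified2 files at that path are binary, so pulling them over FTP for research analysis needs a decoder. The following is an added example, not Snort or Security Onion code: it parses the IPv4 IDS_EVENT and PACKET record types and tolerates a half-written trailing record; the SAMPLE bytes (sid 1000001, the two 192.168.56.x addresses) are constructed for the example, not taken from a real sensor.

```python
"""Parse Snort unified2 records such as Security Onion writes to
/nsm/sensor_data/HOSTNAME-INTERFACE/snort.unified2.TIMESTAMP.
Added example, not Snort or Security Onion code; SAMPLE below is constructed."""
import struct
from ipaddress import IPv4Address
from typing import Iterator

UNIFIED2_PACKET = 2         # packet that triggered an event: 28-byte header + data
UNIFIED2_IDS_EVENT = 7      # IPv4 event: fixed 52-byte body
EVENT_FMT = "!IIIIIIIIIIIHHBBBB"   # 11 uint32, 2 uint16, 4 uint8 = 52 bytes
PACKET_FMT = "!IIIIIII"            # 7 uint32 = 28 bytes


def parse_unified2(data: bytes) -> Iterator[dict]:
    """Yield one dict per record. Each record is a big-endian (type, length)
    header followed by `length` body bytes; an incomplete tail is left unread,
    since Snort may still be appending to the newest file."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen >= 52:
            f = struct.unpack_from(EVENT_FMT, body)
            yield {"type": "event", "event_id": f[1], "event_second": f[2],
                   "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                   "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
                   "sport": f[11], "dport": f[12], "proto": f[13], "blocked": f[16]}
        elif rtype == UNIFIED2_PACKET and rlen >= 28:   # other types are skipped
            p = struct.unpack_from(PACKET_FMT, body)
            yield {"type": "packet", "event_id": p[1], "linktype": p[5],
                   "data": body[28:28 + p[6]]}


def build_event(sid, gid, src, dst, sport, dport, proto, event_id=1, second=1491300000):
    """Construct an IDS_EVENT record for testing (not captured from Snort)."""
    body = struct.pack(EVENT_FMT, 0, event_id, second, 0, sid, gid, 1, 0, 2,
                       int(IPv4Address(src)), int(IPv4Address(dst)),
                       sport, dport, proto, 0, 0, 0)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed sample: one ICMP echo-request alert followed by its packet record.
SAMPLE = (build_event(1000001, 1, "192.168.56.101", "192.168.56.102", 8, 0, 1)
          + struct.pack("!II", UNIFIED2_PACKET, 28 + 4)
          + struct.pack(PACKET_FMT, 0, 1, 1491300000, 1491300000, 0, 1, 4)
          + b"\x08\x00\x00\x00")
```

To decode a pulled file, pass `open(path, "rb").read()` to `parse_unified2`; event and packet records share `event_id`, which is how the packet is tied back to its alert.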