snort.conf and threshold.conf


Doug Burks

Feb 3, 2011, 6:19:35 AM
to securit...@googlegroups.com
Hi John,

I changed the subject of the email to match the current topic of the thread.

You are correct. You'll want to edit the snort.conf and
threshold.conf that are in the directory of the sensor that you want
to affect (/etc/nsm/eth0/).

Regards,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

On Wed, Feb 2, 2011 at 11:07 PM, Jun Wan <junwe...@hotmail.com> wrote:
>
> Hi Doug,
>
> Thanks for the clarification.
>
> I am going to turn off some alerts via snort.conf and threshold.conf, please see the following:
>
>
> jwan@SO1:/$ sudo find -name snort.conf
> [sudo] password for jwan:
> ./etc/snort/snort.conf
> ./etc/snort-2.9.0.1/snort.conf
> ./etc/nsm/eth0/snort.conf
> ./etc/nsm/snort.conf
>
> jwan@SO1:/$ sudo find -name threshold.conf
> ./etc/snort/threshold.conf
> ./etc/snort-2.9.0.1/threshold.conf
> ./etc/nsm/threshold.conf
> ./etc/nsm/eth0/threshold.conf
>
>
> My question would be:
>
> which snort.conf and threshold.conf should I use?
>
> I guess I should use "./etc/nsm/eth0/snort.conf" and "./etc/nsm/eth0/threshold.conf", am I right?
>
> Any information and help would be much appreciated.
>
> Regards
>
> john
>
> ----------------------------------------
>> Date: Wed, 2 Feb 2011 06:42:54 -0500
>> Subject: Re: Sguil stops after 15 days
>> From: doug....@gmail.com
>> To: securit...@googlegroups.com
>>
>> Hi John,
>>
>> That's normal for an alert from a preprocessor. That message comes
>> from /usr/local/lib/sguil/extdata.tcl. Sguil only displays rules and
>> signatures for generator ID 1:
>>
>> grep -C10 -i "rules and signatures are not available" /usr/local/lib/sguil/extdata.tcl
>>     set win $CUR_SEL_PANE(name)
>>     set selectedIndex [$CUR_SEL_PANE(name) curselection]
>>
>>     set event_id [$CUR_SEL_PANE(name) getcells $selectedIndex,alertID]
>>     set genID $generatorListMap($event_id)
>>
>>     if { $genID != "1" } {
>>
>>         # For the detection engine only. Generator ID 1.
>>         ClearRuleText
>>         InsertRuleData "Rules and signatures are not available for the generator ID ${genID}."
>>         return
>>
>>     }
>>
>> To verify that you are seeing rules and signatures for Snort VRT GID 1
>> alerts, open a terminal and type the following:
>> curl http://testmyids.com
>>
>> You should get an alert in Sguil and the rule should look like this:
>> alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned
>> root"; content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop,
>> policy security-ips drop; classtype:bad-unknown; sid:498; rev:7;)
>>
>> The "metadata:policy..." signifies that it's a Snort VRT rule and not
>> an ET rule.
>>
>> Please let us know whether or not that helps.
>>
>> Thanks,
>> --
>> Doug Burks, GSE, CISSP
>> President, Greater Augusta ISSA
>> http://augusta.issa.org
>> http://securityonion.blogspot.com
>>
>>
>> On Tue, Feb 1, 2011 at 6:34 PM, Jun Wan wrote:
>> >
>> > Hi Doug,
>> >
>> > I am unable to find any clue from /var/log/nsm/ and /var/log/ as I don't know how.
>> >
>> > So I reinstalled it by using 20110116 + upgrade script, all good except one thing: I got the following under "show rule" for all snort rules:
>> >
>> > rules and signatures are not available for the generator ID 129
>> > rules and signatures are not available for the generator ID 138
>> >
>> > Is this because something may be wrong with "gen-msg.map" or "sid-msg.map" or "pulledpork"?
>> >
>> > But Sguil provides details for ET rules.
>> >
>> >
>> > Any information and help would be much appreciated
>> >
>> > Thanks
>> >
>> > Regards
>> >
>> > John
>> >
>> >
>> >
>> > ----------------------------------------
>> >> Date: Sun, 30 Jan 2011 09:40:57 -0500
>> >> Subject: Re: Sguil stops after 15 days
>> >> From: doug....@gmail.com
>> >> To: securit...@googlegroups.com
>> >>
>> >> That's really strange. Take a look at the other logs in /var/log/nsm/
>> >> and /var/log/ for any additional clues.
>> >>
>> >> An alternative to full OS re-installation would be to run nsm_all_del
>> >> to wipe out your Sguil server/sensor configuration and then run Setup
>> >> to configure everything from scratch.
>> >>
>> >> Please let us know what you find out.
>> >>
>> >> Thanks,
>> >> --
>> >> Doug Burks, GSE, CISSP
>> >> President, Greater Augusta ISSA
>> >> http://augusta.issa.org
>> >> http://securityonion.blogspot.com
>> >>
>> >> On Sun, Jan 30, 2011 at 1:05 AM, Jun Wan wrote:
>> >> >
>> >> > Hi Doug,
>> >> >
>> >> > I tried "sudo service nsm restart" and rebooted many times, but the issue remains: Unable to connect the localhost on port 7734
>> >> >
>> >> > In /var/log/nsm/securityonion/sguild.log:
>> >> > .......
>> >> > .......
>> >> > pid(4771) Archived Alert: 0 1 policy-violation br0 {2011-01-25 06:02:13} 3 285983 {GPL P2P BitTorrent transfer} 192.168.108.245 89.243.30.142 6 65405 35091 1 2181 4 20835 20835
>> >> > pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:14} 3 285984 {stream5: Reset outside window} 119.46.206.70 192.168.108.245 6 16884 65416 129 15 1 20836 20836
>> >> > pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:14} 3 285985 {stream5: Reset outside window} 119.46.206.70 192.168.108.245 6 16884 65416 129 15 1 20837 20837
>> >> > pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:15} 3 285986 {stream5: Reset outside window} 72.204.45.78 192.168.108.245 6 20315 65404 129 15 1 20838 20838
>> >> > pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:15} 3 285987 {stream5: Reset outside window} 72.204.45.78 192.168.108.245 6 20315 65404 129 15 1 20839 20839
>> >> > pid(4771) Archived Alert: 0 1 policy-violation br0 {2011-01-25 06:02:15} 3 285988 {GPL P2P BitTorrent transfer} 192.168.108.245 137.226.147.43 6 65426 56352 1 2181 4 20840 20840
>> >> > pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:16} 3 285989 {stream5: Reset outside window} 62.195.177.195 192.168.108.245 6 50831 65113 129 15 1 20841 20841
>> >> > pid(4771) Archived Alert: 0 1 policy-violation br0 {2011-01-25 06:02:16} 3 285990 {GPL P2P BitTorrent transfer} 192.168.108.245 90.212.163.225 6 65423 45682 1 2181 4 20842 20842
>> >> > pid(4771) Archived Alert: 0 1 policy-violation br0 {2011-01-25 06:02:16} 3 285991 {GPL P2P BitTorrent transfer} 192.168.108.245 190.195.73.51 6 65428 32239 1 2181 4 20843 20843
>> >> > pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:21} 3 285992 {stream5: TCP Small Segment Threshold Exceeded} 192.168.108.245 96.63.144.22 6 65269 16039 129 12 1 20844 20844
>> >> > pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:21} 3 285993 {stream5: FIN number is greater than prior FIN} 192.168.108.245 108.75.41.71 6 65256 62512 129 16 1 20845 20845
>> >> > pid(4771) Archived Alert: 0 1 policy-violation br0 {2011-01-25 06:02:21} 3 285994 {GPL P2P BitTorrent transfer} 192.168.108.2
>> >> >
>> >> > So 2011-01-25 06:02:21 was the last timestamp in the log.
>> >> >
>> >> >
>> >> > But Sguil was working on 26th ~ 29th of Jan, it's really strange.
>> >> >
>> >> > In Squert, the last alert was on 11-01-29 16:29:13.
>> >> >
>> >> > Any information and help would be much appreciated
>> >> >
>> >> > Thanks
>> >> >
>> >> > Regards
>> >> >
>> >> > John
>> >> >
>> >> >
>> >> > ----------------------------------------
>> >> >> Date: Sat, 29 Jan 2011 23:15:54 -0500
>> >> >> Subject: Re: Sguil stops after 15 days
>> >> >> From: doug....@gmail.com
>> >> >> To: securit...@googlegroups.com
>> >> >>
>> >> >> Have you tried the following command?
>> >> >> sudo service nsm restart
>> >> >>
>> >> >> Have you tried rebooting?
>> >> >>
>> >> >> What is in /var/log/nsm/securityonion/sguild.log?
>> >> >>
>> >> >> Regards,
>> >> >> --
>> >> >> Doug Burks, GSE, CISSP
>> >> >> President, Greater Augusta ISSA
>> >> >> http://augusta.issa.org
>> >> >> http://securityonion.blogspot.com
>> >> >>
>> >> >> On Sat, Jan 29, 2011 at 6:32 PM, Jun Wan wrote:
>> >> >> > Hi Doug,
>> >> >> >
>> >> >> > My Security Onion had been running beautifully until this morning (since
>> >> >> > 15th of Jan. 2011), it just stopped, the Sguil window displays nothing, so I
>> >> >> > decided to close Sguil and reopen it again, then I got the following error:
>> >> >> >
>> >> >> > Unable to connect the localhost on port 7734
>> >> >> >
>> >> >> > All other activities seem to be fine:
>> >> >> >
>> >> >> > Internet is okay
>> >> >> > bridge interface is okay
>> >> >> > space is okay, 200G free
>> >> >> > CPU is okay, 60% usage
>> >> >> >
>> >> >> > Then I installed the update script, but the Sguil issue remains: Unable to
>> >> >> > connect the localhost on port 7734
>> >> >> >
>> >> >> > Is there any way I can fix the Sguil issue instead of reinstalling Security
>> >> >> > Onion again?
>> >> >> >
>> >> >> > Any information and help would be much appreciated.
>> >> >> >
>> >> >> > Thanks
>> >> >> >
>> >> >> > Regards
>> >> >> >
>> >> >> > John
>> >> >> >
>> >> >> >
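As an added example (not code from the thread or from Security Onion): a small Python script that parses sguild.log "Archived Alert" lines like the ones John pasted, counts events per generator/signature id, and prints candidate `suppress` lines for the sensor's threshold.conf (/etc/nsm/eth0/threshold.conf, as Doug points out). The field layout of the log line and the sample lines are assumptions constructed from the format shown above.

```python
import re
from collections import Counter

# Field layout assumed from the sguild.log lines quoted in this thread:
# "Archived Alert: status priority class sensor {timestamp} sid cid {msg}
#   src dst proto sport dport gen_id sig_id rev ..."
ALERT_RE = re.compile(
    r"Archived Alert: \d+ \d+ \S+ (?P<sensor>\S+) \{(?P<ts>[^}]*)\} \d+ \d+ "
    r"\{(?P<msg>[^}]*)\} (?P<src>\S+) (?P<dst>\S+) \d+ \d+ \d+ "
    r"(?P<gen_id>\d+) (?P<sig_id>\d+) \d+"
)

# Constructed sample lines in the thread's format (TEST-NET addresses, not real traffic).
SAMPLE_LOG = """\
pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:14} 3 1 {stream5: Reset outside window} 198.51.100.7 192.0.2.10 6 16884 65416 129 15 1 1 1
pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:14} 3 2 {stream5: Reset outside window} 198.51.100.7 192.0.2.10 6 16884 65416 129 15 1 2 2
pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:15} 3 3 {stream5: Reset outside window} 198.51.100.8 192.0.2.10 6 20315 65404 129 15 1 3 3
pid(4771) Archived Alert: 0 2 bad-unknown br0 {2011-01-25 06:02:21} 3 4 {stream5: TCP Small Segment Threshold Exceeded} 192.0.2.10 198.51.100.9 6 65269 16039 129 12 1 4 4
pid(4771) Archived Alert: 0 1 policy-violation br0 {2011-01-25 06:02:21} 3 5 {GPL P2P BitTorrent transfer} 192.0.2.10 198.51.100.11 6 65428 32239 1 2181 4 5 5
pid(4771) Archived Alert: 0 1 policy-violation br0 {2011-01-25 06:02:22} 3 6 {GPL P2P BitTorrent transfer} 192.0.2.10 198.51.100.12 6 65429 32240 1 2181 4 6 6
pid(4771) some other sguild message that is not an archived alert
"""

def parse_alerts(text):
    """Return one dict per 'Archived Alert' line; other sguild.log lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            a["gen_id"], a["sig_id"] = int(a["gen_id"]), int(a["sig_id"])
            alerts.append(a)
    return alerts

def count_by_signature(alerts):
    """Count alerts per (gen_id, sig_id, msg); most_common() yields the noisiest first."""
    return Counter((a["gen_id"], a["sig_id"], a["msg"]) for a in alerts)

def suppress_candidates(alerts, min_count=3):
    """Build threshold.conf 'suppress gen_id X, sig_id Y' entries for preprocessor
    events (gen_id != 1) seen at least min_count times. GID 1 rules are skipped:
    Sguil can show their text, so review them one by one instead of bulk-silencing."""
    entries = []
    for (gid, sid, msg), n in count_by_signature(alerts).most_common():
        if gid != 1 and n >= min_count:
            entries.append(f"# {msg}: {n} hits\nsuppress gen_id {gid}, sig_id {sid}")
    return entries

if __name__ == "__main__":
    print("\n".join(suppress_candidates(parse_alerts(SAMPLE_LOG))))
```

After appending the chosen lines to /etc/nsm/eth0/threshold.conf, restart the sensor (the thread uses `sudo service nsm restart`) so Snort re-reads the file.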

Jun Wan

Feb 3, 2011, 4:37:03 PM
to securit...@googlegroups.com

Many thanks Doug!

Regards

John

----------------------------------------
> Date: Thu, 3 Feb 2011 06:19:35 -0500
> Subject: snort.conf and threshold.conf

> I changed the subject of the email to match the current topic of the thread.
>
> You are correct. You'll want to edit the snort.conf and
> threshold.conf that are in the directory of the sensor that you want
> to affect (/etc/nsm/eth0/).
>
> Regards,
> --
> Doug Burks, GSE, CISSP
> President, Greater Augusta ISSA
> http://augusta.issa.org
> http://securityonion.blogspot.com
>
