Re: [security-onion] Adding second sensor interface


Matt Gregory

Feb 14, 2013, 6:01:24 AM
to securit...@googlegroups.com

Hi Simon,

When you reran sosetup, did you also rerun the network config, which would have configured the new interface for sniffing?

Please post the output of sudo sostat.

Matt

On Feb 14, 2013 5:38 AM, "Simon" <hall.s...@gmail.com> wrote:
Hi guys,

Just a quick bit of advice if you will. I've got a setup working successfully with 2 Security Onion VMs, 1 acting as Server, the second acting as Sensor. The sensor VM I had configured with one monitoring interface, which I finally got working with the remote server. I have added a new interface and run through the SOSETUP again and selected both interfaces. Snorby and SGUIL see both sensors and the original sensor is showing events, but the newly added interface is not.

I ran tcpdump on the new interface and the attached network while running a bunch of scans against it and I see all this traffic hitting the interface. Snort -i on that interface also works.

Any ideas?


Cheers


Simon

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.


Matt Gregory

Feb 14, 2013, 8:10:39 PM
to securit...@googlegroups.com
> I assume by network config you mean the script it runs at the start of the SOSETUP to configure the management interface?

That is correct.  The network configuration script that runs (if you choose to do so) at the beginning of the sosetup script will also let you choose your sniffing interface(s).  I was wondering if maybe you skipped the network configuration after adding the additional interface, in which case it wouldn't have put it in promiscuous mode.  I see that eth1 is in promiscuous (PROMISC) mode, but also appears to have an IP address assigned (based on your redaction), which is odd.  Is the eth1 interface in your sostat output the newly added interface?

Just to be clear, your sensor originally had one interface assigned, which was both the management interface and the monitored interface.  You then added a second interface, which should be monitored only?  Or did you add a third interface?

> Snorby and SGUIL see both sensors and the original sensor is showing events, but the newly added interface is not.

Do you have two actual sensor installations, or are you referring to two monitoring interfaces on the same sensor?

Because Snorby and Sguil see traffic on the original interface, and you can see traffic on the new interface with tcpdump, it appears there might be a misconfiguration with the newly added interface.

Can you try re-running sosetup and selecting the option to re-configure the interfaces?  Also, make sure all of your interfaces are up via ifconfig before running sosetup.  They may not be so if you added an interface after installing Ubuntu.

Matt
 


On Thu, Feb 14, 2013 at 6:39 AM, Simon <hall.s...@gmail.com> wrote:
Thanks for the response. I am fairly new to the setup. I assume by network config you mean the script it runs at the start of the SOSETUP to configure the management interface? Or is there another one that should be run?

sostat below:

=========================================================================
Service Status
=========================================================================
Status: HIDS
  * ossec_agent (sguil)[  OK  ]
Status: Bro
Name       Type       Host       Status        Pid    Peers  Started
manager    manager    ######### running       18914  3      14 Feb 10:56:26
proxy      proxy      ######### running       18966  3      14 Feb 10:56:28
Sensor-eth0-1 worker     ######## running       19028  2      14 Feb 10:56:30
Sensor-eth1-1 worker     ######## running       19029  2      14 Feb 10:56:30
Status: Sensor-eth0
  * netsniff-ng (full packet data)[  OK  ]
  * pcap_agent (sguil)[  OK  ]
  * snort_agent-1 (sguil)[  OK  ]
  * snort-1 (alert data)[  OK  ]
  * barnyard2-1 (spooler, unified2 format)[  OK  ]
  * prads (sessions/assets)[  OK  ]
  * sancp_agent (sguil)[  OK  ]
  * pads_agent (sguil)[  OK  ]
  * argus[  OK  ]
  * http_agent (sguil)[  OK  ]
Status: Sensor-eth1
  * netsniff-ng (full packet data)[  OK  ]
  * pcap_agent (sguil)[  OK  ]
  * snort_agent-1 (sguil)[  OK  ]
  * snort-1 (alert data)[  OK  ]
  * barnyard2-1 (spooler, unified2 format)[  OK  ]
  * prads (sessions/assets)[  OK  ]
  * sancp_agent (sguil)[  OK  ]
  * pads_agent (sguil)[  OK  ]
  * argus[  OK  ]
  * http_agent (sguil)[  OK  ]

=========================================================================
Interface Status
=========================================================================
eth0      Link encap:Ethernet  HWaddr 00:0c:29:8d:4b:06
          inet addr:##########  Bcast:#######  Mask:########
          inet6 addr: fe80::20c:29ff:fe8d:4b06/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:341453 errors:41 dropped:2 overruns:0 frame:0
          TX packets:27319 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:69824328 (69.8 MB)  TX bytes:7689197 (7.6 MB)
          Interrupt:18 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:0c:29:8d:4b:10
          inet addr:########  Bcast:######## Mask:########
          inet6 addr: fe80::20c:29ff:fe8d:4b10/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:484035 errors:217 dropped:4 overruns:0 frame:0
          TX packets:310 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31151514 (31.1 MB)  TX bytes:33725 (33.7 KB)
          Interrupt:16 Base address:0x2080

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8913 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8913 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3657235 (3.6 MB)  TX bytes:3657235 (3.6 MB)


=========================================================================
Disk Usage
=========================================================================
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        14G  5.9G  7.3G  45% /
udev            2.0G  4.0K  2.0G   1% /dev
tmpfs           791M  792K  791M   1% /run
none            5.0M     0  5.0M   0% /run/lock
none            2.0G     0  2.0G   0% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae   923    avahi   12u  IPv4   9283      0t0  UDP *:5353
avahi-dae   923    avahi   13u  IPv6   9284      0t0  UDP *:5353
avahi-dae   923    avahi   14u  IPv4   9285      0t0  UDP *:54876
avahi-dae   923    avahi   15u  IPv6   9286      0t0  UDP *:51216
cupsd       951     root    8u  IPv6   3931      0t0  TCP [::1]:631 (LISTEN)
cupsd       951     root    9u  IPv4   3932      0t0  TCP 127.0.0.1:631 (LISTEN)
sshd       1137     root    3r  IPv4   4010      0t0  TCP *:22 (LISTEN)
sshd       1137     root    4u  IPv6   4012      0t0  TCP *:22 (LISTEN)
ntpd       1199      ntp   16u  IPv4  10280      0t0  UDP *:123
ntpd       1199      ntp   17u  IPv6  10283      0t0  UDP *:123
ntpd       1199      ntp   18u  IPv4  10290      0t0  UDP 127.0.0.1:123
ntpd       1199      ntp   19u  IPv4  10292      0t0  UDP #########:123
ntpd       1199      ntp   20u  IPv4  10294      0t0  UDP #########:123
ntpd       1199      ntp   21u  IPv6  10296      0t0  UDP [fe80::20c:29ff:fe8d:4b10]:123
ntpd       1199      ntp   22u  IPv6  10298      0t0  UDP [fe80::20c:29ff:fe8d:4b06]:123
ntpd       1199      ntp   23u  IPv6  10300      0t0  UDP [::1]:123
sshd       1204     root    3r  IPv4   9409      0t0  TCP #######:22->10.1.0.1:39216 (ESTABLISHED)
syslog-ng  1569     root    9u  IPv4   9594      0t0  TCP *:514 (LISTEN)
syslog-ng  1569     root   10u  IPv4   9595      0t0  UDP *:514
mysqld     1611    mysql   10u  IPv4  11643      0t0  TCP 127.0.0.1:50000 (LISTEN)
ssh        2011     root    3r  IPv4   9779      0t0  TCP #######:44303->#######:22 (ESTABLISHED)
ssh        2011     root    4u  IPv6   9783      0t0  TCP [::1]:3306 (LISTEN)
ssh        2011     root    5u  IPv4   9784      0t0  TCP 127.0.0.1:3306 (LISTEN)
/usr/sbin  3465     root    4u  IPv4  15996      0t0  TCP *:443 (LISTEN)
/usr/sbin  3465     root    5u  IPv4  15999      0t0  TCP *:9876 (LISTEN)
/usr/sbin  3465     root    6u  IPv4  16001      0t0  TCP *:444 (LISTEN)
/usr/sbin  3528 www-data    4u  IPv4  15996      0t0  TCP *:443 (LISTEN)
/usr/sbin  3528 www-data    5u  IPv4  15999      0t0  TCP *:9876 (LISTEN)
/usr/sbin  3528 www-data    6u  IPv4  16001      0t0  TCP *:444 (LISTEN)
/usr/sbin  3529 www-data    4u  IPv4  15996      0t0  TCP *:443 (LISTEN)
/usr/sbin  3529 www-data    5u  IPv4  15999      0t0  TCP *:9876 (LISTEN)
/usr/sbin  3529 www-data    6u  IPv4  16001      0t0  TCP *:444 (LISTEN)
/usr/sbin  3530 www-data    4u  IPv4  15996      0t0  TCP *:443 (LISTEN)
/usr/sbin  3530 www-data    5u  IPv4  15999      0t0  TCP *:9876 (LISTEN)
/usr/sbin  3530 www-data    6u  IPv4  16001      0t0  TCP *:444 (LISTEN)
/usr/sbin  3531 www-data    4u  IPv4  15996      0t0  TCP *:443 (LISTEN)
/usr/sbin  3531 www-data    5u  IPv4  15999      0t0  TCP *:9876 (LISTEN)
/usr/sbin  3531 www-data    6u  IPv4  16001      0t0  TCP *:444 (LISTEN)
/usr/sbin  3532 www-data    4u  IPv4  15996      0t0  TCP *:443 (LISTEN)
/usr/sbin  3532 www-data    5u  IPv4  15999      0t0  TCP *:9876 (LISTEN)
/usr/sbin  3532 www-data    6u  IPv4  16001      0t0  TCP *:444 (LISTEN)
tclsh      4113     root    3u  IPv4  21021      0t0  TCP #######:34332->#######:7736 (ESTABLISHED)
tclsh     18172     root    3u  IPv4 212998      0t0  TCP #######:34491->#######:7736 (ESTABLISHED)
bro       18914     root    4u  IPv4 214309      0t0  UDP #######:45482->8.8.8.8:53
bro       18922     root    0u  IPv4 212721      0t0  TCP *:47761 (LISTEN)
bro       18922     root    1u  IPv6 212722      0t0  TCP *:47761 (LISTEN)
bro       18922     root    2u  IPv4 213298      0t0  TCP #######:47761->#######:56183 (ESTABLISHED)
bro       18922     root    4u  IPv4 214309      0t0  UDP #######:45482->8.8.8.8:53
bro       18922     root    8u  IPv4 211713      0t0  TCP #######:47761->#######:56184 (ESTABLISHED)
bro       18922     root   10u  IPv4 211718      0t0  TCP #######:47761->#######:56187 (ESTABLISHED)
bro       18966     root    4u  IPv4 211689      0t0  UDP #######:37722->8.8.8.8:53
bro       18973     root    0u  IPv4 214401      0t0  TCP #######:56183->#######:47761 (ESTABLISHED)
bro       18973     root    1u  IPv4 214404      0t0  TCP *:47762 (LISTEN)
bro       18973     root    2u  IPv6 214405      0t0  TCP *:47762 (LISTEN)
bro       18973     root    4u  IPv4 211689      0t0  UDP #######:37722->8.8.8.8:53
bro       18973     root    7u  IPv4 211714      0t0  TCP #######:47762->#######:33631 (ESTABLISHED)
bro       18973     root    9u  IPv4 211716      0t0  TCP #######:47762->#######:33632 (ESTABLISHED)
bro       19028     root    4u  IPv4 211709      0t0  UDP #######:53801->8.8.8.8:53
bro       19029     root    4u  IPv4 212736      0t0  UDP #######:53030->8.8.8.8:53
bro       19033     root    0u  IPv4 214468      0t0  TCP #######:56184->#######:47761 (ESTABLISHED)
bro       19033     root    1u  IPv4 214469      0t0  TCP #######:33631->#######:47762 (ESTABLISHED)
bro       19033     root    2u  IPv4 214472      0t0  TCP *:47763 (LISTEN)
bro       19033     root    4u  IPv4 211709      0t0  UDP #######:53801->8.8.8.8:53
bro       19033     root    8u  IPv6 214473      0t0  TCP *:47763 (LISTEN)
bro       19036     root    0u  IPv4 211715      0t0  TCP #######:33632->#######:47762 (ESTABLISHED)
bro       19036     root    1u  IPv4 211717      0t0  TCP #######:56187->#######:47761 (ESTABLISHED)
bro       19036     root    2u  IPv4 211721      0t0  TCP *:47764 (LISTEN)
bro       19036     root    4u  IPv4 212736      0t0  UDP #######:53030->8.8.8.8:53
bro       19036     root    8u  IPv6 211722      0t0  TCP *:47764 (LISTEN)
tclsh     19129     root    3u  IPv4 214686      0t0  TCP #######:34497->#######:7736 (ESTABLISHED)
tclsh     19169     root    3u  IPv4 213546      0t0  TCP #######:34498->#######:7736 (ESTABLISHED)
tclsh     19169     root    4u  IPv4 213547      0t0  TCP 127.0.0.1:8001 (LISTEN)
tclsh     19169     root    6u  IPv4 216293      0t0  TCP 127.0.0.1:8001->127.0.0.1:50211 (ESTABLISHED)
barnyard2 19272     root    3u  IPv4 215504      0t0  TCP 127.0.0.1:50211->127.0.0.1:8001 (ESTABLISHED)
barnyard2 19272     root    4u  IPv4 215507      0t0  TCP #######:47014->#######:3306 (ESTABLISHED)
tclsh     19348     root    3u  IPv4 215240      0t0  TCP #######:34500->#######:7736 (ESTABLISHED)
tclsh     19384     root    3u  IPv4 215031      0t0  TCP #######:34501->#######:7736 (ESTABLISHED)
tclsh     19472     root    3u  IPv4 212957      0t0  TCP #######:34504->#######:7736 (ESTABLISHED)
tclsh     19537     root    3u  IPv4 216156      0t0  TCP #######:34505->#######:7736 (ESTABLISHED)
tclsh     19576     root    3u  IPv4 216269      0t0  TCP #######:34506->#######:7736 (ESTABLISHED)
tclsh     19576     root    4u  IPv4 216270      0t0  TCP 127.0.0.1:8101 (LISTEN)
tclsh     19576     root    6u  IPv4 216569      0t0  TCP 127.0.0.1:8101->127.0.0.1:58462 (ESTABLISHED)
barnyard2 19681     root    3u  IPv4 216568      0t0  TCP 127.0.0.1:58462->127.0.0.1:8101 (ESTABLISHED)
barnyard2 19681     root    4u  IPv4 216572      0t0  TCP #######:47020->#######:3306 (ESTABLISHED)
tclsh     19751     root    3u  IPv4 216434      0t0  TCP #######:34510->#######:7736 (ESTABLISHED)
tclsh     19787     root    3u  IPv4 217230      0t0  TCP #######:34511->#######:7736 (ESTABLISHED)
tclsh     19864     root    3u  IPv4 215957      0t0  TCP #######:34512->#######:7736 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Thu Feb 14 07:01:04 UTC 2013
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 5 minutes to allow master time to download new rules.
Copying rules from #######.
Restarting Barnyard2.
Restarting: Sensor-eth0
  * stopping: barnyard2-1 (spooler, unified2 format)[  OK  ]
  * starting: barnyard2-1 (spooler, unified2 format)[  OK  ]
Restarting: Sensor-eth1
  * stopping: barnyard2-1 (spooler, unified2 format)[  OK  ]
  * starting: barnyard2-1 (spooler, unified2 format)[  OK  ]
Restarting IDS Engine.
Restarting: Sensor-eth0
  * stopping: snort-1 (alert data)[  OK  ]
  * starting: snort-1 (alert data)[  OK  ]
Restarting: Sensor-eth1
  * stopping: snort-1 (alert data)[  OK  ]
  * starting: snort-1 (alert data)[  OK  ]

=========================================================================
CPU Usage
=========================================================================
top - 11:23:25 up  1:37,  1 user,  load average: 0.64, 0.73, 0.96
Tasks: 168 total,   6 running, 162 sleeping,   0 stopped,   0 zombie
Cpu(s):  8.9%us,  6.7%sy,  1.3%ni, 82.3%id,  0.6%wa,  0.0%hi,  0.2%si,  0.0%st
Mem:   4049584k total,  2712276k used,  1337308k free,   100692k buffers
Swap:  4119888k total,        0k used,  4119888k free,  1010768k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
19028 root      20   0  278m  96m  70m S   22  2.4   4:00.65 bro
19029 root      20   0  274m  92m  68m R   22  2.3   3:55.06 bro
18922 root      25   5  137m  18m  876 R   20  0.5   3:47.84 bro
18973 root      25   5 66912  18m  892 S   20  0.5   3:45.27 bro
19033 root      25   5  127m  82m  64m R   18  2.1   2:48.86 bro
19036 root      25   5  127m  82m  64m R   14  2.1   2:49.16 bro
18914 root      20   0 1428m  22m 3896 R    4  0.6   0:47.60 bro
    1 root      20   0 24600 2436 1292 S    0  0.1   0:01.35 init
    2 root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd
    3 root      20   0     0    0    0 S    0  0.0   0:00.41 ksoftirqd/0
    5 root      20   0     0    0    0 S    0  0.0   0:00.44 kworker/u:0
    6 root      RT   0     0    0    0 S    0  0.0   0:00.36 migration/0
    7 root      RT   0     0    0    0 S    0  0.0   0:06.51 watchdog/0
    8 root      RT   0     0    0    0 S    0  0.0   0:00.98 migration/1
    9 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/1:0
   10 root      20   0     0    0    0 S    0  0.0   0:00.29 ksoftirqd/1
   12 root      RT   0     0    0    0 S    0  0.0   0:22.01 watchdog/1
   13 root      RT   0     0    0    0 S    0  0.0   0:01.18 migration/2
   15 root      20   0     0    0    0 S    0  0.0   0:00.27 ksoftirqd/2
   16 root      RT   0     0    0    0 S    0  0.0   0:22.83 watchdog/2
   17 root      RT   0     0    0    0 S    0  0.0   0:00.50 migration/3
   19 root      20   0     0    0    0 S    0  0.0   0:00.34 ksoftirqd/3
   20 root      RT   0     0    0    0 S    0  0.0   0:21.64 watchdog/3
   21 root       0 -20     0    0    0 S    0  0.0   0:00.00 cpuset
   22 root       0 -20     0    0    0 S    0  0.0   0:00.00 khelper
   23 root      20   0     0    0    0 S    0  0.0   0:00.00 kdevtmpfs
   24 root       0 -20     0    0    0 S    0  0.0   0:00.00 netns
   25 root      20   0     0    0    0 S    0  0.0   0:02.40 kworker/u:1
   26 root      20   0     0    0    0 S    0  0.0   0:00.14 sync_supers
   27 root      20   0     0    0    0 S    0  0.0   0:00.00 bdi-default
   28 root       0 -20     0    0    0 S    0  0.0   0:00.00 kintegrityd
   29 root       0 -20     0    0    0 S    0  0.0   0:00.00 kblockd
   30 root       0 -20     0    0    0 S    0  0.0   0:00.00 ata_sff
   31 root      20   0     0    0    0 S    0  0.0   0:00.00 khubd
   32 root       0 -20     0    0    0 S    0  0.0   0:00.00 md
   33 root      20   0     0    0    0 S    0  0.0   0:04.96 kworker/1:1
   34 root      20   0     0    0    0 S    0  0.0   0:02.51 kworker/2:1
   35 root      20   0     0    0    0 S    0  0.0   0:00.10 kworker/3:1
   36 root      20   0     0    0    0 S    0  0.0   0:00.00 khungtaskd
   37 root      20   0     0    0    0 S    0  0.0   0:00.00 kswapd0
   38 root      25   5     0    0    0 S    0  0.0   0:00.00 ksmd
   39 root      39  19     0    0    0 S    0  0.0   0:00.00 khugepaged
   40 root      20   0     0    0    0 S    0  0.0   0:00.01 fsnotify_mark
   41 root      20   0     0    0    0 S    0  0.0   0:00.00 ecryptfs-kthrea
   42 root       0 -20     0    0    0 S    0  0.0   0:00.00 crypto
   50 root       0 -20     0    0    0 S    0  0.0   0:00.00 kthrotld
   51 root      20   0     0    0    0 S    0  0.0   0:00.03 scsi_eh_0
   52 root      20   0     0    0    0 S    0  0.0   0:00.01 scsi_eh_1
   73 root       0 -20     0    0    0 S    0  0.0   0:00.00 devfreq_wq
   74 root      20   0     0    0    0 S    0  0.0   0:04.40 kworker/2:2
  222 root       0 -20     0    0    0 S    0  0.0   0:00.00 mpt_poll_0
  225 root       0 -20     0    0    0 S    0  0.0   0:00.00 mpt/0
  266 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_2
  268 root       0 -20     0    0    0 S    0  0.0   0:00.00 ttm_swap
  343 root      20   0     0    0    0 S    0  0.0   0:08.12 jbd2/sda1-8
  344 root       0 -20     0    0    0 S    0  0.0   0:00.00 ext4-dio-unwrit
  426 root      20   0 17232  640  444 S    0  0.0   0:00.10 upstart-udev-br
  483 root      20   0 21900 1620  772 S    0  0.0   0:00.09 udevd
  623 root      20   0     0    0    0 S    0  0.0   0:04.59 kworker/3:2
  626 root      20   0 21896 1200  348 S    0  0.0   0:00.00 udevd
  627 root      20   0 21896 1160  308 S    0  0.0   0:00.00 udevd
  655 root       0 -20     0    0    0 S    0  0.0   0:00.00 kmpathd
  656 root       0 -20     0    0    0 S    0  0.0   0:00.00 kmpath_handlerd
  665 root       0 -20     0    0    0 S    0  0.0   0:00.00 kpsmoused
  796 root      20   0 15188  392  200 S    0  0.0   0:00.00 upstart-socket-
  903 messageb  20   0 24264 1328  756 S    0  0.0   0:00.08 dbus-daemon
  914 root      20   0 21188 1432 1160 S    0  0.0   0:00.00 bluetoothd
  923 avahi     20   0 32304 1660 1356 S    0  0.0   0:00.71 avahi-daemon
  926 avahi     20   0 32180  472  216 S    0  0.0   0:00.00 avahi-daemon
  927 root      10 -10     0    0    0 S    0  0.0   0:00.00 krfcommd
  951 root      20   0  101m 3604 2652 S    0  0.1   0:00.01 cupsd
 1110 root      20   0     0    0    0 S    0  0.0   0:19.38 flush-8:0
 1137 root      20   0 49956 2820 2212 S    0  0.1   0:00.02 sshd
 1199 ntp       20   0 37696 2188 1560 S    0  0.1   0:08.52 ntpd
 1204 root      20   0  101m 4364 3296 S    0  0.1   0:02.33 sshd
 1207 root      20   0 2042m 3784 2748 S    0  0.1   0:00.04 console-kit-dae
 1274 root      20   0  207m 4740 3536 S    0  0.1   0:00.05 polkitd
 1410 root      20   0 27468 4432 1636 S    0  0.1   0:00.41 bash
 1540 root      20   0 20008  936  776 S    0  0.0   0:00.00 getty
 1545 root      20   0 20008  944  776 S    0  0.0   0:00.00 getty
 1561 root      20   0 20008  940  776 S    0  0.0   0:00.00 getty
 1563 root      20   0 20008  940  776 S    0  0.0   0:00.00 getty
 1567 root      20   0 20008  940  776 S    0  0.0   0:00.00 getty
 1568 root      20   0 26780  436  200 S    0  0.0   0:00.00 syslog-ng
 1569 root      20   0 74744 4256 2892 S    0  0.1   0:13.25 syslog-ng
 1582 root      20   0  280m 4184 3420 S    0  0.1   0:00.02 lightdm
 1583 root      20   0  4460  812  552 S    0  0.0   0:00.00 acpid
 1595 root      20   0 15980  672  496 S    0  0.0   0:01.73 irqbalance
 1599 daemon    20   0 16908  380  216 S    0  0.0   0:00.00 atd
 1600 root      20   0 19112 1008  768 S    0  0.0   0:00.04 cron
 1611 mysql     20   0 1049m  51m 7976 S    0  1.3   0:25.02 mysqld
 1618 root      20   0  166m  17m 9588 S    0  0.4   0:10.78 Xorg
 1620 root      20   0  4400  612  508 S    0  0.0   0:00.00 sh
 1621 root      20   0  203m  37m 3724 S    0  0.9   0:06.87 perl
 1685 root      20   0 12804  528  344 S    0  0.0   0:00.00 ossec-execd
 1690 root      20   0  185m 4608 3608 S    0  0.1   0:00.01 lightdm
 1693 root      20   0  132m 4236 3568 S    0  0.1   0:04.21 accounts-daemon
 1701 ossec     20   0 14508 2352  772 S    0  0.1   0:06.12 ossec-analysisd
 1705 root      20   0  4528  536  392 S    0  0.0   0:00.00 ossec-logcollec
 1731 lightdm   20   0  4400  612  508 S    0  0.0   0:00.00 lightdm-greeter
 1745 lightdm   20   0 23952  688  444 S    0  0.0   0:00.00 dbus-daemon
 1746 lightdm   20   0  244m  13m  10m S    0  0.3   0:29.15 lightdm-gtk-gre
 1748 lightdm   20   0 52404 2324 1928 S    0  0.1   0:00.01 gvfsd
 1750 lightdm   20   0  215m 3580 2916 S    0  0.1   0:00.00 gvfs-fuse-daemo
 1758 root      20   0  214m 4180 3220 S    0  0.1   0:00.02 upowerd
 1915 root      20   0  5752 2076  604 S    0  0.1   0:26.90 ossec-syscheckd
 1919 ossec     20   0 13060  544  364 S    0  0.0   0:00.00 ossec-monitord
 1929 root      20   0 94632 2516 1828 S    0  0.1   0:00.00 lightdm
 2009 root      20   0  4308  320  216 S    0  0.0   0:00.00 autossh
 2011 root      20   0 41448 2964 2292 S    0  0.1   0:00.06 ssh
 3465 root      20   0  176m  12m 6472 S    0  0.3   0:05.25 /usr/sbin/apach
 3472 root      20   0  215m 1880 1628 S    0  0.0   0:00.00 PassengerWatchd
 3478 root      20   0  288m 2236 1944 S    0  0.1   0:02.78 PassengerHelper
 3488 root      20   0  108m 8128 2092 S    0  0.2   0:00.11 ruby1.9.1
 3491 nobody    20   0  165m 4628 3596 S    0  0.1   0:00.50 PassengerLoggin
 3528 www-data  20   0  176m 6844  652 S    0  0.2   0:01.04 /usr/sbin/apach
 3529 www-data  20   0  176m 6844  652 S    0  0.2   0:00.00 /usr/sbin/apach
 3530 www-data  20   0  176m 6844  652 S    0  0.2   0:00.00 /usr/sbin/apach
 3531 www-data  20   0  176m 6844  652 S    0  0.2   0:00.00 /usr/sbin/apach
 3532 www-data  20   0  176m 6844  652 S    0  0.2   0:00.00 /usr/sbin/apach
 3544 root      20   0 20008  936  776 S    0  0.0   0:00.00 getty
 3729 root      20   0  4344  612  516 S    0  0.0   0:00.00 tail
 3973 root      20   0  4328  356  280 S    0  0.0   0:00.00 cat
 4029 root      20   0  4340  612  516 S    0  0.0   0:00.00 tail
 4113 root      20   0 46064 6336 2672 S    0  0.2   0:00.18 tclsh
 4156 root      20   0 11420  616  516 S    0  0.0   0:00.00 tail
14648 root      20   0     0    0    0 S    0  0.0   0:00.58 kworker/0:2
18172 root      20   0 46068 6296 2664 S    0  0.2   0:00.02 tclsh
18173 root      20   0 11420  616  516 S    0  0.0   0:00.00 tail
18905 root      20   0 16556 1472 1236 S    0  0.0   0:00.00 bash
18957 root      20   0 16560 1476 1236 S    0  0.0   0:00.00 bash
18966 root      20   0  275m  21m 3892 S    0  0.5   0:42.29 bro
19009 root      20   0 16560 1476 1236 S    0  0.0   0:00.00 bash
19012 root      20   0 16560 1480 1236 S    0  0.0   0:00.00 bash
19090 root      20   0 93644  78m  64m S    0  2.0   0:04.43 netsniff-ng
19129 root      20   0 40492 5124 2948 S    0  0.1   0:00.09 tclsh
19169 root      20   0 40548 5252 2968 S    0  0.1   0:00.26 tclsh
19171 root      20   0 11420  612  512 S    0  0.0   0:00.02 tail
19220 root      20   0  619m 294m  10m S    0  7.4   0:49.40 snort
19272 root      20   0  199m 100m 1732 S    0  2.5   3:50.23 barnyard2
19313 sguil     20   0 25864 7024 3700 S    0  0.2   0:05.56 prads
19348 root      20   0 40064 4824 2944 S    0  0.1   0:00.07 tclsh
19350 root      20   0 11404  360  280 S    0  0.0   0:00.00 cat
19384 root      20   0 41188 6076 2984 S    0  0.2   0:00.25 tclsh
19430 sguil     20   0  111m 6680 1092 S    0  0.2   0:14.25 argus
19472 root      20   0 40604 5324 2952 S    0  0.1   0:00.09 tclsh
19474 root      20   0 11424  664  568 S    0  0.0   0:00.00 tail
19498 root      20   0 93644  78m  64m S    0  2.0   0:02.74 netsniff-ng
19537 root      20   0 40492 5120 2948 S    0  0.1   0:00.05 tclsh
19576 root      20   0 40088 4844 2944 S    0  0.1   0:00.08 tclsh
19578 root      20   0 11420  616  516 S    0  0.0   0:00.01 tail
19632 root      20   0  619m 293m  10m S    0  7.4   0:31.57 snort
19681 root      20   0  199m 100m 1704 S    0  2.5   3:48.65 barnyard2
19716 sguil     20   0 25728 6872 3656 S    0  0.2   0:02.33 prads
19751 root      20   0 40064 4816 2936 S    0  0.1   0:00.03 tclsh
19753 root      20   0 11404  360  280 S    0  0.0   0:00.00 cat
19787 root      20   0 41188 6076 2984 S    0  0.2   0:00.31 tclsh
19826 sguil     20   0  111m 6724 1092 S    0  0.2   0:09.64 argus
19864 root      20   0 40104 4836 2936 S    0  0.1   0:00.02 tclsh
19866 root      20   0 11420  668  568 S    0  0.0   0:00.00 tail
19903 root      20   0     0    0    0 S    0  0.0   0:00.12 kworker/0:0
21639 root      20   0  4400  604  500 S    0  0.0   0:00.00 sh
21642 root      20   0  4400  380  268 S    0  0.0   0:00.00 sh
22850 root      20   0  4308  356  276 S    0  0.0   0:00.00 sleep
22855 root      20   0     0    0    0 S    0  0.0   0:00.01 kworker/0:1
23774 root      20   0  203m  34m  804 S    0  0.9   0:00.02 perl
23777 root      20   0 16540 1424 1200 S    0  0.0   0:00.00 sostat
24096 root      20   0 17336 1240  868 R    0  0.0   0:00.00 top


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/Sensor-eth0/dailylogs/
989M    .
324M    ./2013-02-13
665M    ./2013-02-14

/nsm/sensor_data/Sensor-eth1/dailylogs/
427M    .
172M    ./2013-02-13
255M    ./2013-02-14

/nsm/bro/logs/
4.0M    .
1.5M    ./2013-02-13
1.7M    ./2013-02-14
804K    ./stats

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/Sensor-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/Sensor-eth1/snort-1.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
Appl. Name         : <unknown>
Tot Packets        : 63753
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : <unknown>
Tot Packets        : 50064
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : snort-cluster-77-socket-0
Tot Packets        : 41321
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : snort-cluster-77-socket-0
Tot Packets        : 52
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0

Matt Gregory

Feb 15, 2013, 6:51:16 AM
to securit...@googlegroups.com

I have to say that I'm at a loss if re-running the entire sosetup, including the network setup, doesn't work.  I and many others have run setup numerous times without issue, including on VMs.  The setup does in fact configure both sguil and snorby.  That of course doesn't preclude some problem in your particular case.

When you ran sosetup, did you select eth1 as a monitoring interface?

Did you follow the setup instructions exactly?

On Feb 15, 2013 6:20 AM, "Simon" <hall.s...@gmail.com> wrote:
Thanks for the reply Matt.

Yeah, after I added the second interface (eth1) I ran through the whole network config and sosetup again. eth0 is indeed currently my management and monitored interface and is working nicely (this won't be in production).

The IP address on the eth1 interface was just added for connectivity testing really. The aim for the production deployment of the sensor will be 3 or more interfaces: 1 dedicated link between the management (Security Onion Server) and the Sensor, and 2 or more interfaces connected to different mirror ports, obviously without IPs. But I just wanted to get 2 sniffing interfaces working in this test phase.

I'm going to attempt a fresh VM deployment this morning with all the interfaces attached from the start and see how we get on.

By sensor at the time I just meant sniffing interface/monitoring interface, not sure of the exact term. I think Snorby classes it as a new sensor even if it's installed on the same sensor box.

I have had issues with the SOSETUP for Snorby in this deployment anyway, and I have had to manually configure mysql in the barnyard2-1.conf to get the event logging to work for my eth0. My impression so far is that the SOSETUP only configures it for SGUIL, and SGUIL does work nicely, so autossh is working. I will attempt redeployment and let you know how I get on.


Any thoughts in the meantime let me know.

Thanks again for the help.

Doug Burks

Feb 15, 2013, 7:04:50 AM
to securit...@googlegroups.com
Please send the output of the following (redacting sensitive info as necessary):
sudo sostat

Thanks,
Doug

On Fri, Feb 15, 2013 at 6:57 AM, Simon <hall.s...@gmail.com> wrote:
> In the previous deployment it didn't appear as an option maybe due to the interface being added after the system had been installed.
>
> On the new deployment with 3 interfaces 2 are in monitor and it appears to be the same issue with unified2 not populating.
>



--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Feb 15, 2013, 7:40:41 AM
to securit...@googlegroups.com
eth2 has only seen 85 packets in the same amount of time that eth1 has seen 323866 packets:

eth1      Link encap:Ethernet  HWaddr 00:0c:29:33:ac:cb
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:323866 errors:1 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20864166 (20.8 MB)  TX bytes:250 (250.0 B)
          Interrupt:19 Base address:0x2080

eth2      Link encap:Ethernet  HWaddr 00:0c:29:33:ac:d5
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:85 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11133 (11.1 KB)  TX bytes:160 (160.0 B)
          Interrupt:16 Base address:0x2400

Are you sure eth2 is seeing traffic that snort should be alerting on?

Doug

On Fri, Feb 15, 2013 at 7:23 AM, Simon <hall.s...@gmail.com> wrote:
> Thanks for looking into this guys.
>
> sostat attached.
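The checks raised in this thread (interface UP and in PROMISC mode after the sosetup network step, no IP address on a monitor-only interface, and one monitor interface seeing far fewer packets than its peer) can be run over ifconfig output mechanically. The script below is an added example, not Security Onion's code or any poster's; it parses the net-tools ifconfig format pasted above, using the eth1/eth2 blocks from that message as sample input plus a constructed "eth3" block (documentation-range address, made-up MAC) to exercise the IP-address and missing-PROMISC findings.

```python
import re
from dataclasses import dataclass, field

# Sample input: eth1/eth2 are the blocks pasted in this thread; eth3 is a
# constructed block (192.0.2.x documentation range, invented MAC) added to
# show what a monitor interface that skipped the network config looks like.
SAMPLE_IFCONFIG = """\
eth1      Link encap:Ethernet  HWaddr 00:0c:29:33:ac:cb
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:323866 errors:1 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20864166 (20.8 MB)  TX bytes:250 (250.0 B)
          Interrupt:19 Base address:0x2080

eth2      Link encap:Ethernet  HWaddr 00:0c:29:33:ac:d5
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:85 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11133 (11.1 KB)  TX bytes:160 (160.0 B)
          Interrupt:16 Base address:0x2400

eth3      Link encap:Ethernet  HWaddr 00:0c:29:33:ac:df
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:900000 (900.0 KB)  TX bytes:3200 (3.2 KB)
"""


@dataclass
class Iface:
    name: str
    flags: set = field(default_factory=set)   # UP, PROMISC, RUNNING, ...
    has_ip: bool = False                       # an "inet addr:" line was seen
    rx_packets: int = 0


def parse_ifconfig(text: str) -> list:
    """Parse net-tools style ifconfig output into Iface records."""
    ifaces = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        head = re.match(r"(\S+)\s+Link encap:", lines[0])
        if not head:
            continue
        iface = Iface(name=head.group(1))
        for line in lines[1:]:
            line = line.strip()
            if line.startswith("inet addr:"):
                iface.has_ip = True
            elif "MTU:" in line:
                # The flags line ends with "MTU:... Metric:..."; flags precede it.
                iface.flags = set(line.split("MTU:")[0].split())
            elif line.startswith("RX packets:"):
                iface.rx_packets = int(re.match(r"RX packets:(\d+)", line).group(1))
        ifaces.append(iface)
    return ifaces


def check_monitor_ifaces(ifaces, monitor_names, quiet_ratio=0.01):
    """Return {name: [finding, ...]} for each interface expected to sniff.

    An empty list means the interface looks like a healthy monitor port.
    """
    by_name = {i.name: i for i in ifaces}
    present = [by_name[n] for n in monitor_names if n in by_name]
    busiest = max((i.rx_packets for i in present), default=0)
    findings = {}
    for name in monitor_names:
        iface = by_name.get(name)
        if iface is None:
            findings[name] = ["absent from ifconfig output: bring it up before running sosetup"]
            continue
        notes = []
        if "UP" not in iface.flags:
            notes.append("interface is not UP")
        if "PROMISC" not in iface.flags:
            notes.append("not in promiscuous mode: re-run the network configuration step of sosetup")
        if iface.has_ip:
            notes.append("has an IP address: a monitor-only interface normally should not")
        if busiest and iface.rx_packets < busiest * quiet_ratio:
            notes.append(f"only {iface.rx_packets} RX packets vs {busiest} on the busiest "
                         "monitor interface: check that the mirror port is actually feeding it")
        findings[name] = notes
    return findings


def run_checks():
    """Run the checks over the sample with eth1, eth2 and eth3 as monitor ports."""
    return check_monitor_ifaces(parse_ifconfig(SAMPLE_IFCONFIG), ["eth1", "eth2", "eth3"])


if __name__ == "__main__":
    for name, notes in run_checks().items():
        print(f"{name}: {'ok' if not notes else ''}")
        for note in notes:
            print(f"  - {note}")
```

On a live sensor, feed it `ifconfig -a` output instead of the sample and list the interfaces you selected as sniffing interfaces in sosetup.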

Doug Burks

Feb 15, 2013, 8:23:38 AM
to securit...@googlegroups.com
So are you sure that eth1 is seeing traffic that Snort should alert on?
Doug

On Fri, Feb 15, 2013 at 7:53 AM, Simon <hall.s...@gmail.com> wrote:
> Yeah, sorry, this is from the new deployment with 3 interfaces: dedicated management eth0, monitor eth1, monitor eth2. eth2 is just on a new, fairly quiet virtual network. But in this new deployment neither eth1 nor eth2 is populating unified2 logs, although both are updating snort.log.* in dailylogs.
>
> My other deployment has 2 interfaces in total; out of those, 1 was logging events successfully, which was the management port.
>
> But in both deployments I see this same issue with non-working interfaces where dailylogs populate but unified2 doesn't. Are there any common causes for this?
>
> Thank you again for taking the time to look at this.

Heine Lysemose

Feb 15, 2013, 10:49:22 AM
to securit...@googlegroups.com
Hi

What if you switch the cables eth1 <=> eth2 and do a 'sudo nsm_sensor_ps-restart'?
Will eth2 start picking up the traffic?

/Lysemose


On Fri, Feb 15, 2013 at 4:40 PM, Simon <hall.s...@gmail.com> wrote:
I'm not just being too impatient, am I? How long would you expect it to take for unified2.* logs and the database to start being populated on first install, and is there a way to speed it up?

I have just tested a standalone deployment again with 3 interfaces all being monitored, including the management port, which I am hammering, and I'm not seeing anything in unified2 files again. And it seems to take a good while before sensors are even added to the database.