Snort Alert File Not Created

271 views

Relax Preppy
Oct 12, 2015, 5:01:49 PM
to security-onion
One of my sensor only boxes is not generating an alert file in: /nsm/sensor_data/sensor-eth1/

I have verified that it is generating IDS alerts and I am seeing them in squert. Any ideas? Thanks.

Heine Lysemose
Oct 13, 2015, 2:16:14 AM
to securit...@googlegroups.com

Hi

Please post the output from sudo sostat-redacted.

Thanks,
Lysemose

On Oct 12, 2015 11:01 PM, "Relax Preppy" <relax...@gmail.com> wrote:
One of my sensor only boxes is not generating an alert file in: /nsm/sensor_data/sensor-eth1/

I have verified that it is generating IDS alerts and I am seeing them in squert. Any ideas? Thanks.


Relax Preppy
Oct 13, 2015, 12:40:39 PM
to security-onion
I have attached the sostat output.
info.txt

Heine Lysemose
Oct 13, 2015, 1:05:40 PM
to securit...@googlegroups.com

Hi

Your attached file is only partial... Could you try to attach it again, maybe filtering out the big Netsniff-ng part?
But you have a lot of dropped packets. You want to look into that problem.

How much bandwidth are you monitoring?
How many rules do you have enabled?

Regards,
Lysemose

Relax Preppy
Oct 14, 2015, 12:29:53 PM
to security-onion
Snipped the netsniff-ng portion of the log and re-uploaded.

Interface sees 5 TB/day.
9500 enabled IDS rules.

The only thing I can think of is that we changed the sniffing interface. I updated the /etc/nsm/sensortab file to comment out the old interface and uncomment the new interface, and again, Snort is firing off alerts into Squert.

info.txt

Doug Burks
Oct 15, 2015, 6:11:27 AM
to securit...@googlegroups.com
On Wed, Oct 14, 2015 at 12:29 PM, Relax Preppy <relax...@gmail.com> wrote:
> snipped the netsniff-ng portion of the log and re-uploaded.
>
> interface sees 5TB/day
> 9500 enabled ids rules
>
> the only thing I can think of is that we changed the sniffing interface. i updated the /etc/nsm/sensortab file to comment out the old interface and uncomment the new interface - and again, snort is firing off alerts into squert.

If Squert is showing alerts from Snort, then what "Snort Alert File"
are you looking for?

By default, Security Onion just configures Snort to output a unified2
file to /nsm/sensor_data/HOSTNAME-INTERFACE/snort-INSTANCE/.
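Because the output is binary unified2 rather than a plaintext alert file, the quickest way to confirm Snort is writing alerts on the sensor is to decode the records in that directory. The following is an added example (not Security Onion or Snort code) that parses the two most common unified2 record types, the legacy IPv4 IDS event and the packet record, from a constructed byte stream; the field layout follows Snort's published unified2 structures, and a truncated trailing record (Snort still writing) is skipped rather than treated as corruption.

```python
import glob
import socket
import struct

# Record types from Snort's unified2 format
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event record, 52-byte body

def parse_unified2(data: bytes) -> list:
    """Decode a unified2 byte stream into a list of record dicts."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)  # Serial_Unified2_Header
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break  # partial tail: the sensor is probably mid-write, not corrupt
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack(">9I4s4sHHBBBB", body[:52])
            records.append({"type": "event", "event_id": f[1], "event_second": f[2],
                            "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
                            "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                            "sport": f[11], "dport": f[12], "proto": f[13]})
        elif rtype == UNIFIED2_PACKET:
            _, event_id, _, _, _, linktype, pkt_len = struct.unpack_from(">7I", body)
            records.append({"type": "packet", "event_id": event_id,
                            "linktype": linktype, "packet": body[28:28 + pkt_len]})
        else:
            records.append({"type": "unknown", "rtype": rtype, "length": rlen})
    return records

def read_sensor_dir(path: str) -> list:
    """Decode every snort.unified2.* file under a Security Onion snort-INSTANCE dir."""
    out = []
    for name in sorted(glob.glob(path.rstrip("/") + "/snort.unified2.*")):
        with open(name, "rb") as fh:
            out.extend(parse_unified2(fh.read()))
    return out

def build_sample() -> bytes:
    """Constructed sample stream: one event (sid 1000001, local range) plus its packet."""
    event = struct.pack(">9I4s4sHHBBBB", 0, 1, 1444741309, 0, 1000001, 1, 3, 0, 2,
                        socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.1.20"),
                        40000, 80, 6, 0, 0, 0)
    payload = b"\x00" * 14 + b"GET / HTTP/1.1\r\n"  # fake Ethernet header + data
    packet = struct.pack(">7I", 0, 1, 1444741309, 1444741309, 0, 1, len(payload)) + payload
    return (struct.pack(">II", UNIFIED2_IDS_EVENT, len(event)) + event +
            struct.pack(">II", UNIFIED2_PACKET, len(packet)) + packet)

if __name__ == "__main__":
    for rec in parse_unified2(build_sample()):
        print(rec["type"], rec.get("sid", ""), rec.get("src", ""), rec.get("dst", ""))
```

On a sensor, `read_sensor_dir("/nsm/sensor_data/HOSTNAME-INTERFACE/snort-INSTANCE")` returning events is the confirmation that alerts are being written, even though no `alert` text file exists.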