Your configuration looks correct to me. If it starts out running
correctly and then fails at some point after that, I would focus less
on the interface configuration and more on the processes themselves.
Are you running from the LiveCD, or are you running from an actual
installation? If running from the LiveCD, how much RAM do you have?
Is it possible you ran out of RAM and the kernel OOM killer is killing
processes?
Have you verified that all processes are running with "nsm --all
--status"? Keep in mind that there should be not one but TWO snort
processes running (one for alerting and the other for full packet
capture). Have you looked at all the log files in /var/log/ and
specifically /var/log/nsm/?
Thanks,
--
Doug Burks, GCIA Gold, GSEC, CISSP
http://securityonion.blogspot.com
http://twitter.com/dougburks
Not sure if this is related to what you're seeing, but keep in mind
that the timestamps you see in Sguil are GMT and not your timezone.
For further testing of this, I'd recommend using some of the included
tools such as idswakeup and metasploit to generate some alerts and see
when they appear in the Sguil console and what timestamp they have.
>I then used the instructions on the web site to get Snort 3.0 working.
Keep in mind that Snort 3.0 is still in beta and therefore should not
be used in production.
Thanks,
--
Doug Burks
http://securityonion.blogspot.com
http://twitter.com/dougburks
First, I would use the included "idswakeup" tool to send some traffic
across the Snort sensor and see if it generates an alert or not.
Another easy test would be opening a browser and going to
http://testmyids.com. If you're not seeing alerts using these
methods, then you should check your Snort configuration. When you
look at traffic using tcpdump/wireshark, what interface are you
capturing traffic from? Snort is configured to only capture traffic
on eth0 by default. If you're using another port, you can change this
setting in /etc/nsm/sensor1/snort.conf. Also check to see if all
NSMnow processes are running with the command "nsm --all --status".
Note that there should be two snort processes running: one for full
packet capture and the other for alerting. Finally, check the log
files in /var/log/nsm/.
Once you get Snort alerting on idswakeup or testmyids.com, you'll want
to update the Snort ruleset using oinkmaster or pulledpork. Both are
included in Security Onion, but my preference would be pulledpork.
Please let me know if you have any further questions or problems.
Thanks,
Doug
--
Thanks,
Doug
1. SnortSP is still in beta and therefore should not be used in
production. The SnortSP-Sguil desktop shortcut is meant as a demo and
not a full-time IDS. I'll add a warning message to this effect in the
next release (see
http://code.google.com/p/security-onion/issues/detail?id=8). To
answer your question, when you run SnortSP-Sguil and then run "nsm
--all --status", you are expected to get a FAIL on the "snort (alert
data)" process, because the SnortSP-Sguil launcher replaces the NSMnow
Snort alert process with our own copy of SnortSP that NSMnow is not
aware of.
2. Please try your test again using the Snort-Sguil (not
SnortSP-Sguil) shortcut.
Thanks,
I've setup sguil using NSMnow and worked through most of the problems but
there's one thing I'm not sure on. I start the processes using nsm --all
--start and everything looks ok apart from log_packets.sh
If I run this script manually from the cli, snort logging with a BPF filter
is shown in the list of processes (ps -ef | grep snort). If I use nsm --all
--start snort logging is also working but without the BPF filter. I have
added log_packets.sh to crontab but that would mean two snort logging
processes would run.
Have you got any ideas?
Thanks,
Mick.
It's been a while since I've used NX Server (and certainly have never
tried it with Security Onion and/or Sguil), but my guess is that it's
a font issue. Quoting from the NoMachine website:
"NOTE: The additional fonts are only needed when running very old Unix
applications, requiring the use of client-side fonts."
The Sguil client is written in Tcl/Tk, which falls into the category
of "very old Unix applications". Please try installing the additional
fonts packages from the NoMachine website:
http://www.nomachine.com/download-client-windows.php
Please let me know whether or not that helps.
Thanks,
--
Doug Burks
http://securityonion.blogspot.com
http://twitter.com/dougburks