Installation on HD not capturing any Traffic

pc
Oct 18, 2010, 12:15:22 PM
to security-onion
Hi,
I used the live CD to install Security Onion on a test PC (used the
install option from boot). During the install I gave a new username
and password and it seemed to install OK. I then used the Setup icon
and chose to keep the default HOME_NET variable, did not download new
rules and chose Suricata. Sguil seems to start up OK but there is no
traffic captured (generated traffic using ping etc.). Any ideas where I
went wrong? Are there any changes I need to make to get it working? Is
there a standard config document I could use to check my settings?

Thanks

Doug Burks
Oct 18, 2010, 12:40:14 PM
to security-onion
Hi pc,

A few questions for you:
1. Do you have more than one network interface? By default, Snort/
Suricata only listen on eth0.
2. Have you tried using the Setup script to switch back to Snort and
see if you get different results?
3. What exactly did you use for testing traffic? Sguil is not going
to show an alert for every packet, only packets that match the rules
in /etc/snort/rules/snort.rules. Try opening Firefox and clicking the
testmyids.com link. This should match one of the default rules and
create an alert.

Thanks,
Doug Burks
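Doug's third point is the usual reason a ping test "captures nothing": Sguil only displays packets that satisfy a rule in snort.rules, and an ICMP echo carries nothing a rule is looking for. The following is an added example (my code, not from the thread or from Security Onion) that reads the `content:` options out of Snort-style rules and checks whether a payload satisfies them. The two rules and both payloads are constructed for the example; the first rule is modelled on the well-known "id check returned root" rule that testmyids.com is built to trip, but its sid and text here should be treated as illustrative, and only content matching is implemented (no ports, flow or distance/within).

```python
import re

# Constructed sample rules in Snort syntax; not copied from the thread or from
# /etc/snort/rules/snort.rules. The first is modelled on the well-known
# "id check returned root" rule that testmyids.com is designed to trigger.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP USER root"; flow:to_server,established; content:"USER"; nocase; content:"root"; nocase; sid:9000001; rev:1;)
'''

_HEX_RUN = re.compile(r'\|([0-9A-Fa-f ]+)\|')


def decode_content(text):
    """Turn a Snort content string into bytes, expanding |hex| runs."""
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(text):
        out += text[pos:m.start()].encode('latin-1')
        out += bytes.fromhex(m.group(1).replace(' ', ''))
        pos = m.end()
    out += text[pos:].encode('latin-1')
    return bytes(out)


def parse_rules(rule_text):
    """Return [(sid, msg, [(pattern_bytes, nocase), ...])] for each alert rule."""
    rules = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line.startswith('alert'):
            continue
        body = line[line.index('(') + 1:line.rindex(')')]
        contents, sid, msg = [], None, None
        for opt in (o.strip() for o in body.split(';') if o.strip()):
            key, _, val = opt.partition(':')
            key, val = key.strip(), val.strip()
            if key == 'content':
                contents.append([decode_content(val.strip('"')), False])
            elif key == 'nocase' and contents:
                contents[-1][1] = True          # nocase modifies the preceding content
            elif key == 'sid':
                sid = int(val)
            elif key == 'msg':
                msg = val.strip('"')
        rules.append((sid, msg, [tuple(c) for c in contents]))
    return rules


def matching_sids(payload, rules):
    """sids of rules whose every content: pattern occurs in payload.

    Only the content matches are checked (no ports, flow, distance/within),
    which is enough to show why a plain ping trips nothing in the ruleset."""
    hits = []
    for sid, _msg, contents in rules:
        if not contents:
            continue
        matched = True
        for pattern, nocase in contents:
            hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
            if needle not in hay:
                matched = False
                break
        if matched:
            hits.append(sid)
    return hits


# Constructed payloads: roughly what a default Linux ping puts in an ICMP echo
# (timestamp then incrementing filler bytes), versus the body of the response
# testmyids.com returns.
PING_PAYLOAD = bytes(8) + bytes(range(0x08, 0x38))
TESTMYIDS_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"uid=0(root) gid=0(root) groups=0(root)\n")

if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    print('ping      ->', matching_sids(PING_PAYLOAD, rules))        # []
    print('testmyids ->', matching_sids(TESTMYIDS_RESPONSE, rules))  # [2100498]
```

The same idea applies to a Nessus scan: it produces alerts because its probes carry strings the rules look for, not because Sguil sees every packet of it.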

pc
Oct 21, 2010, 6:55:13 AM
to security-onion
Hi,
Sorry for the late reply.
I have since wiped the install and reinstalled via the live CD desktop
icon. I removed the spare NIC before install so now there is only
eth0.
Once booted up I used the Setup icon and took the default DHCP address
for eth0, I did not download any new rules and chose Snort as the
IDS.
I then tested by running a default Nessus scan pointed directly at the
IDS IP address. This seemed to work as it collected a lot of alerts/
traffic in Sguil.
I then switched to Suricata using the Setup icon, and ran the same
test; I got no traffic or alerts at all in Sguil. Is there something I
need to manually change in Suricata to get it to work with Sguil? How
do I check if Suricata is collecting any info at all but just not
passing it to Sguil?

Doug Burks
Oct 21, 2010, 9:06:35 AM
to security-onion
Hello again pc,

Did you notice if Sguil's CNT column incremented? Since you ran the
same Nessus scan a second time (which would have generated the same
alerts), Sguil should have incremented the CNT column for each of the
alerts that fired.

If you want to see the alerts appear in the Sguil interface as they're
generated, then you can remove the existing alerts from the GUI before
running your Nessus scan. You can do this by either:
-pressing the F8 key while the alert is highlighted
OR
-right-clicking on the ST column for the alert and clicking "Expire
Event as NA"

Please let us know whether or not that helps.

Thanks,
Doug Burks

pc
Oct 21, 2010, 10:47:35 AM
to security-onion

Hi,
The CNT column was not incrementing. I cleared out any entries as you
suggested and ran Nessus again but no traffic was collected.
I then changed back to Snort using the Setup icon; I then got an error in
/var/log/nsm/sensor1/snortu.log: Unable to open rules file /etc/nsm/
sensor1/./rules/snort.rules: No such file or directory. Quitting.
So Snort is not working now?
I also noticed if I try to update to a more advanced ruleset I get the
error /etc/pulledpork/pulledpork.conf: permission denied.

Doug Burks
Oct 21, 2010, 11:12:21 AM
to security-onion
It sounds like it tried to update the rules and failed, leaving you
with an empty snort.rules file. It should have made a backup copy of
your snort.rules file before overwriting. Take a look at /etc/snort/
rules/ and see if there is a snort.rules file with the date appended
to it (for example: snort.rules.20101021). If so, rename that file to
snort.rules and Snort should then be able to start successfully.

Regarding the permission error, you logged in with the username/
password you created in the installer, right? Does that user have
full sudo privileges? What is the output of "sudo -l"?

Thanks,
Doug Burks

pc
Oct 21, 2010, 12:33:20 PM
to security-onion
Hi,
I renamed the file to snort.rules and ran Setup again. I got the same
error and also the rules file got renamed to today's date again.
The output of sudo -l for the user is (ALL) ALL.

Doug Burks
Oct 21, 2010, 12:50:19 PM
to security-onion
Rename the file to snort.rules again but don't run setup this time.
Just run the following command:
sudo service nsm restart

This should restart all Snort/Sguil services. If everything goes
correctly, Snort should be running and you should be able to login to
Sguil. If not, copy the entire terminal output into your reply email
so I can see what's going on. Then try restarting the box to see if
that helps.

Let's get Snort working again before proceeding to troubleshooting
your rule download.

Thanks,
Doug

pc
Oct 22, 2010, 10:09:36 AM
to security-onion
Hi,
I have been unable to get Snort to start again. Below is the output
from Setup and also the error log files:
[sudo] password for user:
Security Onion Setup

Would you like to set HOME_NET to something other than
the current IP address of eth0 (192.168.1.57)? [Y/n] n

Security Onion has a very basic IDS ruleset already installed.
Would you like to download a more advanced IDS ruleset? [Y/n] y
cp: cannot create regular file `/etc/pulledpork/pulledpork.conf':
Permission denied
Would you like to download the VRT ruleset from snort.org?
NOTE: This requires that you already have an Oinkcode.
[Y/n] n
mv: cannot stat `/etc/snort/rules/snort.rules': No such file or
directory

http://code.google.com/p/pulledpork/
     _____ ____
    `----,\    )
     `--==\\  /    PulledPork v0.5.0 Dev
      `--==\\/
    .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
 @_/        /  66\_  cumm...@gmail.com
|    \   \   _(")
 \   /-| ||'--'     Rules give me wings!
  \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


ERROR: You need to specify an oinkcode, please get one from snort.org!
Usage: /usr/local/bin/pulledpork.pl [-lvvVdnHTn? -help] -c <config
filename> -o <rule output path>
-O <oinkcode> -s <so_rule output directory> -D <Distro> -S
<SnortVer>
-p <path to your snort binary> -C <path to your snort.conf> -t
<sostub output path>
-h <changelog path> -I (security|connectivity|balanced) -i <path to
disablesid.conf>
-b <path to dropsid.conf> -e <path to enablesid.conf> -M <path to
modifysid.conf>

Options:
-c Where the pulledpork config file lives.
-i Where the disablesid config file lives.
-b Where the dropsid config file lives.
-e Where the enablesid config file lives.
-M where the modifysid config file lives.
-o Where do you want me to put generic rules file?
-L Where do you want me to read your local.rules for inclusion in
sid-msg.map
-h path to the sid_changelog if you want to keep one?
-u Where do you want me to pull the rules tarball from
(ET, Snort.org, see pulledpork config rule_url option for value
ideas)
-O What is your Oinkcode?
-I Specify a base ruleset( -I security,connectivity,or balanced,
see README.RULESET)
-T Process text based rules files only, i.e. DO NOT process
so_rules
-m where do you want me to put the sid-msg.map file?
-s Where do you want me to put the so_rules?
-C Path to your snort.conf
-p Path to your Snort binary
-t Where do you want me to put the so_rule stub files? ** Thus MUST
be uniquely
different from the -o option value
-D What Distro are you running on, for the so_rules
Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
FC-5, FC-9, FC-11, FC-12, RHEL-5.0
FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0,
FreeBSD-8-1
-l Log information to logger rather than stdout messages. **not
yet implemented**
-v Verbose mode, you know.. for troubleshooting and such nonsense.
-vv EXTRA Verbose mode, you know.. for in-depth troubleshooting and
other such nonsense.
-d Do not verify signature of rules tarball, i.e. downloading fron
non VRT or ET locations.
-H Send a SIGHUP to the pids listed in the config file
-n Do everything other than download of new files (disablesid, etc)
-V Print Version and exit
-help/? Print this help info.

Restarting: sensor1
* stopping: barnyard2 (spooler, unified2 format) (not running)
[ WARN ]
* starting: barnyard2 (spooler, unified2 format)
[ FAIL ]
- check /var/log/nsm/sensor1/barnyard2.log for error messages
* disk space currently at 9%

Currently running Snort.
Would you like to switch to Suricata? [Y/n] n
Starting: sensor1
* starting: snort (alert data)
[ FAIL ]
- check /var/log/nsm/sensor1/snortu.log for error messages
* disk space currently at 9%

Setup is complete. Press Enter to exit Setup.
********** SNORTU LOGFILE **********
Executing: snort -u sguil -g sguil -c /etc/nsm/sensor1/snort.conf -i eth0 -l /nsm/sensor_data/sensor1 -U -m 112
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/nsm/sensor1/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 311 591 593 901 1220 1414 2301
2381 2809 3128 3702 7777 7779 8000 8008 8028 8080 8118 8123 8180 8243
8280 8888 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
Detection:
Search-Method = AC-Full-Q
Split Any/Any group = enabled
Search-Method-Optimizations = enabled
Maximum pattern length = 20
ERROR: Unable to open rules file "/etc/nsm/sensor1/./rules/snort.rules": No such file or directory.
Fatal Error, Quitting..
********** BARNYARD LOGFILE **********
Executing: barnyard2 -c /etc/nsm/sensor1/barnyard2.conf -d /nsm/sensor_data/sensor1 -f snort.unified2 -w /etc/nsm/sensor1/barnyard2.waldo -U
Running in Continuous mode

--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/nsm/sensor1/barnyard2.conf"
Log directory = /nsm/sensor_data/sensor1
sguil: sensor name = sensor1
sguil: agent port = 7735
sguil: Connected to localhost on 7735.

--== Initialization Complete ==--

______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.9-beta1 (Build 251)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php
+ '''' + (C) Copyright 2008-2010 SecurixLive.

Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/nsm/sensor1/barnyard2.waldo':
spool directory = /nsm/sensor_data/sensor1
spool filebase = snort.unified2
time_stamp = 1287740924
record_idx = 1717
Opened spool file '/nsm/sensor_data/sensor1/snort.unified2.1287740924'
ERROR: sguil: Expected Confirm 1156 and got: Failed to insert 1156: mysqlexec/db server: Duplicate entry '3-1156' for key 'PRIMARY'

Fatal Error, Quitting..

Doug Burks
Oct 23, 2010, 9:43:48 PM
to securit...@googlegroups.com
We've already established that you're having issues with the setup
script, so let's remove it from the equation for now. I'd like to
focus on getting snort working again. Once we've gotten that far,
then we'll determine what's going wrong with the setup script.

Please do the following:

1. Rename the snort.rules.YYYYMMDD file to snort.rules, but do NOT run setup!

2. Run the following commands and copy the output to your reply email:
sudo service nsm restart
ls -al /etc/snort/rules/
ls -al /etc/snort/

Thanks,
--
Doug Burks
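The restore step Doug describes here and in his earlier reply (the failed rule update leaves an empty snort.rules, and Setup has already written a dated copy next to it) is easy to get wrong by hand, as the earlier attempt showed when Setup re-renamed the file. The following is an added example, not code from the thread or from Security Onion, that checks whether snort.rules actually holds rules and, if not, restores the newest snort.rules.YYYYMMDD backup that does. The directory layout it builds for the demo is constructed (a temporary directory, with invented rule lines); point `restore_rules()` at /etc/snort/rules/ on a real sensor, then run `sudo service nsm restart` as Doug says, without running Setup.

```python
import os
import re
import shutil
import tempfile

# Setup writes the backup as snort.rules.YYYYMMDD next to snort.rules.
BACKUP_RE = re.compile(r'^snort\.rules\.(\d{8})$')
RULE_ACTIONS = ('alert', 'log', 'pass', 'drop', 'reject', 'sdrop')


def count_rules(path):
    """Number of active (uncommented) rule lines in a rules file."""
    n = 0
    with open(path, 'r', encoding='latin-1') as fh:
        for line in fh:
            first = line.lstrip().split(None, 1)[:1]
            if first and first[0] in RULE_ACTIONS:
                n += 1
    return n


def usable_backups(rules_dir):
    """Dated backups that actually contain rules, newest date first."""
    found = []
    for name in os.listdir(rules_dir):
        m = BACKUP_RE.match(name)
        if m and count_rules(os.path.join(rules_dir, name)) > 0:
            found.append((m.group(1), name))
    return [name for _, name in sorted(found, reverse=True)]


def restore_rules(rules_dir):
    """Restore snort.rules from the newest usable backup if it is missing or
    holds no rules. Returns ('ok', count), ('restored', backup) or ('no-backup', None)."""
    target = os.path.join(rules_dir, 'snort.rules')
    if os.path.isfile(target):
        n = count_rules(target)
        if n > 0:
            return ('ok', n)
    backups = usable_backups(rules_dir)
    if not backups:
        return ('no-backup', None)
    # Copy rather than rename so the dated file survives if Setup clobbers
    # snort.rules again, as happened in the thread.
    shutil.copy2(os.path.join(rules_dir, backups[0]), target)
    return ('restored', backups[0])


def build_demo_dir():
    """Constructed layout, not a real rules directory: an empty snort.rules left by
    a failed update, a newer backup that is whitespace only, and an older good one."""
    d = tempfile.mkdtemp(prefix='so-rules-')
    open(os.path.join(d, 'snort.rules'), 'w').close()
    with open(os.path.join(d, 'snort.rules.20101023'), 'w') as fh:
        fh.write('\n')
    with open(os.path.join(d, 'snort.rules.20101022'), 'w') as fh:
        fh.write('# constructed sample rules\n'
                 'alert icmp any any -> any any (msg:"EXAMPLE ICMP"; sid:9000001; rev:1;)\n'
                 'alert tcp any any -> any 80 (msg:"EXAMPLE HTTP"; sid:9000002; rev:1;)\n')
    return d


if __name__ == '__main__':
    demo = build_demo_dir()
    print(restore_rules(demo))   # ('restored', 'snort.rules.20101022')
    print(restore_rules(demo))   # ('ok', 2)
```

Counting rule lines rather than checking file size is the point: the ls output later in the thread shows a snort.rules that is the same size as its backup, so size alone says nothing about whether Snort can parse it, and a backup taken of an already-empty file is skipped instead of being copied into place.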

pc
Oct 26, 2010, 5:45:34 AM
to security-onion
root@user-ids:/etc/snort/rules# ls -al
total 2988
drwxrwxr-x 3 root root 4096 2010-10-22 15:48 .
drwxrwxr-x 4 root root 4096 2010-10-22 15:52 ..
drwxr-xr-x 2 root root 4096 2010-10-09 17:40 nsmnow
-rw-r--r-- 1 root root 1012698 2010-10-21 16:41 snort.rules
-rw-r--r-- 1 root root 1012698 2010-10-09 21:13 snort.rules.20101022
-rw-r--r-- 1 root root 1013164 2010-10-09 21:13 snort.rules.orig
root@user-ids:/etc/snort/rules# cd ..
root@user-ids:/etc/snort# ls -al
total 532
drwxrwxr-x 4 root root 4096 2010-10-22 15:52 .
drwxr-xr-x 4 root root 4096 2010-10-09 17:20 ..
-rw-r--r-- 1 root root 1281 2010-10-09 20:56 attribute_table.dtd
-rw-r--r-- 1 root root 486 2010-10-09 17:19 barnyard2.conf
-rw------- 1 root root 2056 2010-10-22 10:58 barnyard2.waldo
-rw-r--r-- 1 root root 3519 2010-10-09 20:56 classification.config
-rw-r--r-- 1 root root 1621 2010-10-10 17:31 disablesid.conf
-rw-r--r-- 1 root root 1833 2010-10-10 17:31 dropsid.conf
-rw-r--r-- 1 root root 1620 2010-10-10 17:31 enablesid.conf
-rw-r--r-- 1 root root 24932 2010-10-09 20:56 gen-msg.map
drwxr-xr-x 3 root root 4096 2010-04-29 16:31 hogger
-rw-r--r-- 1 root root 10538 2010-10-09 20:56 Makefile
-rw-r--r-- 1 root root 174 2010-10-09 20:56 Makefile.am
-rw-r--r-- 1 root root 10000 2010-10-09 20:56 Makefile.in
-rw-r--r-- 1 root root 912 2010-10-10 17:31 modifysid.conf
-rw-r--r-- 1 root root 1313 2010-10-09 17:19 pcap_agent.conf
-rw-r--r-- 1 root root 6018 2010-10-22 15:04 pulledpork.conf
-rw-r--r-- 1 root root 6038 2010-10-10 19:52 pulledpork.conf.master
-rw-r--r-- 1 root root 5987 2010-10-10 17:31 pulledpork.conf.orig
-rw-r--r-- 1 root root 605 2010-10-09 20:56 reference.config
drwxrwxr-x 3 root root 4096 2010-10-22 15:48 rules
-rw-r--r-- 1 root root 922 2010-10-09 17:19 sancp_agent.conf
-rw-r--r-- 1 root root 1775 2010-10-09 17:19 sancp.conf
lrwxrwxrwx 1 root root 16 2010-10-20 19:08 sensor1 -> /etc/nsm/sensor1
-rw-r--r-- 1 root root 826 2010-10-09 17:19 sensor.conf
-rw-r--r-- 1 root root 231874 2010-10-09 22:40 sid-msg.map
-rw-r--r-- 1 root root 1335 2010-10-09 17:19 snort_agent.conf
-rw-r--r-- 1 root root 16898 2010-10-22 15:52 snort.conf
-rw-r--r-- 1 root root 3855 2010-10-09 17:19 snort.conf.nsmnow.orig
-rw-r--r-- 1 root root 18568 2010-10-09 20:56 snort.conf.orig
-rw-r--r-- 1 root root 14813 2010-10-22 15:52 suricata.yaml
-rw-r--r-- 1 root root 16171 2010-10-09 17:38 suricata.yaml.bak
-rw-r--r-- 1 root root 16171 2010-10-09 17:38 suricata.yaml.orig
-rw-r--r-- 1 root root 2335 2010-10-09 20:56 threshold.conf
-rw-r--r-- 1 root root 53841 2010-10-09 20:56 unicode.map
root@user-ids:/etc/snort#



Doug Burks
Oct 26, 2010, 6:11:02 AM
to securit...@googlegroups.com
I see the output of "ls -al /etc/snort/rules/" and "ls -al
/etc/snort/", but I don't see the output of "sudo service nsm
restart". Could you please run this command (again, WITHOUT running
setup) and copy the output into your reply?

Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

pc
Oct 26, 2010, 8:12:19 AM
to security-onion
sorry, here you go
Restarting: server1
* stopping: sguil server
[ OK ]
* starting: sguil server
[ OK ]
Restarting: sensor1
* stopping: pcap_agent (sguil)
[ OK ]
* starting: pcap_agent (sguil)
[ OK ]
* stopping: sancp_agent (sguil)
[ OK ]
* starting: sancp_agent (sguil)
[ OK ]
* stopping: snort_agent (sguil)
[ OK ]
* starting: snort_agent (sguil)
[ OK ]
* stopping: snort (alert data)
[ OK ]
* starting: snort (alert data)
[ OK ]
* stopping: barnyard2 (spooler, unified2 format) (not running)
[ WARN ]
* starting: barnyard2 (spooler, unified2 format)
[ FAIL ]
- check /var/log/nsm/sensor1/barnyard2.log for error messages
* stopping: sancp (session data)
[ OK ]
* starting: sancp (session data)
[ OK ]
* restarting with overlap: snort (full packet data)
* starting: snort (full packet data)
[ OK ]
- stopping old process: snort (full packet data)
[ OK ]
* disk space currently at 9%
@-ids:~$ ls -al /etc/snort/rules
total 2988
drwxrwxr-x 3 root root 4096 2010-10-22 15:48 .
drwxrwxr-x 4 root root 4096 2010-10-22 15:52 ..
drwxr-xr-x 2 root root 4096 2010-10-09 17:40 nsmnow
-rw-r--r-- 1 root root 1012698 2010-10-21 16:41 snort.rules
-rw-r--r-- 1 root root 1012698 2010-10-09 21:13 snort.rules.20101022
-rw-r--r-- 1 root root 1013164 2010-10-09 21:13 snort.rules.orig
@-ids:~$ ls -al /etc/snort/

Doug Burks
Oct 26, 2010, 12:47:02 PM
to security-onion
Based on that output, it looks like the Snort alert instance is
starting properly now. However, Barnyard2 is failing. If we can
resolve the Barnyard2 issue, then alerts should start appearing in
Sguil again. Barnyard2 may be trying to process data that has already
been processed, so let's try cleaning out the unified2 files from /nsm/
sensor_data/sensor1/. Please copy the output of the following
commands into your reply email (again, please do not run the setup
script):

sudo service nsm stop
sudo ls -alh /nsm/sensor_data/sensor1/
sudo mv /nsm/sensor_data/sensor1/*unified2* /tmp/
sudo service nsm start
cat /var/log/nsm/sensor1/barnyard2.log

Once we get Barnyard2 happy, then we will investigate why the setup
script is failing on your box.

Thanks,
Doug Burks
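The Barnyard2 failure in the earlier log is a duplicate-key insert on Sguil's (sid, cid) primary key, and to the best of my knowledge the cid Barnyard2 hands Sguil is the event_id from the unified2 record, so Barnyard2 was re-reading events the database already held. Doug's fix moves every spool file aside. The following is an added example (my code, not from the thread, Barnyard2 or Security Onion) that parses unified2 spool files and reports which ones contain only event_ids at or below a given committed cid, so a practitioner can see which files are safe to move and which still hold unprocessed events. The record layout follows the unified2 format shipped with Snort; the spool directory, filenames and events it builds are constructed for the demo (the filenames echo the ls output in the thread, the contents are invented).

```python
import os
import struct
import tempfile

HDR = struct.Struct('>II')                 # unified2 record header: type, length (network order)
EVENT_PREFIX = struct.Struct('>11I2H4B')   # leading fields shared by the IDS event record types
EVENT_TYPES = {7, 72, 99, 100, 104, 105}   # UNIFIED2_IDS_EVENT* record types


def iter_records(path):
    """Yield (type, body) per record, stopping cleanly at a truncated tail,
    which is what a spool file looks like while the sensor is still writing it."""
    with open(path, 'rb') as fh:
        while True:
            hdr = fh.read(HDR.size)
            if len(hdr) < HDR.size:
                return
            rtype, rlen = HDR.unpack(hdr)
            body = fh.read(rlen)
            if len(body) < rlen:
                return
            yield rtype, body


def summarize(path):
    """Count the events in one spool file and the event_id range they span."""
    ids = []
    for rtype, body in iter_records(path):
        if rtype in EVENT_TYPES and len(body) >= EVENT_PREFIX.size:
            ids.append(EVENT_PREFIX.unpack_from(body)[1])   # field 1 is event_id
    return {'events': len(ids),
            'min_id': min(ids) if ids else None,
            'max_id': max(ids) if ids else None}


def already_committed(spool_dir, last_cid, filebase='snort.unified2'):
    """Spool files whose every event_id is <= last_cid: Barnyard2 would only
    re-insert these and hit the duplicate-key error again. Files with
    higher event_ids still hold work and should stay."""
    done = []
    for name in sorted(os.listdir(spool_dir)):
        if not name.startswith(filebase + '.'):
            continue
        s = summarize(os.path.join(spool_dir, name))
        if s['events'] and s['max_id'] <= last_cid:
            done.append(name)
    return done


def make_event(event_id, sid):
    """Pack one constructed UNIFIED2_IDS_EVENT_VLAN (type 104) record."""
    body = EVENT_PREFIX.pack(1, event_id, 1287740924, 0, sid, 1, 1, 3, 2,
                             0xC0A80139, 0xC0A80101, 4444, 80, 6, 0, 0, 0)
    body += struct.pack('>IHH', 0, 0, 0)     # mpls_label, vlanId, pad2
    return HDR.pack(104, len(body)) + body


def build_demo_spool():
    """Constructed spool directory: one file entirely at or below cid 1156,
    one straddling it, and one that ends mid-record."""
    d = tempfile.mkdtemp(prefix='so-spool-')
    with open(os.path.join(d, 'snort.unified2.1287740356'), 'wb') as fh:
        for eid in (1150, 1151, 1152):
            fh.write(make_event(eid, 2100498))
    with open(os.path.join(d, 'snort.unified2.1287740924'), 'wb') as fh:
        for eid in (1155, 1156, 1157):
            fh.write(make_event(eid, 2100498))
    with open(os.path.join(d, 'snort.unified2.1287741512'), 'wb') as fh:
        fh.write(make_event(1160, 9000001))
        fh.write(make_event(1161, 9000001)[:20])   # truncated record
    return d


if __name__ == '__main__':
    demo = build_demo_spool()
    for name in sorted(os.listdir(demo)):
        print(name, summarize(os.path.join(demo, name)))
    print('safe to move aside:', already_committed(demo, 1156))   # ['snort.unified2.1287740356']
```

On a real sensor the cid to pass in is the highest cid Sguil already holds for that sensor's sid (the '3-1156' in the error names sid 3 and cid 1156). Moving only the fully committed files and leaving the rest would avoid discarding alerts Barnyard2 had not yet inserted, which the blanket move to /tmp in the thread does not distinguish.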

pc
Oct 26, 2010, 1:05:07 PM
to security-onion
here is the output as requested

root@-ids:~# service nsm stop
Stopping: server1
* stopping: sguil server
[ OK ]
Stopping: sensor1
* stopping: pcap_agent (sguil)
[ OK ]
* stopping: sancp_agent (sguil)
[ OK ]
* stopping: snort_agent (sguil)
[ OK ]
* stopping: snort (alert data)
[ OK ]
* stopping: barnyard2 (spooler, unified2 format) (not running)
[ WARN ]
* stopping: sancp (session data)
[ OK ]
* stopping: snort (full packet data)
[ OK ]
root@-ids:~# ls -alh /nsm/sensor_data/sensor1/
total 2.1M
drwxrwxr-x 5 sguil sguil 4.0K 2010-10-26 13:07 .
drwxr-xr-x 3 root root 4.0K 2010-10-09 17:19 ..
drwxrwxr-x 6 sguil sguil 4.0K 2010-10-26 10:30 dailylogs
drwxrwxr-x 2 sguil sguil 4.0K 2010-10-09 17:19 portscans
drwxrwxr-x 2 sguil sguil 4.0K 2010-10-26 17:56 sancp
-rw-r--r-- 1 root root 16K 2010-10-26 13:07 snort.stats
-rw----rw- 1 sguil sguil 4.5K 2010-10-20 19:27 snort.unified2.1287598984
-rw----rw- 1 sguil sguil 0 2010-10-21 18:05 snort.unified2.1287680742
-rw----rw- 1 sguil sguil 0 2010-10-21 18:08 snort.unified2.1287680909
-rw----rw- 1 sguil sguil 9.5K 2010-10-22 09:50 snort.unified2.1287681256
-rw----rw- 1 sguil sguil 876 2010-10-22 10:24 snort.unified2.1287739411
-rw----rw- 1 sguil sguil 55K 2010-10-22 10:43 snort.unified2.1287740356
-rw----rw- 1 sguil sguil 476K 2010-10-22 10:54 snort.unified2.1287740924
-rw----rw- 1 sguil sguil 319K 2010-10-22 11:31 snort.unified2.1287741512
-rw----rw- 1 sguil sguil 0 2010-10-22 12:20 snort.unified2.1287746439
-rw----rw- 1 sguil sguil 6.4K 2010-10-22 12:23 snort.unified2.1287746486
-rw----rw- 1 sguil sguil 5.1K 2010-10-22 12:26 snort.unified2.1287746677
-rw----rw- 1 sguil sguil 32K 2010-10-22 12:30 snort.unified2.1287746822
-rw----rw- 1 sguil sguil 0 2010-10-22 12:30 snort.unified2.1287747015
-rw----rw- 1 sguil sguil 969K 2010-10-22 12:48 snort.unified2.1287747317
-rw----rw- 1 sguil sguil 0 2010-10-22 12:56 snort.unified2.1287748617
-rw----rw- 1 sguil sguil 26K 2010-10-22 13:01 snort.unified2.1287748735
-rw----rw- 1 sguil sguil 142K 2010-10-22 13:08 snort.unified2.1287748869
-rw----rw- 1 sguil sguil 0 2010-10-22 13:12 snort.unified2.1287749537
-rw----rw- 1 sguil sguil 0 2010-10-22 14:09 snort.unified2.1287752989
-rw----rw- 1 sguil sguil 5.2K 2010-10-22 14:13 snort.unified2.1287753125
-rw----rw- 1 sguil sguil 18K 2010-10-22 15:49 snort.unified2.1287758958
-rw----rw- 1 sguil sguil 2.7K 2010-10-22 15:54 snort.unified2.1287759140
-rw----rw- 1 sguil sguil 0 2010-10-22 15:54 snort.unified2.1287759274
-rw----rw- 1 sguil sguil 0 2010-10-26 10:30 snort.unified2.1288085413
-rw----rw- 1 sguil sguil 686 2010-10-26 10:44 snort.unified2.1288085873
-rw----rw- 1 sguil sguil 0 2010-10-26 13:01 snort.unified2.1288094494
-rw----rw- 1 sguil sguil 2.3K 2010-10-26 17:54 snort.unified2.1288094835
-rw-r--r-- 1 root root 0 2010-10-22 11:31 stats.log
root@-ids:~# mv /nsm/sensor_data/sensor1/*unified2* /tmp/
root@-ids:~# service nsm start
Starting: server1
* starting: sguil server
[ OK ]
Starting: sensor1
* starting: pcap_agent (sguil)
[ OK ]
* starting: sancp_agent (sguil)
[ OK ]
* starting: snort_agent (sguil)
[ OK ]
* starting: snort (alert data)
[ OK ]
* starting: barnyard2 (spooler, unified2 format)
[ OK ]
* starting: sancp (session data)
[ OK ]
* starting: snort (full packet data)
[ OK ]
* disk space currently at 9%
root@ids:~# cat /var/log/nsm/sensor1/barnyard2.log
Executing: barnyard2 -c /etc/nsm/sensor1/barnyard2.conf -d /nsm/sensor_data/sensor1 -f snort.unified2 -w /etc/nsm/sensor1/barnyard2.waldo -U
Running in Continuous mode

--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/nsm/sensor1/barnyard2.conf"
Log directory = /nsm/sensor_data/sensor1
sguil: sensor name = sensor1
sguil: agent port = 7735
sguil: Connected to localhost on 7735.

--== Initialization Complete ==--

______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.9-beta1 (Build 251)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php
+ '''' + (C) Copyright 2008-2010 SecurixLive.

Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/nsm/sensor1/barnyard2.waldo':
spool directory = /nsm/sensor_data/sensor1
spool filebase = snort.unified2
time_stamp = 1287740924
record_idx = 1717
Waiting for new spool file
Opened spool file '/nsm/sensor_data/sensor1/snort.unified2.1288112299'
Waiting for new data
root@-ids:~#

Doug Burks
Oct 26, 2010, 2:23:27 PM
to security-onion
Based on that output, it looks like Barnyard2 is now running
correctly. Login to Sguil, send some attack traffic, and you should
see the alerts appear (and/or the CNT column increment). Can you
confirm this?

I found a bug in the setup script. I left off "sudo" in front of "cp /
etc/pulledpork.conf.master /etc/pulledpork/pulledpork.conf". I didn't
catch this in testing because I usually run setup as root. From your
output below, it looks like you're running as root also, so you should
be able to run "setup" from your root prompt and everything should
work fine.

I've created Issue 23 to correct the setup script and it will be fixed
in the next release:
http://code.google.com/p/security-onion/issues/detail?id=23

If you have any further questions or problems, please let me know.

Thanks,
Doug Burks

pc
Oct 29, 2010, 1:24:33 PM
to security-onion
Hi,
Thanks for that. I ran Setup as root from a terminal (/usr/local/bin/
setup), chose Snort and did not update the rules. I opened Sguil and
pointed Nessus at the server and could observe traffic. I then ran
Setup again from the terminal as root and changed to Suricata, did not
update any rules etc. I could not see any traffic updates when running
Suricata; I could change back to Snort without any problem. So
Suricata does not seem to be working properly.

Thanks

Doug Burks
Nov 2, 2010, 6:42:24 AM
to securit...@googlegroups.com
Thanks for the update.

When you switch to Suricata, do you see it running in your list of
processes? Or is it dying on startup?

Please run the following commands (as root) and copy the output into
your reply email.

If you haven't already, run setup and switch to Suricata.

Get a list of all processes and search for suricata:
ps aux |grep suricat[a]

If you don't see the suricata process in the output of the previous
command, try starting it manually:
suricata -c /etc/suricata/suricata.yaml -i eth0

If it's dying on startup, then the output of the previous command
should tell us why.

Please also include the following:
ls -alh /var/log/
ls -alh /nsm/sensor_data/sensor1/
uname -a
cat /proc/cpuinfo

Thanks,
--
Doug Burks, GSE, CISSP

pc
Dec 23, 2010, 12:57:57 PM
to security-onion
Hi,
Sorry for the late reply; I have been out of commission for a while and
have just picked up on this again. I followed your instructions but no
joy. Below is the output when logged in as root.
Thanks

root@gtech-ids:/usr/local/bin# suricata -c /etc/suricata/suricata.yaml -i eth0
[1834] 23/12/2010 -- 17:44:19 - (suricata.c:423) <Info> (main) -- This is Suricata version 1.0.2
[1834] 23/12/2010 -- 17:44:19 - (util-cpu.c:167) <Info> (UtilCpuPrintSummary) -- CPUs Summary:
[1834] 23/12/2010 -- 17:44:19 - (util-cpu.c:169) <Info> (UtilCpuPrintSummary) -- CPUs online: 1
[1834] 23/12/2010 -- 17:44:19 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs configured 1
[1834] 23/12/2010 -- 17:44:19 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertFastLog" registered.
[1834] 23/12/2010 -- 17:44:19 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertDebugLog" registered.
[1834] 23/12/2010 -- 17:44:19 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered.
[1834] 23/12/2010 -- 17:44:19 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered.
[1834] 23/12/2010 -- 17:44:19 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "Unified2Alert" registered.
[1834] 23/12/2010 -- 17:44:19 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "LogHttpLog" registered.
[1834] 23/12/2010 -- 17:44:19 - (suricata.c:1021) <Info> (main) -- preallocated 50 packets. Total memory 3812000
[1834] 23/12/2010 -- 17:44:19 - (flow.c:746) <Info> (FlowInitConfig) -- initializing flow engine...
Illegal instruction
**********************************************************************
root@gtech-ids:/usr/local/bin# setup
Security Onion Setup

Would you like to set HOME_NET to something other than
the current IP address of eth0 (192.168.1.57)? [Y/n] n

Security Onion has a very basic IDS ruleset already installed.
Would you like to download a more advanced IDS ruleset? [Y/n] n

Currently running Snort.
sguil 1807 1.3 2.3 77264 48784 pts/1 S 17:41 0:02 snort -u sguil -g sguil -c /etc/nsm/sensor1/snort.conf -i eth0 -l /nsm/sensor_data/sensor1 -U -m 112
Would you like to switch to Suricata? [Y/n] Y
[1858] 23/12/2010 -- 17:45:02 - (suricata.c:423) <Info> (main) -- This is Suricata version 1.0.2
[1858] 23/12/2010 -- 17:45:02 - (util-cpu.c:167) <Info> (UtilCpuPrintSummary) -- CPUs Summary:
[1858] 23/12/2010 -- 17:45:02 - (util-cpu.c:169) <Info> (UtilCpuPrintSummary) -- CPUs online: 1
[1858] 23/12/2010 -- 17:45:02 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs configured 1
[1858] 23/12/2010 -- 17:45:02 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertFastLog" registered.
[1858] 23/12/2010 -- 17:45:02 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertDebugLog" registered.
[1858] 23/12/2010 -- 17:45:02 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered.
[1858] 23/12/2010 -- 17:45:02 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered.
[1858] 23/12/2010 -- 17:45:02 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "Unified2Alert" registered.
[1858] 23/12/2010 -- 17:45:02 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "LogHttpLog" registered.

Setup is complete. Press Enter to exit Setup.
**************************************************************************
ps aux |grep suricat[a]
root@gtech-ids:/usr/local/bin# ps aux |grep suricat[a]
root 1908 0.0 0.0 3324 800 pts/1 S+ 17:52 0:00 grep
--color=auto suricata
***************************************************************************
ls -alh /var/log/
total 51M
drwxr-xr-x 21 root root 4.0K 2010-12-23 17:24 .
drwxr-xr-x 16 root root 4.0K 2010-10-09 16:15 ..
drwxr-x--- 2 root adm 4.0K 2010-12-19 07:59 apache2
drwxr-xr-x 2 root root 4.0K 2010-03-30 20:59 apparmor
drwxr-xr-x 2 root root 4.0K 2010-11-01 08:03 apt
drwxr-xr-x 2 root root 4.0K 2010-10-10 20:38 argus
-rw-r--r-- 1 syslog adm 78K 2010-12-23 17:45 auth.log
-rw-r--r-- 1 syslog adm 101K 2010-12-19 07:39 auth.log.1
-rw-r--r-- 1 syslog adm 5.6K 2010-12-12 07:39 auth.log.2.gz
-rw-r--r-- 1 syslog adm 5.0K 2010-12-05 07:39 auth.log.3.gz
-rw-r--r-- 1 syslog adm 5.0K 2010-11-28 07:39 auth.log.4.gz
-rw-r--r-- 1 root root 0 2010-10-10 20:38 boot
-rw-r--r-- 1 root root 265 2010-12-23 17:24 boot.log
-rw-r--r-- 1 root root 0 2010-10-10 20:38 bootstrap.log
drwxr-xr-x 2 root root 4.0K 2009-11-05 06:23 chkrootkit
drwxr-xr-x 2 root root 4.0K 2010-12-01 07:54 ConsoleKit
drwxr-xr-x 2 root root 4.0K 2010-12-22 08:02 cups
-rw-r--r-- 1 syslog adm 5.1M 2010-12-23 17:37 daemon.log
-rw-r--r-- 1 syslog adm 76K 2010-12-19 07:45 daemon.log.1
-rw-r--r-- 1 syslog adm 8.0K 2010-12-12 07:38 daemon.log.2.gz
-rw-r--r-- 1 syslog adm 6.8K 2010-12-05 07:27 daemon.log.3.gz
-rw-r--r-- 1 syslog adm 6.6K 2010-11-28 07:51 daemon.log.4.gz
-rw-r--r-- 1 syslog adm 62K 2010-12-23 17:25 debug
-rw-r--r-- 1 syslog adm 30K 2010-12-17 18:03 debug.1
-rw-r--r-- 1 syslog adm 3.6K 2010-12-10 17:14 debug.2.gz
-rw-r--r-- 1 syslog adm 2.6K 2010-12-02 22:31 debug.3.gz
-rw-r--r-- 1 syslog adm 2.6K 2010-11-23 22:31 debug.4.gz
drwxr-xr-x 2 root root 4.0K 2010-04-24 03:29 dist-upgrade
-rw-r--r-- 1 root adm 32K 2010-12-23 17:24 dmesg
-rw-r--r-- 1 root adm 32K 2010-12-23 13:06 dmesg.0
-rw-r--r-- 1 root adm 11K 2010-12-23 12:55 dmesg.1.gz
-rw-r--r-- 1 root adm 11K 2010-12-21 22:14 dmesg.2.gz
-rw-r--r-- 1 root adm 11K 2010-12-21 21:55 dmesg.3.gz
-rw-r--r-- 1 root adm 11K 2010-12-21 17:19 dmesg.4.gz
-rw-r--r-- 1 root root 0 2010-11-01 08:03 dpkg.log
-rw-r--r-- 1 root root 5.3K 2010-10-21 16:10 dpkg.log.1
-rw-r--r-- 1 root root 24K 2010-10-20 19:14 faillog
drwxr-xr-x 2 root root 4.0K 2010-10-10 20:38 fsck
drwxrwx--T 2 root gdm 4.0K 2010-12-23 17:24 gdm
drwxr-x--- 2 honeyd root 4.0K 2009-07-16 06:23 honeypot
drwxr-xr-x 2 root root 4.0K 2010-10-20 19:19 installer
drwx------ 2 root root 4.0K 2009-11-05 08:59 iptraf
-rw-r--r-- 1 root root 0 2010-10-30 07:43 jockey.log
-rw-r--r-- 1 root root 25K 2010-10-30 07:43 jockey.log.1
-rw-r--r-- 1 syslog adm 20M 2010-12-23 17:24 kern.log
-rw-r--r-- 1 syslog adm 151K 2010-12-17 18:03 kern.log.1
-rw-r--r-- 1 syslog adm 32K 2010-12-10 16:36 kern.log.2.gz
-rw-r--r-- 1 syslog adm 21K 2010-12-02 22:31 kern.log.3.gz
-rw-r--r-- 1 syslog adm 21K 2010-11-23 22:31 kern.log.4.gz
-rw-r--r-- 1 root root 286K 2010-10-20 19:14 lastlog
-rw-r--r-- 1 syslog adm 0 2010-10-10 20:38 lpr.log
-rw-r--r-- 1 syslog adm 0 2010-10-10 20:38 mail.err
-rw-r--r-- 1 syslog adm 0 2010-10-10 20:38 mail.info
-rw-r--r-- 1 syslog adm 0 2010-10-10 20:38 mail.log
-rw-r--r-- 1 syslog adm 0 2010-10-10 20:38 mail.warn
-rw-r--r-- 1 syslog adm 251K 2010-12-23 17:33 messages
-rw-r--r-- 1 syslog adm 125K 2010-12-19 07:59 messages.1
-rw-r--r-- 1 syslog adm 28K 2010-12-12 07:40 messages.2.gz
-rw-r--r-- 1 syslog adm 19K 2010-12-05 07:40 messages.3.gz
-rw-r--r-- 1 syslog adm 19K 2010-11-28 08:04 messages.4.gz
drwxr-s--- 2 mysql adm 4.0K 2010-10-20 19:22 mysql
drwxr-xr-x 2 root root 4.0K 2010-10-20 19:22 news
drwxr-xr-x 4 root root 4.0K 2010-10-22 00:00 nsm
drwxr-xr-x 2 ntp ntp 4.0K 2010-04-09 01:28 ntpstats
-rw-r--r-- 1 root root 4.6K 2010-12-23 17:24 pm-powersave.log
-rw-r--r-- 1 root root 2.7K 2010-11-23 22:31 pm-powersave.log.1
-rw-r--r-- 1 root root 234 2010-10-29 12:12 pm-powersave.log.2.gz
drwxr-xr-x 2 root root 4.0K 2010-04-09 16:27 samba
lrwxrwxrwx 1 root root 24 2010-10-20 19:14 snort -> /nsm/sensor_data/sensor1
lrwxrwxrwx 1 root root 24 2010-10-20 19:14 suricata -> /nsm/sensor_data/sensor1
-rw-r--r-- 1 syslog adm 5.6M 2010-12-23 17:39 syslog
-rw-r--r-- 1 syslog adm 19M 2010-12-23 07:44 syslog.1
-rw-r--r-- 1 syslog adm 94K 2010-12-22 07:51 syslog.2.gz
-rw-r--r-- 1 syslog adm 2.3K 2010-12-21 07:39 syslog.3.gz
-rw-r--r-- 1 syslog adm 1.8K 2010-12-20 07:49 syslog.4.gz
-rw-r--r-- 1 syslog adm 1.8K 2010-12-19 07:45 syslog.5.gz
-rw-r--r-- 1 syslog adm 16K 2010-12-18 07:57 syslog.6.gz
-rw-r--r-- 1 syslog adm 1.9K 2010-12-17 07:44 syslog.7.gz
-rw-r--r-- 1 root root 180K 2010-12-23 17:24 udev
-rw-r----- 1 syslog adm 0 2010-10-20 19:22 ufw.log
drwxr-xr-x 2 root root 4.0K 2010-03-19 23:44 unattended-upgrades
-rw-r--r-- 1 syslog adm 660 2010-12-23 17:33 user.log
-rw-r--r-- 1 syslog adm 77 2010-12-22 13:04 user.log.1
-rw-r--r-- 1 syslog adm 99 2010-12-17 16:40 user.log.2.gz
-rw-r--r-- 1 syslog adm 145 2010-12-10 17:14 user.log.3.gz
-rw-r--r-- 1 syslog adm 898 2010-10-29 12:38 user.log.4.gz
-rw-rw-r-- 1 root utmp 57K 2010-12-23 17:33 wtmp
-rw-rw-r-- 1 root utmp 24K 2010-11-23 22:31 wtmp.1
-rw-r--r-- 1 root root 45K 2010-12-23 17:25 Xorg.0.log
-rw-r--r-- 1 root root 45K 2010-12-23 17:20 Xorg.0.log.old
-rw-r--r-- 1 root root 11K 2010-12-07 22:40 Xorg.1.log
-rw-r--r-- 1 root root 11K 2010-12-07 22:18 Xorg.1.log.old
-rw-r--r-- 1 root root 11K 2010-12-07 22:41 Xorg.2.log
-rw-r--r-- 1 root root 11K 2010-12-07 22:18 Xorg.2.log.old
-rw-r--r-- 1 root root 48K 2010-12-10 15:26 Xorg.3.log
-rw-r--r-- 1 root root 11K 2010-12-07 22:18 Xorg.3.log.old
-rw-r--r-- 1 root root 27K 2010-12-07 22:18 Xorg.4.log
-rw-r--r-- 1 root root 11K 2010-12-02 22:10 Xorg.4.log.old
-rw-r--r-- 1 root root 11K 2010-12-02 22:10 Xorg.5.log
-rw-r--r-- 1 root root 11K 2010-11-23 22:31 Xorg.5.log.old
-rw-r--r-- 1 root root 27K 2010-12-02 22:10 Xorg.failsafe.log
-rw-r--r-- 1 root root 27K 2010-11-23 22:31 Xorg.failsafe.log.old
***************************************************************************
ls -alh /nsm/sensor_data/sensor1/
total 1.4M
drwxrwxr-x 5 sguil sguil 4.0K 2010-12-23 17:41 .
drwxr-xr-x 3 root root 4.0K 2010-10-09 17:19 ..
drwxrwxr-x 63 sguil sguil 4.0K 2010-12-23 00:00 dailylogs
drwxrwxr-x 2 sguil sguil 4.0K 2010-10-09 17:19 portscans
drwxrwxr-x 2 sguil sguil 4.0K 2010-12-23 17:52 sancp
-rw-r--r-- 1 root root 21K 2010-12-23 17:41 snort.stats
-rw----rw- 1 sguil sguil 4.7K 2010-10-27 07:57 snort.unified2.1288112299
-rw----rw- 1 sguil sguil 0 2010-10-27 12:06 snort.unified2.1288177562
-rw----rw- 1 sguil sguil 2.8K 2010-10-27 12:53 snort.unified2.1288178141
-rw----rw- 1 sguil sguil 12K 2010-10-28 16:50 snort.unified2.1288180986
-rw----rw- 1 sguil sguil 876 2010-10-28 22:23 snort.unified2.1288300999
-rw----rw- 1 sguil sguil 139K 2010-10-29 10:45 snort.unified2.1288302598
-rw----rw- 1 sguil sguil 15K 2010-10-29 16:20 snort.unified2.1288350766
-rw----rw- 1 sguil sguil 1.4K 2010-10-29 16:24 snort.unified2.1288365741
-rw----rw- 1 sguil sguil 1.1M 2010-10-29 18:52 snort.unified2.1288368449
-rw----rw- 1 sguil sguil 0 2010-11-02 22:11 snort.unified2.1288735893
-rw----rw- 1 sguil sguil 0 2010-11-02 22:34 snort.unified2.1288737284
-rw----rw- 1 sguil sguil 0 2010-11-11 22:13 snort.unified2.1289513609
-rw----rw- 1 sguil sguil 0 2010-11-11 22:34 snort.unified2.1289514882
-rw----rw- 1 sguil sguil 0 2010-11-16 22:09 snort.unified2.1289945365
-rw----rw- 1 sguil sguil 0 2010-11-16 22:30 snort.unified2.1289946630
-rw----rw- 1 sguil sguil 0 2010-11-23 22:09 snort.unified2.1290550161
-rw----rw- 1 sguil sguil 0 2010-11-23 22:31 snort.unified2.1290551481
-rw----rw- 1 sguil sguil 0 2010-12-02 22:10 snort.unified2.1291327814
-rw----rw- 1 sguil sguil 0 2010-12-02 22:31 snort.unified2.1291329080
-rw----rw- 1 sguil sguil 0 2010-12-07 22:18 snort.unified2.1291760305
-rw----rw- 1 sguil sguil 0 2010-12-07 22:41 snort.unified2.1291761670
-rw----rw- 1 sguil sguil 0 2010-12-10 16:36 snort.unified2.1291999017
-rw----rw- 1 sguil sguil 0 2010-12-14 22:09 snort.unified2.1292364573
-rw----rw- 1 sguil sguil 0 2010-12-14 22:31 snort.unified2.1292365918
-rw----rw- 1 sguil sguil 0 2010-12-17 18:03 snort.unified2.1292609034
-rw----rw- 1 sguil sguil 0 2010-12-21 17:19 snort.unified2.1292951965
-rw----rw- 1 sguil sguil 0 2010-12-21 21:55 snort.unified2.1292968546
-rw----rw- 1 sguil sguil 0 2010-12-21 22:14 snort.unified2.1292969697
-rw----rw- 1 sguil sguil 0 2010-12-23 12:55 snort.unified2.1293108957
-rw----rw- 1 sguil sguil 1.9K 2010-12-23 15:15 snort.unified2.1293109623
-rw----rw- 1 sguil sguil 4.1K 2010-12-23 15:28 snort.unified2.1293117646
-rw----rw- 1 sguil sguil 34K 2010-12-23 16:18 snort.unified2.1293120949
-rw----rw- 1 sguil sguil 36K 2010-12-23 16:20 snort.unified2.1293121104
-rw----rw- 1 sguil sguil 34K 2010-12-23 16:40 snort.unified2.1293122333
-rw----rw- 1 sguil sguil 0 2010-12-23 17:15 snort.unified2.1293124530
-rw----rw- 1 sguil sguil 23K 2010-12-23 17:44 snort.unified2.1293126086
-rw-r--r-- 1 root root 0 2010-12-23 17:45 stats.log
root@gtech-ids:/usr/local/bin#
***************************************************************
uname -a
Linux gtech-ids 2.6.32-25-generic #44-Ubuntu SMP Fri Sep 17 20:26:08 UTC 2010 i686 GNU/Linux
*****************************************************************
cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 15
model : 2
model name : Intel(R) Pentium(R) 4 CPU 2.40GHz
stepping : 4
cpu MHz : 2391.448
cache size : 512 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm up pebs bts
bogomips : 4782.89
clflush size : 64
cache_alignment : 128
address sizes : 36 bits physical, 32 bits virtual
power management:

On Nov 2, 10:42 am, Doug Burks <doug.bu...@gmail.com> wrote:
> Thanks for the update.
>
> When you switch to Suricata, do you see it running in your list of
> processes?  Or is it dying on startup?
>
> Please run the following commands (as root) and copy the output into
> your reply email.
>
> If you haven't already, run setup and switch to Suricata.
>
> Get a list of all processes and search for suricata:
> ps aux |grep suricat[a]
>
> If you don't see the suricata process in the output of the previous
> command, try starting it manually:
> suricata -c /etc/suricata/suricata.yaml -i eth0
>
> If it's dying on startup, then the output of the previous command
> should tell us why.
>
> Please also include the following:
> ls -alh /var/log/
> ls -alh /nsm/sensor_data/sensor1/
> uname -a
> cat /proc/cpuinfo
>
> Thanks,
> --
> Doug Burks, GSE, CISSP
> President, Greater Augusta ISSA
> http://augusta.issa.org
> http://securityonion.blogspot.com

Doug Burks

Dec 23, 2010, 10:27:26 PM
to securit...@googlegroups.com
Suricata is failing with an Illegal Instruction. Seems to be a
Suricata-specific issue. You might try compiling Suricata on your own
Ubuntu installation to see if you get the same result.

Regards,


--
Doug Burks, GSE, CISSP

Gene

Jan 26, 2011, 2:48:37 AM
to security-onion
Good Evening Doug,
I was wondering if there has been any solution to the problem in
this post. I appear to have a similar situation where snort will
detect the traffic (using testmyids.com) and suricata will not. I've
re-run the setup script in this post a few times (each time running
the nsm_all_del script prior to setup) and get the same result.

I'm presently running securityonion 20110122. Let me know if you
would like to see any of my config files or command outputs. Thanks
for your help

Sincerely,
Gene

On Dec 23 2010, 7:27 pm, Doug Burks <doug.bu...@gmail.com> wrote:
> Suricata is failing with an Illegal Instruction.  Seems to be a Suricata-specific issue.  You might try compiling Suricata on your own
> Ubuntu installation to see if you get the same result.
>
> Regards,
> --
> Doug Burks, GSE, CISSP
> President, Greater Augusta ISSA
> http://augusta.issa.org
> http://securityonion.blogspot.com
>
> On Thu, Dec 23, 2010 at 12:57 PM, pc <pcarron1...@gmail.com> wrote:
> > Hi,
> > sorry for the late reply I have been out of commission for a while and
> > have just picked up on this again. I followed your instructions but no
> > Joy, below is the output when logged in as root.
> > Thanks
>
> > root@gtech-ids:/usr/local/bin# suricata -c /etc/suricata/suricata.yaml
> > -i eth0
> > [1834] 23/12/2010 -- 17:44:19 - (suricata.c:423) <Info> (main) -- This
> > is Suricata version 1.0.2
> > Would you like to switch to Suricata? [Y/n] Y
> > [1858] 23/12/2010 -- 17:45:02 - (suricata.c:423) <Info> (main) -- This
> > is Suricata version 1.0.2

Doug Burks

Jan 26, 2011, 6:55:53 AM
to securit...@googlegroups.com
Is Suricata running? What is the output of the following command?
ps aux | grep sguil

Are there any errors in /var/log/nsm/NAME_OF_SENSOR/suricata.log? Can
you include this log file in your reply?

Have you tried just putting the rule you want to test (SID 498) in
/etc/nsm/rules/downloaded.rules and no other rules?

Thanks,


--
Doug Burks, GSE, CISSP

Gene Albin

Jan 27, 2011, 2:37:17 AM
to securit...@googlegroups.com
Doug,
  Thanks for the response.  I think Suricata is running (ps shows an entry and log file shows engine started) but I'm not positive since I don't see any alerts in Sguil after testmyids.com.  Here are the files you requested.

gene@securityonion:/var/log/nsm/eth0$ ps aux |grep suricata
sguil    15421  9.9 31.2 554440 317676 ?       Sl   07:01  95:08 suricata --user sguil --group sguil -c /etc/nsm/eth0/suricata.yaml -i eth0 -l /nsm/sensor_data/eth0
gene     17517  0.0  0.0   3324   812 pts/1    S+   22:54   0:00 grep suricata

gene@securityonion:/var/log/nsm/eth0$ ps aux |grep sguil
root     14705  0.0  0.2   8524  2356 ?        S    Jan25   0:04 tclsh /usr/local/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -u /etc/nsm/securityonion/sguild.users -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
root     14707  0.0  0.1   7980  1104 ?        S    Jan25   0:04 tclsh /usr/local/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -u /etc/nsm/securityonion/sguild.users -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
root     14708  0.0  0.0   7980   596 ?        S    Jan25   0:00 tclsh /usr/local/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -u /etc/nsm/securityonion/sguild.users -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
sguil    14829  0.1  0.5   7984  5128 ?        S    Jan25   1:26 sancp -d /nsm/sensor_data/eth0/sancp -i eth0 -c /etc/nsm/eth0/sancp.conf -u sguil -g sguil
sguil    15011  0.1  0.4  26340  4124 ?        S    00:00   2:08 snort -u sguil -g sguil -i eth0 -l /nsm/sensor_data/eth0/dailylogs/2011-01-26 -b -U -m 112
sguil    15421  9.9 31.2 554440 317760 ?       Sl   07:01  95:13 suricata --user sguil --group sguil -c /etc/nsm/eth0/suricata.yaml -i eth0 -l /nsm/sensor_data/eth0
gene     17519  0.0  0.0   3328   820 pts/1    S+   22:55   0:00 grep sguil
gene@securityonion:/var/log/nsm/eth0$

There are a few errors in /var/log/nsm/eth0/suricata.log, but it seems as though the engine is running...

Executing: suricata --user sguil --group sguil -c /etc/nsm/eth0/suricata.yaml -i eth0 -l /nsm/sensor_data/eth0
[17762] 26/1/2011 -- 23:15:40 - (suricata.c:440) <Info> (main) -- This is Suricata version 1.1beta1
[17762] 26/1/2011 -- 23:15:41 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2
[17762] 26/1/2011 -- 23:15:41 - (suricata.c:1070) <Info> (main) -- preallocated 50 packets. Total memory 3760800
[17762] 26/1/2011 -- 23:15:41 - (flow.c:748) <Info> (FlowInitConfig) -- initializing flow engine...
[17762] 26/1/2011 -- 23:15:41 - (flow.c:835) <Info> (FlowInitConfig) -- allocated 524288 bytes of memory for the flow hash... 65536 buckets of size 8
[17762] 26/1/2011 -- 23:15:41 - (flow.c:854) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 184
[17762] 26/1/2011 -- 23:15:41 - (flow.c:856) <Info> (FlowInitConfig) -- flow memory usage: 2364288 bytes, maximum: 33554432
[17762] 26/1/2011 -- 23:15:41 - (detect.c:612) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/rules/local.rules
[17762] 26/1/2011 -- 23:15:41 - (detect.c:658) <Info> (SigLoadSignatures) -- 2 rule files processed. 1 rules succesfully loaded, 0 rules failed
[17762] 26/1/2011 -- 23:15:41 - (detect.c:2101) <Info> (SigAddressPrepareStage1) -- 1 signatures processed. 0 are IP-only rules, 1 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
[17762] 26/1/2011 -- 23:15:41 - (detect.c:2104) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
[17762] 26/1/2011 -- 23:15:41 - (detect.c:2723) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[17762] 26/1/2011 -- 23:15:41 - (detect.c:3385) <Info> (SigAddressPrepareStage3) -- MPM memory 172 (dynamic 172, ctxs 0, avg per ctx 0)
[17762] 26/1/2011 -- 23:15:41 - (detect.c:3387) <Info> (SigAddressPrepareStage3) -- max sig id 1, array size 1
[17762] 26/1/2011 -- 23:15:41 - (detect.c:3398) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[17762] 26/1/2011 -- 23:15:41 - (util-mpm-ac.c:951) <Info> (SCACPreparePatterns) -- No patterns supplied to this mpm_ctx
[17762] 26/1/2011 -- 23:15:41 - (util-mpm-ac.c:951) <Info> (SCACPreparePatterns) -- No patterns supplied to this mpm_ctx
[17762] 26/1/2011 -- 23:15:41 - (util-mpm-ac.c:951) <Info> (SCACPreparePatterns) -- No patterns supplied to this mpm_ctx
[17762] 26/1/2011 -- 23:15:41 - (util-mpm-ac.c:951) <Info> (SCACPreparePatterns) -- No patterns supplied to this mpm_ctx
[17762] 26/1/2011 -- 23:15:41 - (util-threshold-config.c:104) <Warning> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory
[17762] 26/1/2011 -- 23:15:41 - (util-privs.c:90) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[17762] 26/1/2011 -- 23:15:41 - (alert-fastlog.c:332) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
[17762] 26/1/2011 -- 23:15:41 - (alert-unified2-alert.c:673) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename snort.unified2, limit 32 MB
[17762] 26/1/2011 -- 23:15:41 - (runmodes.c:100) <Warning> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named alert-prelude, ignoring
[17764] 26/1/2011 -- 23:15:41 - (source-pcap.c:267) <Info> (ReceivePcapThreadInit) -- using interface eth0
[17762] 26/1/2011 -- 23:15:41 - (stream-tcp.c:370) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
[17762] 26/1/2011 -- 23:15:41 - (stream-tcp.c:382) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[17762] 26/1/2011 -- 23:15:41 - (stream-tcp.c:392) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[17762] 26/1/2011 -- 23:15:41 - (stream-tcp.c:399) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[17762] 26/1/2011 -- 23:15:41 - (stream-tcp.c:407) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled
[17762] 26/1/2011 -- 23:15:41 - (stream-tcp.c:416) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[17762] 26/1/2011 -- 23:15:41 - (stream-tcp.c:436) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[17762] 26/1/2011 -- 23:15:41 - (tm-threads.c:1414) <Info> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management threads initialized, engine started.
gene@securityonion:/var/log/nsm/eth0$

I did remove all of the rules from /etc/nsm/rules/downloaded.rules except for SID 498.  Even with that change I don't get any alerts on Sguil.

gene@securityonion:/var/log/nsm/eth0$ cat /etc/nsm/rules/downloaded.rules
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:bad-unknown; sid:498; rev:7;)

Thanks again for a great product.  I really hope to get suricata up and working as I really want to try it out.

Gene
--
Gene Albin
gene....@gmail.com
gene_...@bigfoot.com

Jun Wan

Jan 27, 2011, 8:54:04 PM
to securit...@googlegroups.com
Hi Gene,

How many NICs in your machine?

Regards

John

Gene Albin

Jan 27, 2011, 10:51:44 PM
to securit...@googlegroups.com
John,
  I've got 2 nics in the machine.  eth0 is my monitored nic and eth1 is my mgmt nic.  Here is the output of ifconfig -a

gene@securityonion:/var/log/nsm/eth0$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1c:23:05:bb:e8 
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17853033 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1089249146 (1.0 GB)  TX bytes:1730 (1.7 KB)
          Interrupt:18

eth1      Link encap:Ethernet  HWaddr 00:1c:26:00:fb:59 
          inet addr:192.168.xxx.xxx  Bcast:192.168.xxx.xxx  Mask:255.255.255.0
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:202049 errors:0 dropped:0 overruns:0 frame:70986
          TX packets:69783 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:160469446 (160.4 MB)  TX bytes:8575714 (8.5 MB)
          Interrupt:17 Base address:0xc000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:125298 errors:0 dropped:0 overruns:0 frame:0
          TX packets:125298 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:76666655 (76.6 MB)  TX bytes:76666655 (76.6 MB)

pan0      Link encap:Ethernet  HWaddr c2:f9:5c:49:9b:dc 
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Thanks for the help.

Gene

Doug Burks

Jan 28, 2011, 10:12:24 PM
to securit...@googlegroups.com
A few more questions and things to try:

What are the specs of your machine? CPU, RAM, etc.

What is the load on your machine while Suricata is running? (top)

Instead of accessing testmyids.com from the browser, go to a terminal and type:
curl http://testmyids.com

Then press the Up arrow and Enter to run it again. Do that 5 or 10
times and see if any alerts appear in Sguil.

What is the output of the following command?

ls -alh /nsm/sensor_data/eth0/

Does the snort.unified2 file in that directory grow?

Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
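Doug's "does the snort.unified2 file grow" check, as an added example that is not from the thread: instead of comparing byte sizes, it walks the serial unified2 framing (4-byte record type and 4-byte record length, both big-endian) of the newest snort.unified2.<epoch> file in a sensor directory and counts complete records before and after test traffic. The sensor directory and spool files it builds are constructed for the demonstration, and the record bodies are filler bytes, not real events.

```python
import os
import struct
import tempfile
from collections import Counter

# Serial unified2 framing: every record starts with an 8-byte header of two
# big-endian uint32 fields, the record type and the length of the body that
# follows it. Only this framing is walked here; record bodies are not decoded.
UNIFIED2_HEADER = struct.Struct("!II")

# Record type ids from the unified2 serial format.
RECORD_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",
    72: "IDS_EVENT_IPV6",
    104: "IDS_EVENT_V2",
    105: "IDS_EVENT_IPV6_V2",
    110: "EXTRA_DATA",
}


def newest_unified2(sensor_dir):
    """Path of the newest snort.unified2.<epoch> spool in sensor_dir, or None.

    The numeric suffix is the epoch at which the sensor opened the file (the
    listings in this thread show it), so it orders spools even when several
    share a modification time.
    """
    candidates = []
    for name in os.listdir(sensor_dir):
        before, sep, suffix = name.partition("snort.unified2.")
        if before == "" and sep and suffix.isdigit():
            candidates.append((int(suffix), name))
    if not candidates:
        return None
    return os.path.join(sensor_dir, max(candidates)[1])


def count_records_in(data):
    """Count records per type by walking the type/length headers in data.

    A trailing record whose body is shorter than its header claims is counted
    as PARTIAL: the sensor may still be writing it, so it is not an error, but
    it is not a complete alert either.
    """
    counts = Counter()
    offset = 0
    while offset < len(data):
        if len(data) - offset < UNIFIED2_HEADER.size:
            counts["PARTIAL"] += 1
            break
        rec_type, rec_len = UNIFIED2_HEADER.unpack_from(data, offset)
        offset += UNIFIED2_HEADER.size
        if rec_len > len(data) - offset:
            counts["PARTIAL"] += 1
            break
        counts[RECORD_TYPES.get(rec_type, "TYPE_%d" % rec_type)] += 1
        offset += rec_len
    return dict(counts)


def count_records(path):
    with open(path, "rb") as fh:
        return count_records_in(fh.read())


def total_records(counts):
    """Complete records only; a PARTIAL tail does not count as growth."""
    return sum(n for kind, n in counts.items() if kind != "PARTIAL")


def write_sample_records(path, n_events, append=False):
    """Constructed spool content: n IDS_EVENT records, each followed by a
    PACKET record. Bodies are filler, not real event structures."""
    with open(path, "ab" if append else "wb") as fh:
        for i in range(n_events):
            event_body = bytes([i & 0xFF]) * 52                  # filler
            packet_body = b"\x00" * 28 + b"GET / HTTP/1.1\r\n"   # filler
            fh.write(UNIFIED2_HEADER.pack(7, len(event_body)) + event_body)
            fh.write(UNIFIED2_HEADER.pack(2, len(packet_body)) + packet_body)


def demo():
    """Build a throwaway sensor directory, count the newest spool before and
    after more alerts are appended, and return both totals."""
    with tempfile.TemporaryDirectory() as sensor_dir:
        # An older, empty spool like the zero-byte ones in Gene's listing.
        write_sample_records(os.path.join(sensor_dir, "snort.unified2.1296486320"), 0)
        spool = os.path.join(sensor_dir, "snort.unified2.1296528222")
        write_sample_records(spool, 1)
        before = total_records(count_records(newest_unified2(sensor_dir)))
        write_sample_records(spool, 3, append=True)   # test traffic alerts
        after = total_records(count_records(newest_unified2(sensor_dir)))
        return before, after


if __name__ == "__main__":
    print("complete records before/after: %d -> %d" % demo())
```

Against a live sensor, point newest_unified2 at the directory from the ls output (/nsm/sensor_data/eth0 here) and take the two counts around the curl loop.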

Gene Albin

Jan 31, 2011, 10:05:04 PM
to securit...@googlegroups.com
Doug,
  Interesting.  Running the command below I get a hit in sguil.  Tells me that suricata is looking at an interface and reporting to the database and that sguil is reading from the same database.  Now the question is why suricata is not seeing the events as they come through the browser.  Here are my specs:

Dell Latitude D620 with a Core2Duo and 1GB ram.  2 interfaces, eth0 and eth1.

eth1 is the admin side so the web requests should be going out that interface but eth0 is connected between my router's wan port and my ISP's connection so therefore anything that is coming in to the network should be seen by eth0. 

Now the question is why suricata alerts on the command line attempt to access testmyids.com and not on the browser attempt. 

Here is a screenshot of top with Suricata running.  Of note Suricata is taking 42% of the ram:

top - 18:50:13 up 11 min,  2 users,  load average: 2.27, 1.84, 1.05
Tasks: 169 total,   1 running, 168 sleeping,   0 stopped,   0 zombie
Cpu(s): 16.3%us,  6.9%sy,  0.0%ni, 60.2%id, 13.7%wa,  0.3%hi,  2.6%si,  0.0%st
Mem:   1016860k total,   999980k used,    16880k free,     9728k buffers
Swap:  3484160k total,    50124k used,  3434036k free,   292788k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                                
 1295 mysql     20   0  144m  33m 5548 S   15  3.4   0:59.16 mysqld                                                                 
 1554 root      20   0  5848 3396 1760 S   13  0.3   1:09.17 tclsh                                                                  
 1661 sguil     20   0  555m 422m 4224 S    9 42.5   4:46.21 suricata                                                               
 1313 root      20   0  2640 1244  452 D    5  0.1   0:11.33 ossec-syscheckd                                                        
 1292 ossec     20   0  3008 1520  608 S    3  0.1   0:07.69 ossec-analysisd                                                        
 1206 root      20   0 29572  12m 6204 S    1  1.2   0:09.48 Xorg                                                                   
 1383 root      20   0  8404 3428 2296 S    1  0.3   0:07.86 tclsh                                                                  
    7 root      20   0     0    0    0 S    1  0.0   0:03.87 ksoftirqd/1                                                            
 1890 root      20   0  7728 1304  796 S    1  0.1   0:02.39 tclsh                                                                  
    4 root      20   0     0    0    0 S    1  0.0   0:04.89 ksoftirqd/0                                                            
   36 root      20   0     0    0    0 S    1  0.0   0:01.07 kswapd0                                                                
   58 root      20   0     0    0    0 S    0  0.0   0:00.37 kondemand/1                                                            
 2105 gene      20   0 32636 9.9m 7820 S    0  1.0   0:00.16 update-notifier                                                        
 2125 gene      20   0 41632  10m 7920 S    0  1.0   0:01.44 xfce4-terminal                                                         
 2181 gene      20   0 26228  13m 3036 S    0  1.4   0:02.01 wish                                                                   
 2195 gene      20   0  246m  94m  25m S    0  9.5   0:21.65 firefox-bin                                                            
    1 root      20   0  2812 1656 1128 S    0  0.2   0:00.62 init                                                                   
    2 root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd                                                               
    3 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/0                       

Here is the output for 'ls -alh /nsm/sensor_data/eth0'.  The incrementing file size on the last unified2 file corresponds directly with the curl command above:

gene@securityonion:~$ ls -alh /nsm/sensor_data/eth0
total 960K
drwxrwxr-x 5 sguil sguil 4.0K 2011-01-31 18:43 .
drwxr-xr-x 3 root  root  4.0K 2011-01-25 23:15 ..
drwxrwxr-x 9 sguil sguil 4.0K 2011-01-31 18:39 dailylogs
-rw-r--r-- 1 sguil sguil  955 2011-01-31 19:01 fast.log
-rw-r--r-- 1 sguil sguil  34K 2011-01-31 19:01 http.log
drwxrwxr-x 2 sguil sguil 4.0K 2011-01-25 23:15 portscans
drwxrwxr-x 2 sguil sguil 612K 2011-01-31 19:01 sancp
-rw-r--r-- 1 sguil sguil    0 2011-01-25 23:20 snort.unified2.1296026436
-rw-r--r-- 1 sguil sguil    0 2011-01-26 07:06 snort.unified2.1296054378
-rw-r--r-- 1 sguil sguil    0 2011-01-26 23:15 snort.unified2.1296112541
-rw-r--r-- 1 sguil sguil    0 2011-01-27 07:07 snort.unified2.1296140828
-rw-r--r-- 1 sguil sguil    0 2011-01-28 07:06 snort.unified2.1296227161
-rw-r--r-- 1 sguil sguil    0 2011-01-29 07:05 snort.unified2.1296313538
-rw-r--r-- 1 sguil sguil    0 2011-01-30 07:05 snort.unified2.1296399927
-rw-r--r-- 1 sguil sguil    0 2011-01-31 07:05 snort.unified2.1296486320
-rw-r--r-- 1 sguil sguil 2.1K 2011-01-31 19:01 snort.unified2.1296528222
-rw-r--r-- 1 root  root  284K 2011-01-31 19:01 stats.log


Thanks again for taking the time to help me figure this one out. 

Gene

Doug Burks

Feb 1, 2011, 6:33:50 AM
to securit...@googlegroups.com
My guess is that you had already gone to testmyids.com in your browser
and it was cached. Try going to testmyids.com and then do a
Shift-Reload and see if that results in an alert.

Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
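Why a cached copy gives Suricata nothing to alert on, as an added example that is not from the thread: SID 498 is a bare content match on the packet payload, so a revalidation answered with 304 Not Modified never carries the uid=0(root) string for the rule to find. The code decodes the rule's pipe-hex content and runs it over two constructed replies; the 200 body and the ETag value are assumptions made for the demonstration.

```python
SID_498_CONTENT = "uid=0|28|root|29|"   # content keyword of the rule Gene tested


def decode_content(pattern):
    """Translate a Snort/Suricata content string into the raw bytes it matches.

    Text between pipe characters is hexadecimal (spaces allowed); everything
    else is literal, so "uid=0|28|root|29|" becomes b"uid=0(root)". The
    backslash escapes the rule language also allows are not needed for this
    rule and are not handled here.
    """
    pieces = pattern.split("|")
    if len(pieces) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % pattern)
    out = bytearray()
    for index, piece in enumerate(pieces):
        if index % 2:                      # odd pieces sit between pipes: hex
            out.extend(bytes.fromhex(piece.replace(" ", "")))
        else:
            out.extend(piece.encode("latin-1"))
    return bytes(out)


def match_offset(payload, pattern=SID_498_CONTENT):
    """Offset of the pattern in a reply payload, or -1.

    SID 498 is `alert ip any any -> any any` with a bare content keyword and
    no HTTP buffer modifier, so it inspects the raw payload of the server's
    reply; searching the whole response models that.
    """
    return payload.find(decode_content(pattern))


def rule_fires(payload, pattern=SID_498_CONTENT):
    return match_offset(payload, pattern) >= 0


# Constructed sample replies. The 200 carries the id(1)-style line the
# testmyids.com check is known for; the 304 is what a browser receives when
# it revalidates a cached copy instead of fetching the page again.
FRESH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"uid=0(root) gid=0(root) groups=0(root)\n"
)
CACHED_RESPONSE = (
    b"HTTP/1.1 304 Not Modified\r\n"
    b'ETag: "placeholder-etag"\r\n'
    b"\r\n"
)


def alerts_for(responses, pattern=SID_498_CONTENT):
    """How many replies in a series would raise the alert."""
    return sum(1 for raw in responses if rule_fires(raw, pattern))


if __name__ == "__main__":
    # Plain reload after the page is cached: a 304 each time, no alert.
    # Shift-reload or curl: a full 200 reply each time, one alert per reply.
    print("plain reloads:     ", alerts_for([CACHED_RESPONSE] * 5))
    print("curl/shift-reload: ", alerts_for([FRESH_RESPONSE] * 5))
```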

Gene Albin

Feb 1, 2011, 9:49:21 PM
to securit...@googlegroups.com
Doug,
  Learned something new (again) today.  Thought that the F5 key forced a reload, but apparently it's not the same as <shift> and click on reload.  That worked!  Thanks for taking the time to square me away on this.  Now that I have a known good install I'm set.  Thanks again!

Gene

Doug Burks

Feb 1, 2011, 9:59:49 PM
to securit...@googlegroups.com
Glad to hear it, Gene!

Regards,
--
Doug Burks, GSE, CISSP
