SO Lack of Alerts/No Alerts


Michael Glass

Oct 4, 2016, 1:36:37 PM
to security-onion
Hi there,


I have a new(ish) installation of SO that I configured from scratch that I am receiving a lack of alerts on (almost no alerts whatsoever).

Some information about my SO setup:

- 1 Sensor (combination server/sensor)
- VRT with oinkcode is in use and set to security
- curl http://testmyids.com generates no alerts

Out of curiosity, I have only included one of my networks (in the HOME_NET variable) as well as changed the pulledpork profile to 'security' to see if I can generate more alerts (or any?) but this did not generate any more alerts. Initially I thought it was a VLAN issue but I am unsure now. Any help would be appreciated.

-Michael
SO-Redacted.log

Wes

Oct 4, 2016, 1:40:11 PM
to security-onion

Michael,

Could you please try re-attaching your sostat-redacted as a text file? I am not able to open the currently attached file.

Also, have you tried using tcpreplay to replay pcaps and generate alerts?

Ex. sudo tcpreplay -ieth1 -M10 /opt/samples/*

https://github.com/Security-Onion-Solutions/security-onion/wiki/Pcaps#tcpreplay

Thanks,
Wes

Michael Glass

Oct 4, 2016, 1:53:40 PM
to security-onion
I have attached the log file again. Let me know if you can open this one.

I'm trying tcpreplay out now. I'll respond with my findings.

SO-Redacted.txt

Wes

Oct 4, 2016, 2:39:28 PM
to security-onion
On Tuesday, October 4, 2016 at 1:53:40 PM UTC-4, Michael Glass wrote:
> I have attached the log file again. Let me know if you can open this one.
>
> I'm trying tcpreplay out now. I'll respond with my findings.

It seems like you are getting several events (that should be) populated in Sguil:

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
93

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals  GenID:SigID  Signature
6       1:39866      INDICATOR-COMPROMISE Suspicious .ml dns query
4       1:31600      BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba
4       1:39867      INDICATOR-COMPROMISE Suspicious .tk dns query
2       1:34826      BLACKLIST DNS request for known malware domain cifss.org - Win.Trojan.Cozybear
2       1:28039      INDICATOR-COMPROMISE Suspicious .pw dns query
1       1:21848      MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS
Total
19

Do you not see these? Although, I do see no alerts for yesterday. Was this system set up today?

Thanks,
Wes

Michael Glass

Oct 4, 2016, 5:26:40 PM
to security-onion

I only see 4 events (of this type: 1:39867 INDICATOR-COMPROMISE Suspicious .tk dns query). I do not see any other events in Sguil. The server has been running now for about 3 weeks and the last reboot was 7 days ago.

I tried running tcpreplay on the pcaps for the eth1 interface, and let it run for a few hours on a few dozen of the pcaps, and no additional alerts were populated in Sguil.

Doug Burks

Oct 10, 2016, 8:59:37 AM
to securit...@googlegroups.com
Hi Michael,

A few observations from your sostat output:

Your sniffing interface eth1 is showing lots of errors and drops:
errors:3330 dropped:99019276

What kind of NIC is this? If it's not an Intel server-class NIC, I'd
recommend replacing it with one.

Is this NIC connected to a tap or span port? Have you double-checked
the configuration there to ensure no mismatches?

It appears you're running Suricata with the Snort Talos ruleset (which
was designed for Snort). For best results, you should run Suricata
with the Emerging Threats ruleset OR run Snort with the Snort Talos
ruleset.



--
Doug Burks
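The two things Doug checks in the sostat output, the RX drop counters on the sniffing NIC and whether the IDS engine is paired with the ruleset written for it, can be scripted so they are not missed the next time. The script below is an added example written for this thread, not code from the thread or from the Security Onion project. It assumes the Linux kernel counters under /sys/class/net/<iface>/statistics, an ifconfig-style "errors:N dropped:M" line like the one sostat echoed, and that the rule_url line in pulledpork.conf contains "emerging" for Emerging Threats or "snortrules" for the Talos tarball; the sample line and URL are constructed, the interface name eth1 comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Security Onion project.
# Checks for the two problems Doug names: a sniffing NIC dropping frames,
# and an engine/ruleset mismatch. sample_drops needs a real interface and
# is only meant for a live check; the other functions run on sample data.
LC_ALL=C
export LC_ALL

# parse_ifconfig_rx LINE
# Prints "<errors> <dropped>" from an ifconfig-style RX line, the shape
# sostat echoed in the thread ("errors:3330 dropped:99019276").
parse_ifconfig_rx() {
    printf '%s\n' "$1" |
        sed -n 's/.*errors:\([0-9][0-9]*\) *dropped:\([0-9][0-9]*\).*/\1 \2/p'
}

# drop_pct RECEIVED DROPPED
# Prints DROPPED as a percentage of RECEIVED+DROPPED, one decimal place:
# a rough figure for how much of the wire the sensor is not seeing.
drop_pct() {
    awk -v r="$1" -v d="$2" 'BEGIN {
        s = r + d
        if (s == 0) { print "0.0"; exit }
        printf "%.1f\n", 100 * d / s
    }'
}

# sample_drops IFACE SECONDS
# Prints "<rx_packets delta> <rx_dropped delta>" over SECONDS from the
# kernel counters in /sys/class/net. Run it against the sniffing NIC
# (eth1 in the thread) while traffic is flowing.
sample_drops() {
    st=/sys/class/net/$1/statistics
    p0=$(cat "$st/rx_packets"); d0=$(cat "$st/rx_dropped")
    sleep "$2"
    p1=$(cat "$st/rx_packets"); d1=$(cat "$st/rx_dropped")
    echo "$((p1 - p0)) $((d1 - d0))"
}

# engine_matches_ruleset ENGINE RULE_URL
# Returns 0 for a pairing Doug recommends (Suricata with Emerging Threats,
# or Snort with the Talos snortrules tarball), 1 otherwise. Matching on
# the URL text is an assumption about the rule_url line in pulledpork.conf.
engine_matches_ruleset() {
    case "$1:$2" in
        suricata:*emerging*)  return 0 ;;
        snort:*snortrules*)   return 0 ;;
        *)                    return 1 ;;
    esac
}

# Constructed sample data in the shape of the thread's sostat excerpt;
# the URL is a placeholder, not a real rule feed.
SAMPLE_RX='RX packets:1803412 errors:3330 dropped:99019276 overruns:0 frame:0'
SAMPLE_ENGINE=suricata
SAMPLE_RULE_URL='https://example.invalid/snortrules-snapshot-PLACEHOLDER.tar.gz'

report() {
    set -- $(parse_ifconfig_rx "$SAMPLE_RX")
    rx=$(printf '%s' "$SAMPLE_RX" | sed -n 's/.*RX packets:\([0-9]*\).*/\1/p')
    echo "eth1: errors=$1 dropped=$2 (~$(drop_pct "$rx" "$2")% of frames dropped)"
    if engine_matches_ruleset "$SAMPLE_ENGINE" "$SAMPLE_RULE_URL"; then
        echo "engine/ruleset: ok"
    else
        echo "engine/ruleset: MISMATCH ($SAMPLE_ENGINE with $SAMPLE_RULE_URL)"
    fi
}
report
```

On the thread's own numbers the report shows roughly 98% of frames dropped, which by itself explains why testmyids and replayed pcaps produced almost nothing: the engine never sees the packets. A drop rate like that on a new sensor points at the NIC, the driver or the span/tap side before it points at the rules.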