snort pfring error


Christopher Lowson

Aug 14, 2014, 7:50:28 PM
to securit...@googlegroups.com
Hey Guys,

Fresh install, didn't change anything except disabling a few snort rules and running a rule-update, and then it crashes.

Error from logs:

/opt/pfring/lib/daq/daq_pfring.so: dlopen: /opt/pfring/lib/daq/daq_pfring.so: un
ERROR: Can't find pfring DAQ!
Fatal Error, Quitting..


Any ideas on how to fix this without a reinstall?

Christopher Lowson

Aug 14, 2014, 8:14:42 PM
to securit...@googlegroups.com
using this broke everything

sudo apt-get install --reinstall securityonion-pfring-module

Status: HIDS
* ossec_agent (sguil) [ FAIL ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager x.x.x.x stopped
proxy proxy x.x.x.x stopped
x-x-eth1-1 worker 192.168.0.241 stopped
Status: x-x-eth1
* netsniff-ng (full packet data) [ FAIL ]
* pcap_agent (sguil) [ FAIL ]
* snort_agent-1 (sguil) [ FAIL ]
* snort-1 (alert data) [ FAIL ]
* barnyard2-1 (spooler, unified2 format) [ FAIL ]
* prads (sessions/assets) [ FAIL ]
* sancp_agent (sguil) [ FAIL ]
* pads_agent (sguil) [ FAIL ]
* argus [ FAIL ]
* http_agent (sguil) [ FAIL ]

Christopher Lowson

Aug 14, 2014, 8:17:20 PM
to securit...@googlegroups.com
quick restart of all services leaves only two:

* snort-1 (alert data) [ FAIL ]

* stale PID file found, process will be restarted at the next 5-minute interval!


* barnyard2-1 (spooler, unified2 format) [ FAIL ]

* stale PID file found, process will be restarted at the next 5-minute interval!

Christopher Lowson

Aug 14, 2014, 8:34:12 PM
to securit...@googlegroups.com
Quick solution for anyone having an issue and who does not care about using pfring:

sudo vi /etc/nsm/sensor-xyz/snort.conf

comment out:

#config daq: pfring
#config daq_dir: /opt/pfring/lib/daq
#config daq_var: clusterid=52
#config daq_var: clustermode=4

Still trying to find a fix to the issue though.

Heine Lysemose

Aug 15, 2014, 1:29:56 AM
to securit...@googlegroups.com

Hi

Did you "by accident" run sudo apt-get upgrade or sudo apt-get dist-upgrade?

In either case the process broke the pfring.

Doug has made a small tool to take care of the update process in the right way, sudo soup.

Could you send the output of sudo sostat-redacted?

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Christopher Lowson

Aug 15, 2014, 3:40:05 PM
to securit...@googlegroups.com
Hey Lysemose.

Nope, I always use soup.

Been running SO for months now and have had this issue a few times after a restart of snort. I end up reloading the system and the issue is gone. This time it happened twice after a fresh install, and I want to trace down a fix.

Output attached.

NOTE: Snort is currently running with pfring, will switch back and rerun if you need.

NOTE: I do have trisul running but it was installed after this issue.

Also, I noticed that there are dailylogs directories for non-monitored interfaces; is this expected from the 12.04.04 version?

sostat-redacted.txt

Doug Burks

Aug 15, 2014, 3:45:19 PM
to securit...@googlegroups.com
Hi Chris,

What's the output of the following?

dpkg -l | grep pfring

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Christopher Lowson

Aug 15, 2014, 3:59:56 PM
to securit...@googlegroups.com
Hey Doug,

Output Attached.

dpkg.txt

Doug Burks

Aug 15, 2014, 4:08:07 PM
to securit...@googlegroups.com
That looks correct.

What's the output of the following?

ls -alhR /opt/pfring/lib/

On Fri, Aug 15, 2014 at 3:59 PM, Christopher Lowson
<lowson...@gmail.com> wrote:
> Hey Doug,
>
> Output Attached.
>



Christopher Lowson

Aug 15, 2014, 4:10:05 PM
to securit...@googlegroups.com
Hey Doug,

Output Attached.

ls.txt

Doug Burks

Aug 15, 2014, 4:12:42 PM
to securit...@googlegroups.com
That looks correct also.

Your original email includes an error, but it appears to be truncated:

/opt/pfring/lib/daq/daq_pfring.so: dlopen: /opt/pfring/lib/daq/daq_pfring.so: un

Can you provide the full error?


Christopher Lowson

Aug 15, 2014, 4:15:51 PM
to securit...@googlegroups.com
Sorry, that was my bad.

Full Error:

/opt/pfring/lib/daq/daq_pfring.so: dlopen: /opt/pfring/lib/daq/daq_pfring.so: undefined symbol: pfring_set_filtering_mode
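Two things come up in this thread that are easy to script: the workaround of commenting out the `config daq*` lines in snort.conf so Snort falls back to its default DAQ, and the `dlopen: undefined symbol: pfring_set_filtering_mode` failure, which is a DAQ module that was built against one libpfring and is being resolved against another. The POSIX shell helpers below are an added example and not Security Onion's own tooling or code from the thread; the function names and the `.bak` backup convention are assumptions of mine, and the file paths match the ones posted above. `ldd -r` performs every relocation for a shared object and prints one `undefined symbol:` line per symbol it cannot resolve, which is the check that pins the error on a library mismatch rather than on a missing file.

```shell
#!/bin/sh
# Added example: inspect and toggle the pfring DAQ lines in a Security Onion
# snort.conf, and check a DAQ module for unresolved symbols.
# Function names and the .bak convention are constructed for this example.
#
# Usage (assumed sensor name from the thread):
#   . ./daq_check.sh
#   active_daq_config /etc/nsm/sensor-xyz/snort.conf
#   check_daq_symbols /opt/pfring/lib/daq/daq_pfring.so

# Print the active (uncommented) "config daq*" directives from a snort.conf.
# Exit status is grep's: 0 if any are active, 1 if none.
active_daq_config() {
    grep -E '^[[:space:]]*config daq' "$1"
}

# Comment out every active "config daq*" directive so Snort falls back to
# its default DAQ (the workaround posted earlier in the thread).
# The untouched file is kept as FILE.bak.
disable_pfring_daq() {
    sed -i.bak -E 's/^([[:space:]]*)(config daq)/\1#\2/' "$1"
}

# Reverse of disable_pfring_daq: uncomment "#config daq*" directives again.
enable_pfring_daq() {
    sed -i.bak -E 's/^([[:space:]]*)#(config daq)/\1\2/' "$1"
}

# Report unresolved symbols in a DAQ shared object.
# Returns 0 if every symbol resolves, 1 if any are undefined (they are printed,
# one per line, e.g. "undefined symbol: pfring_set_filtering_mode"), and 2 if
# the file is missing or ldd is unavailable.
check_daq_symbols() {
    so="$1"
    [ -f "$so" ] || { echo "missing DAQ module: $so" >&2; return 2; }
    command -v ldd >/dev/null 2>&1 || { echo "ldd not found" >&2; return 2; }
    unresolved=$(ldd -r "$so" 2>&1 | grep 'undefined symbol' || true)
    if [ -n "$unresolved" ]; then
        echo "$unresolved"
        return 1
    fi
    return 0
}
```

On a box where `check_daq_symbols` returns 1 for daq_pfring.so, the next question is which libpfring the module resolved (`ldd daq_pfring.so | grep pfring`) versus which one the installed pfring package shipped, which is the comparison Doug's `dpkg -l | grep pfring` and `ls -alhR /opt/pfring/lib/` requests were heading toward.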

Doug Burks

Aug 15, 2014, 4:21:06 PM
to securit...@googlegroups.com
Strange. Is it possible you're running a 32-bit system?

Christopher Lowson

Aug 15, 2014, 4:28:13 PM
to securit...@googlegroups.com
Hey Doug,

So just because we love to add a twist to things on a Friday.

I did nothing at all to the system from when I posted this yesterday except disabling the pfring in the snort config, so it would at least run, and the few commands you all requested.

So while going back and forth with you I put the pfring config back into snort (just to "try") and restarted it, and it worked.

I have no clue what was wrong or what fixed it. Glad it's fixed...

Next time this happens I will quickly run all the commands and have outputs at the time of the issue.

Maybe pfring was locked up?

Oh, also, it's 64-bit:
3.2.0-67-generic #101-Ubuntu SMP Tue Jul 15 17:46:11 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Christopher Lowson

Sep 6, 2014, 10:05:10 AM
to securit...@googlegroups.com
So last night this happened again. Error:

[ Number of patterns truncated to 20 bytes: 6571 ]


/opt/pfring/lib/daq/daq_pfring.so: dlopen: /opt/pfring/lib/daq/daq_pfring.so: undefined symbol: pfring_set_filtering_mode
ERROR: Can't find pfring DAQ!
Fatal Error, Quitting..

Attached outputs

Let me know what other outputs I could do to track this down.

output.txt

Doug Burks

Sep 6, 2014, 9:44:37 PM
to securit...@googlegroups.com
Hi Chris,

Is there anything else that happened last night that you could correlate to this?

Have you installed updates recently?

Specifically, have you installed our new PF_RING and Snort packages?
http://blog.securityonion.net/2014/08/new-pfring-snort-suricata-bro-packages.html

Christopher Lowson

Sep 6, 2014, 9:49:26 PM
to securit...@googlegroups.com, Doug Burks

Nope, nothing new at all. I just noticed this morning that I had no alerts and that snort was not running; I suspect it died when the rule update happened.

I will wait a few days like last time and try to enable the pfring again for snort and see if it takes.

Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Doug Burks

Sep 6, 2014, 10:03:20 PM
to securit...@googlegroups.com
Based on your output.txt, it looks like you haven't installed the latest updates yet. I'd recommend that you go ahead and do that.

Christopher Lowson

Sep 7, 2014, 11:04:59 AM
to securit...@googlegroups.com
After soup updates we have new issues:

Kernel issues: see http://i.imgur.com/yuqeEpS.jpg

So I went back to the last kernel and was able to boot.


onion server issues:

cron errors:

error: broctl-config.sh not found (try 'broctl install')

warning: new bro version detected (run the broctl "restart --clean" or "install" command)

How would I fix these errors?

onion sensor issues:

new snort error:
[ Number of patterns truncated to 20 bytes: 3811 ]
pfring DAQ configured to passive.
ERROR: Can't initialize DAQ pfring (-1) -
Fatal Error, Quitting..

Also getting new bro alerts now:

[Bro] PacketFilter::Dropped_Packets

Message: 81 packets dropped after filtering, 445485 received, 445484 on link




I really don't want to reload this system if I don't have to.

Christopher Lowson

Sep 7, 2014, 1:45:33 PM
to securit...@googlegroups.com
Update:

On the sensor:
A stop/start of bro cleared the packets dropped email.

On the server I commented out the cron that was running bro

Still working on the snort but I don't really see a fix yet

Also looking into the Kernel issue still, will update if I find anything.

Christopher Lowson

Sep 7, 2014, 3:02:50 PM
to securit...@googlegroups.com
Update:

So one broken shutdown leads to a check disk in the new kernel; another quick reboot and the kernel boots with no issues.

A re-try of snort with the pfring settings and no issue found...

Crazy what a simple reboot can fix...

Doug Burks

Sep 7, 2014, 7:46:29 PM
to securit...@googlegroups.com
The random kernel/PF_RING issues may be indicative of hardware failure. I'd recommend running full hardware diagnostics.


