Security Onion 14.04 release ISO installation issues


steve baker

Jan 21, 2016, 6:29:23 AM
to security-onion
I downloaded the release ISO today and tried to set up a dedicated server with one sensor node (tried a few rounds of installs). I've run into what seem to be issues with the Sguil installation.

Here is my log of the installation steps for the server install:

- downloaded 14.04.3.1 STABLE ISO image (same as RC2)
- verified md5sum ec8a8be90ef071b778575c2364250797

- installed in kvm virtual machine
- Installation type
- erase disk and install SecurityOnion
- Checked "Use LVM with new SecurityOnion installation"
- Chicago time zone
- English (Keyboard)
- Your name: steve
- computer name: so1
- username: steve
- password: simplepassword
- Require my password to log in
- didn't check Encrypt my home folder

-Restarted after successful installation

- sudo soup
- all updates have been installed

- Shutdown for snapshot
- Ran sosetup from console gui
- configured only interface eth0 for management
- 10.1.1.147
- 255.255.255.0
- 10.1.1.1 (gateway)
- 10.1.1.1 (dns)
- yes reboot
- Ran sosetup from console gui
- yes, skip network
- production mode
- Server
- Best Practices
- sguil username: steve
- password: simplepassword
- snort for IDS
- emerging threats gpl
- yes proceed

At this point no errors were output from setup and it completed. However, the sguil server does not seem to be running:

steve@so1:~$ sudo service nsm status
Status: securityonion
* sguil server [ FAIL ]
Status: HIDS
* ossec_agent (sguil) [ FAIL ]

When I run sostat, errors pop up. I've attached the output:

sudo sostat-redacted > sostat-redacted.log
ERROR 1146 (42S02) at line 1: Table 'securityonion_db.event' doesn't exist
ERROR 1146 (42S02) at line 1: Table 'securityonion_db.event' doesn't exist
ERROR 1146 (42S02) at line 1: Table 'securityonion_db.event' doesn't exist
ERROR 1146 (42S02) at line 1: Table 'securityonion_db.event' doesn't exist
ERROR 1146 (42S02) at line 1: Table 'securityonion_db.event' doesn't exist

Any help on where to look next would be great. I have a snapshot of the server at exactly this point I can revert to. I'm rather new to Security Onion and still learning where all the pieces are.

I've found that if I manually start the nsm services they come up and do listen on 7736. The sensor seems to pick up the connection at that point and send logs. I just do not see any data in Squert.

Thanks,
Steve
sostat-redacted.log
sosetup.log

Doug Burks

Jan 21, 2016, 7:19:18 AM
to securit...@googlegroups.com
Hi Steve,

I believe I've seen this issue before and it should be resolved by
simply starting the services manually (sudo service nsm start).

When you say that sensor is sending logs, but you don't see any data
in Squert, what exactly do you mean? What logs is the sensor sending
and where do you see them? Do you see NIDS/HIDS alerts in the Sguil
client?

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Doug Burks

Jan 21, 2016, 8:36:53 AM
to securit...@googlegroups.com

steve baker

Jan 21, 2016, 11:00:06 AM
to securit...@googlegroups.com
Thanks Doug, you were right: starting the services manually did work; I just needed a little more patience last night.

Everything seems to be working now except that I am not seeing any data in the Squert summary tab's geographic distribution map. It just says (0 distinct countries).

I did notice an error in the sosetup.log that there seem to be much older posts about, from back in 2012. Is this related?

Fetching AFRINIC Checksum..
error     error | E: couldn't open socket: connection refused:
error     couldn't open socket: connection refused
error         while executing
error     "socket $ftp(LocalAddr) $ftp(DataPort)"
error     error | E: Error setting PASSIVE mode!:
error     couldn't open socket: connection refused
error         while executing
error     "socket $ftp(LocalAddr) $ftp(DataPort)"
error     error | E: Error disconnecting! 425 Failed to establish connection.:
error     can't unset "ftp(get:channel)": no such element in array
error         while executing
error     "unset ftp(get:channel)"
couldn't open "delegated-afrinic-extended-latest_current.md5": no such file or directory
    while executing
"open $opts(-filename) r"
    (procedure "md5::md5" line 20)
    invoked from within
"md5::md5 -hex -file $OUTFILE"
    ("foreach" body line 57)
    invoked from within
"foreach site [list $site1 $site2 $site3 $site4 $site5] {

        set siteDesc [lindex $site 0]
        set siteLoc [lindex $site 1]
        set siteF..."
    invoked from within
"if {$fail == "no"} {

    ### Open new result file for writing
    set fileID [open $resultsFile "w"]

    ## Lets go!
    foreach site [list $site1 $..."
    (file "./ip2c.tcl" line 278)

Doug Burks

Jan 21, 2016, 1:00:29 PM
to securit...@googlegroups.com
Is your Security Onion box allowed to connect to external FTP servers?

Baker, Steve GRE-MG

Jan 21, 2016, 3:04:42 PM
to securit...@googlegroups.com
Tests seem to say yes, FTP is able to get through:

steve@so1:~$ ftp ftp.afrinic.net
Connected to ftp.afrinic.net.
220 ::::: Welcome to AFRINIC FTP service ::::::
Name (ftp.afrinic.net:steve): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files
ftp> cd stats/afrinic
250 Directory successfully changed.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x 2 1004 1004 45056 Oct 01 2012 2005
... Removed lots of lines ...
lrwxrwxrwx 1 1004 1004 35 Jan 21 05:30 delegated-afrinic-extended-latest -> delegated-afrinic-extended-20160121
lrwxrwxrwx 1 1004 1004 39 Jan 21 05:30 delegated-afrinic-extended-latest.asc -> delegated-afrinic-extended-20160121.asc
lrwxrwxrwx 1 1004 1004 39 Jan 21 05:30 delegated-afrinic-extended-latest.md5 -> delegated-afrinic-extended-20160121.md5
lrwxrwxrwx 1 1004 1004 26 Jan 21 05:30 delegated-afrinic-latest -> delegated-afrinic-20160121
lrwxrwxrwx 1 1004 1004 30 Jan 21 05:30 delegated-afrinic-latest.asc -> delegated-afrinic-20160121.asc
lrwxrwxrwx 1 1004 1004 30 Jan 21 05:30 delegated-afrinic-latest.md5 -> delegated-afrinic-20160121.md5
226 Directory send OK.
ftp> get delegated-afrinic-extended-latest
local: delegated-afrinic-extended-latest remote: delegated-afrinic-extended-latest
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for delegated-afrinic-extended-latest (387630 bytes).
226 Transfer complete.
387630 bytes received in 7.83 secs (48.3 kB/s)
ftp> passive
Passive mode on.
ftp> get delegated-afrinic-extended-latest
local: delegated-afrinic-extended-latest remote: delegated-afrinic-extended-latest
229 Entering Extended Passive Mode (|||30251|).
150 Opening BINARY mode data connection for delegated-afrinic-extended-latest (387630 bytes).
226 Transfer complete.
387630 bytes received in 8.17 secs (46.3 kB/s)
ftp> quit
221 Goodbye.
But this script fails with the error:

steve@so1:/var/www/so/squert/.scripts$ sudo ./ip2c.tcl
Fetching AFRINIC Checksum..
error error | E: couldn't open socket: connection refused:
error couldn't open socket: connection refused
error while executing
error "socket $ftp(LocalAddr) $ftp(DataPort)"
error error | E: Error setting PASSIVE mode!:
error couldn't open socket: connection refused
error while executing
error "socket $ftp(LocalAddr) $ftp(DataPort)"
^C
steve@so1:/var/www/so/squert/.scripts$
Running the PHP script doesn't output much:

steve@so1:/var/www/so/squert$ sudo /usr/bin/php -e /var/www/so/squert/.inc/ip2c.php 1
Performing base queries (this can take a while)..

steve@so1:

Thanks for any advice.

Steve
On 1/21/16, 12:00 PM, "securit...@googlegroups.com on behalf of Doug Burks" <securit...@googlegroups.com on behalf of doug....@gmail.com> wrote:

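The ip2c.tcl trace posted above shows two failures chained together: the FTP data connection is refused, and the script then calls md5::md5 -hex -file on a checksum file that was never downloaded, so it dies with "couldn't open ... no such file or directory" instead of reporting the failed fetch. The following is an added example, not code from Squert, Security Onion or ip2c.tcl, showing a checksum verification step written so that a missing checksum file, an unparseable one, or a mismatch comes back as a result rather than a traceback. The layout of the AFRINIC .md5 file is an assumption here (both the BSD "MD5 (name) = hex" form and the GNU md5sum "hex  name" form are accepted), and the data files it checks are constructed in a temporary directory.

```python
"""Verify a downloaded data file against its published .md5 file.

Added example, not from Squert/Security Onion. The checksum file
layout is assumed: either  MD5 (filename) = <32 hex>  (BSD style)
or  <32 hex>  filename  (GNU md5sum style). Anything else is rejected.
"""
import hashlib
import hmac
import os
import re
import tempfile

_BSD = re.compile(r"^MD5\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]{32})\s*$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})\s+\*?(?P<name>\S+)\s*$")


def parse_md5_file(text):
    """Return (filename, lowercase hexdigest) from the first recognised line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _BSD.match(line) or _GNU.match(line)
        if m:
            return m.group("name"), m.group("hex").lower()
    raise ValueError("no MD5 checksum line recognised")


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large datasets are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(data_path, md5_path):
    """Return (ok, reason). Reports the failure modes seen in the ip2c.tcl
    trace (checksum file never fetched, data file absent) instead of raising."""
    if not os.path.isfile(md5_path):
        return False, "checksum file missing: %s (fetch failed?)" % md5_path
    if not os.path.isfile(data_path):
        return False, "data file missing: %s" % data_path
    try:
        with open(md5_path, "r", encoding="ascii", errors="replace") as fh:
            _name, expected = parse_md5_file(fh.read())
    except ValueError as exc:
        return False, "unparseable checksum file: %s" % exc
    actual = md5_of_file(data_path)
    # Constant-time comparison; the digests are ASCII hex strings of equal length.
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch: expected %s got %s" % (expected, actual)
    return True, "ok"


def demo():
    """Run the verifier over constructed files: a good pair, a tampered
    data file, and the missing-checksum case from the thread."""
    body = b"constructed sample payload, not real RIR data\n"  # constructed
    results = {}
    with tempfile.TemporaryDirectory() as d:
        data = os.path.join(d, "delegated-afrinic-extended-latest")
        md5f = data + ".md5"
        with open(data, "wb") as fh:
            fh.write(body)
        with open(md5f, "w") as fh:
            fh.write("MD5 (delegated-afrinic-extended-latest) = %s\n"
                     % hashlib.md5(body).hexdigest())
        results["good"] = verify_download(data, md5f)[0]
        with open(data, "ab") as fh:          # alter the data after the fact
            fh.write(b"tampered\n")
        results["tampered"] = verify_download(data, md5f)[0]
        os.remove(md5f)                        # simulate the failed FTP fetch
        results["missing_md5"] = verify_download(data, md5f)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The MD5 check only establishes that the download arrived intact, which is all a checksum served from the same FTP directory can do. The directory listing earlier in the thread also shows a .asc signature file next to each dataset; checking that signature would be the stronger step, but it is outside this example.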
Doug Burks

Jan 21, 2016, 3:45:11 PM
to securit...@googlegroups.com
On Thu, Jan 21, 2016 at 3:02 PM, Baker, Steve GRE-MG
<SBa...@grenergy.com> wrote:
> Tests seem to say yes ftp is able to get through:
>
> steve@so1:~$ ftp ftp.afrinic.net
> Connected to ftp.afrinic.net.
> 220 ::::: Welcome to AFRINIC FTP service ::::::
> Name (ftp.afrinic.net:steve): anonymous
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files
> ftp> cd stats/afrinic
> 250 Directory successfully changed.
> ftp> ls
> 200 EPRT command successful. Consider using EPSV.

This line seems interesting. Are you running an IPv6 network/firewall?

Perhaps you're running into something like this?
http://core.tcl.tk/tcllib/tktview/b41b6f76b045c932e10f2504295cf98606835663