Connection failed when trying to view pcap


dday...@gmail.com

Oct 20, 2014, 11:15:10 AM
to securit...@googlegroups.com
Pretty new installation of a standalone Security Onion install. I installed the server in the middle of last week, used method 2 to add 3.5 terabytes of space, and everything seemed to be working great. I was able to pivot from Snorby and ELSA to CapMe to view the pcaps. In Squert I was able to click the TX button to see the pcap transcript.

This morning, after letting the system sit untouched over the weekend, Snorby was not loading and I was having problems getting information out of ELSA, so I restarted the NSM service, where I noticed netsniff-ng said it was not running when I stopped the service. When I started NSM back up, everything started up just fine, and I was able to get into Snorby and ELSA just fine; however, after that I can no longer view pcaps. When I try to pivot to CapMe from Snorby and ELSA, it takes me to the CapMe login page with all info filled in like normal, but when it tries to load the pcap I receive

"The requested URL /capme/pcap/ERROR: Connection failed<br> was not found on this server."

When I try to load the transcript from Squert I receive an "ERROR: connection failed" message.

I tried restarting the NSM service again; I also restarted mysql and sphinxsearch, with the same results. Then I restarted the server and the problem continues.

I'm pretty new to this system, so at this point I'm not sure what logs to look at to figure out where the problem is.

I have attached the sostat-redacted file I ran. Please let me know any additional information you may need. I really appreciate any help!

Thanks

Derek

sostat-redacted.txt

Lee Sharp

Oct 20, 2014, 1:58:10 PM
to securit...@googlegroups.com
On 10/20/2014 10:15 AM, dday...@gmail.com wrote:

> I tried restarting the NSM service again, I also restarted mysql and sphinxsearch, with the same results. Then i restarted the server and the problem continues.
>
> I'm pretty new to this system so at this point i'm not sure what logs to look at to figure out where the problem is.
>
> I have attached the sostat-redacted file i ran. Please let me know any additional information you may need. I really appreciate any help!

Thank you for this. It helps. Especially this part:

> =====================================================================
> Sguil Uncategorized Events
> =====================================================================
> COUNT(*)
> 2477358


Your system is totally overloaded, and you are dropping packets.

> /proc/net/pf_ring/5092-eth1.3
> Appl. Name : snort-cluster-52-socket-0
> Tot Packets : 25128850
> Tot Pkt Lost : 14877015


You need to start with dumping rules...

> Rule Stats...
> New:-------0
> Deleted:---0
> Enabled Rules:----16385
> Dropped Rules:----0
> Disabled Rules:---3805
> Total Rules:------20190

Some big ones to look at are:

> 143366 1:2101411 GPL SNMP public access udp
> 119029 1:2102251 GPL NETBIOS DCERPC Remote Activation bind attempt
> 58368 1:2012296 ET VOIP Modified Sipvicious Asterisk PBX User-Agent
> 57696 1:2102650 GPL SQL user name buffer overflow attempt
> 57432 1:2102649 GPL SQL service_name buffer overflow attempt
> 30879 1:2000419 ET POLICY PE EXE or DLL Windows file download

Frankly, everyone disables that SNMP one... All HP print drivers spew
it constantly.

And look at https://code.google.com/p/security-onion/wiki/ManagingAlerts
for a lot more information.

Lee
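Lee's diagnosis above reads three things off the sostat output: the uncategorized-event backlog, the pf_ring packet loss on the snort socket, and the handful of sids producing most of the alerts. As an added example (not from the thread and not Security Onion's own code), the Python below pulls those numbers out of a sostat-style excerpt constructed from the values quoted above and flags the same conditions. The field names follow the quoted output; the excerpt layout, the 1% loss threshold and the 100,000 backlog threshold are assumptions.

```python
import re

# Constructed excerpt modelled on the sostat output quoted in this thread
# (same field names and numbers as the quoted lines; not the full report).
SOSTAT_EXCERPT = """\
=====================================================================
Sguil Uncategorized Events
=====================================================================
COUNT(*)
2477358

/proc/net/pf_ring/5092-eth1.3
Appl. Name         : snort-cluster-52-socket-0
Tot Packets        : 25128850
Tot Pkt Lost       : 14877015

Top sids (constructed from the counts quoted in the thread)
 143366 1:2101411 GPL SNMP public access udp
 119029 1:2102251 GPL NETBIOS DCERPC Remote Activation bind attempt
  58368 1:2012296 ET VOIP Modified Sipvicious Asterisk PBX User-Agent
  57696 1:2102650 GPL SQL user name buffer overflow attempt
  57432 1:2102649 GPL SQL service_name buffer overflow attempt
  30879 1:2000419 ET POLICY PE EXE or DLL Windows file download
"""

PF_RING_LOSS_WARN = 0.01      # assumed: 1% loss already means incomplete pcaps
UNCATEGORIZED_WARN = 100000   # assumed: backlog size that signals an overloaded sensor


def pf_ring_stats(text):
    """Return {socket_path: (packets, lost, loss_ratio)} per pf_ring block.

    A block starts at a '/proc/net/pf_ring/...' line and ends at a blank line;
    inside it, 'Key : value' lines are collected.
    """
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith("/proc/net/pf_ring/"):
            current = line.strip()
            blocks[current] = {}
        elif not line.strip():
            current = None
        elif current and ":" in line:
            key, _, value = line.partition(":")
            blocks[current][key.strip()] = value.strip()
    result = {}
    for path, fields in blocks.items():
        pkts = int(fields.get("Tot Packets", 0))
        lost = int(fields.get("Tot Pkt Lost", 0))
        result[path] = (pkts, lost, lost / pkts if pkts else 0.0)
    return result


def uncategorized_events(text):
    """Return the Sguil uncategorized-event count, or None if absent."""
    m = re.search(r"Sguil Uncategorized Events\n=+\nCOUNT\(\*\)\n(\d+)", text)
    return int(m.group(1)) if m else None


def top_sids(text, n=3):
    """Parse '<count> <gid>:<sid> <msg>' lines; return the top n as (gid_sid, count, msg)."""
    rows = [(m.group(2), int(m.group(1)), m.group(3))
            for m in re.finditer(r"^\s*(\d+)\s+(\d+:\d+)\s+(.+?)\s*$", text, re.M)]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:n]


def triage(text, n=3):
    """Produce the same three findings Lee read off by hand, as strings."""
    findings = []
    for path, (pkts, lost, ratio) in pf_ring_stats(text).items():
        if ratio > PF_RING_LOSS_WARN:
            findings.append(f"{path}: {lost}/{pkts} packets lost ({ratio:.1%})")
    backlog = uncategorized_events(text)
    if backlog is not None and backlog > UNCATEGORIZED_WARN:
        findings.append(f"{backlog} uncategorized Sguil events: alert volume exceeds what is being reviewed")
    rows = top_sids(text, None)
    if rows:
        total = sum(c for _, c, _ in rows)
        head = sum(c for _, c, _ in rows[:n])
        noisiest = ", ".join(r[0] for r in rows[:n])
        findings.append(f"top {n} sids ({noisiest}) produce {head / total:.0%} of the listed alerts")
    return findings


if __name__ == "__main__":
    for finding in triage(SOSTAT_EXCERPT):
        print(finding)
```

Run against a real sostat report the same parsing applies, since the field labels come straight from the quoted output; the thresholds are the part to tune for a given sensor.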

dday...@gmail.com

Oct 21, 2014, 9:50:15 AM
to securit...@googlegroups.com

You are exactly right. I disabled the top few rules like you suggested and let it run overnight. The system is running much better. Looks like it's time to run through the list and get rid of what I don't need.

Thanks for the help!

Lee Sharp

Oct 21, 2014, 12:18:43 PM
to securit...@googlegroups.com
On 10/21/2014 08:50 AM, dday...@gmail.com wrote:

> You are exactly right. I disabled the top few rules like you suggested and let it run overnight. The system is running much better. Looks like it's time to run through the list and get rid of what I don't need.

My pleasure. I was where you are not that long ago... :)

Lee

Derek Day

Oct 29, 2014, 9:21:59 AM
to securit...@googlegroups.com
Hopefully it's OK that I'm replying to this weeks-old thread instead of starting a new one, but my question is related to this. If I need to start a new thread please let me know.

So I'm working through cleaning up some unneeded signatures, and I've gotten to one that I want to rewrite to exclude a specific source and destination. I'm going through the instructions on how to do that and I'm a little confused. It says to edit /etc/nsm/rules/local.rules; however, I'm not exactly sure how I'm supposed to edit it. Am I supposed to copy the rule from /etc/nsm/rules/downloaded.rules and then put the "var OVERACTIVE [xxx.xxx.xxx]" etc.? I'm assuming I'm not supposed to add that in the downloaded.rules file since it's a read-only file. I'm just a bit confused here.

Thanks for any help!
--
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/iQPZDns3qd4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Doug Burks

Oct 29, 2014, 9:24:14 AM
to securit...@googlegroups.com
Hi Derek,

Replies inline.

On Wed, Oct 29, 2014 at 9:13 AM, Derek Day <dday...@gmail.com> wrote:
> Hopefully it's OK that I'm replying to this weeks-old thread instead of
> starting a new one, but my question is related to this. If I need to start a
> new thread please let me know.

Please see:
https://code.google.com/p/security-onion/wiki/MailingLists#Start_a_new_thread_instead_of_replying_to_an_old_one

> So I'm working through cleaning up some unneeded signatures, and I've gotten
> to one that I want to rewrite to exclude a specific source and destination.
> I'm going through the instructions on how to do that and I'm a little
> confused. It says to edit /etc/nsm/rules/local.rules; however, I'm not
> exactly sure how I'm supposed to edit it. Am I supposed to copy the rule
> from /etc/nsm/rules/downloaded.rules and then put the "var OVERACTIVE
> [xxx.xxx.xxx]" etc.? I'm assuming I'm not supposed to add that in the
> downloaded.rules file since it's a read-only file. I'm just a bit confused
> here.

Please see:
https://code.google.com/p/security-onion/wiki/ManagingAlerts#Rewrite_the_signature

and/or:
https://code.google.com/p/security-onion/wiki/ManagingAlerts#modifysid.conf


> Thanks for any help!
>
> On Tue, Oct 21, 2014 at 11:18 AM, Lee Sharp <lees...@hal-pc.org> wrote:
>>
>> On 10/21/2014 08:50 AM, dday...@gmail.com wrote:
>>
>>> You are exactly right. I disabled the top few rules like you suggested,
>>> and let it run overnight. The system is running much better. Looks like
>>> it's time to run through the list and get rid of what I don't need.
>>
>>
>> My pleasure. I was where you are not that long ago... :)
>>
>> Lee
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
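Doug points Derek to the wiki for rewriting a signature. The Python below is an added example, not Security Onion's or PulledPork's code, showing the mechanics behind that advice as Derek paraphrases it: copy the rule out of downloaded.rules, narrow its source or destination so a known-noisy host no longer matches, give the copy a local sid, and disable the original so it does not keep firing from downloaded.rules. The rule text, its sid 1234567 and the excluded host 10.0.0.5 are constructed for the example. The inline list-with-negation form `[$EXTERNAL_NET,!10.0.0.5]` is assumed here in place of the wiki's `var OVERACTIVE` variable; the local sid range starting at 1000000 and the `gid:sid` line format for disablesid.conf are assumptions about Snort and PulledPork conventions, so check them against the wiki pages Doug links before relying on them.

```python
import re

# Constructed stand-in for a noisy rule as it might appear in downloaded.rules.
# The sid, msg and content are made up for this example; this is not a real ET/GPL rule.
NOISY_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 161 '
              '(msg:"CONSTRUCTED example noisy SNMP rule"; content:"public"; '
              'classtype:attempted-recon; sid:1234567; rev:2;)')

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

LOCAL_SID_BASE = 1000000  # assumed: sids from 1,000,000 up are reserved for local rules


def parse_rule(rule):
    """Split a single-line Snort rule into its header fields and option string."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: " + rule[:60])
    return m.groupdict()


def rule_sid(rule):
    """Return the integer sid carried in the rule's options."""
    m = re.search(r"sid:\s*(\d+)\s*;", rule)
    if not m:
        raise ValueError("rule has no sid")
    return int(m.group(1))


def exclude_hosts(addr, hosts):
    """Narrow an address field, e.g. $EXTERNAL_NET -> [$EXTERNAL_NET,!10.0.0.5].

    Assumed Snort list syntax: a bracketed list whose members may be variables,
    CIDRs or negated entries.
    """
    negated = ",".join("!" + h for h in hosts)
    return f"[{addr},{negated}]"


def rewrite_rule(rule, src_exclude=(), dst_exclude=(), new_sid=LOCAL_SID_BASE + 1):
    """Return a copy of rule for local.rules that skips the given hosts and carries a local sid."""
    p = parse_rule(rule)
    if src_exclude:
        p["src"] = exclude_hosts(p["src"], src_exclude)
    if dst_exclude:
        p["dst"] = exclude_hosts(p["dst"], dst_exclude)
    # Local copy gets its own sid so it cannot collide with the downloaded one,
    # and starts again at rev:1.
    opts = re.sub(r"sid:\s*\d+\s*;", f"sid:{new_sid};", p["opts"])
    opts = re.sub(r"rev:\s*\d+\s*;", "rev:1;", opts)
    return (f"{p['action']} {p['proto']} {p['src']} {p['sport']} {p['dir']} "
            f"{p['dst']} {p['dport']} ({opts})")


def disablesid_line(rule, gid=1):
    """Line for disablesid.conf that turns off the original rule (assumed gid:sid format)."""
    return f"{gid}:{rule_sid(rule)}"


def tune(rule, src_exclude=(), dst_exclude=()):
    """Return (local_rules_line, disablesid_line) for one noisy rule."""
    return rewrite_rule(rule, src_exclude, dst_exclude), disablesid_line(rule)


if __name__ == "__main__":
    local_line, disable_line = tune(NOISY_RULE, src_exclude=["10.0.0.5"])
    print("append to /etc/nsm/rules/local.rules:\n  " + local_line)
    print("append to disablesid.conf:\n  " + disable_line)
```

The two outputs go to different files on purpose: the rewritten rule lives in local.rules, which rule updates do not overwrite, while the disablesid.conf entry keeps the original from coming back the next time downloaded.rules is regenerated. Restricting the rewrite to the one noisy host keeps the signature active for everyone else rather than silencing it outright.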