Can't connect to Squert


Curtis

Aug 10, 2016, 5:58:32 PM
to security-onion
Hey guys,

Got another problem that's over my head. I've searched the forum for similar issues, referenced the troubleshooting wiki, and no luck. There's a lot involved, but I'll try to keep it concise.

Last week, I was unable to access Sguil/Squert. Sguil gave me the "Unable to connect over 7734," and I can't connect to Squert at all.

1) I restarted the nsm service and server, and got the following every time:

Restarting: securityonion
* stopping: sguil server (not running) [ WARN ]
- stale PID file found, deleting!
* starting: sguil server [ OK ]
Restarting: HIDS
* stopping: ossec_agent (sguil) [ OK ]
* starting: ossec_agent (sguil) [ OK ]


2) I checked /var/log/nsm/securityonion/sguild.log, and it ended with:

mysqlexec/db server: Table 'securityonion_db.event_{ HOSTNAME_INTERFACE }_20160721' doesn't exist
while executing
"mysqlexec $MAIN_DB_SOCKETID $updateString"
(procedure "UpdateDBStatus" line 11)
invoked from within
"UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
(procedure "AutoCat" line 43)
invoked from within
"AutoCat $row"
("foreach" body line 6)
invoked from within
"foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {

InfoMessage "Archived Alert: $row"
set LAST_EVENT_ID([lindex $row 3]) "[li..."
invoked from within
"if { $mergeTableListArray(event) != "" } {

# Get the archived alerts
LogMessage "Querying DB for archived events..."
set MAJOR_MYSQL_VERS..."
(file "/usr/bin/sguild" line 737)
2016-08-09 17:07:06 pid(36446) Unknown command received from sguild:

3) I lowered my DAYSTOKEEP in /etc/nsm/securityonion.conf, ran sudo sguil-db-purge, and am now able to connect to Sguil. The sguild.log looks good with no errors, however I am still unable to connect to Squert.

4) /var/log/nsm/{ HOSTNAME_INTERFACE }/suricata.log is loaded with errors, the last of which are:

10/8/2016 -- 20:44:41 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SQL use of sleep function in HTTP header - likely SQL injection attempt"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"sleep("; within:200; fast_pattern; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*sleep\x28/H"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:web-application-attack; sid:38993; rev:4;)" from file /etc/nsm/rules/downloaded.rules at line 55265
10/8/2016 -- 20:44:41 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16;)"
10/8/2016 -- 20:44:41 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16;)" from file /etc/nsm/rules/downloaded.rules at line 55277
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2101411, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2012889, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2003195, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2003195, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2003195, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2012889, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2012889, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2011124, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2011124, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2011124, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2011124, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2020565, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 8000069, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 8000068, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 8000068, gid 1: unknown rule
10/8/2016 -- 20:44:44 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " track by_dst"
10/8/2016 -- 20:44:44 - <Error> - [ERRCODE: SC_ERR_INVALID_IP_NETBLOCK(16)] - failed to parse $HOME_NET, track by_dst, ip x.x.x.x/32
10/8/2016 -- 20:44:44 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.

I don't know what else to try, or where to look. Attached is my sostat-redacted for your reference. Note: a sensor shows up as DISCONNECTED. This is a known issue I was previously troubleshooting before this incident occurred. I don't know if my troubleshooting efforts caused this new issue - if it did, I was removing a sensor as per https://github.com/Security-Onion-Solutions/security-onion/wiki/RemovingASensor

Any assistance is appreciated, as always. Seems to be one thing after another.


sostat8-10-16.txt
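A small triage helper for the sguild error in step 2 and the DAYSTOKEEP fix in step 3, added here as an example and not part of Security Onion or the poster's setup: it parses the "Table ... doesn't exist" lines out of sguild.log and reports the largest DAYSTOKEEP that still lets sudo sguil-db-purge drop the missing per-day event tables. The sensor name in the embedded sample is constructed, and the purge boundary (tables older than DAYSTOKEEP days are dropped) is an assumption.

```python
import re
from datetime import date

# sguild names the table it cannot find exactly as in the log above:
# mysqlexec/db server: Table 'securityonion_db.event_<sensor>_<YYYYMMDD>' doesn't exist
MISSING_TABLE_RE = re.compile(
    r"Table '(?P<db>\w+)\.(?P<table>event_(?P<sensor>.+?)_(?P<day>\d{8}))' doesn't exist"
)

# Constructed excerpt of sguild.log; the sensor name is a placeholder, not a real host.
SAMPLE_LOG = """\
mysqlexec/db server: Table 'securityonion_db.event_sensor1-eth1_20160721' doesn't exist
    while executing
"mysqlexec $MAIN_DB_SOCKETID $updateString"
    (procedure "UpdateDBStatus" line 11)
2016-08-09 17:07:06 pid(36446) Unknown command received from sguild:
"""


def parse_day(yyyymmdd):
    """Turn the YYYYMMDD suffix of a per-day table name into a date."""
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))


def missing_tables(log_text):
    """Return [(table_name, table_date), ...] for every table sguild could not
    find, in log order and without duplicates."""
    seen = {}
    for m in MISSING_TABLE_RE.finditer(log_text):
        seen.setdefault(m.group("table"), parse_day(m.group("day")))
    return list(seen.items())


def max_daystokeep(log_text, today):
    """Largest DAYSTOKEEP that lets sguil-db-purge drop every missing table.

    Assumption (not stated in the thread): the purge removes per-day tables
    older than DAYSTOKEEP days, so a table must be at least DAYSTOKEEP + 1
    days old to be dropped. Returns None when no missing table was found.
    """
    today = date.fromisoformat(today)
    ages = [(today - day).days for _, day in missing_tables(log_text)]
    if not ages:
        return None
    return min(ages) - 1


if __name__ == "__main__":
    for table, day in missing_tables(SAMPLE_LOG):
        print(f"missing {table} (dated {day})")
    print("DAYSTOKEEP must be at most", max_daystokeep(SAMPLE_LOG, "2016-08-09"))
```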

Wes

Aug 10, 2016, 6:21:16 PM
to security-onion

Curtis,


To clarify, are you able to view alert data using Sguil now?

How are you trying to connect to Squert?


What is the output of the following?

sudo mysqlcheck -c securityonion_db


What steps had you completed in regard to the disconnected sensor issue?


Thanks,
Wes

Shane Castle

Aug 11, 2016, 4:39:01 AM
to securit...@googlegroups.com


On 10.08.2016 23:58, Curtis wrote:
>
> Got another problem that's over my head. I've searched the forum for similar
> issues, referenced the troubleshooting wiki, and no luck. There's a lot
> involved, but I'll try to keep it concise.
>
> Last week, I was unable to access Sguil/Squert. Sguil gave me the "Unable to
> connect over 7734," and I can't connect to Squert at all.

[...]

> I don't know what else to try, or where to look. Attached is my
> sostat-redacted for your reference. Note** a sensor shows up at DISCONNECTED.
> This is a known issue I was previously troubleshooting before this incident
> occurred. I don't know if my troubleshooting efforts caused this new issue -
> if it did, I was removing a sensor as per
> https://github.com/Security-Onion-Solutions/security-onion/wiki/RemovingASensor
>
> Any assistance is appreciated, as always. Seems to be one thing after
> another.

The sostat-redacted is unfortunately pretty unusable, owing to you having given
your system a name that is all numeric; as a result, lots of numeric info in the
output has been obfuscated. If you don't care about various disclosures, such as
netname, username, and IP addresses, you could show us the output of sostat instead.

So, here's a guess: you filled up a filesystem. This sort of behavior can be a
result of /var and/or /etc having been filled. Recovery is unfortunately not so
easy. I've done this with /var in the past, and I wound up having to redefine
all my MySQL tables after clearing some space.

Also, when you say "unable to access Sguil/Squert", you don't say if you are
on the system itself or on another system connecting over the network. Which is
it? I assume local but again, just guessing.

--
Best regards
Shane Castle

Curtis

Aug 11, 2016, 10:08:59 AM
to security-onion
Wes,

I am able to view and categorize alerts via Sguil, but not Squert, which I am trying to connect to over 443 - there haven't been any changes to the firewall.

The output of sudo mysqlcheck -c securityonion_db shows everything is OK.

In regard to the sensor issue, I did the following, straight from the wiki:

On the master server, edit /etc/elsa_web.conf, remove the sensor from the peers section, then restart Apache (sudo service apache2 restart).

In MySQL database securityonion_db, edit sensor table (you can simply set active='N'), then restart sguild.

Stop sguild
sudo nsm_server_ps-stop

Show sensor entries
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'select * from sensor';

Set sensor as inactive
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "update sensor set active='N' where sid in (<SID1>,<SID2>)";

Start sguild
sudo nsm_server_ps-start

I re-added the sensor yesterday, just to see if maybe that was the cause, but no change.


Thanks!

Curtis

Aug 11, 2016, 10:22:23 AM
to security-onion
Shane,

Thank you. Unfortunately, I am unable to publicly disclose any further information regarding my network.

I'll have to check the memory on the box, it does seem to be running a bit slower.

I am unable to access Squert over the network.

Thanks,
Curt

Wes Lambert

Aug 11, 2016, 5:34:59 PM
to securit...@googlegroups.com

Curtis,

Are you able to access Squert locally?

Have you checked ufw on the master?

Have you tried running so-allow to allow the IP address from which you are attempting to navigate (to Squert)?

Thanks,
Wes



Samuel James

Aug 3, 2017, 9:59:16 AM
to security-onion
I had the same problem. I fixed it by changing $dbHost to localhost instead of 127.0.0.1 in the config.php file.