E325: ATTENTION (rule update getting stuck)


Samson H

Aug 29, 2014, 12:20:00 PM
to securit...@googlegroups.com
Any idea what might be causing my /etc/nsm/rules/local.rules file to be left open when it pulls a rule update? (I do use salt for automatic rule updates)

It will stop snort from functioning correctly on all my sensors until I manually go through each sensor and bring the local.rules file out of limbo it seems.

Here is the message I receive when trying to "vi /etc/nsm/rules/local.rules" that I have to manually correct:

E325: ATTENTION
Found a swap file by the name "/etc/nsm/rules/.local.rules.swp"
owned by: xxxxxx dated: Wed Aug 27 17:00:04 2014
file name: /etc/nsm/rules/local.rules
modified: YES
user name: xxxxxxx host name: xxxxxxxx
process ID: 7021
While opening file "/etc/nsm/rules/local.rules"
dated: Fri Aug 29 10:55:15 2014
NEWER than swap file!

(1) Another program may be editing the same file. If this is the case,
be careful not to end up with two different instances of the same
file when making changes. Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use ":recover" or "vim -r /etc/nsm/rules/local.rules"
to recover the changes (see ":help recovery").
If you did this already, delete the swap file "/etc/nsm/rules/.local.rules.swp"
to avoid this message.

Swap file "/etc/nsm/rules/.local.rules.swp" already exists!
[O]pen Read-Only, (E)dit anyway, (R)ecover, (D)elete it, (Q)uit, (A)bort:

Any feedback would be much appreciated!

Doug Burks

Aug 29, 2014, 12:39:01 PM
to securit...@googlegroups.com
Hi Samson,

My guess would be that you were editing local.rules on the master and
the swp file got replicated out to all the sensors. I'd recommend
something like the following:

- make sure that you don't have any vi processes currently editing the file

- remove the swap file from the master

- force all salt minions to update:
sudo salt '*' state.highstate

- check to see if all swap files have been removed:
sudo salt '*' cmd.run 'ls /etc/nsm/rules/*.swp'



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Samson H

Aug 29, 2014, 1:12:03 PM
to securit...@googlegroups.com
Thanks for the response!

You're probably right about me editing the local.rules on the master when it was replicated out to all the sensors.

- remove the swap file from the master

check

- force all salt minions to update

check (used sudo salt '*' state.highstate)

- check to see if all swap files have been removed

This is where it gets interesting...

I ran sudo salt '*' cmd.run 'ls /etc/nsm/rules/*.swp' and received output:

xxxxxxx@xxxxxxx:~# salt '*' cmd.run 'ls /etc/nsm/rules/*.swp'
sensornamexxxx:
ls: cannot access /etc/nsm/rules/*.swp: No such file or directory
sensornamexxxx:
ls: cannot access /etc/nsm/rules/*.swp: No such file or directory
sensornamexxxx:
ls: cannot access /etc/nsm/rules/*.swp: No such file or directory
sensornamexxxx:
ls: cannot access /etc/nsm/rules/*.swp: No such file or directory
sensornamexxxx:
ls: cannot access /etc/nsm/rules/*.swp: No such file or directory
sensornamexxxx:
ls: cannot access /etc/nsm/rules/*.swp: No such file or directory
sensornamexxxx:
ls: cannot access /etc/nsm/rules/*.swp: No such file or directory

But if I run salt '*' cmd.run "ls /etc/nsm/rules/.local.rules.swp" I get output:

xxxxxxx@xxxxxxx:~# salt '*' cmd.run "ls /etc/nsm/rules/.local.rules.swp"
sensornamexxxx:
/etc/nsm/rules/.local.rules.swp
sensornamexxxx:
ls: cannot access /etc/nsm/rules/.local.rules.swp: No such file or directory
sensornamexxxx:
/etc/nsm/rules/.local.rules.swp
sensornamexxxx:
/etc/nsm/rules/.local.rules.swp
sensornamexxxx:
/etc/nsm/rules/.local.rules.swp
sensornamexxxx:
ls: cannot access /etc/nsm/rules/.local.rules.swp: No such file or directory
sensornamexxxx:
/etc/nsm/rules/.local.rules.swp

I verified that the 5 sensors that return the "/etc/nsm/rules/.local.rules.swp" output do still have the issue whereas the other 2 sensors that returned "ls: cannot access /etc/nsm/rules/.local.rules.swp: No such file or directory" do NOT still have the issue.

Doug Burks

Aug 29, 2014, 1:16:32 PM
to securit...@googlegroups.com
You should be able to remove all those swap files with a command like this:

sudo salt '*' cmd.run "rm -f /etc/nsm/rules/.local.rules.swp"
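The cleanup Doug describes (check for a live editor, remove the swap file, re-run the highstate, verify) can be scripted so that it does not depend on a glob. The reason `ls /etc/nsm/rules/*.swp` reported nothing while `.local.rules.swp` was still present is that a shell glob does not match names beginning with a dot, and Vim names its swap files `.<file>.swp` (falling back to `.swo`, `.swn`, and so on down to `.swa`). The script below is an added example, not code from the thread or from Security Onion; it uses `find` with an explicit leading dot, maps each swap file back to the file it shadows, and only deletes a swap file that is older than that file, which is exactly Vim's "NEWER than swap file!" case, so a session that is still editing is reported rather than destroyed. The `RULES_DIR` default and the `--run` flag are assumptions for this example.

```shell
#!/bin/sh
# Added example: find and clean stale Vim swap files in a rules directory.
# Assumption: the rules directory defaults to /etc/nsm/rules; override
# RULES_DIR to point the functions somewhere else (e.g. for testing).
set -eu

RULES_DIR="${RULES_DIR:-/etc/nsm/rules}"

# List Vim swap files directly under a directory, hidden ones included.
# A plain '*.swp' glob skips leading-dot names, which is why the thread's
# "ls /etc/nsm/rules/*.swp" missed .local.rules.swp. One path per line,
# sorted; empty output means the directory is clean.
find_swap_files() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f -name '.*.sw[a-p]' | sort
}

# Map a swap file to the file it shadows:
#   /etc/nsm/rules/.local.rules.swp -> /etc/nsm/rules/local.rules
shadowed_file() {
    swap="$1"
    dir=$(dirname "$swap")
    base=$(basename "$swap")
    base="${base#.}"            # drop the leading dot
    base="${base%.sw[a-p]}"     # drop the .swp / .swo / ... suffix
    printf '%s/%s\n' "$dir" "$base"
}

# Remove swap files that are older than the file they shadow (the file was
# rewritten after the editor session died or the swap file was copied in
# from elsewhere). A swap file that is newer than its file, or that has no
# file at all, is kept and reported so a live edit is never clobbered.
# Prints one "removed <path>" or "kept <path> ..." line per swap file.
clean_stale_swap_files() {
    dir="$1"
    find_swap_files "$dir" | while IFS= read -r swap; do
        real=$(shadowed_file "$swap")
        if [ -e "$real" ] && [ "$real" -nt "$swap" ]; then
            rm -f -- "$swap"
            echo "removed $swap"
        else
            echo "kept $swap (not older than $real; check for a running editor first)"
        fi
    done
}

# Assumed entry point: "sh clean_swap.sh --run" cleans RULES_DIR on this host.
if [ "${1:-}" = "--run" ]; then
    clean_stale_swap_files "$RULES_DIR"
fi
```

On a single sensor this runs locally; to fan it out from the master the way the thread does, the verification step becomes `sudo salt '*' cmd.run "find /etc/nsm/rules -maxdepth 1 -name '.*.sw[a-p]'"`, and the one-shot removal Doug gives above (`rm -f /etc/nsm/rules/.local.rules.swp`) remains the quickest fix once you are sure nobody is still editing the file on the master.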

Samson H

Aug 29, 2014, 1:30:14 PM
to securit...@googlegroups.com
sudo salt '*' cmd.run "rm -f /etc/nsm/rules/.local.rules.swp"
Did the trick!

You're a beast.
Thanks Doug!
