Re: [security-onion] Sguil server running but not open 7734 or 7736 ports


Doug Burks

Jul 24, 2012, 8:15:41 AM
to securit...@googlegroups.com
Hi Plankskes,

Please send the output of the following (redacting sensitive info
where necessary):
sudo sostat

Also, please send the output of this command:
tail -100 /var/log/nsm/securityonion/sguild.log

Thanks,
Doug

On Tue, Jul 24, 2012 at 8:09 AM, Plankskes <koenvand...@gmail.com> wrote:
> We are running SO in a server/sensor setup and the first day everything is running fine. After one day we noticed that on the server the sguild is running but apparently there is no process listening on inbound connection on port 7734 or 7736.
>
> root@server:~# ufw status
> Status: active
>
> To Action From
> -- ------ ----
> 22/tcp ALLOW Anywhere
> 8000/tcp ALLOW Anywhere
> 443/tcp ALLOW Anywhere
> 7734/tcp ALLOW Anywhere
> 7736/tcp ALLOW Anywhere
> 3000/tcp ALLOW Anywhere
> root@server:~# service nsm status
> Status: securityonion
> * sguil server
> Status: HIDS
> * ossec_agent (sguil)
> root@server:~# netstat -tul
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 localhost:55046 *:* LISTEN
> tcp 0 0 localhost:mysql *:* LISTEN
> tcp 0 0 *:ssh *:* LISTEN
> tcp 0 0 localhost:ipp *:* LISTEN
> tcp6 0 0 [::]:9876 [::]:* LISTEN
> tcp6 0 0 [::]:ssh [::]:* LISTEN
> tcp6 0 0 localhost:ipp [::]:* LISTEN
> tcp6 0 0 [::]:3000 [::]:* LISTEN
> tcp6 0 0 [::]:https [::]:* LISTEN
> udp 0 0 *:58726 *:*
> udp 0 0 *:mdns *:*
> udp 0 0 server.jetair.be:ntp *:*
> udp 0 0 localhost:ntp *:*
> udp 0 0 *:ntp *:*
> udp6 0 0 fe80::21c:c4ff:fe77:ntp [::]:*
> udp6 0 0 localhost:ntp [::]:*
> udp6 0 0 [::]:ntp [::]:*
>
>
> We also can’t see any alerts in snorby after one day. I rebooted both server and sensor, with no result. Apparently all nsm services are running and there is an active ssh connection between the sensor and the server.
>
> root@sensor:~# service nsm status
> Status: sensor-eth1
> * pcap_agent (sguil)
> * sancp_agent (sguil)
> * snort_agent (sguil)
> * pads_agent (sguil)
> * snort (alert data)
> * barnyard2 (spooler, unified2 format)
> * sancp (session data)
> * pads (asset info)
> * daemonlogger (full packet data)
> * argus
> * http_agent (sguil)
> Status: HIDS
> * ossec_agent (sguil)
> Status: Bro
> Name Type Host Status Pid Peers Started
> bro standalone localhost running 16332 0 24 Jul 11:15:12
> root@sensor:~# pgrep -lf autossh
> 1534 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:127.0.0.1:3306 sens...@server.domain.be
>
--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Jul 24, 2012, 10:06:18 AM
to securit...@googlegroups.com
server.log shows that Sguil Uncategorized Events is 953,647. This is
a very high number! Did you see this in the Installation guide
(http://code.google.com/p/security-onion/wiki/Installation)?

"Also note that you should be looking at and categorizing events every
day with the goal being to categorize all events every day. Even if
you don't use the Sguil console for your primary analysis, you need to
log into it periodically and F8 old events to keep the RealTime
queue from getting too big. Neglecting to do so may result in
database/Sguil issues as the number of uncategorized events continues
to increase on a daily basis. Please see the Sguil client page on
NSMwiki:
http://nsmwiki.org/Sguil_Client"

When Sguil started, it began loading these 953,647 uncategorized
events into memory. The output of "tail -100
/var/log/nsm/securityonion/sguild.log" shows a bunch of "Archived
Alert"s, so Sguil is still trying to load them into memory and won't
listen on the network until it's done.

You'll need to get your Uncategorized Events down to a more manageable number.

Hope that helps!

Thanks,
Doug

On Tue, Jul 24, 2012 at 9:45 AM, Plankskes <koenvand...@gmail.com> wrote:
>
> Hi Doug,
> thanks for your feedback, I attached the log files, one from the sensor and one from the server,
> regards
> Plankskes
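The failure mode Doug describes (sguild process up, but no listener on 7734/7736 while it reads a huge uncategorized-event backlog into memory) can be triaged automatically from the three artefacts in this thread: netstat listeners, the sostat event count, and the sguild.log tail. The script below is an added example, not part of the thread or of Security Onion; the netstat sample follows the format quoted above, while the sostat line shape, the "Archived Alert" log line shape and the BACKLOG_WARN threshold are assumptions.

```python
import re

# Constructed sample inputs. The netstat lines mirror the server output quoted in
# the thread; the sostat line and sguild.log lines are assumed shapes, not real output.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp6 0 0 [::]:3000 [::]:* LISTEN
tcp6 0 0 [::]:https [::]:* LISTEN
udp 0 0 *:ntp *:*
"""
SOSTAT_LINE = "Sguil Uncategorized Events: 953,647"
SGUILD_TAIL = "\n".join(["Archived Alert: (constructed sample line)"] * 5)

SGUIL_PORTS = {"7734", "7736"}  # sensor-agent and analyst-console ports from the thread
BACKLOG_WARN = 10000            # assumed threshold; the guide says categorize daily


def listening_ports(netstat):
    """Return the set of local ports (numeric or service name) in LISTEN state."""
    ports = set()
    for line in netstat.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(fields[3].rsplit(":", 1)[1])
    return ports


def uncategorized_events(sostat):
    """Parse the uncategorized-event count; tolerates 'is 953,647' and ': 953647'."""
    m = re.search(r"Uncategorized Events\D*([\d,]+)", sostat)
    return int(m.group(1).replace(",", "")) if m else 0


def archived_alert_lines(log_tail):
    """Count 'Archived Alert' lines, the sign that sguild is still loading events."""
    return sum(1 for line in log_tail.splitlines() if "Archived Alert" in line)


def diagnose(netstat, sostat, log_tail):
    """Classify sguild as ok / loading backlog / down from the three artefacts."""
    missing = SGUIL_PORTS - listening_ports(netstat)
    backlog = uncategorized_events(sostat)
    if not missing:
        return "ok: sguild listening on 7734 and 7736"
    if archived_alert_lines(log_tail) and backlog > BACKLOG_WARN:
        return "loading: sguild still reading %d uncategorized events; F8 old events to shrink the backlog" % backlog
    return "down: ports %s not listening and no backlog load in progress; inspect sguild.log" % sorted(missing)
```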