NSM: nsm_sensor_ps-restart --sensor-name=$i --only-pcap should only restart pcap #1118

Closed
dougburks opened this issue Aug 15, 2017 · 6 comments

@dougburks dougburks commented Aug 15, 2017

nsm_sensor_ps-restart currently has a logic bug when combining --sensor-name and --only-pcap:

```sh
    --sensor-name*)
        SENSOR_NAME="$SENSOR_NAME $(echo $1 | cut -d "=" -f 2)"
        # restricting to one sensor also marks the host-wide daemons as skipped
        SKIP_BRO=yes
        SKIP_OSSEC_AGENT=yes
        ;;

    --only-pcap)
        # SKIP_INVERT inverts the SKIP_* flags, so the SKIP_BRO=yes set above
        # by --sensor-name now selects bro as well as pcap
        SKIP_INVERT=yes
        SKIP_PCAP=yes
        ;;
```

This results in nsm_sensor_ps-restart restarting both pcap and bro instead of just pcap.

This logic bug probably manifests for other --only-? options as well.

This logic bug probably manifests in other nsm_sensor_ps-? scripts as well.

dougburks added a commit to Security-Onion-Solutions/securityonion-nsmnow-admin-scripts that referenced this issue Sep 11, 2019
@dougburks dougburks self-assigned this Sep 11, 2019
@dougburks dougburks added this to To do in 16.04.6.3 via automation Sep 11, 2019
@dougburks dougburks moved this from To do to In progress in 16.04.6.3 Sep 11, 2019
@dougburks dougburks commented Sep 11, 2019

Pete's recommendations for testing from https://groups.google.com/d/topic/security-onion/lwpkJmfDKVA/discussion:

My recommendation for testing:
====================
Create test VM with multiple monitoring NICs
activate SecurityOnion in advanced mode listening on at least 2 NICs
run nsm_sensor_ps-status --sensor-name=[yourhost-em2] --only-prads
  note that it shows status for ossec, bro, and prads (error condition)
do the same for stop, start, and restart commands (optional)
run nsm_sensor_ps-status --sensor-name=[yourhost-em2] --only-bro
run nsm_sensor_ps-status --sensor-name=[yourhost-em2] --only-ossec-agent
  note that it shows status for ossec and bro (nonsense options allowed)
run nsm_sensor_ps-status --only-prads
  note that it shows status for prads on all interfaces (baseline)
run nsm_sensor_ps-status --only-prads --only-bro
  note that it shows status for bro and for prads on all interfaces (advanced baseline)
install the patch
run nsm_sensor_ps-status --sensor-name=[yourhost-em2] --only-prads
  note that it shows status for just prads on [em2] (fix works)
do the same for stop, start, and restart with other processes (fix works)
run nsm_sensor_ps-status --sensor-name=[yourhost-em2] --only-bro
run nsm_sensor_ps-status --sensor-name=[yourhost-em2] --only-ossec-agent
  note that it shows OOPS message (new check)
run nsm_sensor_ps-status --only-prads
run nsm_sensor_ps-status --only-prads --only-bro
  note that baseline behavior is the same
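A constructed model of the option handling discussed in this issue and in Pete's test plan, added here as an illustration (it is not the project's scripts and not the actual patch). It parses the options the way the snippet above does, resolves them to the processes a command would act on, and compares the reported behaviour with an assumed correction. The interface names em1/em2, the rule that SKIP_INVERT flips every SKIP_* flag, and the OOPS check for --only-bro/--only-ossec-agent with --sensor-name are assumptions.

```sh
#!/bin/sh
# Constructed model of nsm_sensor_ps-* option handling; not the project's code.
# Assumed semantics: with SKIP_INVERT=yes a process is acted on only if its
# SKIP_* flag is yes; with SKIP_INVERT=no it is acted on unless the flag is yes.

INTERFACES="em1 em2"   # constructed: a sensor host with two monitoring NICs

# resolve_targets MODE [options...] -> echoes the processes the command would
# touch, e.g. "bro prads:em2", or an OOPS line. MODE is "buggy" or "fixed".
resolve_targets() {
    mode=$1; shift
    sensor=""; invert=no; only_host=no
    skip_bro=no; skip_ossec=no; skip_pcap=no; skip_prads=no
    for arg in "$@"; do
        case "$arg" in
            --sensor-name=*)
                sensor="${arg#*=}"
                # as in the issue: naming a sensor also flags the host-wide
                # daemons, which a later --only-* then inverts into "run them"
                skip_bro=yes; skip_ossec=yes ;;
            --only-pcap)        invert=yes; skip_pcap=yes ;;
            --only-prads)       invert=yes; skip_prads=yes ;;
            --only-bro)         invert=yes; skip_bro=yes;   only_host=yes ;;
            --only-ossec-agent) invert=yes; skip_ossec=yes; only_host=yes ;;
            *) echo "OOPS: unknown option $arg"; return 1 ;;
        esac
    done
    if [ "$mode" = fixed ] && [ -n "$sensor" ]; then
        # assumed fix: bro and ossec are not per-interface processes, so
        # selecting them together with --sensor-name is rejected ...
        if [ "$only_host" = yes ]; then
            echo "OOPS: --only-bro/--only-ossec-agent cannot be combined with --sensor-name"
            return 1
        fi
        # ... and when another --only-* inverts the flags, their flags are
        # cleared so the inversion cannot turn them back on
        if [ "$invert" = yes ]; then skip_bro=no; skip_ossec=no; fi
    fi
    # a process is acted on exactly when its flag equals the invert setting
    out=""
    [ "$skip_bro" = "$invert" ]   && out="$out bro"
    [ "$skip_ossec" = "$invert" ] && out="$out ossec-agent"
    for ifc in ${sensor:-$INTERFACES}; do
        [ "$skip_pcap" = "$invert" ]  && out="$out pcap:$ifc"
        [ "$skip_prads" = "$invert" ] && out="$out prads:$ifc"
    done
    echo "${out# }"
}
```

Run `resolve_targets buggy --sensor-name=em2 --only-prads` to see the error condition from the test plan (ossec, bro and prads), and `resolve_targets fixed ...` with the same options to see only prads on em2.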
@petiepooo petiepooo commented Sep 11, 2019

@dougburks, I didn't test the start/stop/restart scripts, but changes to nsm_sensor_ps-status work as expected. I used --only-snort-agent instead of --only-prads for testing...
I also tested the changes in commit 5309f5a to nsm_sensor, and I no longer get the OOPS there when given --start plus a --sensor_name.
Thanks!

@dougburks dougburks moved this from In progress to In Testing in 16.04.6.3 Sep 12, 2019
@weslambert weslambert commented Oct 18, 2019

Looks good from my testing 👍

@dougburks dougburks moved this from In Testing to Tested in 16.04.6.3 Oct 19, 2019
@dougburks dougburks closed this Oct 22, 2019
16.04.6.3 automation moved this from Tested to Done Oct 22, 2019