NSM Now Scripts don't check if a sensor is disabled before performing operations when a --sensor-name= is specified #645

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 6 comments

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

What steps will reproduce the problem?
1. Run - nsm_sensor_ps-stop --sensor-name=<a valid sensor-name that isn't 
enabled>
2. Sensor services should start up

What is the expected output? What do you see instead?

I would expect the NSM_Now scripts to recognize you are attempting to start a 
sensor that has been disabled in /etc/nsm/sensortab and exit.

Are you using the new Security Onion 12.04?

Yes

Did you install from the ISO image or did you install your own version of
Ubuntu and then add our PPA and packages?

Security Onion ISO Image

Please provide any additional information below.

In /usr/lib/nsmnow/lib-nsm-sensor-utils there is a function 
"sensortab_names_get" that will return a string of the sensor names separated 
by a newline character.

Should be somewhat straightforward to write a function that will parse sensor 
tap into an array - before a sensor specific operation is run, such as when you 
specify sensor-name using an NSM NOW script, check and make sure the 
sensor-name is enabled.

Invalid sensor names already throw a "sensor does not exist!" error message.

Original issue reported on code.google.com by IamR...@gmail.com on 8 Nov 2014 at 12:03

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Patches are always welcome!  :)

Original comment by doug.bu...@gmail.com on 8 Nov 2014 at 5:09

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Only three lines needed (see attached patch).

Insert the code at Line 280 on nsm_sensor_ps-stop (this will work for 
start|status|..., different lines though). Changing the lib would be overkill 
with code still needed on the scripts.

# Liam's request by @heywiz
CHECK_NAME=$(echo "$SENSOR_NAME" | tr -d " ")
# A "#" directly in front of the sensor name in sensortab marks it as disabled
if grep -q "#$CHECK_NAME" /etc/nsm/sensortab 2>/dev/null; then
    echo "Sensor disabled, exiting"
    exit 1
fi

30aa81949a08d1ff5248e7621d483830 *nsm_sensor_ps-stop.patch
6f52abc2500862b09b98741742372b5d *nsm_sensor_ps-stop.testing
2c2e44ce06744c1e6125776df9c976fc8cbab9fa *nsm_sensor_ps-stop.patch
d75c77b7007643ea02bc3d26f79576ea6aae7198 *nsm_sensor_ps-stop.testing

Tested successfully on Ubuntu 12.04.5 LTS using SO repos.

Hope this helps.

Tim Whisnant
@heywiz

Original comment by timothyw...@gmail.com on 24 Jan 2015 at 12:01

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Thanks, Tim!

Original comment by doug.bu...@gmail.com on 24 Jan 2015 at 2:31

dougburks added a commit to Security-Onion-Solutions/securityonion-nsmnow-admin-scripts that referenced this issue Sep 12, 2019
… operations when a --sensor-name= is specified Security-Onion-Solutions/security-onion#645
@dougburks dougburks self-assigned this Sep 12, 2019
@dougburks dougburks added this to To do in 16.04.6.3 via automation Sep 12, 2019
@dougburks dougburks moved this from To do to In progress in 16.04.6.3 Sep 12, 2019
@dougburks dougburks moved this from In progress to In Testing in 16.04.6.3 Sep 12, 2019
dougburks added a commit to Security-Onion-Solutions/securityonion-nsmnow-admin-scripts that referenced this issue Sep 12, 2019
@dougburks dougburks commented Sep 12, 2019

Please test the updated NSM scripts using the --sensor-name option in various combinations:

  • sensor names that are valid and enabled in /etc/nsm/sensortab
  • sensor names that are disabled in /etc/nsm/sensortab
  • sensor names that don't exist in /etc/nsm/sensortab
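
An added example (not the project's code or the committed fix) of a check that tells the three cases listed above apart by matching the whole sensor name instead of a substring grep. It assumes the sensor name is the first whitespace-separated field of each sensortab line and that a disabled entry has "#" in front of the name; `sensor_state`, `require_enabled` and the sample file are hypothetical.

```shell
# Added example, not the project's code. Assumption: the sensor name is the
# first whitespace-separated field of a sensortab line, and a disabled entry
# has "#" in front of the name.

# sensor_state NAME [SENSORTAB] prints: enabled | disabled | missing
sensor_state() {
    tab=${2:-/etc/nsm/sensortab}
    [ -r "$tab" ] || { echo missing; return 0; }
    WANT=$1 awk '
        NF == 0 { next }
        {
            name = $1; off = 0
            if (name ~ /^#/) {                 # commented-out entry
                off = 1
                sub(/^#+/, "", name)
                if (name == "") name = $2      # "# name" with a space
            }
            if (name != ENVIRON["WANT"]) next  # whole-field match only
            if (off) disabled = 1; else enabled = 1
        }
        END {
            if (enabled) print "enabled"       # an active line wins
            else if (disabled) print "disabled"
            else print "missing"
        }' "$tab"
}

# require_enabled NAME [SENSORTAB] returns 0 enabled, 1 disabled, 2 missing
require_enabled() {
    case $(sensor_state "$1" "$2") in
        enabled)  return 0 ;;
        disabled) echo "Sensor $1 is disabled, exiting" >&2; return 1 ;;
        *)        echo "Sensor $1 does not exist!" >&2; return 2 ;;
    esac
}

# Constructed sample sensortab; names and columns are made up.
SAMPLE_TAB=$(mktemp)
trap 'rm -f "$SAMPLE_TAB"' EXIT
cat > "$SAMPLE_TAB" <<'EOF'
so-eth1   1  8000  eth1
#so-eth2  1  8001  eth2
so-eth    1  8002  eth3
EOF

# grep "#so-eth" would match the "#so-eth2" line and call so-eth disabled.
for s in so-eth1 so-eth2 so-eth so-eth9; do
    printf '%s -> %s\n' "$s" "$(sensor_state "$s" "$SAMPLE_TAB")"
done
```

The distinct return codes let a calling script keep the existing "does not exist" path separate from the new "disabled" one.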
@weslambert weslambert commented Oct 18, 2019

Looks good from my testing 👍

@dougburks dougburks moved this from In Testing to Tested in 16.04.6.3 Oct 19, 2019
@dougburks dougburks closed this Oct 22, 2019
16.04.6.3 automation moved this from Tested to Done Oct 22, 2019