Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove VLAN setting from pcap_agent.conf #243

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 6 comments
Closed

Remove VLAN setting from pcap_agent.conf #243

GoogleCodeExporter opened this issue Mar 24, 2015 · 6 comments

Comments

@GoogleCodeExporter
Copy link

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Remove these two lines:
# If you do VLAN tagging then set this to 1 so the right filter is passed to 
tcpdump.
set VLAN 0


Original issue reported on code.google.com by doug.bu...@gmail.com on 28 Mar 2012 at 2:45

@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Actually, instead of removing those two lines, let's change them:

# If you do VLAN tagging then set this to 1 so the right filter is passed to 
tcpdump.
# As of Security Onion 20120224, VLAN should always be 0.  Please do not change!
# 
http://securityonion.blogspot.com/2012/02/security-onion-20120224-now-available.
html
set VLAN 0

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 4:51

  • Added labels: ****
  • Removed labels: ****
@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Code changes in /usr/local/sbin/nsm_sensor_add:


# DLB - Disabled this section
# collect vlan requirements
#if [ -z "$SENSOR_VLAN_TAGGING" ]
#then
    #prompt_user_yesno "VLAN Tagging" "Is this sensor monitoring VLAN or encapsulated traffic?" "N"
    #[ "$?" -ne 0 ] && exit 1
    #SENSOR_VLAN_TAGGING=$PROMPT_RET
#fi

# SENSOR_VLAN_TAGGING should always be N now
SENSOR_VLAN_TAGGING="N"

# prompt to create the sensor
prompt_user_yesno "Create Sensor" "The following information has been 
collected:\n\n  name:        $SENSOR_NAME\n  net group:   $SENSOR_NET_GROUP\n  
interface:   $SENSOR_INTERFACE\n  auto (i
f):   $SENSOR_INTERFACE_AUTO\n  server:      
$SENSOR_SERVER_HOST:$SENSOR_SERVER_PORT\n  barnyard2:   
$SENSOR_BARNYARD2_PORT\n  auto:        $SENSOR_AUTO\n  utc:         
$SENSOR_UTC\n  Do you
 want to create?" "Y"


<snip>



THE_TIME=$(date)
[ "${SENSOR_VLAN_TAGGING}" == "Y" ] && SENSOR_VLAN_TAGGING=1 || 
SENSOR_VLAN_TAGGING=0
cat >/etc/nsm/$SENSOR_NAME/pcap_agent.conf << EOF_PCAP_AGENT
# pcap_agent.conf: auto-generated by NSMnow Administration on $THE_TIME
# DEBUG is VERY chatty. Use it only when needed (1=on, 0=off)
set DEBUG 1
# Run in background (1=yes, 0=no)
set DAEMON 0
# Name of sguild server
set SERVER_HOST $SENSOR_SERVER_HOST
# Port sguild listens on for sensor connects
set SERVER_PORT $SENSOR_SERVER_PORT
# Local hostname (sensors monitoring multiple interfaces need to use a unique 
'hostname' for each interface)
set HOSTNAME $SENSOR_NAME
# The net id is used to correlate data from different agents.
set NET_GROUP $SENSOR_NET_GROUP
# The root of your log dir for data like pcap, portscans, sessions, etc
set LOG_DIR /nsm/sensor_data
# Where raw/pcap files are being logged to and will be read from.
set RAW_LOG_DIR \${LOG_DIR}/\${HOSTNAME}/dailylogs
# Path to tcpdump. Used for parsing pcap files.
set TCPDUMP "/usr/sbin/tcpdump"
# If you do VLAN tagging then set this to 1 so the right filter is passed to 
tcpdump.
# As of Security Onion 20120224, VLAN should always be 0.  Please do not change!
# 
http://securityonion.blogspot.com/2012/02/security-onion-20120224-now-available.
html
set VLAN $SENSOR_VLAN_TAGGING

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:09

  • Added labels: ****
  • Removed labels: ****
@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Added the following to security-onion-upgrade.sh:

sed -i 's| |=|g' $CONF
source $CONF
if [ "$VERSION" = "20120326" ]; then
        NEW="20120329"
        echo "**********************************************"   | $LOGGER
        echo "* Upgrading from $VERSION to $NEW."               | $LOGGER
        echo "**********************************************"   | $LOGGER
        DIR="/nsm/backup/$NEW"
        mkdir -p $DIR                                           | $LOGGER
        cd $DIR

        for FILE in securityonion-nsmnow-admin-scripts_20120329_i386.deb; do
                echo -n "* Downloading $FILE..."                | $LOGGER
                wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
                if [ $? -eq 1 ]; then
                        echo "FAIL"     | $LOGGER
                        exit 1
                else
                        echo "OK"       | $LOGGER
                fi
        done

        echo -n "* Installing downloaded packages..." | $LOGGER
        dpkg -i *.deb                                           >> $LOG
        if [ $? -eq 1 ]; then
                echo "FAIL"     | $LOGGER
                exit 1
        else
                echo "OK"       | $LOGGER
        fi

        SENSORS=`grep -v "^#" /etc/nsm/sensortab |awk '{print $1}'`
        for SENSORNAME in $SENSORS; do
                echo "* Creating /etc/nsm/$SENSORNAME/bpf.conf if it doesn't already exist"       | $LOGGER
        touch /etc/nsm/"$SENSORNAME"/bpf.conf
        done

        sed -i "s|VERSION=$VERSION|VERSION=$NEW|g" $CONF        | $LOGGER
        echo "* Upgrade to $NEW complete."                      | $LOGGER
        echo 
fi

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:11

  • Changed state: Started
  • Added labels: ****
  • Removed labels: ****
@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Turned over to testing:

Security Onion Testers,

Security Onion 20120328 is ready for testing!  This update should resolve the 
following issues:
http://code.google.com/p/security-onion/issues/detail?id=114
http://code.google.com/p/security-onion/issues/detail?id=224
http://code.google.com/p/security-onion/issues/detail?id=242
http://code.google.com/p/security-onion/issues/detail?id=243

Please only test on VMs that can be snapshotted.

Please test/verify the following:

- Start with a VM with the latest Security Onion and run Setup (choosing Snort 
- Suricata afpacket mode currently doesn't support bpf) so that we can simulate 
an in-place upgrade

- Run the in-place upgrade (should install new package and create 
/etc/nsm/HOSTNAME-INTERFACE/bpf.conf):
sudo -i "curl -L 
http://sourceforge.net/projects/security-onion/files/20120329/security-onion-upg
rade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

- Add a BPF to /etc/nsm/HOSTNAME-INTERFACE/bpf.conf like the following (for 
testmyids.com):
not host 217.160.51.31

- Run "sudo nsm_sensor_ps-restart" to restart Snort and daemonlogger

- Verify that snort doesn't alert on "curl http://testmyids.com" anymore and 
that daemonlogger didn't record any packets for that destination

- run Setup to simulate a new install

- Run the same test as above.

- Verify issues 224, 242, and 243 are fixed as well

- Anything else I didn't think of


Thanks in advance for your time and effort!

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:37

  • Changed state: Fixed
  • Added labels: ****
  • Removed labels: ****
@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Tested by:
Craig Shannon
Scott Runnels

Original comment by doug.bu...@gmail.com on 29 Mar 2012 at 9:19

  • Changed state: Verified
  • Added labels: ****
  • Removed labels: ****
@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Published:
http://securityonion.blogspot.com/2012/03/security-onion-20120329-now-available.
html

Original comment by doug.bu...@gmail.com on 29 Mar 2012 at 10:03

  • Added labels: ****
  • Removed labels: ****
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant
You can’t perform that action at this time.