Skip to content
This repository has been archived by the owner. It is now read-only.

Remove VLAN setting from pcap_agent.conf #243

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 6 comments
Closed

Remove VLAN setting from pcap_agent.conf #243

GoogleCodeExporter opened this issue Mar 24, 2015 · 6 comments

Comments

@GoogleCodeExporter
Copy link

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Remove these two lines:
# If you do VLAN tagging then set this to 1 so the right filter is passed to 
tcpdump.
set VLAN 0


Original issue reported on code.google.com by doug.bu...@gmail.com on 28 Mar 2012 at 2:45

@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Actually, instead of removing those two lines, let's change them:

# If you do VLAN tagging then set this to 1 so the right filter is passed to 
tcpdump.
# As of Security Onion 20120224, VLAN should always be 0.  Please do not change!
# 
http://securityonion.blogspot.com/2012/02/security-onion-20120224-now-available.
html
set VLAN 0

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 4:51

  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Code changes in /usr/local/sbin/nsm_sensor_add:


# DLB - Disabled this section
# collect vlan requirements
#if [ -z "$SENSOR_VLAN_TAGGING" ]
#then
    #prompt_user_yesno "VLAN Tagging" "Is this sensor monitoring VLAN or encapsulated traffic?" "N"
    #[ "$?" -ne 0 ] && exit 1
    #SENSOR_VLAN_TAGGING=$PROMPT_RET
#fi

# SENSOR_VLAN_TAGGING should always be N now
SENSOR_VLAN_TAGGING="N"

# prompt to create the sensor
prompt_user_yesno "Create Sensor" "The following information has been 
collected:\n\n  name:        $SENSOR_NAME\n  net group:   $SENSOR_NET_GROUP\n  
interface:   $SENSOR_INTERFACE\n  auto (i
f):   $SENSOR_INTERFACE_AUTO\n  server:      
$SENSOR_SERVER_HOST:$SENSOR_SERVER_PORT\n  barnyard2:   
$SENSOR_BARNYARD2_PORT\n  auto:        $SENSOR_AUTO\n  utc:         
$SENSOR_UTC\n  Do you
 want to create?" "Y"


<snip>



THE_TIME=$(date)
[ "${SENSOR_VLAN_TAGGING}" == "Y" ] && SENSOR_VLAN_TAGGING=1 || 
SENSOR_VLAN_TAGGING=0
cat >/etc/nsm/$SENSOR_NAME/pcap_agent.conf << EOF_PCAP_AGENT
# pcap_agent.conf: auto-generated by NSMnow Administration on $THE_TIME
# DEBUG is VERY chatty. Use it only when needed (1=on, 0=off)
set DEBUG 1
# Run in background (1=yes, 0=no)
set DAEMON 0
# Name of sguild server
set SERVER_HOST $SENSOR_SERVER_HOST
# Port sguild listens on for sensor connects
set SERVER_PORT $SENSOR_SERVER_PORT
# Local hostname (sensors monitoring multiple interfaces need to use a unique 
'hostname' for each interface)
set HOSTNAME $SENSOR_NAME
# The net id is used to correlate data from different agents.
set NET_GROUP $SENSOR_NET_GROUP
# The root of your log dir for data like pcap, portscans, sessions, etc
set LOG_DIR /nsm/sensor_data
# Where raw/pcap files are being logged to and will be read from.
set RAW_LOG_DIR \${LOG_DIR}/\${HOSTNAME}/dailylogs
# Path to tcpdump. Used for parsing pcap files.
set TCPDUMP "/usr/sbin/tcpdump"
# If you do VLAN tagging then set this to 1 so the right filter is passed to 
tcpdump.
# As of Security Onion 20120224, VLAN should always be 0.  Please do not change!
# 
http://securityonion.blogspot.com/2012/02/security-onion-20120224-now-available.
html
set VLAN $SENSOR_VLAN_TAGGING

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:09

  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Added the following to security-onion-upgrade.sh:

sed -i 's| |=|g' $CONF
source $CONF
if [ "$VERSION" = "20120326" ]; then
        NEW="20120329"
        echo "**********************************************"   | $LOGGER
        echo "* Upgrading from $VERSION to $NEW."               | $LOGGER
        echo "**********************************************"   | $LOGGER
        DIR="/nsm/backup/$NEW"
        mkdir -p $DIR                                           | $LOGGER
        cd $DIR

        for FILE in securityonion-nsmnow-admin-scripts_20120329_i386.deb; do
                echo -n "* Downloading $FILE..."                | $LOGGER
                wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
                if [ $? -eq 1 ]; then
                        echo "FAIL"     | $LOGGER
                        exit 1
                else
                        echo "OK"       | $LOGGER
                fi
        done

        echo -n "* Installing downloaded packages..." | $LOGGER
        dpkg -i *.deb                                           >> $LOG
        if [ $? -eq 1 ]; then
                echo "FAIL"     | $LOGGER
                exit 1
        else
                echo "OK"       | $LOGGER
        fi

        SENSORS=`grep -v "^#" /etc/nsm/sensortab |awk '{print $1}'`
        for SENSORNAME in $SENSORS; do
                echo "* Creating /etc/nsm/$SENSORNAME/bpf.conf if it doesn't already exist"       | $LOGGER
        touch /etc/nsm/"$SENSORNAME"/bpf.conf
        done

        sed -i "s|VERSION=$VERSION|VERSION=$NEW|g" $CONF        | $LOGGER
        echo "* Upgrade to $NEW complete."                      | $LOGGER
        echo 
fi

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:11

  • Changed state: Started
  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Turned over to testing:

Security Onion Testers,

Security Onion 20120328 is ready for testing!  This update should resolve the 
following issues:
http://code.google.com/p/security-onion/issues/detail?id=114
http://code.google.com/p/security-onion/issues/detail?id=224
http://code.google.com/p/security-onion/issues/detail?id=242
http://code.google.com/p/security-onion/issues/detail?id=243

Please only test on VMs that can be snapshotted.

Please test/verify the following:

- Start with a VM with the latest Security Onion and run Setup (choosing Snort 
- Suricata afpacket mode currently doesn't support bpf) so that we can simulate 
an in-place upgrade

- Run the in-place upgrade (should install new package and create 
/etc/nsm/HOSTNAME-INTERFACE/bpf.conf):
sudo -i "curl -L 
http://sourceforge.net/projects/security-onion/files/20120329/security-onion-upg
rade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

- Add a BPF to /etc/nsm/HOSTNAME-INTERFACE/bpf.conf like the following (for 
testmyids.com):
not host 217.160.51.31

- Run "sudo nsm_sensor_ps-restart" to restart Snort and daemonlogger

- Verify that snort doesn't alert on "curl http://testmyids.com" anymore and 
that daemonlogger didn't record any packets for that destination

- run Setup to simulate a new install

- Run the same test as above.

- Verify issues 224, 242, and 243 are fixed as well

- Anything else I didn't think of


Thanks in advance for your time and effort!

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:37

  • Changed state: Fixed
  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Tested by:
Craig Shannon
Scott Runnels

Original comment by doug.bu...@gmail.com on 29 Mar 2012 at 9:19

  • Changed state: Verified
  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Published:
http://securityonion.blogspot.com/2012/03/security-onion-20120329-now-available.
html

Original comment by doug.bu...@gmail.com on 29 Mar 2012 at 10:03

  • Added labels: ****
  • Removed labels: ****

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

1 participant