This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

NSM: cron job to check if netsniff-ng is recording with a date other than today #1117

Closed
dougburks opened this issue Aug 8, 2017 · 1 comment

@dougburks (Contributor)

Problem

Suppose Security Onion is installed in a VM and that VM is suspended today. Tomorrow, that VM is resumed. The VM may then update its OS date/time, either via NTP or virtualization tools. If that happens, then there is a mismatch because netsniff-ng is still writing pcap to a directory with the previous date on it. Attempting to pivot to pcap from Sguil/Squert/ELSA/Kibana will then fail.

Proposed Solution

Create a cron job that runs every minute. That cron job checks to see if:

  • netsniff-ng is enabled
  • netsniff-ng is running
  • netsniff-ng is writing to a date other than today's date

If all of the conditions above are true, then restart netsniff-ng so that it will start writing to today's date, and log to a file that this corrective action was executed.
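One way to implement the check described in the proposal, written here as an added example rather than Security Onion's own script. The pcap directory layout (`.../dailylogs/YYYY-MM-DD/`), the sensor config path and `PCAP_ENABLED` variable, the log destination and the `nsm_sensor_ps-restart --only-pcap` restart command are all assumptions and must be adjusted to the deployment. The date the capture process is writing to is read from the file it actually has open (via `/proc/<pid>/fd`), so the check does not depend on parsing its command line, and a path without a recognisable date is deliberately treated as "not stale" so a parse failure never triggers a restart.

```shell
#!/bin/bash
# Added example (not Security Onion's own code): a once-a-minute cron check that
# restarts netsniff-ng when it is still writing pcap into a previous day's directory.
# Assumptions, labelled: pcap lands in $PCAP_BASE/<sensor>/dailylogs/YYYY-MM-DD/,
# the "enabled" flag is $ENABLED_VAR in $SENSOR_CONF, and the restart command is
# $RESTART_CMD. None of the four is verified here; adjust them to the deployment.
PCAP_BASE="/nsm/sensor_data"                         # assumed layout
SENSOR_CONF="/etc/nsm/sensor.conf"                   # hypothetical path
ENABLED_VAR="PCAP_ENABLED"                           # hypothetical variable name
RESTART_CMD="nsm_sensor_ps-restart --only-pcap"      # assumed invocation
LOG_FILE="/var/log/nsm/pcap-datecheck.log"           # hypothetical log destination

# Pull the YYYY-MM-DD segment out of a path such as (assumed naming)
# /nsm/sensor_data/sensor-eth1/dailylogs/2017-08-07/snort.log.1502064000
# Prints nothing when the path has no dailylogs/<date>/ segment.
pcap_date_from_path() {
  printf '%s\n' "$1" |
    sed -n 's#.*/dailylogs/\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\)/.*#\1#p'
}

# True (exit 0) only when the path carries a date and that date differs from "$2".
# A path with no date is "not stale": the job must never restart on a parse failure.
pcap_date_is_stale() {
  local d
  d=$(pcap_date_from_path "$1")
  [ -n "$d" ] && [ "$d" != "$2" ]
}

# Condition 1: is pcap capture switched on?  Reads ENABLED_VAR="yes" from SENSOR_CONF.
pcap_enabled() {
  [ -r "$SENSOR_CONF" ] && grep -qE "^${ENABLED_VAR}=\"?yes\"?" "$SENSOR_CONF"
}

# Condition 2: PID of the oldest netsniff-ng process, or failure when none is running.
netsniff_pid() {
  pgrep -o -x netsniff-ng
}

# The pcap file the running process currently has open, taken from its fd symlinks.
current_pcap_path() {
  local pid="$1"
  ls -l "/proc/$pid/fd" 2>/dev/null |
    sed -n 's/.* -> \(.*\/dailylogs\/.*\)$/\1/p' | head -n 1
}

# Condition 3 plus the corrective action: stale date => restart and log what happened.
check_and_restart() {
  local today pid path
  today=$(date +%F)
  pcap_enabled || return 0
  pid=$(netsniff_pid) || return 0
  path=$(current_pcap_path "$pid")
  [ -n "$path" ] || return 0
  if pcap_date_is_stale "$path" "$today"; then
    printf '%s netsniff-ng (pid %s) writing to %s but today is %s; restarting\n' \
      "$(date '+%F %T')" "$pid" "$path" "$today" >> "$LOG_FILE"
    $RESTART_CMD >> "$LOG_FILE" 2>&1
  fi
}

# Only act when invoked with --run, so the functions can also be sourced for testing.
# Example cron entry (hypothetical install path):
#   * * * * * root /usr/local/sbin/pcap-datecheck.sh --run
if [ "${1:-}" = "--run" ]; then
  check_and_restart
fi
```

Run from root's crontab every minute as shown in the comment. Note the comparison uses the date directory the process has open, not the timestamp in the file name, so the restart only happens when the directory and the sensor's current date genuinely disagree; the log line records pid, path and date so a sudden burst of restarts (for example from a clock that keeps jumping) is visible afterwards.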