List: security-onion
Subject: Re: [security-onion] Two Snort sensors, need to disable one
From: Doug Burks <doug.burks () gmail ! com>
Date: 2013-03-30 15:16:47
Message-ID: CAK8kjrCXAWb9pTS3o8FaPvagiLsAMvHHpp8zJ6H05Y042QgdUw () mail ! gmail ! com
As Matt recommends, use the nsm_sensor_ps-stop
--sensor-name=HOSTNAME-INTERFACE syntax. (We have an open issue for
fixing the Bro and OSSEC agent issue:
https://code.google.com/p/security-onion/issues/detail?id=268). You
can then permanently disable that sensor by commenting it out in
/etc/nsm/sensortab. Then do an nsm_sensor_ps-start to start Bro and
the OSSEC agent back up.
Thanks,
Doug
On Sat, Mar 30, 2013 at 10:31 AM, Matt Gregory <mgg1776@gmail.com> wrote:
> Hi John,
>
> When you say "both" sensors, do you mean two separate sensors (whether two
> VMs, two physical machines, or a combination thereof), or do you have one
> sensor with two sniffing interfaces?
>
> Of course, if you have a completely separate sensor, whether a VM or
> physical machine, you could just disconnect it, but I assume that's not the
> case or you would have done that already ;)
>
> You can try running sudo nsm_sensor_ps-stop --sensor-name=<sensor_name>
> where <sensor_name> can be obtained by running sudo nsm_sensor_ps-status -
> you'll see a "Status" for each sniffing interface. This will stop all the
> sniffing processes (e.g., netsniff-ng, pcap agent, snort agent, prads, etc.)
> for the chosen sniffing interface, but in just testing it out, I find that
> it also stops the Bro and HIDS (OSSEC) processes for every sniffing
> interface, so I'm not sure if that will be suitable for what you're trying
> to do.
>
> Matt
>
>
> On Fri, Mar 29, 2013 at 8:07 PM, John Garland <jdgarland@mail.usf.edu>
> wrote:
> >
> > OK, after a lot of playing around with SO for our class project we finally
> > got the network configuration set up for our test. We went through a lot of
> > configurations and had it set up with one sensor between the modem and
> > router and the other that was internal network.
> >
> > Now, we have both sensors on the internal network because it is a dual NIC
> > on server, so one of them is the IP address of SecurityOnion... so yeah,
> > it's a mess.
> >
> > We have collected data for our first full week, but for the next weeks
> > worth of data I would like to turn off the second sensor. I know I can do
> > it by redoing the setup but we would lose our data and I want to avoid
> > that. This is a temporary setup, so just a simple disable to keep the
> > second sensor from monitoring. Otherwise, we pick up packets involving SO
> > twice.
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "security-onion" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to security-onion+unsubscribe@googlegroups.com.
> > To post to this group, send email to security-onion@googlegroups.com.
> > Visit this group at
> > http://groups.google.com/group/security-onion?hl=en-US.
> > For more options, visit https://groups.google.com/groups/opt_out.
> >
> >
>
--
Doug Burks
http://securityonion.blogspot.com
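The three steps above (stop the sensor's processes, comment it out in /etc/nsm/sensortab, start the remaining services again), as an added shell example that is not code from this thread or from the Security Onion project. It assumes that each sensortab line names one sensor and that its first whitespace-separated field is the sensor name (HOSTNAME-INTERFACE); the sample sensortab lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion itself.
# Assumption: each line of /etc/nsm/sensortab names one sensor and its first
# whitespace-separated field is the sensor name (HOSTNAME-INTERFACE), which is
# the name nsm_sensor_ps-stop --sensor-name expects.

# disable_sensor_in_tab FILE SENSOR_NAME
# Comments out the active line for SENSOR_NAME in FILE after saving FILE.bak.
# Returns 0 on success, 1 if no active entry matches, 2 if several match
# (refuse to guess which one was meant).
disable_sensor_in_tab() {
    tab="$1"
    name="$2"
    n=$(awk -v n="$name" '$1 == n { c++ } END { print c + 0 }' "$tab")
    if [ "$n" -eq 0 ]; then
        echo "no active entry for $name in $tab" >&2
        return 1
    elif [ "$n" -gt 1 ]; then
        echo "$n entries for $name in $tab, not touching it" >&2
        return 2
    fi
    cp "$tab" "$tab.bak"   # backup so the sensor can be re-enabled later
    awk -v n="$name" '$1 == n { print "#" $0; next } { print }' "$tab.bak" > "$tab"
}

# active_sensors FILE: print the names of the sensors that are still enabled.
active_sensors() {
    awk '/^[[:space:]]*#/ { next } NF { print $1 }' "$1"
}

# disable_sensor SENSOR_NAME [FILE]: the three steps from the thread. The
# nsm_sensor_ps-* calls run only where those tools exist, so the sensortab
# step can be exercised on any host.
disable_sensor() {
    name="$1"
    tab="${2:-/etc/nsm/sensortab}"
    if command -v nsm_sensor_ps-stop >/dev/null 2>&1; then
        sudo nsm_sensor_ps-stop --sensor-name="$name" || return $?
    fi
    disable_sensor_in_tab "$tab" "$name" || return $?
    # nsm_sensor_ps-start brings Bro and the OSSEC agent back up for the
    # sensors still listed; the commented-out one is skipped.
    if command -v nsm_sensor_ps-start >/dev/null 2>&1; then
        sudo nsm_sensor_ps-start
    fi
}
```

Check the result with `active_sensors /etc/nsm/sensortab` before running nsm_sensor_ps-start; the .bak copy is what you restore to bring the sensor back after the test week.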