
List:       security-onion
Subject:    Re: [security-onion] Two Snort sensors, need to disable one
From:       Doug Burks <doug.burks () gmail ! com>
Date:       2013-03-30 15:16:47
Message-ID: CAK8kjrCXAWb9pTS3o8FaPvagiLsAMvHHpp8zJ6H05Y042QgdUw () mail ! gmail ! com

As Matt recommends, use the nsm_sensor_ps-stop
--sensor-name=HOSTNAME-INTERFACE syntax.  (We have an open issue for
fixing the Bro and OSSEC agent issue:
https://code.google.com/p/security-onion/issues/detail?id=268).  You
can then permanently disable that sensor by commenting it out in
/etc/nsm/sensortab.  Then do an nsm_sensor_ps-start to start Bro and
the OSSEC agent back up.

Thanks,
Doug

On Sat, Mar 30, 2013 at 10:31 AM, Matt Gregory <mgg1776@gmail.com> wrote:
> Hi John,
> 
> When you say "both" sensors, do you mean two separate sensors (whether two
> VMs, two physical machines, or a combination thereof), or do you have one
> sensor with two sniffing interfaces?
> 
> Of course, if you have a completely separate sensor, whether a VM or
> physical machine, you could just disconnect it, but I assume that's not the
> case or you would have done that already ;)
> 
> You can try running sudo nsm_sensor_ps-stop --sensor-name=<sensor_name>
> where <sensor_name> can be obtained by running sudo nsm_sensor_ps-status -
> you'll see a "Status" for each sniffing interface.  This will stop all the
> sniffing processes (e.g., netsniff-ng, pcap agent, snort agent, prads, etc.)
> for the chosen sniffing interface, but in just testing it out, I find that
> it also stops the Bro and HIDS (OSSEC) processes for every sniffing
> interface, so I'm not sure if that will be suitable for what you're trying
> to do.
> 
> Matt
> 
> 
> On Fri, Mar 29, 2013 at 8:07 PM, John Garland <jdgarland@mail.usf.edu>
> wrote:
> > 
> > OK, after a lot of playing around with SO for our class project we finally
> > got the network configuration set up for our test.  We went through a lot of
> > configurations and had it set up with one sensor between the modem and
> > router and the other that was internal network.
> > 
> > Now, we have both sensors on the internal network because it is a dual NIC
> > on server, so one of them is the IP address of SecurityOnion... so yeah,
> > it's a mess.
> > 
> > We have collected data for our first full week, but for the next week's
> > worth of data I would like to turn off the second sensor.  I know I can do
> > it by redoing the setup but we would lose our data and I want to avoid
> > that.  This is a temporary setup, so just a simple disable to keep the
> > second sensor from monitoring.  Otherwise, we pick up packets involving SO
> > twice.
> > 
> > --
> > You received this message because you are subscribed to the Google Groups
> > "security-onion" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to security-onion+unsubscribe@googlegroups.com.
> > To post to this group, send email to security-onion@googlegroups.com.
> > Visit this group at
> > http://groups.google.com/group/security-onion?hl=en-US.
> > For more options, visit https://groups.google.com/groups/opt_out.
> > 
> > 
> 



-- 
Doug Burks
http://securityonion.blogspot.com
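A shell wrapper for the procedure Doug and Matt describe above (stop the one sensor by name, comment it out in /etc/nsm/sensortab so it stays off, then start the remaining sensors so Bro and the OSSEC agent come back), added here as an example; it is not code from the thread or from the Security Onion project. It assumes the sensor name follows the HOSTNAME-INTERFACE convention from the thread, that sensortab lists one sensor per line with the sensor name in the first column (the sample lines below are constructed, not a real file), and that `nsm_sensor_ps-stop`/`nsm_sensor_ps-start` are on the PATH when run as root. The `disable_sensor` wrapper and the `SENSORTAB` override variable are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example: disable one sniffing sensor without re-running Security Onion setup.
# Run the whole script as root (sudo), since both the NSM scripts and
# /etc/nsm/sensortab require it. SENSORTAB can be overridden for testing.
SENSORTAB="${SENSORTAB:-/etc/nsm/sensortab}"

# Comment out the sensortab line whose first column equals the sensor name.
# Refuses (return 1) when no active line matches, so a typo in the name is
# caught before any process is stopped. A .bak copy is kept for rollback.
disable_sensor_in_tab() {
  name="$1"; tab="$2"
  if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$tab"; then
    echo "no active sensor named $name in $tab" >&2
    return 1
  fi
  cp "$tab" "$tab.bak"
  awk -v n="$name" '$1 == n { print "#" $0; next } { print }' "$tab.bak" > "$tab"
}

# Number of sensors still enabled: non-empty lines not starting with '#'.
active_sensor_count() {
  awk '!/^#/ && NF > 0 { c++ } END { print c + 0 }' "$1"
}

# The three steps from the thread, in order. Note Matt's observation: the
# stop also takes down Bro and OSSEC for every interface, which is why the
# final nsm_sensor_ps-start is needed even though only one sensor was removed.
disable_sensor() {
  name="$1"
  nsm_sensor_ps-stop --sensor-name="$name" || return 1   # 1. stop that sensor's sniffers
  disable_sensor_in_tab "$name" "$SENSORTAB" || return 1 # 2. keep it off across restarts
  nsm_sensor_ps-start                                    # 3. bring the rest (Bro, OSSEC) back
}

# Offline demo on a constructed sensortab (assumed format: name, auto flag, interface).
demo_tab="$(mktemp)"
printf 'so-sensor-eth1\t1\teth1\nso-sensor-eth2\t1\teth2\n' > "$demo_tab"
disable_sensor_in_tab so-sensor-eth2 "$demo_tab"
echo "active sensors after disable: $(active_sensor_count "$demo_tab")"
cat "$demo_tab"
rm -f "$demo_tab" "$demo_tab.bak"
```

Usage on a real sensor box would be `sudo SENSORTAB=/etc/nsm/sensortab sh disable_sensor.sh` after adding a `disable_sensor HOSTNAME-INTERFACE` call at the bottom; the sensor name to pass is the one shown by `sudo nsm_sensor_ps-status`, as Matt notes. Keeping the edit in sensortab rather than only stopping the process is what prevents the second sensor from coming back on the next reboot or restart.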


