
List:       security-onion
Subject:    Re: [security-onion] Snorby logs stopped.
From:       Omar Osta <o.osta1978 () gmail ! com>
Date:       2015-05-27 12:16:57
Message-ID: c6d44353-d2d7-412e-a425-c269642fc462 () googlegroups ! com


On Tuesday, May 26, 2015 at 3:50:19 PM UTC-4, Lysemose wrote:
> Hi
> 
> Server:
> 
> Tune your ruleset to your environment. 
> 
> Remember to categorize Sguil events. 
> 
> Sensor1:
> 
> Add more disk space. 
> 
> Disable unnecessary processes (prads, sancp_agent, pads_agent, http_agent). 
> 
> Tune your ruleset (from server). 
> 
> Netsniff-ng is losing packets, maybe because of slow storage. 
> 
> Look for clues in the log file regarding why snort isn't running (most likely caused by one or more of the customisations you made).
> 
> Sensor2:
> 
> Mostly ok. But that's probably because you're not monitoring as much traffic as sensor1 is.
> 
> Look for clues in the log file regarding why snort isn't running (most likely caused by one or more of the customisations you made).
> 
> All of the answers can be found on https://github.com/Security-Onion-Solutions/security-onion/wiki
> 
> Regards, 
> 
> Lysemose 
> 
> On May 26, 2015 20:03, "Omar Osta" <o.ost...@gmail.com> wrote:
> Hello,
> 
> 
> 
> I created a new installation of a server and two sensors Friday and it worked for about a day. I logged in Saturday to see if events were being logged and they were. I did some minor tweaking to the snort.conf file on the sensors, disabled a rule in disablesid.conf on the server, and suppressed some rules in threshold.conf on the server, then updated the rules on the sensors. All services loaded, so I don't think my changes caused the issue. 
> 
> 
> I notice that snort gives the error "stale PID file found, deleting!" for snort processes when I do a service status on both sensors. I have attached my server and two sensor sostat-redacted. 
> 
> 

I figured it out. I had that preprocessor commented out. I was hoping that would keep it from running. I will try to disable it from disablesid.conf or just suppress it. 

Thanks for your help.

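The root cause above (a preprocessor commented out in snort.conf, which stops Snort loading the rules that depend on it, instead of disabling those rules through disablesid.conf or suppressing them in threshold.conf) is easy to catch before restarting the sensor. The script below is an added example, not from this thread or Security Onion; it assumes a small, partial mapping of Snort 2.9 rule options to the preprocessor they need, and uses constructed snort.conf and rule samples with made-up sids.

```python
import re

# Assumed, partial map of Snort 2.9 rule options to the preprocessor prefix
# that must be active in snort.conf ("stream5" covers stream5_global/_tcp).
OPTION_PREPROCESSOR = {
    "http_uri": "http_inspect", "http_header": "http_inspect",
    "http_client_body": "http_inspect", "http_cookie": "http_inspect",
    "http_method": "http_inspect", "flow": "stream5",
    "ssl_state": "ssl", "ssl_version": "ssl", "dce_iface": "dcerpc2",
}

def enabled_preprocessors(snort_conf):
    """Preprocessor names on uncommented 'preprocessor' lines of snort.conf."""
    pat = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")
    return {m.group(1) for m in map(pat.match, snort_conf.splitlines()) if m}

def rule_options(rule):
    """Option keywords in a rule body (naive ';' split, fine for plain rules)."""
    body = rule[rule.find("(") + 1:rule.rfind(")")]
    return {o.split(":", 1)[0].strip() for o in body.split(";") if o.strip()}

def broken_rules(snort_conf, rules_text):
    """'gid:sid' -> missing preprocessors, for active rules that would make
    Snort fail to start under this snort.conf."""
    enabled = enabled_preprocessors(snort_conf)
    broken = {}
    for rule in rules_text.splitlines():
        if not rule.strip() or rule.lstrip().startswith("#"):
            continue  # blank, or already disabled the right way
        sid = re.search(r"\bsid\s*:\s*(\d+)", rule)
        gid = re.search(r"\bgid\s*:\s*(\d+)", rule)
        if not sid:
            continue
        need = {OPTION_PREPROCESSOR[o] for o in rule_options(rule)
                if o in OPTION_PREPROCESSOR}
        missing = sorted(p for p in need
                         if not any(e.startswith(p) for e in enabled))
        if missing:
            broken[f"{gid.group(1) if gid else 1}:{sid.group(1)}"] = missing
    return broken  # each key is a ready-made disablesid.conf entry

# Constructed sample: http_inspect commented out, stream5 and dcerpc2 active.
SAMPLE_CONF = """preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: policy windows
#preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor dcerpc2: memcap 102400
"""
# Constructed rules with made-up local-range sids.
SAMPLE_RULES = """alert tcp any any -> any 80 (msg:"TEST uri"; flow:to_server,established; http_uri; content:"/x"; sid:9000001; rev:1;)
alert tcp any any -> any 445 (msg:"TEST dce"; flow:to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"TEST plain"; content:"abc"; sid:9000003; rev:1;)
"""
```

Running `broken_rules(SAMPLE_CONF, SAMPLE_RULES)` on the samples flags only sid 9000001 (it needs http_inspect); the keys it returns are the lines to put in disablesid.conf if you really want those rules gone, while the preprocessor line stays enabled.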
