List: security-onion
Subject: Re: [security-onion] Snorby logs stopped.
From: Omar Osta <o.osta1978 () gmail ! com>
Date: 2015-05-27 12:16:57
Message-ID: c6d44353-d2d7-412e-a425-c269642fc462 () googlegroups ! com
On Tuesday, May 26, 2015 at 3:50:19 PM UTC-4, Lysemose wrote:
> Hi
>
> Server:
>
> Tune your ruleset to your environment.
>
> Remember to categorize Sguil events.
>
> Sensor1:
>
> Add more disk space.
>
> Disable unnecessary processes (prads, sancp_agent, pads_agent, http_agent).
>
> Tune your ruleset (from server).
>
> Netsniff-ng is losing packets, maybe because of slow storage.
>
> Look for clues in the log file regarding why snort isn't running (most likely caused by one or more of the customisations you made).
>
> Sensor2:
>
> Mostly ok. But that's probably because you are not monitoring as much traffic as sensor1 is.
>
> Look for clues in the log file regarding why snort isn't running (most likely caused by one or more of the customisations you made).
>
> All of the answers can be found on https://github.com/Security-Onion-Solutions/security-onion/wiki
> Regards,
>
> Lysemose
>
> On May 26, 2015 20:03, "Omar Osta" <o.ost...@gmail.com> wrote:
> Hello,
>
>
>
> I created a new installation of a server and two sensors Friday and it worked for about a day. I logged in Saturday to see if events were being logged and they were. I did some minor tweaking to the snort.conf file on the sensors, disabled a rule in disablesid.conf on the server, and suppressed some rules in threshold.conf on the server, then updated the rules on the sensors. All services loaded, so I don't think my changes caused the issue.
>
>
> I notice the error "stale PID file found, deleting!" for snort processes when I do a service status on both sensors. I have attached my server and two sensor sostat-redacted.
>
>
I figured it out. I had that preprocessor commented out. I was hoping that would keep it from running. I will try to disable it from disablesid.conf or just suppress it.
Thanks for your help.
--
You received this message because you are subscribed to the Google Groups "security-onion" group. To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this group, send email to security-onion@googlegroups.com. Visit this group at http://groups.google.com/group/security-onion. For more options, visit https://groups.google.com/d/optout.
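The "stale PID file found, deleting!" message in this thread means snort's PID file named a process that was no longer running. As an added example (not from this thread or from the Security Onion project), the following POSIX shell function classifies a daemon PID file as live, stale or missing so a sensor check can tell a crashed snort from one that simply has not been started; the file path and the Linux /proc fallback are assumptions.

```shell
#!/bin/sh
# Added example: classify a daemon PID file (e.g. snort's) as live, stale or missing.
# Return codes: 0 = process is running, 1 = stale or malformed, 2 = file missing/unreadable.
check_pidfile() {
    pidfile="$1"
    if [ ! -r "$pidfile" ]; then
        echo "$pidfile: missing or unreadable"
        return 2
    fi
    # Strip whitespace/newlines so "1234\n" compares cleanly.
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*)
            echo "$pidfile: does not contain a numeric PID ('$pid')"
            return 1 ;;
    esac
    # Signal 0 sends nothing; it only tests whether the PID exists and is signalable.
    if kill -0 "$pid" 2>/dev/null; then
        echo "$pidfile: PID $pid is running"
        return 0
    fi
    # kill -0 fails with EPERM for another user's process; on Linux fall back to /proc
    # so an unprivileged check does not misreport a live root-owned snort as stale.
    if [ -d "/proc/$pid" ]; then
        echo "$pidfile: PID $pid is running (owned by another user)"
        return 0
    fi
    echo "$pidfile: stale, PID $pid is not running"
    return 1
}

# Stand-alone usage: check_pidfile /var/run/sensor-snort.pid (path is an assumption)
if [ -n "$1" ]; then
    check_pidfile "$1"
fi
```

Run it against each sensor's snort PID file; a return code of 1 on a sensor whose status says snort is running is the stale-PID condition described above.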