
List:       security-onion
Subject:    Re: [security-onion] using pytbull to test security onion
From:       Doug Burks <doug.burks () gmail ! com>
Date:       2017-04-23 10:04:22
Message-ID: CAK8kjrDop80339X-Pkp6Gk=Vv7xEvi442J3ROOai7jTRQYk4Gg () mail ! gmail ! com

Hi Mohammed,

Snort writes alerts in unified2 format to the following location
(replacing HOSTNAME with your actual hostname, INTERFACE with your
actual sniffing interface, and TIMESTAMP with the actual timestamp of
the start of the Snort process):
/nsm/sensor_data/HOSTNAME-INTERFACE/snort.unified2.TIMESTAMP


On Sun, Apr 16, 2017 at 1:04 PM, Mohammed <mohammed93a@gmail.com> wrote:
> On Wednesday, April 12, 2017 at 1:59:04 AM UTC+3, Wes wrote:
> > On Tuesday, April 11, 2017 at 6:26:00 PM UTC-4, Mohammed wrote:
> > > On Friday, April 7, 2017 at 4:49:43 AM UTC+3, Doug Burks wrote:
> > > > Hi mohammed93a,
> > > > 
> > > > What specific problems are you having with pytbull?
> > > > 
> > > > I usually test using tcpreplay and the pcap samples in /opt/samples like this:
> > > > sudo tcpreplay -i eth1 -M10 /opt/samples/*.pcap
> > > > 
> > > > On Tue, Apr 4, 2017 at 6:08 PM, Smith <moha...@gmail.com> wrote:
> > > > > Hi everyone,
> > > > > 
> > > > > I am trying to use the pytbull IDS testing framework to test my Security Onion
> > > > > implementation. I found some problems with it; I was wondering if anyone has
> > > > > tried it before and can help me with it.
> > > > > Thank you in advance.
> > > > > 
> > > > > --
> > > > > Follow Security Onion on Twitter!
> > > > > https://twitter.com/securityonion
> > > > > ---
> > > > > You received this message because you are subscribed to the Google Groups
> > > > > "security-onion" group. To unsubscribe from this group and stop receiving
> > > > > emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
> > > > > To post to this group, send email to security-onion@googlegroups.com.
> > > > > Visit this group at https://groups.google.com/group/security-onion.
> > > > > For more options, visit https://groups.google.com/d/optout.
> > > > 
> > > > 
> > > > 
> > > > --
> > > > Doug Burks
> > > 
> > > 
> > > Dear Mr. Burks,
> > > 
> > > Thank you so much for your fast response. I am using pytbull instead of
> > > tcpreplay because I think I had a more realistic attack simulation and final
> > > reports organized for research analysis. I had some issues with FTP and other
> > > bugs, but I managed to solve them through troubleshooting and searching. Now I
> > > am having a connection error each time I run the pytbull code, and the attacker
> > > machine and Security Onion can't ping each other for about 5 minutes; then the
> > > connection returns, but when I run the code again the same problem
> > > happens! Is there a rule or something in Security Onion that prevents the
> > > connection when malicious activity happens? I thought it was a firewall problem,
> > > so I switched off the ufw firewall, but the same problem remained. I
> > > attached a screenshot of the error message.
> > > 
> > > Mohammed Ammar,
> > 
> > Mohammed,
> > 
> > You may want to try taking a look at the following:
> > 
> > https://github.com/Security-Onion-Solutions/security-onion/wiki/OSSEC#active-response
> >  
> > https://groups.google.com/d/msg/security-onion/Wg7Xu6ecSR0/2Mb3BREcBAAJ
> > 
> > You are likely triggering OSSEC's active response capability.
> > 
> > Try the above steps and see if it helps.
> > 
> > Thanks,
> > Wes
> 
> Wes,
> 
> It worked, thanks a lot; you were right, it was OSSEC's active response.
> If I may ask, I also had another problem with pulling alert files via FTP. I don't
> know the specific path of the alerts in Security Onion. I tried
> "/var/log/nsm/mohammed-virtual-machine-eth1/snortu_agent-1.log" but it didn't work
> out; I also tried "/var/log/nsm/mohammed-virtual-machine-eth1/snortu_agent-1.log/snort-1.stats",
> also without response.
> Thank you,
> Mohammed
> 



-- 
Doug Burks
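As an added example (not code from the thread or from Security Onion), the Python below picks the newest snort.unified2.TIMESTAMP spool out of a directory listing of the path Doug gives above and decodes the legacy IPv4 alert records (record type 7) from the unified2 stream, so the alerts can be read directly instead of hunting for a text log. The record layout follows the Snort unified2 specification; the sample spool bytes, including the truncated tail record, are constructed here.

```python
import struct
from ipaddress import IPv4Address

# Spool file name prefix under /nsm/sensor_data/HOSTNAME-INTERFACE/ (path from the thread)
SPOOL_PREFIX = "snort.unified2."

# unified2 record header: uint32 type, uint32 length, network byte order
HDR_FMT = "!II"
UNIFIED2_IDS_EVENT = 7        # legacy IPv4 alert record
UNIFIED2_PACKET = 2           # packet record; skipped here
IDS_EVENT_FMT = "!11I2H4B"    # Serial_Unified2IDSEvent_legacy, 52 bytes

def newest_spool_file(names):
    """Pick the snort.unified2.TIMESTAMP file with the largest TIMESTAMP."""
    stamps = [n for n in names if n.startswith(SPOOL_PREFIX) and n[len(SPOOL_PREFIX):].isdigit()]
    return max(stamps, key=lambda n: int(n[len(SPOOL_PREFIX):]), default=None)

def iter_records(data):
    """Walk the record stream; stop at a truncated tail (Snort may still be writing it)."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(HDR_FMT, data, off)
        off += 8
        if off + rlen > len(data):
            break
        yield rtype, data[off:off + rlen]
        off += rlen

def parse_ids_event(body):
    # Decode the fixed 52-byte IPv4 event body; sport/dport hold ICMP type/code for ICMP.
    (_sensor, _event_id, sec, _usec, sid, gid, rev, _class, prio, src, dst,
     sport, dport, proto, _flag, _impact, blocked) = struct.unpack_from(IDS_EVENT_FMT, body, 0)
    return {"gid": gid, "sid": sid, "rev": rev, "priority": prio, "time": sec,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto, "blocked": bool(blocked)}

def alerts_from_spool(data):
    return [parse_ids_event(b) for t, b in iter_records(data) if t == UNIFIED2_IDS_EVENT]

# Constructed sample spool: one alert, one packet record, then a truncated record.
def _record(rtype, body):
    return struct.pack(HDR_FMT, rtype, len(body)) + body

SAMPLE_EVENT = struct.pack(IDS_EVENT_FMT, 1, 42, 1492000000, 0, 2100498, 1, 8, 1, 1,
                           int(IPv4Address("10.0.0.5")), int(IPv4Address("10.0.0.9")),
                           40000, 80, 6, 0, 0, 0)
SAMPLE_SPOOL = (_record(UNIFIED2_IDS_EVENT, SAMPLE_EVENT)
                + _record(UNIFIED2_PACKET, b"\x00" * 20)
                + struct.pack(HDR_FMT, UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10)
```

Reading a live spool this way means the file may end mid-record, which is why iter_records stops at a truncated tail rather than raising; barnyard2 handles the same condition by waiting for more bytes.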


