From: David W. <dw...@ad...> - 2009-09-30 21:05:32

________________________________
From: David Wilson
Sent: Wednesday, September 30, 2009 11:56 AM
To: 'Juan Manuel Lorenzo'
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

interface=eth0
language=en
profile=all-in-one
version=2.1

[database]
acl_db=ossim_acl
db_ip=
db_port=3306
event_db=snort
ocs_db=ocsweb
ossim_db=ossim
osvdb_db=osvdb
pass=PASSWORD_REDACTED
type=mysql
user=root

[expert]
profile=server

[sensor]
detectors=apache,arpwatch,iptables,nagios,osiris,p0f,pads,pam_unix,rrd,snare,snortunified,ssh,sudo
interfaces=eth1
ip=
monitors=nessus-monitor,nmap-monitor,ntop-monitor,opennms-monitor,ossim-monitor,ping-monitor,session-monitor,tcptrack-monitor
name=ossim
networks=10.0.0.0/8
priority=5

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

________________________________
From: Juan Manuel Lorenzo [mailto:jml...@al...]
Sent: Wednesday, September 30, 2009 11:18 AM
To: David Wilson
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

post your ossim_setup.conf file please

On Sep 30, 2009, at 8:04 PM, David Wilson wrote:

I have a new error message:

2009-09-30 10:56:45 (null)-Critical: gda_connection_is_open: assertion `GDA_IS_CONNECTION (cnc)' failed
2009-09-30 10:58:30 OSSIM-Message: Starting OSSIM Server engine. Version: 2.1.4-2

I think I am making progress.

-Dave

________________________________
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Wednesday, September 30, 2009 10:55 AM
To: Juan Manuel Lorenzo; David Wilson
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

Nice catch Juanma.... David- that line should read

<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=ossim;HOST=localhost"/>

DATABASE should be "ossim", not "idsmanager".

________________________________
From: Juan Manuel Lorenzo [mailto:jua...@gm...]
Sent: Wednesday, September 30, 2009 12:53 PM
To: David Wilson
Cc: Ritter, Nicholas; os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

idsmanager as db??

On Sep 30, 2009, at 7:07 PM, David Wilson wrote:

<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>

_______________________________________________
Os-sim-support mailing list
Os-...@li...
https://lists.sourceforge.net/lists/listinfo/os-sim-support
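The DATABASE mismatch Nicholas points out is the kind of thing a small consistency check catches before ossim-server is even started. What follows is an added example, not code from the thread or from the OSSIM project: it parses an ossim_setup.conf laid out as in David's post together with the <datasource .../> line he quoted, and cross-checks the two. It also applies the rule Juanma gives later in the thread, that [sensor] interfaces should name only the sniffing interface(s) and never the management interface. The sample inputs are constructed from the values posted (with the list's password redaction placeholder standing in for the real secret); the file layouts are assumed from those posts, not taken from OSSIM documentation.

```python
"""Consistency checks for an OSSIM all-in-one configuration.

Added example (not from the thread or from OSSIM): cross-check
ossim_setup.conf against the framework's <datasource .../> DSN and
apply the sniffing-interface rule given in the thread. Layouts are
assumed from the posted files.
"""
import configparser
import re
from typing import Dict, List

# Constructed sample inputs, assembled from values posted in the thread
# (PASSWORD_REDACTED is the list's redaction placeholder, not a secret).
SAMPLE_SETUP_CONF = """\
interface=eth0
language=en
profile=all-in-one
version=2.1

[database]
db_ip=
db_port=3306
ossim_db=ossim
pass=PASSWORD_REDACTED
type=mysql
user=root

[sensor]
interfaces=eth1
ip=

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001
"""

BAD_DATASOURCE = ('<datasource name="ossimDS" provider="MySQL" '
                  'dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;'
                  'DATABASE=idsmanager;HOST=localhost"/>')
GOOD_DATASOURCE = BAD_DATASOURCE.replace("DATABASE=idsmanager", "DATABASE=ossim")

_DSN_RE = re.compile(r'\bdsn="([^"]*)"')


def parse_setup_conf(text: str) -> configparser.ConfigParser:
    """Parse ossim_setup.conf; the keys before the first [section]
    (interface, profile, ...) land in a synthetic [global] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string("[global]\n" + text)
    return cfg


def parse_dsn(datasource_line: str) -> Dict[str, str]:
    """Split the KEY=VALUE;KEY=VALUE dsn attribute of a <datasource/> line."""
    m = _DSN_RE.search(datasource_line)
    if not m:
        raise ValueError('no dsn="..." attribute in datasource line')
    pairs = (item.split("=", 1) for item in m.group(1).split(";") if item)
    return {k.strip(): v.strip() for k, v in pairs}


def check_config(setup_text: str, datasource_line: str) -> List[str]:
    """Return human-readable problems; an empty list means consistent."""
    cfg = parse_setup_conf(setup_text)
    dsn = parse_dsn(datasource_line)
    db = cfg["database"]
    problems: List[str] = []

    # 1. The framework DSN must point at the database and account that
    #    ossim_setup.conf declares; a wrong DATABASE is the thread's bug.
    if dsn.get("DATABASE") != db.get("ossim_db"):
        problems.append(f"datasource DATABASE={dsn.get('DATABASE')} does not "
                        f"match ossim_db={db.get('ossim_db')}")
    if dsn.get("PORT") != db.get("db_port"):
        problems.append(f"datasource PORT={dsn.get('PORT')} does not match "
                        f"db_port={db.get('db_port')}")
    # Compare the secret without echoing it into the report.
    if dsn.get("PASSWORD") != db.get("pass"):
        problems.append("datasource PASSWORD does not match [database] pass")

    # 2. [sensor] interfaces lists only sniffing interfaces; the management
    #    interface (top-level interface=) must not be among them.
    mgmt = cfg["global"].get("interface", "")
    sniff = [i.strip() for i in cfg["sensor"].get("interfaces", "").split(",") if i.strip()]
    if not sniff:
        problems.append("[sensor] interfaces is empty")
    if mgmt and mgmt in sniff:
        problems.append(f"management interface {mgmt} is listed in [sensor] "
                        "interfaces; list only the sniffing interface(s)")

    # 3. The port agents and monit will probe must be a valid TCP port.
    port = cfg["server"].get("server_port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"server_port={port!r} is not a valid TCP port")
    return problems
```

Running `check_config(SAMPLE_SETUP_CONF, BAD_DATASOURCE)` reports only the DATABASE mismatch; with GOOD_DATASOURCE it returns an empty list, and listing eth0 alongside eth1 under [sensor] interfaces produces the management-interface warning. The checks deliberately compare the password rather than print it, so the report can be pasted into a list message.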
From: David W. <dw...@ad...> - 2009-10-07 22:41:13

So I'm doing some more troubleshooting on the box. I decided to reinstall and follow the directions to the letter. I have tried lots of debugging steps so I thought the machine might not be set up right. The instructions state:

<QUOTE>
1. Update system. Keep it up-to-date.

Keeping your system up-to-date is an important step. If you enable 'Update Notifications' (suggested), you'll get notified through the interface whenever important changes happened. The system will connect once a day to AlienVault servers and download update notifications.

After this you should log into your system using ssh (you defined your root password during installation) and execute:

apt-get update
# Important: the upgrade procedure might ask questions
# Have a look at them, they usually introduce important
# new changes to configuration files.
# If in doubt hit "I" or "Y"
apt-get dist-upgrade
</QUOTE>

If you do this it will wipe out your mysql password. This will effectively destroy your ossim box. Reinstalling requires a 200 mile round trip drive for me. You guys should be thankful that I am willing to stick with this thing. How many hundreds or perhaps thousands of people have tried to follow your directions, discovered that the box doesn't work and tossed your disk in the trash?

Just to prove to you that this is a bug in your software or docs; this is my whole history file:

idsmanager:~# history
    1  netstat -anp | grep 4000
    2  apt-get update
    3  apt-get dist-upgrade
    4  ossim-reconfig -v
    5  netstat -anp | grep LISTEN
    6  history

This is what happens if you follow the directions:

idsmanager:~# ossim-reconfig -v
Sensor ip blank, using main ip
Server ip blank, using main ip
#########################################
####### Reconfiguring System ############
#########################################
(please run with '-v' for verbose output)
-----------------------------------------
Disabling highmem my.cnf
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
DBI connect('dbname=ossim;host=localhost;port=3306','root',...) failed: Access denied for user 'root'@'localhost' (using password: NO) at /usr/lib/perl5/ossim_conf.pm line 38
Checking DB Connection succeeded, moving on
Setting networks to "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
Starting MySQL process
Inserting 10.0.4.55 and ossim into sensor and host tables
Ignore errors start ----------------------------
Ignore errors end ----------------------------
Updating snare config
Updating OCS server ip
Ignore errors start ----------------------------
mv: `10.0.4.55.exe' and `10.0.4.55.exe' are the same file
Ignore errors end ----------------------------
Updating Ossim-agent windows installer server ip
Ignore errors start ----------------------------
ossim-install.exe: adjusting offsets for a preamble of 67072 bytes
updating: etc/ossim/agent/config.cfg (deflated 45%)
Ignore errors end ----------------------------
Ignore errors start ----------------------------
Stopping OSSIM Agent: ossim-agent.
Ignore errors end ----------------------------
Updating agent config
Updating ntop link
Updating plugin configuration
Updating executive panels config
20 strings replaced in /etc/ossim/framework/panel/configs/
Updating executive panels interfaces config
6 strings replaced in /etc/ossim/framework/panel/configs/
Updating executive panels Jasperserver config
Jasper data for panels:
j_password=
j_username=
11 strings replaced in /etc/ossim/framework/panel/configs/admin_10_1
11 strings replaced in /etc/ossim/framework/panel/configs/admin_10_1
0 strings replaced in /etc/ossim/framework/panel/configs/admin_10_1
11 strings replaced in /etc/ossim/framework/panel/configs/admin_10_1
update-rc.d: warning: /etc/init.d/ossim-server missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
update-rc.d: warning: /etc/init.d/ossim-framework missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
update-rc.d: warning: /etc/init.d/tomcat missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
update-rc.d: /etc/init.d/nessusd: file does not exist
Updating snort config with: 10.0.0.0\/8,172.16.0.0\/12,192.168.0.0\/16.
Updating ntop
Updating snortunified
Setting linklayer to ethernet
Updating pads
Updating p0f
Updating arpwatch
Ignore errors start ----------------------------
Stopping web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.4.55 for ServerName
[Wed Oct 07 15:19:49 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
 ... waiting .
Stopping OpenVAS daemon: openvasd.
Stopping nagios3 monitoring daemon: nagios3 .
Using CATALINA_BASE:   /var/tomcat
Using CATALINA_HOME:   /var/tomcat
Using CATALINA_TMPDIR: /var/tomcat/temp
Using JRE_HOME:        /usr
Ignore errors end ----------------------------
Ignore errors start ----------------------------
Starting OSSIM Server: ossim-server.
Starting OSSIM Framework: ossim-framework.
Starting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.4.55 for ServerName
[Wed Oct 07 15:19:56 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
.
Starting OpenVAS daemon: openvasd.
Starting nagios3 monitoring daemon: nagios3.
Using CATALINA_BASE:   /var/tomcat
Using CATALINA_HOME:   /var/tomcat
Using CATALINA_TMPDIR: /var/tomcat/temp
Using JRE_HOME:        /usr
Ignore errors end ----------------------------
arpwatch: no process killed
p0f: no process killed
pads: no process killed
Stopping Network Intrusion Detection System : snortNo running snort instance found (warning).
Stopping network top daemon: ntop
Ignore errors start ----------------------------
Stopping OSSIM Agent: ossim-agent failed!
Starting OSSIM Agent: ossim-agent2009-10-07 15:20:49,109 Agent [INFO]: Forking into background..
.
Ignore errors end ----------------------------
Adjusting monit startup
Stopping daemon monitor: monit.
Starting daemon monitor: monit.
Using database password defined at config file.
Ignore errors start ----------------------------
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Ignore errors end ----------------------------
Ignore errors start ----------------------------
Wed Oct  7 15:20:50 2009  NOTE: Interface merge enabled by default
Wed Oct  7 15:20:50 2009  Initializing gdbm databases
Wed Oct  7 15:20:50 2009  Admin user password has been set
Ignore errors end ----------------------------
Changing Jasper Server password (this might fail if no jasperserver is present)
Using CATALINA_BASE:   /var/tomcat
Using CATALINA_HOME:   /var/tomcat
Using CATALINA_TMPDIR: /var/tomcat/temp
Using JRE_HOME:        /usr
Oct 7, 2009 3:20:53 PM org.apache.catalina.startup.Catalina stopServer
SEVERE: Catalina.stop:
java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
        at java.net.Socket.connect(Socket.java:519)
        at java.net.Socket.connect(Socket.java:469)
        at java.net.Socket.<init>(Socket.java:366)
        at java.net.Socket.<init>(Socket.java:180)
        at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:421)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:337)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:415)
Restarting Tomcat
Using CATALINA_BASE:   /var/tomcat
Using CATALINA_HOME:   /var/tomcat
Using CATALINA_TMPDIR: /var/tomcat/temp
Using JRE_HOME:        /usr
All in one profile at 10.0.4.55
You have new mail in /var/mail/root
idsmanager:~#

I'm going to reinstall again.
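The transcript above rejects root three times with "Access denied for user 'root'@'localhost' (using password: NO)" and still prints "Checking DB Connection succeeded, moving on", with two of the failures wrapped in "Ignore errors" blocks, so the credential problem is easy to skim past. The scanner below is an added example, not code from the thread or from OSSIM: it pulls every such line out of an ossim-reconfig transcript, records whether it sat inside an ignored block, and summarises what the failures say about the configured password. The sample transcript is a constructed excerpt of the one posted above.

```python
"""Triage an ossim-reconfig transcript for MySQL authentication failures.

Added example, not code from the thread or from OSSIM. "(using password:
NO)" is MySQL telling us the client sent no password at all, which points
at the [database] pass= value rather than at a wrong one.
"""
import re
from dataclasses import dataclass
from typing import List

ACCESS_DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)")
IGNORE_START = re.compile(r"^Ignore errors start")
IGNORE_END = re.compile(r"^Ignore errors end")

# Constructed excerpt of the ossim-reconfig output posted in the thread.
SAMPLE_TRANSCRIPT = """\
Checking for corrupt, not cleanly closed and upgrade needing tables..
DBI connect('dbname=ossim;host=localhost;port=3306','root',...) failed: Access denied for user 'root'@'localhost' (using password: NO) at /usr/lib/perl5/ossim_conf.pm line 38
Checking DB Connection succeeded, moving on
Setting networks to "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
Using database password defined at config file.
Ignore errors start ----------------------------
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Ignore errors end ----------------------------
All in one profile at 10.0.4.55
"""


@dataclass
class Finding:
    line_no: int
    user: str
    host: str
    password_sent: bool    # False when MySQL reports "(using password: NO)"
    in_ignore_block: bool  # True if wrapped in an "Ignore errors" block

    def summary(self) -> str:
        where = ("inside an 'Ignore errors' block" if self.in_ignore_block
                 else "outside any ignore block")
        pw = "with" if self.password_sent else "without"
        return (f"line {self.line_no}: {self.user}@{self.host} rejected, "
                f"client connected {pw} a password, {where}")


def scan_reconfig_output(text: str) -> List[Finding]:
    """One Finding per 'Access denied' line, tracking ignore-block state."""
    findings: List[Finding] = []
    in_ignore = False
    for n, line in enumerate(text.splitlines(), start=1):
        if IGNORE_START.match(line):
            in_ignore = True
            continue
        if IGNORE_END.match(line):
            in_ignore = False
            continue
        m = ACCESS_DENIED.search(line)
        if m:
            findings.append(Finding(n, m["user"], m["host"],
                                    m["pw"] == "YES", in_ignore))
    return findings


def diagnose(findings: List[Finding]) -> str:
    """One-line reading of the failures for whoever ran ossim-reconfig."""
    if not findings:
        return "no MySQL authentication failures"
    if all(not f.password_sent for f in findings):
        return ("MySQL rejected the connection and no password was sent: "
                "check that [database] pass= in ossim_setup.conf is set and "
                "that the MySQL root account still accepts it")
    return ("MySQL rejected the supplied password: the account password and "
            "[database] pass= in ossim_setup.conf no longer agree")


if __name__ == "__main__":
    found = scan_reconfig_output(SAMPLE_TRANSCRIPT)
    for f in found:
        print(f.summary())
    print(diagnose(found))
```

On the sample the scanner reports three findings (one outside any ignore block, two inside), all without a password sent, and the diagnosis points at the configured pass= value rather than at a mistyped one.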
From: David W. <dw...@ad...> - 2009-10-08 18:12:42

This is what I have learned so far:

With a fresh install and the following ossim_setup.conf:

idsmanager:~# cat /etc/ossim/ossim_setup.conf
interface=eth0
language=en
profile=all-in-one
version=2.1

[database]
acl_db=ossim_acl
db_ip=
db_port=3306
event_db=snort
ocs_db=ocsweb
ossim_db=ossim
osvdb_db=osvdb
pass=PASSWORD_REDACTED
type=mysql
user=root

[expert]
profile=server

[sensor]
detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
interfaces=eth0
ip=
monitors=nmap-monitor, ntop-monitor, ossim-monitor
name=ossim
priority=5

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

*) The server will eventually start listening on port 40001 after about 10 minutes.

*) if I attempt to blacklist ipv6 in the modprobe.d the server will never listen

*) if I change the sensor interface to eth1 the server will never listen

*) if I change the sensor interface and subsequently change it back I can get the server to listen with a reboot, but ossim-reconfig doesn't seem to do the job.

So my questions are: (a) how can I disable ipv6? And (b) how do I get ossim-server to listen on port 40001?

I have two nics, with one management interface and one "sniffer" interface attached to a SPAN port on a switch. The sniffer interface doesn't have an IP. Does OSSIM require me to put an IP on that interface so that ossim-server will listen? Can ossim sniff on one interface and serve web pages on another? How do I set this up?

Many Thanks,
-Dave
From: Christopher <c....@gm...> - 2009-10-08 18:37:39

Well, I can't answer your questions specifically, but this may provide some insight...

I'm not sure why changing the sensor interface stops the server portion from listening on 40001, but I know that in distributed environments, the sensor portion is set up so that it can be on a separate physical box, so it does need at least one interface with an IP address assigned to it to be able to communicate with the server. When using the all-in-one profile, this gets a little confusing.

On my test system I have the same setup as you (one management and one sniffer interface with no IP address) and while I never got it configured exactly as I'd like, I just specified BOTH interfaces (comma separated) of my system in the sensor interface part of ossim_setup.conf. Not an elegant solution at all, but it works.

I think a lot of these types of configuration problems are specific to the all-in-one profile that the alienvault installer uses.

Hope that helps.

On Thu, Oct 8, 2009 at 1:12 PM, David Wilson <dw...@ad...> wrote:
> This is what I have learned so far:
> [...]
From: Juan M. L. <ju...@os...> - 2009-10-08 20:48:24

The problem in your case may be more related to hardware than to configuration. The server may take 10 minutes to start in systems with a slow processor or just a little RAM memory; notice that for an all-in-one profile you will need at least 2GB of RAM memory. Check that your system is not using swap memory.

Also take a look at monit. Monit is checking that the ossim server is running every 300 seconds; if monit can not open the port 40001 in localhost it will start the ossim server again. That's why your server never starts: because it takes so long to open the port, maybe because of the hardware you are running, and then it starts the server again. So you could stop monit or modify the monit config so it waits more time before doing all the checks. But just as a recommendation to anyone, 1GB is never going to be enough for an all-in-one profile. Mysql, Snort, Apache, Ntop,... you will be running lots of programs in the same box, so I would say use at least 2GB in your all-in-one profile.

And in the ossim_setup.conf file you only have to define in the interfaces file those interfaces that are going to be sniffing all the traffic, so you should only write there eth1, not eth0. If you write both you will be running a lot of programs on the interface eth0 when those programs are never going to see any traffic on that interface.

And just another thing: the interface with the port mirroring should never have an IP address.

Juanma

On Thu, Oct 8, 2009 at 8:12 PM, David Wilson <dw...@ad...> wrote:
> This is what I have learned so far:
> [...]
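Juanma's explanation turns on timing: ossim-server needs longer to open port 40001 than the 300 seconds monit allows between checks, so monit restarts it before it ever listens. The script below is an added example, not code from the thread, from OSSIM or from monit. It runs the diagnostic that explanation implies: poll a port for long enough to tell a slow start from one that never happens, report how long the port took to open, and compare that against a monitor's check cycle. The host, port and deadline values are assumptions for the demonstration, and the "slow daemon" is a constructed stand-in that refuses connections until a delay has passed.

```python
"""Measure how long a TCP service takes to start listening, and relate that
to a monitor that restarts it on a fixed check cycle.

Added example (not from the thread, OSSIM or monit). The slow daemon is a
constructed stand-in: it refuses connections until delay_s has passed.
"""
import socket
import threading
import time
from typing import Optional


def port_is_open(host: str, port: int, timeout_s: float = 1.0) -> bool:
    """True if a TCP connect to host:port completes within timeout_s."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def wait_for_port(host: str, port: int, deadline_s: float,
                  interval_s: float = 5.0) -> Optional[float]:
    """Poll until host:port accepts a connection or deadline_s elapses.

    Returns seconds elapsed until the first successful connect, or None if
    the port never opened in time: the distinction between "slow" and
    "never starts" that a single netstat cannot make."""
    start = time.monotonic()
    while True:
        if port_is_open(host, port, timeout_s=min(interval_s, 1.0)):
            return time.monotonic() - start
        if time.monotonic() - start >= deadline_s:
            return None
        time.sleep(interval_s)


def monit_restart_loop(startup_s: float, check_interval_s: float = 300.0,
                       tolerated_failed_cycles: int = 1) -> bool:
    """True if a monitor that probes every check_interval_s and restarts
    after tolerated_failed_cycles consecutive failures would kill the
    daemon before it finishes starting, so it never comes up.

    Defaults model the thread: one failed 300 s cycle triggers a restart.
    Raising the tolerance (monit's "for N cycles") or the interval is the
    "wait more time before doing all the checks" change suggested above."""
    return startup_s > check_interval_s * tolerated_failed_cycles


def start_slow_daemon(delay_s: float, hold_s: float = 5.0) -> int:
    """Constructed stand-in for a slowly initialising daemon.

    Binds 127.0.0.1 on an ephemeral port right away (so the caller knows
    the port) but only calls listen() after delay_s; until then connects
    are refused, which is exactly what a monitor sees during a long start."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def run() -> None:
        time.sleep(delay_s)
        srv.listen(5)
        time.sleep(hold_s)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_slow_daemon(delay_s=1.5)
    took = wait_for_port("127.0.0.1", port, deadline_s=10.0, interval_s=0.25)
    if took is None:
        print("port never opened within the deadline")
    else:
        print(f"port opened after {took:.1f}s")
    # The thread's case: a 600 s startup against a 300 s check cycle.
    print("restart after 1 failed cycle:", monit_restart_loop(600, 300, 1))
    print("restart after 3 failed cycles:", monit_restart_loop(600, 300, 3))
```

Against a real box the call would be `wait_for_port("127.0.0.1", 40001, deadline_s=1200)` with monit stopped first, so the measurement is not cut short by a restart; whatever it returns is the number to compare with the monitor's cycle before deciding between more RAM, a longer check interval, or a higher failure tolerance.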
From: David W. <dw...@ad...> - 2009-10-08 22:38:48

Thank you for figuring out what the problem was. I will replace the box ASAP. It is wonderful to have a responsive mailing list with knowledgeable people to help out. This is a terrific piece of software and the developers are terrific.

Perhaps this should be an FAQ? There is no hardware requirement listed on the download page, the FAQ, or the install guide.

Regards,
-Dave

________________________________
From: jua...@gm... [mailto:jua...@gm...] On Behalf Of Juan Manuel Lorenzo
Sent: Thursday, October 08, 2009 1:48 PM
To: David Wilson
Cc: fo...@al...; os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

The problem in your case may be more related to hardware than to configuration [...]
From: David W. <dw...@ad...> - 2009-10-14 21:18:02

Dear OSSIM Developers,

We have installed OSSIM on a machine with 8 cores in 2 sockets, with 16GB ram and although the problem is greatly alleviated, it is still going on. I think I have tracked down the issue to the kernel that is installed by default on a new Debian machine. This kernel:

vmlinuz-2.6.26-2-486

is not SMP capable and will not recognize large amounts of ram.

I have replaced the kernel with:

vmlinuz-2.6.26-2-686-bigmem

which looks to be resolving the ossim-server issue.

I am seeing numerous other problems with the box, but those will be addressed in separate posts.

Regards,
-Dave

________________________________
From: David Wilson
Sent: Thursday, October 08, 2009 3:38 PM
To: 'Juan Manuel Lorenzo'
Cc: fo...@al...; os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

Thank you for figuring out what the problem was. [...]
From: Juan M. L. <ju...@os...> - 2009-10-14 21:25:47
|
Hi David

Which installer are you using? 32 bits? 64 bits? With that processor and amount of memory you should be using the 32-bit one. After installing make sure you update your box with apt-get update; apt-get dist-upgrade

On Wed, Oct 14, 2009 at 11:17 PM, David Wilson <dw...@ad...> wrote:
> Dear OSSIM Developers,
>
> We have installed OSSIM on a machine with 8 cores in 2 sockets, with 16GB RAM and although the problem is greatly alleviated, it is still going on. I think I have tracked down the issue to the kernel that is installed by default on a new Debian machine. This kernel:
>
> vmlinuz-2.6.26-2-486
>
> is not SMP capable and will not recognize large amounts of RAM.
>
> I have replaced the kernel with:
>
> vmlinuz-2.6.26-2-686-bigmem
>
> which looks to be resolving the ossim-server issue.
>
> I am seeing numerous other problems with the box, but those will be addressed in separate posts.
>
> Regards,
> -Dave
>
> ------------------------------
> From: David Wilson
> Sent: Thursday, October 08, 2009 3:38 PM
> To: 'Juan Manuel Lorenzo'
> Cc: fo...@al...; os-...@li...
> Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001
>
> Thank you for figuring out what the problem was. I will replace the box ASAP. It is wonderful to have a responsive mailing list with knowledgeable people to help out. This is a terrific piece of software and the developers are terrific.
>
> Perhaps this should be an FAQ? There is no hardware requirement listed on the download page, the FAQ, or the install guide.
>
> Regards,
> -Dave
>
> ------------------------------
> From: jua...@gm... [mailto:jua...@gm...] On Behalf Of Juan Manuel Lorenzo
> Sent: Thursday, October 08, 2009 1:48 PM
> To: David Wilson
> Cc: fo...@al...; os-...@li...
> Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001
>
> The problem in your case may be more related to hardware than to configuration. The server may take 10 minutes to start on systems with a slow processor or just a little RAM; notice that for an all-in-one profile you will need at least 2GB of RAM. Check that your system is not using swap memory.
>
> Also take a look at monit. monit is checking that the ossim server is running every 300 seconds; if monit cannot open port 40001 on localhost it will start the ossim server again. That's why your server never starts: it takes so long to open the port, maybe because of the hardware you are running, and then monit starts the server again. So you could stop monit or modify the monit config so it waits more time before doing all the checks. But just as a recommendation to anyone, 1GB is never going to be enough for an all-in-one profile. MySQL, Snort, Apache, Ntop... you will be running lots of programs on the same box, so I would say use at least 2GB in your all-in-one profile.
>
> And in the ossim_setup.conf file you only have to define in the interfaces file those interfaces that are going to be sniffing all the traffic, so you should only write there eth1, not eth0. If you write both you will be running a lot of programs on the interface eth0 when those programs are never going to see any traffic on that interface.
>
> And just another thing, the interface with the port mirroring should never have an IP address.
>
> Juanma
>
> On Thu, Oct 8, 2009 at 8:12 PM, David Wilson <dw...@ad...> wrote:
> This is what I have learned so far:
>
> With a fresh install and the following ossim_setup.conf:
> idsmanager:~# cat /etc/ossim/ossim_setup.conf
> interface=eth0
> language=en
> profile=all-in-one
> version=2.1
>
> [database]
> acl_db=ossim_acl
> db_ip=
> db_port=3306
> event_db=snort
> ocs_db=ocsweb
> ossim_db=ossim
> osvdb_db=osvdb
> pass=PASSWORD_REDACTED
> type=mysql
> user=root
>
> [expert]
> profile=server
>
> [sensor]
> detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
> interfaces=eth0
> ip=
> monitors=nmap-monitor, ntop-monitor, ossim-monitor
> name=ossim
> priority=5
>
> [server]
> server_ip=
> server_plugins=osiris, pam_unix, ssh, snare, sudo
> server_port=40001
>
> *) The server will eventually start listening on port 40001 after about 10 minutes.
>
> *) If I attempt to blacklist ipv6 in modprobe.d the server will never listen.
>
> *) If I change the sensor interface to eth1 the server will never listen.
>
> *) If I change the sensor interface and subsequently change it back I can get the server to listen with a reboot, but ossim-reconfig doesn't seem to do the job.
>
> So my questions are: (a) how can I disable ipv6? And (b) how do I get ossim-server to listen on port 40001?
>
> I have two NICs, with one management interface and one "sniffer" interface attached to a SPAN port on a switch. The sniffer interface doesn't have an IP. Does OSSIM require me to put an IP on that interface so that ossim-server will listen? Can OSSIM sniff on one interface and serve web pages on another? How do I set this up?
>
> Many Thanks,
> -Dave
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> http://p.sf.net/sfu/devconference
> _______________________________________________
> Os-sim-support mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-support
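The restart loop Juanma describes above (monit probes port 40001 every 300 seconds and restarts ossim-server as soon as a probe fails, so a server that needs about ten minutes to come up is killed before it ever listens), modelled as an added example. This is not code from OSSIM or monit: the timings are constructed, and `tolerated_failures` stands in for whatever monit setting lets the check wait longer (a longer `set daemon` interval, or several failed cycles before restarting); that mapping is an assumption.

```python
"""Model of the watchdog restart loop described in the thread: a checker that
probes port 40001 every few minutes and restarts ossim-server as soon as a
probe fails will keep killing a server that needs longer than one probe
interval to come up. Added example, not code from OSSIM or monit; the timings
are constructed and `tolerated_failures` stands in for whatever monit knob
lets the check wait longer (a longer `set daemon` interval, or several failed
cycles before restarting), which is an assumption about the mapping.
"""
import math


def simulate_watchdog(startup_seconds, interval_seconds, tolerated_failures=0, max_cycles=50):
    """Return the probe cycle at which the port is first seen open, or None if
    the watchdog keeps restarting the service within `max_cycles` probes.

    The service is (re)started at `last_start` and listens once
    `startup_seconds` have elapsed since then. After more than
    `tolerated_failures` consecutive failed probes the watchdog restarts it,
    which resets the startup clock.
    """
    last_start = 0
    consecutive_failures = 0
    for cycle in range(1, max_cycles + 1):
        now = cycle * interval_seconds
        if now - last_start >= startup_seconds:
            return cycle  # probe succeeds: the port is open
        consecutive_failures += 1
        if consecutive_failures > tolerated_failures:
            last_start = now  # restart; the service starts from scratch
            consecutive_failures = 0
    return None


def minimum_tolerated_failures(startup_seconds, interval_seconds):
    """Smallest number of consecutive failed probes the watchdog must tolerate
    for a service with this startup time ever to be seen listening."""
    return max(0, math.ceil(startup_seconds / interval_seconds) - 1)


if __name__ == "__main__":
    # the situation in the thread: ~10 minutes to start, probed every 300 s
    startup, interval = 600, 300
    print("restart on first failure:", simulate_watchdog(startup, interval, 0))
    needed = minimum_tolerated_failures(startup, interval)
    print(f"tolerating {needed} failed probe(s):", simulate_watchdog(startup, interval, needed))
```

`minimum_tolerated_failures` only gives the floor at which the loop breaks; the fix Juanma actually recommends is the better one, enough CPU and RAM that the server opens the port well inside a single check cycle.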
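A small checker for the three configuration points Juanma makes above (only sniffing interfaces in `[sensor] interfaces`, no IP address on the mirror interface, at least 2 GB for an all-in-one box), as an added example that is not part of OSSIM or of the original post. It parses ossim_setup.conf as posted; the `ip -o -4 addr` lines and the /proc/meminfo text it reads are constructed here, as are all helper names, and the 2 GB threshold is Juanma's recommendation rather than a limit OSSIM enforces.

```python
"""Sanity checks for an OSSIM 2.1 ossim_setup.conf against the advice given in
the thread. Added example, not part of OSSIM: the check logic, helper names and
sample inputs (config text, `ip -o -4 addr` lines, /proc/meminfo text) are
constructed here. Only keys that appear in the thread are read: the top-level
`interface` and `profile`, and `[sensor] interfaces`.
"""
import configparser
import re

MIN_ALL_IN_ONE_RAM_KB = 2 * 1024 * 1024  # the 2 GB floor recommended in the thread


def parse_setup_conf(text):
    """ossim_setup.conf starts with bare key=value lines before the first
    [section]; configparser rejects those, so prepend a synthetic [global]."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string("[global]\n" + text)
    return cp


def split_list(value):
    """OSSIM writes lists as comma-separated values, e.g. 'eth0, eth1'."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_ip_addr(lines):
    """Map interface name -> IPv4 addresses from `ip -o -4 addr` output
    (fields: index, name, 'inet', address/prefix, ...)."""
    addrs = {}
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            addrs.setdefault(fields[1], []).append(fields[3].split("/")[0])
    return addrs


def mem_total_kb(meminfo_text):
    """MemTotal in kB from /proc/meminfo, or None if the line is absent."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB", meminfo_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def check_setup(conf_text, ip_addr_lines, meminfo_text):
    """Return a list of problems; an empty list means the config passes."""
    cp = parse_setup_conf(conf_text)
    problems = []
    mgmt = cp.get("global", "interface", fallback="").strip()
    sniff = split_list(cp.get("sensor", "interfaces", fallback=""))
    addrs = parse_ip_addr(ip_addr_lines)

    # only sniffing interfaces belong in [sensor] interfaces, not the management NIC
    if mgmt and mgmt in sniff:
        problems.append(f"management interface {mgmt} is listed as a sniffing interface")
    # the SPAN/mirror interface should carry no IP address
    for iface in sniff:
        for ip in addrs.get(iface, []):
            problems.append(f"sniffing interface {iface} has address {ip}")
    # all-in-one runs MySQL, Snort, Apache, Ntop, ... on one box: 1 GB is not enough
    if cp.get("global", "profile", fallback="") == "all-in-one":
        total = mem_total_kb(meminfo_text)
        if total is not None and total < MIN_ALL_IN_ONE_RAM_KB:
            problems.append(f"all-in-one profile with only {total // 1024} MB RAM")
    return problems


# Constructed sample inputs: the config as posted (eth0 is both the management
# and the sniffing interface) and a corrected copy that sniffs on eth1 instead.
CONF_AS_POSTED = """\
interface=eth0
language=en
profile=all-in-one
version=2.1

[sensor]
detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
interfaces=eth0
ip=
name=ossim

[server]
server_ip=
server_port=40001
"""
CONF_CORRECTED = CONF_AS_POSTED.replace("interfaces=eth0", "interfaces=eth1")

# constructed `ip -o -4 addr` output: eth0 has the management address, eth1 (SPAN) none
IP_ADDR_LINES = [
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever",
    "2: eth0    inet 10.0.0.5/8 brd 10.255.255.255 scope global eth0\\       valid_lft forever preferred_lft forever",
]
MEMINFO_1GB = "MemTotal:        1048576 kB\nMemFree:          204800 kB\n"
MEMINFO_16GB = "MemTotal:       16777216 kB\nMemFree:        12582912 kB\n"

if __name__ == "__main__":
    for problem in check_setup(CONF_AS_POSTED, IP_ADDR_LINES, MEMINFO_1GB):
        print("as posted:", problem)
    print("corrected:", check_setup(CONF_CORRECTED, IP_ADDR_LINES, MEMINFO_16GB) or "no problems")
```

On a live box the two constructed inputs would come from `ip -o -4 addr` and `/proc/meminfo`; the checker deliberately reads them as text so it can be run against a copy of the files from a machine you cannot log in to.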
From: David W. <dw...@ad...> - 2009-10-14 21:48:48
I am about to try the 64 bit version, but I have tried the 32 bit version and updated it with apt. That process will not replace the single proc kernel with a multiproc kernel.

Why should I use a 32 bit version on a bigmem box?

Regards,
-Dave

________________________________
From: jua...@gm... [mailto:jua...@gm...] On Behalf Of Juan Manuel Lorenzo
Sent: Wednesday, October 14, 2009 2:26 PM
To: David Wilson
Cc: os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001
From: Juan M. L. <ju...@os...> - 2009-10-14 21:52:27
You should use the 64-bit one on a bigmem box; replacing the 32-bit kernel won't replace all the binaries, which will still be 32-bit, so with those specs you should always use the 64-bit build, not the 32-bit one.

On Wed, Oct 14, 2009 at 11:48 PM, David Wilson <dw...@ad...> wrote:
> I am about to try the 64 bit version, but I have tried the 32 bit version and updated it with apt. That process will not replace the single proc kernel with a multiproc kernel.
>
> Why should I use a 32 bit version on a bigmem box?
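A check for the kernel and userland mismatch the last few messages turn on (a uniprocessor -486 Debian kernel on an 8-core, 16 GB box, and a 32-bit install that swapping kernels cannot turn into a 64-bit one), added here as an example; it is not part of OSSIM. It assumes Debian Lenny's kernel flavour suffixes (-486, -686, -686-bigmem, -amd64); the 4 GB threshold and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of OSSIM. Classifies a Debian kernel release by its
# flavour suffix and flags the mismatches discussed in the thread: a -486
# kernel (uniprocessor) on a multi-core box, a -486 or plain -686 kernel (no
# PAE) or a 32-bit userland on a box with more than 4 GB of RAM. Suffixes are
# the ones Debian Lenny shipped; the 4 GB threshold and helper names are ours.

FOUR_GB_KB=4194304

# kernel_flavour RELEASE: print the flavour suffix of a kernel release string
kernel_flavour() {
    case "$1" in
        *-486)        echo 486 ;;
        *-686-bigmem) echo 686-bigmem ;;
        *-686)        echo 686 ;;
        *-amd64)      echo amd64 ;;
        *)            echo unknown ;;
    esac
}

# kernel_ok RELEASE CPUS MEM_KB USERLAND_BITS: return 0 when kernel and
# userland fit the hardware, 1 otherwise, printing one line per problem
kernel_ok() {
    release=$1; cpus=$2; mem_kb=$3; bits=$4
    flavour=$(kernel_flavour "$release")
    status=0
    case "$flavour" in
        486)
            if [ "$cpus" -gt 1 ]; then
                echo "$release is the -486 flavour (no SMP) on a ${cpus}-CPU box"
                status=1
            fi
            if [ "$mem_kb" -gt "$FOUR_GB_KB" ]; then
                echo "$release is the -486 flavour (no PAE); over 4 GB needs -686-bigmem or -amd64"
                status=1
            fi
            ;;
        686)
            if [ "$mem_kb" -gt "$FOUR_GB_KB" ]; then
                echo "$release is the -686 flavour (no PAE); over 4 GB needs -686-bigmem or -amd64"
                status=1
            fi
            ;;
        unknown)
            echo "cannot classify kernel release $release"
            status=1
            ;;
    esac
    # a bigmem kernel still leaves every OSSIM binary 32-bit: reinstall 64-bit instead
    if [ "$bits" -eq 32 ] && [ "$mem_kb" -gt "$FOUR_GB_KB" ]; then
        echo "32-bit userland with more than 4 GB RAM; install the 64-bit build rather than swapping kernels"
        status=1
    fi
    return "$status"
}

# check_this_host: run kernel_ok against the live machine (Linux /proc and getconf)
check_this_host() {
    cpus=$(grep -c '^processor' /proc/cpuinfo)
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    kernel_ok "$(uname -r)" "$cpus" "$mem_kb" "$(getconf LONG_BIT)"
}
```

Run `check_this_host` after `apt-get dist-upgrade` and again after any kernel change; on David's box it reports both the -486 kernel and the 32-bit userland, and only a 64-bit reinstall clears the second line.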