Frequently Asked Questions
What is Network Security Monitoring (NSM)?
NSM is not a new term, and it's not one credited to the Knoppix-NSM developers. Our first introduction to NSM was through the intrusion analysis tool "Sguil" and "The Art Of Network Security Monitoring". If you want to find out more about NSM, I suggest you check out Richard Bejtlich's TaoSecurity website or his book "The Art Of Network Security Monitoring". More information about Sguil can be found on our tools page or the Sguil website.
Sensor is running but no data in sguil console?
If you have used the - (minus/dash) character in your sensor name, then this could be the cause. When a new sensor is created, new tables named after the sensor are also created for storing its data. MySQL does not allow access to tables that have the - character in the name. Change the sensor name and this should fix the problem.
Chrome registration failed when starting firefox?
This is a known bug, fixed in version 1.2, it is not critical and only occurs the first time you start firefox.
When checking the status or starting/stopping a service I get 'stale PID found deleting' messages?
This is the result of the process dying without being stopped properly; the init script cleans up stale PID files whenever it runs. You may need to investigate why the process died. You should find information in the log file located in /var/log/PROCESS_NAME (PROCESS_NAME may also include the interface and sensor name).
sguild and/or sguil-sensor-agent are not running after reboot?
This is a known bug, fixed in version 1.2, and is caused by the X server killing the sguild and/or sguil-sensor-agent (TCL) processes when it starts.
I made some changes when running from the Live CD but they were not there when I installed to hard drive?
This is due to the way the current knoppix-installer works. Some of the directories are copied from the CD and some are copied from the ramdisk. The best option is to run the installer from a clean Live session. This is being addressed in a new installer application.
When I modprobe bonding for multiple bonded interfaces I only end up with one?
This is due to the way modprobe loads the module: it does not allow multiple instances to be loaded with the same name. We recommend using the sifadd script to add bonded interfaces, as it addresses this issue. You can also use the alias option, e.g. # modprobe bonding -o bond2.
I get an error when i try and delete a bonded interface?
This typically happens when you delete a bonded interface while one with a higher number is running, e.g. deleting bond0 while bond1 is up. The reason has to do with the naming of the bonded interfaces in /proc/net/dev and the order in which the bonding aliases are probed. To avoid the problems that can occur when probing the bonding module, the sifdel script attempts to reorder the interfaces so that they are always sequential, but it cannot do this while an interface is running. Stop the sensor and/or the interfaces above the one you are deleting (sif bond2 down if deleting bond1) before you delete it.
ethereal works from the menu when I run it live from the CD but fails on a hard drive install?
When you run ethereal from the menu it attempts to run as root, and gksudo should prompt for root's password. However, due to an incompatibility between cracklib (used for password aging) and gksudo, this will not work unless you have run sudo from a command prompt first. You only need to do this once and the menu option should work from then on. You will also need to ensure that the user has been added to the sudoers file. A permanent fix is under investigation. If you do not want to run ethereal as root you can run it from the console by typing ethereal, but you will not be able to capture in promiscuous mode.
Daily capture files are not being created?
Fixed in version 1.2. This is a bug in the naming convention of the cron job: cron does not run files with a . in the name. To fix the problem on an existing sensor, make the following modifications:
mv /etc/cron.daily/snortl-newday.sensorname /etc/cron.daily/snortl-newday_sensorname
Edit: update the filename in the init script,
File: /etc/init.d/snortl.sensorname
CRONJOB="/etc/cron.daily/snortl-newday_$SENSOR"
To fix the problem for sensors created in future you need to repeat the above steps on the master files in /usr/local/sensor-defaults/
mv /usr/local/sensor-defaults/snortl-newday.default /usr/local/sensor-defaults/snortl-newday_default
Edit: update the filename in the default init script,
File: /usr/local/sensor-defaults/snortl.default
CRONJOB="/etc/cron.daily/snortl-newday_$SENSOR"
Edit: update the sensoradd script, replacing "." with "_",
File: /usr/local/bin/sensoradd
cp -p $DEFAULT/snortl-newday_default /etc/cron.daily/snortl-newday_$SN
Edit: update the sensoredit script, replacing "." with "_",
File: /usr/local/bin/sensoredit
SNORTL_CRONJOB="/etc/cron.daily/snortl-newday_$1"
Edit: update the sensormv script, replacing "." with "_",
File: /usr/local/bin/sensormv
mv /etc/cron.daily/snortl-newday_$OLD /etc/cron.daily/snortl-newday_$NEW
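The silent part of this bug is that nothing logs the skipped job, so the capture rollover just stops. The following is an added check, not one of the Knoppix-NSM scripts: it lists files in a cron.daily style directory whose names cron's run-parts will skip and suggests a compliant name. It assumes the Debian run-parts naming rule (ASCII letters, digits, underscore and hyphen only), which is what Knoppix inherits; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the Knoppix-NSM scripts): find cron jobs that
# run-parts silently ignores. Debian's run-parts only executes files whose
# names consist entirely of ASCII letters, digits, underscores and hyphens,
# so "snortl-newday.sensorname" never runs and no daily capture file appears.

# Return 0 if NAME is a filename run-parts will execute, 1 otherwise.
runparts_valid_name() {
    case "$1" in
        '') return 1 ;;                  # empty name is never valid
        *[!A-Za-z0-9_-]*) return 1 ;;    # any character outside the allowed set
        *) return 0 ;;
    esac
}

# Print every regular file in DIR whose name run-parts would skip.
# Returns 0 when every job name is valid, 1 when at least one is not.
find_skipped_cron_jobs() {
    dir="$1"
    status=0
    for path in "$dir"/*; do
        [ -f "$path" ] || continue       # skip subdirectories and an empty glob
        name=$(basename "$path")
        if ! runparts_valid_name "$name"; then
            echo "$name"
            status=1
        fi
    done
    return $status
}

# Suggest a run-parts safe name: replace each disallowed character with "_",
# which is exactly the "." -> "_" rename the FAQ describes.
suggest_cron_name() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9_-]/_/g'
}

# Stand-alone usage: report the skipped jobs on this host, if any.
if [ "${1:-}" = "--scan" ]; then
    find_skipped_cron_jobs /etc/cron.daily || echo "rename the files above"
fi
```

Running the script with --scan on a sensor where the job was installed with the old name prints snortl-newday.sensorname, which is the filename to rename as shown above.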