Don't get me wrong, I like playing with software; it just seems that most of the time it's with something that's EOL, and support is not as easy to come by. But for this issue I was able to find a couple of sites giving some advice on how to fix it.
Trouble was, the first round I kind of skipped a part and had to start over. Not a big deal, as it's mostly a test platform, so nothing lost. In this instance I was getting somewhere in the millions of uncategorized events on my SecurityOnion, which was filling up my drive with both data and errors.
I had never encountered this before (normally I just build and walk away), but this time I wanted to get more involved, and this is where I noticed an alert that was just firing away faster than I could count.
I ran sudo sostat and Uncategorized Events was at 3 million. After reading up, I figured I would have to disable the alert in the disablesid file and maybe autocat the rule. First I had to figure out how to get rid of the current queue.
More reading led to sguil-db-purge, which I thought would clear out the events; turns out it kind of killed my MySQL database, I must have skipped a step. Easy fix though: just re-run sosetup, and I was back in business in about 20 minutes.
Before I had re-added the rule to disablesid and autocat, I was back up at 60k uncategorized alerts. I was able to use the information from here, which basically boils down to:
Stop the NSM service
List the top 20 signatures:
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'SELECT COUNT(signature) AS count, signature FROM event WHERE status=0 GROUP BY signature ORDER BY count DESC LIMIT 20;'
Change the status from 0 to 1 to ack the alerts:
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "UPDATE event SET status=1, last_modified='2018-06-27 01:00:00', last_uid='sguil' WHERE event.status='0' and event.signature LIKE '%MY ALERT%';"
Then restart the NSM service
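The listing and ack queries from those steps, replayed against a constructed in-memory copy of the Sguil event table so the row counts can be checked before and after the UPDATE (an added example, not from the post or from Security Onion; sqlite3 stands in for MySQL, only the columns the queries touch are modeled, and the sample rows are made up):

```python
import sqlite3

# Constructed sample rows for the Sguil `event` table; only the columns the
# post's queries touch are modeled. Status 0 = uncategorized, 1 = acknowledged.
SAMPLE_EVENTS = [
    ("ET POLICY Noisy Rule A", 0),
    ("ET POLICY Noisy Rule A", 0),
    ("ET POLICY Noisy Rule A", 0),
    ("ET SCAN Something Else", 0),
    ("ET POLICY Noisy Rule A", 1),  # already acknowledged, must stay untouched
    ("GPL ATTACK_RESPONSE id check", 0),
]

def open_db():
    """In-memory stand-in for securityonion_db (assumption: sqlite3 for MySQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (signature TEXT, status INTEGER,"
                " last_modified TEXT, last_uid TEXT)")
    con.executemany("INSERT INTO event (signature, status) VALUES (?, ?)", SAMPLE_EVENTS)
    return con

def top_uncategorized(con, limit=20):
    """The 'list top 20' query: uncategorized events grouped by signature."""
    return con.execute(
        "SELECT COUNT(signature) AS cnt, signature FROM event WHERE status=0 "
        "GROUP BY signature ORDER BY cnt DESC LIMIT ?", (limit,)).fetchall()

def ack_signature(con, needle, when, uid="sguil"):
    """The ack UPDATE, with the signature fragment passed as a bound parameter
    instead of pasted into a -e string, and LIKE wildcards in the fragment
    escaped so a '%' or '_' inside a rule name cannot widen the match.
    Returns how many rows were acknowledged; compare that against the count
    from top_uncategorized() before trusting the run."""
    escaped = needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    cur = con.execute(
        "UPDATE event SET status=1, last_modified=?, last_uid=? "
        "WHERE status=0 AND signature LIKE ? ESCAPE '\\'",
        (when, uid, f"%{escaped}%"))
    con.commit()
    return cur.rowcount

def uncategorized_count(con):
    """What sostat's 'Uncategorized Events' figure boils down to."""
    return con.execute("SELECT COUNT(*) FROM event WHERE status=0").fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    for cnt, sig in top_uncategorized(db):
        print(f"{cnt:>6}  {sig}")
    print("acked:", ack_signature(db, "Noisy Rule A", "2018-06-27 01:00:00"))
    print("still uncategorized:", uncategorized_count(db))
```

Running the listing once more after the UPDATE, as the script does, is the quick sanity check that the right signature dropped off the top of the list and nothing else did.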
Now to watch it for a day, and start some more tuning over the next few days to get it to a good state.
Good fun, and learning had by all.