Messages - m4dm4n

1
Installation and Upgrades / Re: Issues installing Suricata / Snort
« on: February 25, 2015, 12:01:50 pm »
Sorry for answering so late, I'll send you a PM with a reminder of this post.

For an oinkmaster solution, look at this:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

Don't forget to rename the rules folder in the Suricata config from "/etc/snort/rules" to "/etc/suricata/rules". That's why you can't load any of them. If you use Suricata, use rules prebuilt for Suricata, don't mix things.

I see a Threshold file missing too; it can be resolved too, look it up. But if you don't use Suricata as an IPS, don't struggle.

Don't forget to disable offloading (hint: ethtool -K) on the listening interface.

2
Personally, I still don't know how the rules are updated; it's not by using oinkmaster or even PulledPork.
All I can tell you is that Suricata (that would be the IDPS) is started without the option that allows changing the rules "on the fly". When you edit some rule, you need to restart Suricata by:

Code:
```shell
sudo service zentyal ips restart
```
But when Suricata is updated, you need to check again whether your custom rules were overwritten by new ones.

EDIT:

Ok, I looked around a bit and found that the ruleset is downloaded by an Ubuntu package called "snort-rules-default".
So, yeah, if you make some modifications to the rules, they will be overwritten when a new package installs.

The Suricata installed on this system is quite an old one (it depends on official Ubuntu sources), and it doesn't use the native ruleset from Emerging Threats, which, from the security standpoint, is not very smart or secure. :)
Suricata is a great system and I think the Zentyal developers should use more resources for better integration of it in Zentyal.

3
Hi,

Reading through the official documentation, I couldn't help but notice that the information about creating a Jabber account is pretty scarce.
Firstly, are Google Talk accounts even supported?
And if not, is there any detailed info about using a Jabber account for sending logs?



Now, I have created a user on the jabb3r.org server, configured it in the Pidgin client, added a *@gmail.com user as a friend, and the communication worked without problems.
When I configured the same thing in Zentyal, I do not receive any messages on my client.
I tested that by stopping some service, then checking in /var/log/zentyal.events.log and on my mobile phone. The event was written to the log file, but my phone didn't receive anything.

4
Installation and Upgrades / Re: Best way to configure my system?
« on: February 26, 2014, 05:14:20 pm »
Don't forget to try out XPEnology, too. It's the Synology OS for generic PCs.

5
Code:
```shell
wget -O /dev/null http://speedtest.wdc01.softlayer.com/downloads/test10.zip
```
This is as real as it gets.

6
I don't think the kernel can detect loop-backs. A loop-back is the same as a timeout from the point of view of the NIC, so it has no real way to determine the issue. But really, is there ANY reason for a loop-back, other than testing a port?

I'm not sure we are on the same page here. I'm not talking about the local loopback network interfaces. I'm saying that the switch was "short-circuited" and got stuck in a loop producing massive network traffic (I think). In this situation, the switch is acting like a stupid hub, only much worse, since it operates at 100Mb/s. Since one Zentyal interface was connected to that switch, it received all that zombie traffic, too. And, I believe, at that point, something went bonkers.
I would like to investigate what, and was hoping for some help on what tools I could use to gather some info (besides the ordinary network captures).
I could try to reproduce that situation tomorrow again.

7
Yeah dude, I'm not happy with his behaviour either.
I just want to know if there's some more info about that problem.

8
It's an integrated Intel NIC on a Lenovo TS200 server. I just found that my colleague was fiddling with a stupid network switch. He short-circuited two ports on the same switch to produce a loop in the network, and of course, he didn't write that down anywhere. At that time he said that the server stopped responding to requests on that interface.
Is that possible, and if yes, what can I do to stop that from happening in the future?
Does the kernel even detect loops?

9
Hi,

I configured a server with 4 NICs (3 Intel, 1 D-Link with VIA Rhine III chipset) to be used as a DHCP and gateway server. Until recently, everything worked, and then something strange happened.
DHCP stopped working on one Intel interface, and the web GUI said it had link but it was down.
Then I searched through syslog and found this:

Code:
```
Feb 24 07:33:35 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:35 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:37 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:37 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:45 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:45 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:34:03 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:34:03 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:34:03 mars dhcpd: DHCPINFORM from 80.80.80.37 via eth3
Feb 24 07:34:03 mars dhcpd: DHCPACK to 80.80.80.37 (6c:62:6d:44:00:27) via eth3
```

So, clients in one network constantly send DHCPDISCOVER packages but never finish this procedure and never get an address. I was watching in Wireshark and the client never saw these DHCPOFFER packages, so I think they never went out of that eth2 interface.
As you can see, the eth3 network works as usual; everything is normal.

So I said: "Something is very suspicious". :)

Let's look a little deeper, and yes, I found this from 2 days ago (in the syslog file, too):

Code:
```
Feb 22 12:40:01 mars CRON[17247]: (root) CMD (/usr/share/zentyal-users/slave-sync)
Feb 22 12:40:01 mars CRON[17248]: (root) CMD ((pgrep -u root,ebox cronjob-runner || /usr/share/zentyal-remoteservices/cronjo$
Feb 22 12:40:01 mars CRON[17249]: (root) CMD ((pgrep -u root,ebox run-pending-ops || /usr/share/zentyal-remoteservices/run-p$
Feb 22 12:45:01 mars CRON[17273]: (root) CMD (/usr/share/zentyal-users/slave-sync)
Feb 22 12:45:01 mars CRON[17274]: (root) CMD ((pgrep -u root,ebox run-pending-ops || /usr/share/zentyal-remoteservices/run-p$
Feb 22 12:45:14 mars kernel: [692378.403101] irq 51: nobody cared (try booting with the "irqpoll" option)
Feb 22 12:45:14 mars kernel: [692378.403109] Pid: 0, comm: swapper/0 Tainted: GF            3.8.0-35-generic #52~precise1-Ub$
Feb 22 12:45:14 mars kernel: [692378.403112] Call Trace:
Feb 22 12:45:14 mars kernel: [692378.403115]  <IRQ>  [<ffffffff810f085d>] __report_bad_irq+0x3d/0xe0
Feb 22 12:45:14 mars kernel: [692378.403132]  [<ffffffff810f0c85>] note_interrupt+0x135/0x190
Feb 22 12:45:14 mars kernel: [692378.403138]  [<ffffffff810ee499>] handle_irq_event_percpu+0xa9/0x210
Feb 22 12:45:14 mars kernel: [692378.403143]  [<ffffffff810ee64e>] handle_irq_event+0x4e/0x80
Feb 22 12:45:14 mars kernel: [692378.403147]  [<ffffffff810f0fe4>] handle_edge_irq+0x84/0x130
Feb 22 12:45:14 mars kernel: [692378.403155]  [<ffffffff81016762>] handle_irq+0x22/0x40
Feb 22 12:45:14 mars kernel: [692378.403160]  [<ffffffff816ffc6a>] do_IRQ+0x5a/0xe0
Feb 22 12:45:14 mars kernel: [692378.403166]  [<ffffffff816f56ed>] common_interrupt+0x6d/0x6d
Feb 22 12:45:14 mars kernel: [692378.403169]  <EOI>  [<ffffffff8158c530>] ? cpuidle_wrap_enter+0x50/0xa0
Feb 22 12:45:14 mars kernel: [692378.403179]  [<ffffffff8158c529>] ? cpuidle_wrap_enter+0x49/0xa0
Feb 22 12:45:14 mars kernel: [692378.403184]  [<ffffffff8158d96e>] ? menu_select+0x16e/0x2b0
Feb 22 12:45:14 mars kernel: [692378.403189]  [<ffffffff8158c590>] cpuidle_enter_tk+0x10/0x20
Feb 22 12:45:14 mars kernel: [692378.403193]  [<ffffffff8158c13f>] cpuidle_idle_call+0xaf/0x2c0
Feb 22 12:45:14 mars kernel: [692378.403199]  [<ffffffff8101db6f>] cpu_idle+0xcf/0x120
Feb 22 12:45:14 mars kernel: [692378.403204]  [<ffffffff816c8302>] rest_init+0x72/0x80
Feb 22 12:45:14 mars kernel: [692378.403209]  [<ffffffff81d05c4f>] start_kernel+0x3d1/0x3de
Feb 22 12:45:14 mars kernel: [692378.403216]  [<ffffffff81d057ff>] ? pass_bootoption.constprop.3+0xd3/0xd3
Feb 22 12:45:14 mars kernel: [692378.403222]  [<ffffffff81d05397>] x86_64_start_reservations+0x131/0x135
Feb 22 12:45:14 mars kernel: [692378.403227]  [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
Feb 22 12:45:14 mars kernel: [692378.403232]  [<ffffffff81d05468>] x86_64_start_kernel+0xcd/0xdc
Feb 22 12:45:14 mars kernel: [692378.403235] handlers:
Feb 22 12:45:14 mars kernel: [692378.403254] [<ffffffffa0039050>] e1000_msix_other [e1000e]
Feb 22 12:45:14 mars kernel: [692378.403257] Disabling IRQ #51
Feb 22 12:45:17 mars kernel: [692381.180378] ------------[ cut here ]------------
Feb 22 12:45:17 mars kernel: [692381.180389] WARNING: at /build/buildd/linux-lts-raring-3.8.0/net/sched/sch_generic.c:254 de$
Feb 22 12:45:17 mars kernel: [692381.180392] Hardware name: Lenovo ThinkServer TS200 -[652512G]-
```

AND IMMEDIATELY after that, this (I put it in a separate code block for easier reading):

Code:
```
Feb 22 12:45:17 mars kernel: [692381.180394] NETDEV WATCHDOG: eth2 (e1000e): transmit queue 0 timed out
Feb 22 12:45:17 mars kernel: [692381.180397] Modules linked in: xt_multiport(F) nfnetlink_queue(F) nfnetlink(F) xt_REDIRECT($
Feb 22 12:45:17 mars kernel: [692381.180461] Pid: 0, comm: swapper/0 Tainted: GF            3.8.0-35-generic #52~precise1-Ub$
Feb 22 12:45:17 mars kernel: [692381.180463] Call Trace:
Feb 22 12:45:17 mars kernel: [692381.180466]  <IRQ>  [<ffffffff81059b6f>] warn_slowpath_common+0x7f/0xc0
Feb 22 12:45:17 mars kernel: [692381.180479]  [<ffffffff81059c66>] warn_slowpath_fmt+0x46/0x50
Feb 22 12:45:17 mars kernel: [692381.180484]  [<ffffffff81062bf9>] ? raise_softirq_irqoff+0x9/0x40
Feb 22 12:45:17 mars kernel: [692381.180492]  [<ffffffff81603262>] dev_watchdog+0x262/0x270
Feb 22 12:45:17 mars kernel: [692381.180497]  [<ffffffff8101bb39>] ? read_tsc+0x9/0x20
Feb 22 12:45:17 mars kernel: [692381.180504]  [<ffffffff810773c0>] ? __queue_work+0x2d0/0x2d0
Feb 22 12:45:17 mars kernel: [692381.180508]  [<ffffffff81603000>] ? pfifo_fast_dequeue+0xe0/0xe0
Feb 22 12:45:17 mars kernel: [692381.180514]  [<ffffffff81069956>] call_timer_fn+0x46/0x160
Feb 22 12:45:17 mars kernel: [692381.180520]  [<ffffffff8106b427>] run_timer_softirq+0x267/0x2c0
Feb 22 12:45:17 mars kernel: [692381.180527]  [<ffffffff81450131>] ? add_interrupt_randomness+0x41/0x190
Feb 22 12:45:17 mars kernel: [692381.180532]  [<ffffffff81603000>] ? pfifo_fast_dequeue+0xe0/0xe0
Feb 22 12:45:17 mars kernel: [692381.180537]  [<ffffffff81062670>] __do_softirq+0xc0/0x240
Feb 22 12:45:17 mars kernel: [692381.180542]  [<ffffffff816f50fe>] ? _raw_spin_lock+0xe/0x20
Feb 22 12:45:17 mars kernel: [692381.180549]  [<ffffffff816ff3dc>] call_softirq+0x1c/0x30
Feb 22 12:45:17 mars kernel: [692381.180555]  [<ffffffff810167e5>] do_softirq+0x65/0xa0
Feb 22 12:45:17 mars kernel: [692381.180559]  [<ffffffff8106294e>] irq_exit+0x8e/0xb0
Feb 22 12:45:17 mars kernel: [692381.180564]  [<ffffffff816ffc73>] do_IRQ+0x63/0xe0
Feb 22 12:45:17 mars kernel: [692381.180569]  [<ffffffff816f56ed>] common_interrupt+0x6d/0x6d
Feb 22 12:45:17 mars kernel: [692381.180571]  <EOI>  [<ffffffff810b49cc>] ? clockevents_notify+0x4c/0x1a0
Feb 22 12:45:17 mars kernel: [692381.180582]  [<ffffffff8158c530>] ? cpuidle_wrap_enter+0x50/0xa0
Feb 22 12:45:17 mars kernel: [692381.180587]  [<ffffffff8158c529>] ? cpuidle_wrap_enter+0x49/0xa0
Feb 22 12:45:17 mars kernel: [692381.180591]  [<ffffffff8158d96e>] ? menu_select+0x16e/0x2b0
Feb 22 12:45:17 mars kernel: [692381.180596]  [<ffffffff8158c590>] cpuidle_enter_tk+0x10/0x20
Feb 22 12:45:17 mars kernel: [692381.180601]  [<ffffffff8158c13f>] cpuidle_idle_call+0xaf/0x2c0
Feb 22 12:45:17 mars kernel: [692381.180606]  [<ffffffff8101db6f>] cpu_idle+0xcf/0x120
Feb 22 12:45:17 mars kernel: [692381.180610]  [<ffffffff816c8302>] rest_init+0x72/0x80
Feb 22 12:45:17 mars kernel: [692381.180615]  [<ffffffff81d05c4f>] start_kernel+0x3d1/0x3de
Feb 22 12:45:17 mars kernel: [692381.180621]  [<ffffffff81d057ff>] ? pass_bootoption.constprop.3+0xd3/0xd3
Feb 22 12:45:17 mars kernel: [692381.180627]  [<ffffffff81d05397>] x86_64_start_reservations+0x131/0x135
Feb 22 12:45:17 mars kernel: [692381.180632]  [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
Feb 22 12:45:17 mars kernel: [692381.180637]  [<ffffffff81d05468>] x86_64_start_kernel+0xcd/0xdc
Feb 22 12:45:17 mars kernel: [692381.180641] ---[ end trace 4e14019b94f73825 ]---
Feb 22 12:45:17 mars kernel: [692381.180666] e1000e 0000:15:00.0 eth2: Reset adapter
```


Something happens to this adapter and it stops working, and I really can't interpret all those messages.
Can somebody provide further info on this situation?
A reboot should resolve the situation temporarily, but it is not a permanent solution.
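The two log excerpts above carry the whole story once they are read together: dhcpd keeps generating DHCPOFFER for the same client on eth2 with no DHCPREQUEST ever coming back, while a few days earlier the kernel disabled the e1000e interrupt and the transmit-queue watchdog reset that same adapter. The following script, added here as an illustration and not part of the original post, parses syslog lines of that shape and correlates the two signals per interface. The sample lines are constructed from the post's own messages (with one extra completed handshake on eth3 for contrast); the function names and the threshold of three unanswered offers are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the dhcpd and kernel lines quoted in the post:
# eth2 clients that never get past DHCPOFFER, eth3 handshakes that complete.
SAMPLE_SYSLOG = """\
Feb 22 12:45:14 mars kernel: [692378.403254] [<ffffffffa0039050>] e1000_msix_other [e1000e]
Feb 22 12:45:14 mars kernel: [692378.403257] Disabling IRQ #51
Feb 22 12:45:17 mars kernel: [692381.180394] NETDEV WATCHDOG: eth2 (e1000e): transmit queue 0 timed out
Feb 22 12:45:17 mars kernel: [692381.180666] e1000e 0000:15:00.0 eth2: Reset adapter
Feb 24 07:33:35 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:35 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:37 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:37 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:45 mars dhcpd: DHCPDISCOVER from 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:33:45 mars dhcpd: DHCPOFFER on 70.70.70.35 to 6c:62:6d:44:02:07 (ws5-lb3) via eth2
Feb 24 07:34:03 mars dhcpd: DHCPINFORM from 80.80.80.37 via eth3
Feb 24 07:34:03 mars dhcpd: DHCPACK to 80.80.80.37 (6c:62:6d:44:00:27) via eth3
Feb 24 07:34:10 mars dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth3
Feb 24 07:34:10 mars dhcpd: DHCPOFFER on 80.80.80.40 to 00:11:22:33:44:55 via eth3
Feb 24 07:34:10 mars dhcpd: DHCPREQUEST for 80.80.80.40 (80.80.80.1) from 00:11:22:33:44:55 via eth3
Feb 24 07:34:10 mars dhcpd: DHCPACK on 80.80.80.40 to 00:11:22:33:44:55 via eth3
"""

DHCP_RE = re.compile(r"dhcpd: (?P<msg>DHCP[A-Z]+)\b(?P<rest>.*) via (?P<iface>\S+)$")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)
WATCHDOG_RE = re.compile(r"NETDEV WATCHDOG: (?P<iface>\S+) \([^)]+\): (?P<what>.*)$")
RESET_RE = re.compile(r"kernel: .*? (?P<iface>eth\d+|en\S+): Reset adapter")
IRQ_RE = re.compile(r"Disabling IRQ #(?P<irq>\d+)")


def parse_syslog(text):
    """One pass over the log: tally DHCP message types per (interface, client MAC),
    remember which interfaces ever sent a DHCPACK, and collect kernel NIC events."""
    dhcp = defaultdict(lambda: defaultdict(int))  # (iface, mac) -> {msg type: count}
    acked_ifaces = set()
    nic_events = defaultdict(list)                 # iface -> [kernel event, ...]
    irq_disabled = []
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            iface, msg = m.group("iface"), m.group("msg")
            if msg == "DHCPACK":
                acked_ifaces.add(iface)
            mac = MAC_RE.search(m.group("rest"))  # DHCPINFORM lines carry no MAC; skip them
            if mac:
                dhcp[(iface, mac.group(1).lower())][msg] += 1
            continue
        m = WATCHDOG_RE.search(line)
        if m:
            nic_events[m.group("iface")].append(m.group("what"))
            continue
        m = RESET_RE.search(line)
        if m:
            nic_events[m.group("iface")].append("Reset adapter")
            continue
        m = IRQ_RE.search(line)
        if m:
            irq_disabled.append(int(m.group("irq")))
    return dhcp, acked_ifaces, nic_events, irq_disabled


def stuck_clients(dhcp, min_offers=3):
    """Clients offered a lease repeatedly that never answered with DHCPREQUEST:
    the server generates the OFFER but it evidently never reaches the wire."""
    stuck = defaultdict(list)
    for (iface, mac), counts in dhcp.items():
        if counts["DHCPOFFER"] >= min_offers and counts["DHCPREQUEST"] == 0 and counts["DHCPACK"] == 0:
            stuck[iface].append(mac)
    return dict(stuck)


def diagnose(text):
    """Turn the tallies into findings, pointing at the NIC when the kernel already
    reported a dead transmit path on the same interface."""
    dhcp, acked, nic_events, irqs = parse_syslog(text)
    findings = []
    for iface, macs in sorted(stuck_clients(dhcp).items()):
        msg = f"{iface}: {len(macs)} client(s) offered repeatedly, no REQUEST/ACK seen"
        if iface in acked:
            msg += " (other clients on this interface did complete, suspect the client side)"
        elif nic_events.get(iface):
            msg += "; kernel reports: " + ", ".join(nic_events[iface])
            if irqs:
                msg += f"; IRQ(s) disabled: {irqs}"
            msg += " -> transmit path of this NIC is dead, not a DHCP configuration problem"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SYSLOG):
        print(finding)
```

Run it against a real /var/log/syslog by passing the file contents to `diagnose()`; the point of the "acked" check is to separate a misbehaving client (one stuck MAC while others complete) from a dead interface (nothing on it ever gets past OFFER and the kernel has logged a watchdog reset).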

10
This issue is preventing me from doing any further updates to this server (from now on). Does anyone have a suggestion?

Code:
```shell
sudo apt-get remove zentyal-samba
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install zentyal-samba
```

11
Since the Zentyal team uses the default Ubuntu repository and default configuration, I guess it doesn't hurt to add the stable repository for the Suricata package. If you want to do that, just type this in the terminal:

Code:
```shell
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get upgrade
```

Now, I DO NOT recommend that for any production server, but that should be self-explanatory. I would like to hear from the devs whether there is some reason not to do such a thing.

12
Hi,

Since the default config from Suricata states that it will put some info every 8 seconds into the stats.log file, it can grow very large in no time. And if you access your server remotely, you cannot become root, and sudo does not allow you to zero that file.
When I say big, I mean gigabytes big, and most admins rarely look at that real-time data.
So, we need to take care of it.
To delete the file (Suricata will recreate it at start), stop the Suricata engine first:

Code:
```shell
sudo /etc/init.d/zentyal ips stop
```
Then delete the "stats.log" file (you can check its size first :) ):

Code:
```shell
sudo rm /var/log/suricata/stats.log
```
Then we need to optimize that configuration a little. Open its main config file:

Code:
```shell
sudo nano /usr/share/zentyal/stubs/ips/suricata-debian.yaml.mas
```
Then locate the "stats:" category.
Under it you will find the line "interval: 8". That means that every 8 seconds the file will be refreshed with new data. For starters, you can put 60 or so there, and after a while, if you're not satisfied, play with those numbers a little. Save the file.

Then start the Suricata engine:

Code:
```shell
sudo /etc/init.d/zentyal ips start
```
P.S. If I can make some suggestions, I think Suricata is really a good choice for modern secure systems, and congrats to the developers for choosing it over Snort.
But, first of all, we really shouldn't have that old version from the Ubuntu repo; maybe you should build the last stable version and put it in your own repo.
And last but not least, some configuration changes should be implemented. Rules could be used from Emerging Threats. And does anybody know how those rules are updated? Or should we use oinkmaster for it?
And definitely, not bound only to Suricata, a better reporting module is needed (GUI, better filtering options).
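Both this post and the earlier reply about the Suricata rules folder come down to two lines in the Suricata YAML: `default-rule-path` still pointing at a Snort tree, and `stats: interval: 8` filling stats.log. The script below, added here as an illustration and not code from the post or from the Zentyal project, reads a config of that shape with the standard library only (no PyYAML), reports both problems, and writes the corrected settings back the way the post describes. The YAML excerpt is constructed to resemble a suricata.yaml, not the actual Zentyal stub; the function names, the 60-second threshold and the `/etc/suricata/rules` target are my own assumptions, matching the values the posts suggest.

```python
import re

# Constructed excerpt in the shape of a suricata.yaml (not the Zentyal stub itself),
# showing the two settings the posts talk about in their problematic state.
SAMPLE_YAML = """\
%YAML 1.1
---
default-rule-path: /etc/snort/rules
rule-files:
  - emerging-trojan.rules
  - local.rules

stats:
  enabled: yes
  interval: 8

outputs:
  - fast:
      enabled: yes
      filename: fast.log
"""


def find_nested(lines, section, key):
    """Index of `key:` inside the top-level `section:` block, or -1 if absent.
    Indentation-based: the block ends at the next unindented, non-comment line."""
    in_section = False
    for i, line in enumerate(lines):
        if re.match(rf"^{re.escape(section)}:\s*$", line):
            in_section = True
            continue
        if in_section:
            if line.strip() and not line.startswith((" ", "\t", "#")):
                break
            if re.match(rf"^\s+{re.escape(key)}:\s*(.*?)\s*$", line):
                return i
    return -1


def get_nested(text, section, key):
    lines = text.splitlines()
    i = find_nested(lines, section, key)
    return None if i < 0 else lines[i].split(":", 1)[1].strip()


def set_nested(text, section, key, value):
    """Rewrite one nested scalar in place, preserving its indentation."""
    lines = text.splitlines()
    i = find_nested(lines, section, key)
    if i < 0:
        raise KeyError(f"{section}.{key} not found")
    indent = lines[i][: len(lines[i]) - len(lines[i].lstrip())]
    lines[i] = f"{indent}{key}: {value}"
    return "\n".join(lines) + "\n"


def get_top(text, key):
    for line in text.splitlines():
        m = re.match(rf"^{re.escape(key)}:\s*(.*?)\s*$", line)
        if m:
            return m.group(1)
    return None


def audit(text, min_interval=60):
    """Findings worth fixing before starting the engine: a rule path still under a
    Snort tree, and a stats interval short enough to make stats.log grow fast."""
    findings = []
    path = get_top(text, "default-rule-path")
    if path is None:
        findings.append("default-rule-path not set")
    elif "/snort/" in path or path.endswith("/snort"):
        findings.append(f"default-rule-path {path} points at a Snort rule tree; "
                        "use /etc/suricata/rules with Suricata-built rules")
    enabled = get_nested(text, "stats", "enabled")
    interval = get_nested(text, "stats", "interval")
    if enabled == "yes" and interval is not None and int(interval) < min_interval:
        findings.append(f"stats.interval is {interval}s; below {min_interval}s stats.log "
                        "grows to gigabytes quickly")
    return findings


def harden(text, interval=60, rule_path="/etc/suricata/rules"):
    """Apply the two changes the posts recommend and return the new config text."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("default-rule-path:"):
            lines[i] = f"default-rule-path: {rule_path}"
    text = "\n".join(lines) + "\n"
    return set_nested(text, "stats", "interval", interval)


if __name__ == "__main__":
    for finding in audit(SAMPLE_YAML):
        print("before:", finding)
    print(harden(SAMPLE_YAML))
```

The editor is deliberately line-based so it leaves comments and ordering untouched, which matters for a file that is itself a template; after writing the result back, stop and start the engine as in the post so the new interval takes effect.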


13
Installation and Upgrades / Re: IP reservation
« on: October 10, 2013, 02:55:15 pm »
Had a similar situation not long ago. The thing was that DHCP first served the addresses to clients (especially Microsoft likes to hang on to its DHCP-given addresses and doesn't let go: preferred address), then I went to change the configuration (manually adding network objects for STATIC DHCP addressing and adding them to the DHCP configuration). Well, it all went well, but the problem was that ipconfig /release and /renew didn't work, just as in your problem.
What worked?
ipconfig /release
reboot the server
ipconfig /renew

That should solve it.

14
I would scrap that server and do a clean install. I never do the upgrades, Windows, Zentyal... a clean install just seems to work better.

Although a clean install would solve this problem, that's not the point. Since this is not a mission-critical server and it's used for experimenting with features, I would like to know what caused this, I dare to say, "bug".
It will be a good learning experience for future situations.


15
Yes, it should have been gone, but that [br1] button in the web interface is very annoying; it just won't disappear.
