{"id":10,"date":"2014-11-06T21:08:08","date_gmt":"2014-11-06T20:08:08","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=10"},"modified":"2024-01-16T22:27:02","modified_gmt":"2024-01-17T04:27:02","slug":"security-onion-and-elsa-issues","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=10","title":{"rendered":"Security Onion and Elsa issues"},"content":{"rendered":"

So the other day while reviewing alerts in Squert I noticed a lot of alerts triggering for ‘ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack.’ The rule for this is:<\/p>\n

alert tcp $EXTERNAL_NET [443,465,993,995,25] -&gt; $HOME_NET any (msg:”ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack”; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:”|16 03 00|”; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com\/2014\/10\/15\/poodle\/; reference:url,www.openssl.org\/~bodo\/ssl-poodle.pdf; reference:url,askubuntu.com\/questions\/537196\/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org\/2014\/10\/14\/poodle.html; classtype:policy-violation; sid:2019416; rev:3;)<\/p><\/blockquote>\n

This got me thinking why am I just now starting to see this alert after running SO for a couple months now? Looking into the events I started noticing how they were all stemming from our kid’s Android tablets. And of course since the alerts were over port 443 I could not see anything in the PCAPs. So I figured the next best thing would be to start looking through Elsa to see if I could find out when this started and if there was any pattern to these events. I proceeded to find out that Elsa had stopped archiving events a LONG time ago (about a month and a half ago). The first place I started to troubleshoot thingswas with the command ‘SOSTAT.’ That showed me a high amount of files sitting in the Elsa buffers section of the report (about 280+).<\/p>\n

<\/p>\n

Googling around trying to find out why Elsa stopped working (actually archiving events) I stumbled across this thread<\/a>. I started to go through the node.log file looking for errors and found errors such as these<\/p>\n

ERROR [2014\/11\/01 17:08:04] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (1142) Indexer::_queue_for_indexing 31700 [undef]
\n* ERROR [2014\/11\/01 17:09:03] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (948) Indexer::load_buffers 31735 [undef]
\n* ERROR [2014\/11\/01 17:09:03] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (1142) Indexer::_queue_for_indexing 31735 [undef]
\n* ERROR [2014\/11\/01 17:10:03] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (948) Indexer::load_buffers 31776 [undef]
\n* ERROR [2014\/11\/01 17:10:04] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (1142) Indexer::_queue_for_indexing 31776 [undef]
\n* ERROR [2014\/11\/01 17:11:03] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (948) Indexer::load_buffers 32062 [undef]
\n* ERROR [2014\/11\/01 17:11:03] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (1142) Indexer::_queue_for_indexing 32062 [undef]
\n* ERROR [2014\/11\/01 17:12:03] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (948) Indexer::load_buffers 32087 [undef]
\n* ERROR [2014\/11\/01 17:12:03] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (1142) Indexer::_queue_for_indexing 32087 [undef]
\n* ERROR [2014\/11\/01 17:13:02] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (948) Indexer::load_buffers 32123 [undef]
\n* ERROR [2014\/11\/01 17:13:03] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (1142) Indexer::_queue_for_indexing 32123 [undef]
\n* ERROR [2014\/11\/01 17:14:02] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (948) Indexer::load_buffers 32146 [undef]
\n* ERROR [2014\/11\/01 17:14:02] \/opt\/elsa\/web\/..\/node\/\/Indexer.pm (1142) Indexer::_queue_for_indexing 32146 [undef]<\/p><\/blockquote>\n

Now since I am running SecurityOnion as a VM on a laptop with a bad battery, there had been some “unexpected” shutdowns. So just on the off chance that I borked the database, I ran the command ‘sudo mysqlcheck -A’. Nothing came back corrupted. YIPPEE! I tried to restart just the syslog_ng service to see if that would kick start things… Nope no go there either.<\/p>\n

So going back to the node.log file for Elsa, I noticed the following line:<\/p>\n

Total mem used: 770549356 of 3082194944, which is greater than 25 allowed percent<\/p><\/blockquote>\n

in the log file. Based on the post from above, I tried restarting the syslog_ng service and watching what was being written to the log file. This time I saw it in real-time. It was here that it dawned on me that this was relating back to a line that I saw in the \/etc\/elsa_node.conf file:<\/p>\n

# Check to be sure that temporary indexes (which use a lot of RAM) never go above this amount of RAM, or they will be prematurely consolidated.
\n“allowed_mem_percent”: 25,<\/p><\/blockquote>\n

I made a quick change to the file; changing the ’25’ to ’35’ and then restarted the syslog_ng service. Once I did that, the files in the buffer started to go down again and Elsa started processing things again.<\/p>\n

Now back to trying to figure out why I am seeing the POODLE alert.<\/p>\n","protected":false},"excerpt":{"rendered":"

So the other day while reviewing alerts in Squert I noticed a lot of alerts triggering for ‘ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack.’ The rule for this is: alert tcp $EXTERNAL_NET [443,465,993,995,25] -&gt; $HOME_NET any (msg:”ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack”; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:”|16 03 00|”; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com\/2014\/10\/15\/poodle\/; reference:url,www.openssl.org\/~bodo\/ssl-poodle.pdf; reference:url,askubuntu.com\/questions\/537196\/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org\/2014\/10\/14\/poodle.html; classtype:policy-violation; sid:2019416; rev:3;) This got me thinking why am I just now starting to see this alert after running SO for a couple months now? Looking into the…<\/p>\n

Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[3,2],"class_list":["post-10","post","type-post","status-publish","format-standard","hentry","category-security-onion","tag-nsm","tag-securityonion"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/10","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10"}],"version-history":[{"count":16,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/10\/revisions"}],"predecessor-version":[{"id":1650,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/10\/revisions\/1650"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}