SweetSecurity

Bro IDS + Critical stack not showing up in alerts.

Open TheBlindHacker opened this issue 7 years ago • 3 comments

Default install on Ubuntu 16.04.3. Working great for the baseliner, but I am not getting any Bro alerts or any alerts from Critical Stack when I am sending triggers to the known test sites.

Any suggestions?

TheBlindHacker, Feb 08 '18 18:02

First step would be to verify that Bro is actually logging to the intel.log or notice.log files.

TravisFSmith, Feb 08 '18 18:02

Looks like it, intel.log.

Both logs are below; none of the notices are logging.

```
critical-stack 11:08:36 [DEBUG] Downloading file:
  Filename: critical-stack-intel-8-Cyber-Crime-Tracker.bro.dat Checksum: 6d4698c56e9934b1cb2b61045eff77c5
critical-stack 11:08:36 [DEBUG] Downloading file:
  Filename: critical-stack-intel-7-Known-Tor-Exit-Nodes.bro.dat Checksum: d006bb56888d575f1e0f33b983fb636f
critical-stack 11:08:36 [DEBUG] Downloading file:
  Filename: critical-stack-intel-2-bambenekconsulting.com-C-C-IPs.bro.dat Checksum: 328f39db0af433b7dcf9f73a487f5f61
critical-stack 11:08:36 [INFO] Creating master file: master-public.bro.dat. Please wait.
critical-stack 11:08:53 [INFO] Master file created successfully.
critical-stack 11:08:53 [INFO] Intel files located at: /opt/critical-stack/frameworks/intel
critical-stack 11:08:53 [INFO] API Requests Remaining: 959 of 1000/minute
```

From notice.log:

```
CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 38.988% - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1518116594.128321 COTLvE2zGCsqtQX4U5 10.10.1.172 53902 173.67.41.226 8834 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ACTIVE-SOAP,ST=NY,C=US,L=New York,OU=Nessus Server,O=Nessus Users United 10.10.1.172 173.67.41.226 8834 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1518117477.191508 - - - - - - - -- CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 19.627% - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
```

TheBlindHacker, Feb 08 '18 19:02
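The logs above show the check the maintainer asked for in its "nothing from Intel" outcome: notice.log carries CaptureLoss and SSL notices but no Intel::Notice. The script below is an added example (not from this thread or from SweetSecurity) that reads Bro/Zeek TSV logs by their #fields header and says where the intel alert chain stops. The log bodies are constructed for the demo with a shortened #fields header; the one mirrors the poster's notice.log, the others show what a working feed hit looks like. The feed source string and the 198.51.100.7 indicator are made up.

```python
"""Checks the first debugging step suggested in the thread: is Bro writing
anything to intel.log, and does notice.log contain Intel::Notice entries?

Added example, not code from the thread or from SweetSecurity. The log
text is constructed for the demo and uses a shortened #fields header
(real Bro logs carry more columns); the parser only trusts the header,
so it also works on real files."""
from collections import Counter


def parse_bro_tsv(text):
    """Yield one dict per record of a Bro/Zeek TSV log.

    Column names come from the #fields directive and the unset marker
    (normally '-') from #unset_field, so no column positions are
    hard-coded. Other directives (#separator, #types, #close) are skipped."""
    fields = None
    unset = "-"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            parts = raw.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field" and len(parts) > 1:
                unset = parts[1]
            continue
        if fields is None:
            raise ValueError("record seen before a #fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields: %r" % raw)
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def note_counts(notice_text):
    """Count notice.log records by Notice::Type (the 'note' column)."""
    return Counter(rec["note"] for rec in parse_bro_tsv(notice_text))


def diagnose(notice_text, intel_text):
    """Say where the intel alert chain stops, judging from the two logs alone."""
    notes = note_counts(notice_text)
    intel_records = list(parse_bro_tsv(intel_text))
    intel_notices = notes.get("Intel::Notice", 0)
    if intel_records and intel_notices:
        verdict = ("intel matched and Intel::Notice raised; the problem is "
                   "downstream of notice.log")
    elif intel_records:
        verdict = ("intel.log has matches but no Intel::Notice; check that "
                   "policy/frameworks/intel/do_notice is loaded and the feed's "
                   "meta.do_notice column is T")
    elif notes:
        verdict = ("notice.log works but nothing from Intel; either the feed "
                   "files are not read by Bro or the test traffic never "
                   "touched an indicator")
    else:
        verdict = "no notices at all; check that Bro is running and logging"
    return {"intel_log_records": len(intel_records),
            "intel_notices": intel_notices,
            "notes": dict(notes),
            "verdict": verdict}


def _log(path, fields, rows):
    """Build a constructed Bro-style TSV log body (demo data only)."""
    head = ["#separator \\x09", "#unset_field\t-", "#path\t" + path,
            "#fields\t" + "\t".join(fields)]
    return "\n".join(head + ["\t".join(r) for r in rows]) + "\n"


NOTICE_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
                 "id.resp_p", "proto", "note", "msg", "sub", "actions"]
INTEL_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
                "id.resp_p", "seen.indicator", "seen.indicator_type",
                "seen.where", "sources"]

# Constructed to mirror the poster's notice.log: no Intel::Notice at all.
NOTICE_LOG_NO_INTEL = _log("notice", NOTICE_FIELDS, [
    ["1518116594.128321", "COTLvE2zGCsqtQX4U5", "10.10.1.172", "53902",
     "173.67.41.226", "8834", "tcp", "SSL::Invalid_Server_Cert",
     "SSL certificate validation failed with (unable to get local issuer certificate)",
     "CN=ACTIVE-SOAP,ST=NY,C=US,L=New York,OU=Nessus Server,O=Nessus Users United",
     "Notice::ACTION_LOG"],
    ["1518117477.191508", "-", "-", "-", "-", "-", "-",
     "CaptureLoss::Too_Much_Loss",
     "The capture loss script detected an estimated loss rate above 19.627%",
     "-", "Notice::ACTION_LOG"],
])
INTEL_LOG_EMPTY = _log("intel", INTEL_FIELDS, [])

# Constructed picture of a working feed: one hit on a (made-up) indicator,
# recorded in intel.log and escalated to Intel::Notice in notice.log.
INTEL_LOG_HIT = _log("intel", INTEL_FIELDS, [
    ["1518118000.000000", "CabcDEfGhIjKlMnOp1", "10.10.1.172", "44112",
     "198.51.100.7", "443", "198.51.100.7", "Intel::ADDR", "Conn::IN_RESP",
     "critical-stack-intel-7-Known-Tor-Exit-Nodes"],
])
NOTICE_LOG_HIT = NOTICE_LOG_NO_INTEL + "\t".join(
    ["1518118000.000000", "CabcDEfGhIjKlMnOp1", "10.10.1.172", "44112",
     "198.51.100.7", "443", "tcp", "Intel::Notice",
     "Intel hit on 198.51.100.7 at Conn::IN_RESP",
     "Sources: critical-stack-intel-7-Known-Tor-Exit-Nodes",
     "Notice::ACTION_LOG"]) + "\n"

if __name__ == "__main__":
    # On a real host, pass open("/path/to/notice.log").read() etc. instead.
    print(diagnose(NOTICE_LOG_NO_INTEL, INTEL_LOG_EMPTY)["verdict"])
    print(diagnose(NOTICE_LOG_HIT, INTEL_LOG_HIT)["verdict"])
```

The parser keys on the `#fields` header rather than column positions, so the same code reads a full-width notice.log from a live sensor. The verdicts only narrow the search: an empty intel.log with a healthy notice.log is exactly the poster's situation, and it cannot distinguish "feed never loaded" from "test traffic never matched", which is why the later replies in this thread about the feed server matter.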

critical-stack-intel's server is down (2018-08-10); actually, the .dat file will not be downloaded. I posted here:

https://github.com/TravisFSmith/SweetSecurity/issues/48

under "NOTICE".

Use OTX AlienVault instead.

cloudstrifeedge, Aug 10 '18 05:08