Friday, May 4, 2012

Snort to the Rescue!

I still use Base as a web frontend to my snort installation.  I know a lot of people are using things like Snorby now, but I think Base does everything I need it to do.  Anyway, I was looking at Base this afternoon and I noticed over 200 new alerts. 

All of the alerts were from my main router and they were of the type "ICMP Test".  Closer examination showed that the router was trying to ping a machine that was unreachable.  Since my router also acts as my DNS and DHCP server, I checked the syslog on that machine. 

The syslog was full of DHCP offers to the same IP address that snort was showing as unreachable.  I took the MAC address and ran it through an online MAC to vendor lookup and it showed me that it was a MAC from Motorola CHS.  I went through the house restarting all of my Motorola cable boxes.  Since doing that I noticed that the DHCP log shows that an acknowledgment was sent in response to the DHCP offer.  Snort has also stopped alerting for that particular ICMP Test. 

I guess one of the cable boxes just got hung up a bit.  It happens from time to time.  Usually I don't catch the problem until it is too late (e.g. my favorite TV shows aren't recording as scheduled in the DVR).  Thanks to Snort and Base, that won't be a problem tonight.
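The syslog check described above, as an added example that is not part of the original post: it scans ISC dhcpd log lines for clients that keep receiving a DHCPOFFER without ever getting a DHCPACK, the pattern a hung cable box produced here. The log lines, addresses and MACs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in ISC dhcpd syslog format (not from the original post).
# 00:11:22:33:44:55 is offered a lease three times and never acknowledges it;
# aa:bb:cc:dd:ee:ff completes the normal DISCOVER/OFFER/REQUEST/ACK exchange.
SAMPLE_SYSLOG = """\
May  4 13:01:02 router dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
May  4 13:01:02 router dhcpd: DHCPOFFER on 192.168.1.50 to 00:11:22:33:44:55 via eth1
May  4 13:01:07 router dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
May  4 13:01:07 router dhcpd: DHCPOFFER on 192.168.1.50 to 00:11:22:33:44:55 via eth1
May  4 13:01:12 router dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
May  4 13:01:12 router dhcpd: DHCPOFFER on 192.168.1.50 to 00:11:22:33:44:55 via eth1
May  4 13:02:30 router dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth1
May  4 13:02:30 router dhcpd: DHCPOFFER on 192.168.1.51 to aa:bb:cc:dd:ee:ff via eth1
May  4 13:02:30 router dhcpd: DHCPREQUEST for 192.168.1.51 (192.168.1.1) from aa:bb:cc:dd:ee:ff via eth1
May  4 13:02:30 router dhcpd: DHCPACK on 192.168.1.51 to aa:bb:cc:dd:ee:ff (stb-livingroom) via eth1
"""

OFFER_RE = re.compile(r"DHCPOFFER on (\S+) to ([0-9a-f:]{17})", re.IGNORECASE)
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.IGNORECASE)


def find_unacknowledged_offers(log_text, min_offers=3):
    """Return {(ip, mac): offer_count} for clients offered a lease at least
    min_offers times that never appear in a DHCPACK line."""
    offers = defaultdict(int)
    acked = set()
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            offers[(m.group(1), m.group(2).lower())] += 1
            continue
        m = ACK_RE.search(line)
        if m:
            acked.add((m.group(1), m.group(2).lower()))
    return {key: n for key, n in offers.items()
            if key not in acked and n >= min_offers}


def oui_prefix(mac):
    """First three octets of a MAC, the part an OUI/vendor lookup needs."""
    return mac[:8].upper()


if __name__ == "__main__":
    for (ip, mac), n in find_unacknowledged_offers(SAMPLE_SYSLOG).items():
        print(f"{ip} offered {n} times to {mac} (OUI {oui_prefix(mac)}) with no DHCPACK")
```

Run it against the real log with `find_unacknowledged_offers(open("/var/log/syslog").read())`; the OUI prefix is what you would feed into the vendor lookup.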

NTFSclone

I installed ntfsprogs on my Debian desktop because I have a Windows partition that I'd like to create an image of on my NAS.  I ran ntfsclone with the --save-image option and directed it to place the output in an NFS share to my NAS.  I started it last night and it's almost 60% of the way finished.

My lessons learned are as follows:
-  Software RAID sucks.  I should probably spring for a decent hardware RAID controller.
-  Consumer hard disks also suck for large file copies like this one.  Those cheap Western Digital disks in my NAS may have seemed like a great deal, but they just don't compare to higher-end SCSI disks.  The I/O wait is what's causing it to take so long.  It was over 50% when I last looked at it on the NAS.

I should really invest in better equipment at home :)

Update:  The ntfsclone imaging finally finished.  It turns out that I may have tracked down another culprit relating to the slow file transfer and the high iowait.  I have a 3-disk RAID 5 array in my Openfiler NAS.  Running mdadm -D /dev/md0 showed that one of the disks was faulty.  I rebooted the NAS and re-added that disk to the RAID array.  Right now it is in the process of rebuilding, so I'll have to wait a while to see how that goes.  Even if it comes back online okay, I'll still probably order an extra disk to add to the array as a spare. 

Snort: Sensitive Data

Man, I'll tell you, the sensitive data processor in snort was not designed to be used with web traffic.  If you've used it at all, you know it fires all the time when used in conjunction with regular web traffic.  It seems to throw alerts for detecting email addresses if it so much as finds the '@' symbol in a packet.  Any string of numbers in a packet makes it alert for finding supposed credit card numbers.

Since in my current setup snort is processing all packets sent from my router, I'm going to have to disable sensitive data processing.  I guess if I was only monitoring traffic from my internal network, then there would be fewer of these alerts.  And then, the alerts I do get would probably at least be worth taking a look at.  Right now, though, I'm just getting flooded with false positives.