Evebox does not collect statistics

suricata
v7

(Igor) #1

Здравствуйте! После октябрьского обновления Suricata перестало работать приложение Evebox. Статистика в него не попадает.


(Stefano Zamboni) #2

please, english only, thank you


(Michael Träumner) #3

Translation:

Hello! After the October update of Suricata, the Evebox application stopped working. Statistics do not fall into it.

Did you have looked in your logs? I don’t use it but perhaps we find something at the logs.

And please post in english, google translation could help you.


(kai) #4

at my side everything is ok with evebox


(Igor) #5

I’m sorry, I seem to have inserted the translated text.
Transfer:
Hello! After the October update of Suricata, the Evebox application stopped working. Statistics do not fall into it.

The journal “/var/log/suricata/suricata.log” seems to be:
7/12/2017 - 12:04:26 - - This is Suricata version 3.2.4 RELEASE
7/12/2017 - 12:04:41 - - [ERRCODE: SC_ERR_EVENT_ENGINE (210)] - can not suppress sid 2011124, gid 1: unknown rule
7/12/2017 - 12:04:41 - - all 4 packet processing threads, 2 management threads initialized, engine started.
7/12/2017 - 12:04:41 - - Signal Received. Stopping engine.
7/12/2017 - 12:04:41 - - (RX-Q0) Treated: Pkts 1, Bytes 616, Errors 0
7/12/2017 - 12:04:41 - - (RX-Q0) Verdict: Accepted 0, Dropped 0, Replaced 0
7/12/2017 - 12:04:41 - - This is Suricata version 3.2.4 RELEASE
7/12/2017 - 12:05:02 - - [ERRCODE: SC_ERR_EVENT_ENGINE (210)] - can not suppress sid 2011124, gid 1: unknown rule
7/12/2017 - 12:05:02 - - all 4 packet processing threads, 2 management threads initialized, engine started.
7/12/2017 - 12:05:08 - - rule reload starting
7/12/2017 - 12:05:22 - - [ERRCODE: SC_ERR_EVENT_ENGINE (210)] - can not suppress sid 2011124, gid 1: unknown rule
7/12/2017 - 12:05:22 - - rule reload complete
7/12/2017 - 12:05:22 - - rule reload starting
7/12/2017 - 12:05:37 - - [ERRCODE: SC_ERR_EVENT_ENGINE (210)] - can not suppress sid 2011124, gid 1: unknown rule
7/12/2017 - 12:05:37 - - rule reload complement

The journal “/var/log/suricata/eve.json-20171207” is also maintained:
{“timestamp”: “2017-12-07T00: 25: 32.858511 + 0300”, “flow_id”: 45646380175304, “event_type”: “alert”, “src_ip”: “85.172.1.12”, “src_port”: 80, " dest_ip “:” 192.168.41.203 “,” dest_port “: 54724,” proto “:” TCP “,” alert “: {” action “:” allowed “,” gid “: 1,” signature_id “: 2000419,” rev “: 22,” signature “:” ET POLICY PE EXE or DLL Windows file download “,” category “:” Potential Corporate Privacy Violation “,” severity ": 1}}


(Filippo Carletti) #6

evebox read /var/log/suricata/eve.json. Do you have that file?
If no, restart suricata and check it is created.
Then try to restart evebox.


(Igor) #7

Yes, the /var/log/suricata/eve.json log is in the list, it’s empty, or rather it does not even open, when you click on it, nothing happens.


(Michael Träumner) #8

Please have a look here:

https://github.com/NethServer/dev/issues/5370

@giacomo Is it the same problem?


(Igor) #9

The roles are all loaded and running.


(Michael Träumner) #10

Are you sure? I think minimum one rule doesn’t work, because your error message reports it’s unknown.


(Filippo Carletti) #11

No @m.traeumner, that error means that he has not activated a “special” rule which needs to be silenced on fax servers because of false alarms.
The rule:
http://doc.emergingthreats.net/2011124

If you enable that rule, you have to suppress it if the destination is the NethServer itself. If we don’t suppress it, ids logs will be full of false alerts if the fax server runs on nethserver.
I’m sorry, I can’t explain it better.
Summary: that error is common, it is harmless.
I never found a way to handle this problem better.
Hylafax uses a custom FTP protocol, that’s why the above rule causes false alarms.


Warning on suricata on start regarding some rules any idea?
(Igor) #12

I do not have a fax server installed. I have only these modules installed:

  • Backup
  • Bandwidth monitor
  • Basic firewall
  • Deep packet inspection (DPI)
  • Intrusion Prevention System
  • Russian language
  • Statistics
  • Web filter
  • Web proxy

Earlier Evebox showed normally that it blocked what it detected.
I still can not figure out the IPS, it sometimes blocks the VPN connection, and until I disconnect the IPS completely, I can not connect via VPN. VPN is software on another computer, to connect to it I use the redirection on a specific port.


(Joel Clendineng) #13

Thats a different issue…VPN. Explain more? host-host, client, etc. What is your vpn setup and what did you do to activate/deactivate? IPS is pretty straightforward, suricata just looks for patterns and blocks based on patterns. Are you fully updated? Did you try removing ips, rebooting, and reinstalling? If you are referring to the SID error that is ok, you do not have to worry about it like @filippo_carletti said. I have everything turned on under IPS but “Policy” because it blocks nextcloud. My VPN works fine with no issues, so maybe you can tell us more about your VPN setup.


(Igor) #14

There is a server running Windows Server 2003 running SoftEther VPN Server. People connect to me using SoftEther VPN Client. The connection procedure is as follows:
Customers run the SoftEther VPN Client program, this program tries to connect to me at my static IP address and a specific port. To connect, I use “port forwarding” in NethServer, certain people are redirected to a computer running Windows Server 2003. When connected, they are assigned IP by using the DHCP server installed on the domain controller running Windows Server 2008.
IPS and rebooted, and reinstalled. Re-installed via the Web interface. The most interesting is that when I reinstalled the IPS, all the roles that I configured have been preserved. Thought they would fold.


(Igor) #15

I tried to remove and reinstall Suricata and Evebox through the command line. When deleting, here are the errors that have appeared:


Is it critical?


(Michael Träumner) #16

For me it seems to be an info only, saved a copy of the config files before deleting them.


(Joel Clendineng) #17

Thats fine, just letting you know its saving important files as a backup. Eve box will not present all statistics, make sure you went into “IPS” and make sure every category is set to “Block”, that is the only way it will show. Also in Evebox you can go to the “Alert” tab and it will show you all the alerts, it will only show important ones on the main page, and only blocks/alerts set up in IPS.