Ticket #47 (closed defect: fixed)

Opened 10 years ago

Last modified 10 years ago

New hflow (1.99.26) seems to cause walleye to not display IDS alerts

Reported by: SJefferson
Owned by: rmcmillen
Priority: major
Milestone:
Component: Honeywall
Version: 1.4 Release
Keywords: hflow, walleye
Cc:

Description

After installing the new hflow rpm (hflow-1.99.26) via yum update, Walleye doesn't display IDS alerts (and possibly also Sebek information).

Change History

Changed 10 years ago by david

Having just checked my test nodes, I'm seeing the same lack of Snort IDS alerts in Walleye too (i.e. the alert count has been zero per hour/day since the hflow patch was installed). However, Sebek is working fine on my systems (i.e. logging into my own honeypot via SSH generated the expected attack trees and keystroke logs in Walleye).

Changed 10 years ago by rmcmillen

  • owner changed from rob to rmcmillen
  • status changed from new to assigned

Rebuilt the rpm to fix Ticket #47 and incremented the Release number (1.99.26-2). Accidentally left a bad snort.conf in the package directory. Previous snort.conf restored. The bad snort.conf I had in the package had most of the rule includes in snort.conf commented out, thereby resulting in the lack of alerts. Apologies.

Currently testing new hflow rpm prior to upload to honeynet repository.
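
The root cause described in the comment above (a packaged snort.conf with its rule includes commented out) is cheap to catch before an rpm is uploaded. The script below is an added example and is not part of the hflow package or the Honeywall project; the two sample snort.conf files it writes are constructed, the `$RULE_PATH` include form is assumed to be what the shipped config uses, and the minimum number of active includes is an assumption a packager would set from the real file.

```shell
#!/bin/sh
# Pre-upload sanity check for a snort.conf: count the rule "include" lines that
# are actually active and fail if most of them have been commented out.
# Added example, not hflow/Honeywall project code. Sample files are constructed.

count_active_rule_includes() {
    # Count lines of the form "include $RULE_PATH/<file>.rules" that are not
    # behind a "#". awk always exits 0, so a count of zero is still printed.
    awk '/^[ \t]*include[ \t]+[$]RULE_PATH\//{n++} END{print n+0}' "$1"
}

check_snort_conf() {
    # Returns 1 when the file has fewer than $2 active rule includes.
    # $2 is an assumed threshold; set it from the number of includes the real
    # shipped snort.conf is expected to carry.
    conf=$1
    min=${2:-10}
    n=$(count_active_rule_includes "$conf")
    if [ "$n" -lt "$min" ]; then
        echo "FAIL: $conf has only $n active rule include(s), expected at least $min" >&2
        return 1
    fi
    echo "OK: $conf has $n active rule include(s)"
    return 0
}

make_samples() {
    # Constructed stand-ins for the good and the bad snort.conf.
    dir=${1:-.}
    cat > "$dir/snort.conf.good" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/web-iis.rules
EOF
    cat > "$dir/snort.conf.bad" <<'EOF'
var RULE_PATH /etc/snort/rules
# include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/exploit.rules
# include $RULE_PATH/scan.rules
include $RULE_PATH/web-iis.rules
EOF
}

# Stand-alone demo: build the constructed samples and check both files.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_snort_conf "$demo_dir/snort.conf.good" 3
check_snort_conf "$demo_dir/snort.conf.bad" 3 || echo "(expected failure for the bad file)"
rm -rf "$demo_dir"
```

Run as `check_snort_conf path/to/snort.conf <min>` against the file in the package directory before `rpmbuild`, or against the installed config after `yum update`, so a commented-out rule set is noticed immediately rather than from an hourly alert count of zero.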

Changed 10 years ago by rmcmillen

  • status changed from assigned to closed
  • resolution set to fixed

New rpm (hflow-1.99.26-2) seems to work properly. It is now uploaded to the repository. To update, execute 'yum update' from the honeywall, logged in as root.
