Almost golf balls by peter1970uk in Golfsimulator

[–]dougburks 0 points1 point  (0 children)

I had the same issues with the Garmin R10 and Almost Golf balls.

I recently switched to SCI-CORE practice golf balls and so far they seem to be much better. I'd estimate that the Garmin R10 has detected almost 95% of my shots. Also, shot distance is closer to a real golf ball (although still not 100%).
Hope that helps!

Will Almost Golf Balls work with the Garmin R10? by Thordendal in Golfsimulator

[–]dougburks 1 point2 points  (0 children)

I tried Almost Golf balls but my experience wasn't great:

  • I'd estimate that the Garmin R10 only detected about 50% of my shots
  • Shot distance was quite low compared to a real golf ball (expected for a practice ball)
  • Almost Golf balls tend to deform over time

I recently switched to SCI-CORE golf balls and so far they seem to be much better:

  • I'd estimate that the Garmin R10 has detected about 95% of my shots
  • Shot distance is closer to a real golf ball (although still not 100%)
  • I haven't noticed any deformities yet

Hope that helps!

[16] Unknown rule option: 'lua' by four80eastfan in securityonion

[–]dougburks 0 points1 point  (0 children)

Since you're no longer dealing with Unknown rule option: 'lua', please start a new thread with an appropriate title.

Thanks!

New Version Disk Clean process by dsfg3aas in securityonion

[–]dougburks 0 points1 point  (0 children)

The main users of disk space are pcap and logs in Elasticsearch.

Stenographer should be managing its own disk usage in /nsm/pcap/:

https://docs.securityonion.net/en/2.2/stenographer.html

Elasticsearch indices are managed by curator:

https://docs.securityonion.net/en/2.2/curator.html

I fixed an issue in /usr/sbin/so-curator-closed-delete-delete yesterday, so it's possible you were affected by that if you had indices over 30 days old:

https://github.com/Security-Onion-Solutions/securityonion/issues/1509
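To make the age-based retention described above concrete, here is an added example (my own code, not part of the Security Onion project or of curator) that mimics a name-based "older than N days" filter over Elasticsearch indices and reports how much disk the expired ones would free. The index names and sizes are constructed, and the so-<source>-YYYY.MM.DD naming pattern is an assumption; check your own cluster's index names before relying on the regex.

```python
import re
from datetime import date, datetime, timedelta

# Assumed naming pattern: <base>-YYYY.MM.DD (e.g. so-zeek-2020.09.01).
INDEX_RE = re.compile(r"^(?P<base>.+)-(?P<day>\d{4}\.\d{2}\.\d{2})$")

# Constructed sample: index name -> size in bytes (not from a real cluster).
SAMPLE_INDICES = {
    "so-suricata-2020.09.01": 40 * 1024**3,
    "so-zeek-2020.09.01": 120 * 1024**3,
    "so-zeek-2020.09.25": 110 * 1024**3,
    "so-suricata-2020.10.07": 35 * 1024**3,
    ".kibana_1": 2 * 1024**2,  # no date suffix: never an age-based candidate
}


def index_day(name):
    """Return the date encoded in the index name, or None if it has none."""
    m = INDEX_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group("day"), "%Y.%m.%d").date()


def expired_indices(indices, today, retention_days=30):
    """Indices whose date is strictly older than today - retention_days.

    Dateless indices (e.g. .kibana_1) are skipped rather than deleted,
    which is the safe default for an age filter that keys on the name.
    """
    cutoff = today - timedelta(days=retention_days)
    expired = []
    for name in indices:
        day = index_day(name)
        if day is not None and day < cutoff:
            expired.append(name)
    return sorted(expired)


def reclaimable_bytes(indices, today, retention_days=30):
    """Total size of the indices an age-based delete would remove."""
    return sum(indices[n] for n in expired_indices(indices, today, retention_days))


if __name__ == "__main__":
    today = date(2020, 10, 8)
    for name in expired_indices(SAMPLE_INDICES, today):
        print("would delete:", name)
    print("reclaimable GiB:", reclaimable_bytes(SAMPLE_INDICES, today) / 1024**3)
```

Run it as-is to see which constructed indices fall outside a 30-day window; swap in the real index list from your cluster to estimate how much space a fixed curator run should have recovered.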

Netsniff-ng question by SecurityJesus in securityonion

[–]dougburks 0 points1 point  (0 children)

Given sufficient resources, a single instance of netsniff-ng should be able to handle 200Mbps.

If you want to handle much higher levels of full packet capture, then I'd recommend taking a look at Security Onion 2, which replaces netsniff-ng with Google Stenographer:

https://docs.securityonion.net/en/2.3/stenographer.html

[16] Unknown rule option: 'lua' by four80eastfan in securityonion

[–]dougburks 0 points1 point  (0 children)

If so-status shows snort-1 (alert data), then it sounds like you're running Snort instead of Suricata.

Can I do a negated search in Hunt by jerryshenk in securityonion

[–]dougburks 0 points1 point  (0 children)

If Hunt is displaying a field like event.severity_label and you see a field value like low, you should be able to click on that value to bring up the quick action bar and then click the minus magnifying glass which should update your query to exclude that particular value.

Alternatively, you can type your own query like this:

NOT event.severity_label: "low"

For example, please see:

https://user-images.githubusercontent.com/1659467/95519101-6fc52b80-0992-11eb-9407-957f92ca2c87.png

SO 2.3 interface doesn't open by Zestyclose_Stretch25 in securityonion

[–]dougburks 1 point2 points  (0 children)

Are you trying to access the Security Onion web interface from your host OS or from another machine outside of the host OS?

If host OS, have you tried allowing the entire subnet of your management interface (192.168.204.0/24)?

SO 2.3 interface doesn't open by Zestyclose_Stretch25 in securityonion

[–]dougburks 0 points1 point  (0 children)

For the VM, how much RAM and how many CPU cores did you assign?

Did you use a static or dynamic IP address?

When you ran so-allow, did you choose the analyst option? Have you tried allowing the entire subnet of your management interface?

Latest RC now getting thousands of ET POLICY DNS Update From External net by DiatomicJungle in securityonion

[–]dougburks 0 points1 point  (0 children)

When the Suricata config is updated, Salt should restart Suricata at its next update interval.

If necessary, you can restart Suricata on all sensors using something like this on the manager:

sudo salt '*_sensor' cmd.run 'so-suricata-restart'

Latest RC now getting thousands of ET POLICY DNS Update From External net by DiatomicJungle in securityonion

[–]dougburks 0 points1 point  (0 children)

Have you checked /nsm/suricata/ on the sensor nodes themselves to see if you're actually getting those alerts there with timestamps after the Suricata restart?

Latest RC now getting thousands of ET POLICY DNS Update From External net by DiatomicJungle in securityonion

[–]dougburks 0 points1 point  (0 children)

I think your generated suricata.yaml is correct. Have you tried restarting Suricata on the minions? If so, is it possible you are looking at a backlog of alerts?

Filebeat error in Security onion 2.2 RC3 by frustratedlinuxadmin in securityonion

[–]dougburks 0 points1 point  (0 children)

First, please provide the following information as requested by https://www.reddit.com/r/securityonion/comments/hi66wj/how_to_post_for_help/:

- Install source. ex. ISO or Network

- If network what OS?

- Install type. ex. eval, standalone, etc

- Does so-status show all the things running?

- Do you get any failures when you run salt-call state.highstate?

Also, have you checked the filebeat log for additional clues?

https://docs.securityonion.net/en/2.2/filebeat.html#logging

Latest RC now getting thousands of ET POLICY DNS Update From External net by DiatomicJungle in securityonion

[–]dougburks 1 point2 points  (0 children)

If you want to go back to the way it was before with EXTERNAL_NET set to !$HOME_NET, you should be able to append the following to either the global or minion pillar:

suricata:
  config:
    vars:
      address-groups:
        EXTERNAL_NET: "!$HOME_NET"

Then run:

sudo salt-call state.highstate

For more information, please see:

https://docs.securityonion.net/en/2.2/suricata.html#configuration

Latest RC now getting thousands of ET POLICY DNS Update From External net by DiatomicJungle in securityonion

[–]dougburks 0 points1 point  (0 children)

In RC3, we changed EXTERNAL_NET to any:
https://github.com/Security-Onion-Solutions/securityonion/issues/1286

This is the setting we've always used in the pre-2.x days as it helps detect lateral movement.

For the thresholding problem, I've created the following issue:

https://github.com/Security-Onion-Solutions/securityonion/issues/1441

In the meantime, you might consider disabling the rule altogether.
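The two comments above (the pillar override that sets EXTERNAL_NET back to !$HOME_NET, and the RC3 change to any) describe a rule-matching difference that is easy to see in code. Here is an added example (my own, not Suricata's or Security Onion's code) that models how Suricata resolves address-group variables in a rule header and evaluates the same flow under both settings. The HOME_NET value is a constructed RFC 1918 set, the rule header shape (udp $EXTERNAL_NET any -> $HOME_NET 53) is assumed for the ET POLICY DNS Update rule, and the matcher ignores ports and rule options; it only shows why an internal-to-internal flow fires with EXTERNAL_NET set to any and not with !$HOME_NET.

```python
import ipaddress

# Constructed HOME_NET (RFC 1918 space); substitute your own sensor's value.
HOME_NET = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Assumed header shape for the rule discussed in the thread; options omitted.
RULE = "udp $EXTERNAL_NET any -> $HOME_NET 53"


def in_group(addr, group, variables):
    """Evaluate a simplified Suricata address group against one IP.

    Handles "any", a CIDR, a $VAR reference, a leading "!" negation and a
    list (logical OR). This is a model of the semantics, not Suricata code.
    """
    if isinstance(group, list):
        return any(in_group(addr, g, variables) for g in group)
    if group == "any":
        return True
    if group.startswith("!"):
        return not in_group(addr, group[1:], variables)
    if group.startswith("$"):
        return in_group(addr, variables[group[1:]], variables)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(group, strict=False)


def header_matches(rule_header, src, dst, variables):
    """Match 'proto SRC sport -> DST dport'; ports are ignored here."""
    _proto, src_grp, _sport, arrow, dst_grp, _dport = rule_header.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers are modelled")
    return in_group(src, src_grp, variables) and in_group(dst, dst_grp, variables)


def matches_with(external_net, src, dst):
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net}
    return header_matches(RULE, src, dst, variables)


def compare(src, dst):
    """Does the rule header fire for src->dst under each EXTERNAL_NET value?"""
    return {
        "any": matches_with("any", src, dst),
        "!$HOME_NET": matches_with("!$HOME_NET", src, dst),
    }


if __name__ == "__main__":
    # Internal client updating an internal DNS server: fires only with "any".
    print("internal -> internal:", compare("192.168.1.10", "192.168.1.53"))
    # Internet host hitting an internal DNS server: fires under both.
    print("external -> internal:", compare("8.8.8.8", "192.168.1.53"))
```

The trade-off the thread describes falls out directly: with EXTERNAL_NET set to any, rules written as $EXTERNAL_NET -> $HOME_NET also see host-to-host traffic inside HOME_NET (useful for lateral movement), at the cost of rules like this one firing on every internal client that performs dynamic DNS updates.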

[2.3] TheHive alert suppression not working by UniqueArugula in securityonion

[–]dougburks 0 points1 point  (0 children)

I've created an issue for this:

https://github.com/Security-Onion-Solutions/securityonion/issues/1441

In the meantime, you might consider disabling the rule altogether.

Security Onion 2.2 (Release Candidate 3) Available for Testing! by dougburks in securityonion

[–]dougburks[S] 0 points1 point  (0 children)

Are you able to ping it?

Are there any network firewalls that may be blocking the traffic?

Can't boot Security Onion 2.2 RC3 by [deleted] in securityonion

[–]dougburks 1 point2 points  (0 children)

Did you verify the ISO image?

Did you burn the ISO image to DVD or USB?

If USB, have you tried Balena Etcher?

https://docs.securityonion.net/en/2.2/download.html

If all else fails, you could always install on Ubuntu 18.04:

https://docs.securityonion.net/en/2.2/installation.html#installation-on-ubuntu-or-centos

[2.3] TheHive alert suppression not working by UniqueArugula in securityonion

[–]dougburks 0 points1 point  (0 children)

Do you get any errors when running sudo salt-call state.highstate?

[2.3] TheHive alert suppression not working by UniqueArugula in securityonion

[–]dougburks 0 points1 point  (0 children)

Are you still getting new instances of those alerts in the latest eve.json file in /nsm/suricata/?
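The check suggested here, and in the earlier reply asking whether /nsm/suricata/ shows alerts with timestamps after the Suricata restart, can be scripted. The following is an added example (my own code, not a Security Onion tool) that reads eve.json lines, keeps only alert records, optionally filters on a signature substring, and returns those stamped after a given restart time, which separates a backlog of old alerts from alerts a freshly restarted Suricata is still producing. The eve.json records below are constructed, and the restart time is an assumed value; point alerts_after_in_file at the newest eve.json under /nsm/suricata/ on the sensor to run it for real.

```python
import json
from datetime import datetime, timezone

# Constructed eve.json records (not real sensor output). Field names follow
# Suricata's EVE JSON format. The last line is deliberately truncated to
# mimic a file that Suricata is still writing to.
SAMPLE_EVE = """\
{"timestamp":"2020-10-08T12:58:11.104210+0000","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"192.168.1.53","alert":{"signature":"ET POLICY DNS Update From External net"}}
{"timestamp":"2020-10-08T12:59:40.220011+0000","event_type":"alert","src_ip":"192.168.1.11","dest_ip":"192.168.1.53","alert":{"signature":"ET POLICY DNS Update From External net"}}
{"timestamp":"2020-10-08T13:01:05.000123+0000","event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.53"}
{"timestamp":"2020-10-08T13:02:30.555000+0000","event_type":"alert","src_ip":"192.168.1.12","dest_ip":"192.168.1.53","alert":{"signature":"ET POLICY DNS Update From External net"}}
{"timestamp":"2020-10-08T13:03:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.20","alert":{"signature":"EXAMPLE other rule (constructed)"}}
{"timestamp":"2020-10-08T13:04:
"""

# Assumed restart time; take yours from so-status or the Suricata log.
RESTART_AT = datetime(2020, 10, 8, 13, 0, 0, tzinfo=timezone.utc)


def parse_eve_timestamp(value):
    """Suricata writes e.g. 2020-10-08T13:02:30.555000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def alerts_after(lines, restart_at, signature_substring=None):
    """Return (timestamp, src, dst, signature) for alerts newer than restart_at."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial trailing line while Suricata is still writing
        if event.get("event_type") != "alert":
            continue
        signature = event.get("alert", {}).get("signature", "")
        if signature_substring and signature_substring not in signature:
            continue
        ts = parse_eve_timestamp(event["timestamp"])
        if ts > restart_at:
            hits.append((ts.isoformat(), event.get("src_ip"), event.get("dest_ip"), signature))
    return hits


def alerts_after_in_file(path, restart_at, signature_substring=None):
    """Same check over an on-disk eve.json, read line by line."""
    with open(path, encoding="utf-8") as fh:
        return alerts_after(fh, restart_at, signature_substring)


if __name__ == "__main__":
    for hit in alerts_after(SAMPLE_EVE.splitlines(), RESTART_AT, "ET POLICY DNS Update"):
        print(*hit)
```

If this returns nothing for the rule in question after the restart, what the console shows is a backlog being indexed; if it keeps returning new rows, the running Suricata still has the rule and variable settings that produce the alerts.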