Monday, 8 December 2014

Fix DistributionNotFound error argparse>=1.1.0 in elasticsearch-curator installation

I wanted to install the elasticsearch-curator package (ver. 2.0.2) on my CentOS machine to manage my old Elasticsearch (ver. 1.2.0) indices. I encountered the following weird error while installing:

$ curator --version
Traceback (most recent call last):
  File "/usr/bin/curator", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 2655, in <module>
    working_set.require(__requires__)
  File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 648, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 546, in resolve
    raise DistributionNotFound(req)
pkg_resources.DistributionNotFound: argparse>=1.1.0

After searching on Google, it became apparent that this error is peculiar to CentOS/RHEL variants only!

Finally, I found a way: uninstall the existing installation and then re-install:

$ sudo pip uninstall argparse
$ sudo pip uninstall elasticsearch
$ sudo pip uninstall elasticsearch-curator
$ sudo pip install argparse
$ sudo pip install elasticsearch
$ sudo pip install elasticsearch-curator

Not a perfect way to solve the issue... But still, the
This thread on github might be useful - https://github.com/elasticsearch/curator/issues/56

I found another reason for this type of error: it happens when the versions of the setuptools and distribute Python libraries on the system are old. So, update them using pip:

$ sudo pip install distribute --upgrade
$ sudo pip install setuptools --upgrade


Tuesday, 28 October 2014

Linux socket monitor - monitor network sockets

Earlier, I used to monitor the network connections of my Linux machine using the netstat and ss utilities. Recently, I came across the "Linux socket monitor" (LSM) utility from R-fx Networks (https://www.rfxn.com/) and installed it on my PC.

"Linux socket monitor" (LSM) monitors the network sockets on a Linux machine and sends you a mail whenever any change occurs. For example, on a web server you have opened the following ports:

 apache:80
 ssh:22

When you suddenly see a new listening port, you have to be suspicious. It could be due to either:
  • a new service having been configured and installed, or
  • the server having been infected by a malicious script that in turn opens a new network socket.

This is where Linux socket monitor comes into the picture. It records a 'baseline' so it knows which connections are normally open, and notifies you when a new network socket is opened.

The installation of Linux socket monitor is simple. Follow these steps on the Linux machine's console:
[root@psj ~]# wget -c http://www.rfxn.com/downloads/lsm-current.tar.gz
[root@psj ~]# tar -xzvf lsm-current.tar.gz
[root@psj ~]# cd lsm-0.6/
[root@psj lsm-0.6]# ./install.sh
.: LSM installed
Install path:    /usr/local/lsm
Config path:     /usr/local/lsm/conf.lsm
Executable path: /usr/local/sbin/lsm
LSM version 0.6 <lsm@r-fx.org>
Copyright (C) 2004, R-fx Networks
              2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL

generated base comparison files
[root@psj ~]# vim /usr/local/lsm/conf.lsm

Change the e-mail address that receives the notifications:
USER="email@mymail.com"    # Alert email address

LSM is run from cron every 10 minutes, so every 10 minutes your system is checked for any new network sockets.

LSM can be extended to include process information; more details are available here - http://www.dynamicnet.net/2012/09/extending-linux-socket-monitor/
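The baseline-and-compare idea LSM implements, written out as a small POSIX shell script. This is an added example and not LSM's own code; the baseline path and the `ss -lntu` output format are assumptions, and the sample ss output is constructed so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of LSM): record a baseline of listening sockets and
# report anything that appeared or disappeared since. Baseline path is assumed.
BASELINE="${BASELINE:-/var/tmp/listen-baseline.txt}"

# Normalise `ss -lntu` output (on stdin) to one "proto local-address:port"
# line per socket; the header line starts with "Netid" and is skipped.
normalise_ss() {
    awk '$1 != "Netid" && NF >= 5 { print $1, $5 }' | LC_ALL=C sort -u
}

# $1 = baseline file, $2 = current file (both produced by normalise_ss).
# Lines only in the current file are NEW listeners; lines only in the
# baseline are GONE. comm needs both inputs sorted the same way (C locale).
diff_sockets() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/NEW  /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/GONE /'
}

# Constructed `ss -lntu` output standing in for a live call.
sample_baseline() {
    printf '%s\n' \
      'Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
      'tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*' \
      'tcp   LISTEN 0      511                *:80              *:*'
}

# Same host a few minutes later, with one extra listener (constructed).
sample_current() {
    sample_baseline
    printf '%s\n' 'tcp   LISTEN 0      128          0.0.0.0:8081      0.0.0.0:*'
}

# Live use from cron (e.g. every 10 minutes, like LSM):
#   ss -lntu | normalise_ss > "$BASELINE"                # once, record baseline
#   ss -lntu | normalise_ss > /tmp/now.$$ && diff_sockets "$BASELINE" /tmp/now.$$
# and pipe any non-empty result into `mail -s "new socket" root`.
demo() {
    tmp=$(mktemp -d)
    sample_baseline | normalise_ss > "$tmp/base"
    sample_current  | normalise_ss > "$tmp/now"
    diff_sockets "$tmp/base" "$tmp/now"
    rm -rf "$tmp"
}
```

demo prints "NEW  tcp 0.0.0.0:8081" for the constructed data; a real run replaces the sample functions with `ss -lntu`.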

Monday, 27 October 2014

Snort compilation errors - error while loading shared libraries: libdnet.1 and libsfbpf.so.0

While compiling Snort from source, you will often encounter the following errors:

 error while loading shared libraries: libdnet.1:

Do this to get rid of the error:

#cp /usr/local/lib/libdnet.1.0.1 /usr/local/lib/libdnet.so.1.0.1
#/sbin/ldconfig

If this does not help, try this:
#ln -sf /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
#/sbin/ldconfig

If that still does not help,
#LD_LIBRARY_PATH=/usr/local/lib
#export LD_LIBRARY_PATH

Another error that is encountered is:

error while loading shared libraries: libsfbpf.so.0: cannot open shared object file: No such file or directory

To get rid of this error, do:
#/sbin/ldconfig

If this does not help, add '/usr/local/lib' to '/etc/ld.so.conf'

Finally, test the Snort instance:
#snort -c /etc/snort.conf -T

These solutions have been tested on CentOS/SL variants and work well.
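A small diagnostic for the loader errors above, added here and not taken from the post or from Snort: it lists which libraries the runtime linker cannot resolve and checks whether a directory such as /usr/local/lib is already in the linker's persistent search configuration. Adding the directory to ld.so.conf (then running ldconfig) is preferable to exporting LD_LIBRARY_PATH, which only affects the current shell and is not inherited by a daemon started from init. The ldd output and the scratch ld.so.conf used in demo are constructed.

```shell
#!/bin/sh
# Added example (not from the post): diagnose "cannot open shared object file"
# for a freshly built binary and make the library directory fix persistent.

# Parse `ldd` output on stdin and print the libraries marked "not found".
# The "not found" line looks like:   libdnet.1 => not found
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# Same, for a binary on disk. Note: ldd may run the binary's ELF interpreter,
# so use it only on binaries you built or trust (e.g. /usr/local/bin/snort).
missing_libs() {            # $1 = path to binary
    ldd "$1" 2>/dev/null | missing_from_ldd
}

# Is directory $1 listed in $2 (an ld.so.conf) or in its ld.so.conf.d/*.conf?
libdir_configured() {       # $1 = dir, $2 = path to ld.so.conf
    cat "$2" "$(dirname "$2")"/ld.so.conf.d/*.conf 2>/dev/null | grep -qx "$1"
}

# Append $1 to $2 unless already present; returns 1 if nothing was changed.
# The linker cache is only rebuilt when /sbin/ldconfig is run afterwards.
add_libdir() {              # $1 = dir, $2 = path to ld.so.conf
    if libdir_configured "$1" "$2"; then
        echo "$1 already configured in $2"; return 1
    fi
    printf '%s\n' "$1" >> "$2"
    echo "$1 added to $2; now run /sbin/ldconfig"
}

# Offline demo: constructed ldd output and a scratch ld.so.conf.
demo() {
    conf=$(mktemp)
    printf '%s\n' 'include ld.so.conf.d/*.conf' > "$conf"
    printf '%s\n' '  linux-vdso.so.1 =>  (0x00007fff12345000)' \
                  '  libdnet.1 => not found' \
                  '  libsfbpf.so.0 => not found' \
                  '  libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)' | missing_from_ldd
    add_libdir /usr/local/lib "$conf"
    libdir_configured /usr/local/lib "$conf" && echo "/usr/local/lib is configured"
    rm -f "$conf"
}
```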

Reference links:
http://seclists.org/snort/2014/q1/221

Monday, 20 October 2014

How do I configure an inactivity timeout for the PuTTY client

Recently, I was flummoxed by the error "Network error: Connection timed out" in my PuTTY client, and finally solved the issue after a bit of Google searching. If you happen to be in a similar situation, the following instructions can be used to set an inactivity timeout for the PuTTY client.

  1. Open the PuTTY application window and navigate to the Options panel.
  2. Select Connection.
  3. On the right side of the panel, you will see option fields such as "Sending of null packets to keep session active", "Low-level TCP connection options" etc.
  4. In the field "Sending of null packets to keep session active", change the default value from 0 to, say, 1800 (30 minutes).
  5. Also, check the "Enable TCP keepalives (SO_KEEPALIVE option)" check box. This option may not be available in older versions of the PuTTY client.
  6. Then, select Session from the left-hand menu.
    1. For all new sessions:
      1. Select "Default Settings" in the "Load, save or delete a stored session" pane.
      2. Select "Save".
    2. For a new session with a particular host:
      1. In the "Host Name (or IP address)" field, enter the destination hostname.
      2. In the "Saved Sessions" box, enter a name for the session.
      3. Select "Save".

If you have access to the server, you can configure the ClientAliveInterval, TCPKeepAlive and ClientAliveCountMax options in the SSH daemon configuration file, which normally resides at /etc/ssh/sshd_config:

ClientAliveInterval 30
TCPKeepAlive yes
ClientAliveCountMax 99999

Do not forget to restart the SSH server for the changes to take effect.

# /etc/init.d/sshd restart

Sunday, 14 September 2014

Getting more information about Snort rules

Periodically, I need more information about a Snort IDS alert that I have found by looking in the logs. I find it tedious to look in the Snort manual for the details of the alert. Fortunately, Sourcefire (now Cisco!), the company behind Snort, provides an online option.

In every Snort alert there is a section that reads something like [3:15912:2]. This breaks down as [(detection mechanism):(signature ID):(signature revision)]. Using the SID (the middle number) you can find more information about most signatures.

If the number is less than 1000000, it is a Sourcefire rule. In this case you can get more information about the rule by going to https://www.snort.org/search?query=15912&submit_search=

If the number is between 1000000 and 2000000, it is a Snort community rule. In this case, the best source of information is the rule itself, which can be downloaded from the Community Rules page.

If the number is between 2000000 and 3000000, it comes from emergingthreats.net and you can get more information by going to http://doc.emergingthreats.net/bin/view/Main/<sid number> .

Finally, if the number is in the 6000000 to 7000000 range, it is a custom rule developed based upon patterns.
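The SID ranges above as a lookup helper for an alert line, added here as an example and not part of the post or of Snort: it pulls the [gid:sid:rev] tag out of an alert line and prints which rule source the SID belongs to and where to look it up. The sample alert line in the comment is constructed.

```shell
#!/bin/sh
# Added example (not from the post): classify a Snort [gid:sid:rev] tag by the
# SID ranges described above. GID 1 marks text rules and GID 3 shared-object
# rules; the SID decides the source. Usage: sid_lookup '<one alert line>'
sid_lookup() {
    # Extract "gid sid rev" from the first [digits:digits:digits] tag.
    tag=$(printf '%s\n' "$1" |
          sed -n 's/.*\[\([0-9][0-9]*\):\([0-9][0-9]*\):\([0-9][0-9]*\)\].*/\1 \2 \3/p')
    [ -n "$tag" ] || { echo "no [gid:sid:rev] tag found"; return 1; }
    set -- $tag
    gid=$1; sid=$2; rev=$3

    if   [ "$sid" -lt 1000000 ]; then
        src="Sourcefire rule"
        where="https://www.snort.org/search?query=$sid&submit_search="
    elif [ "$sid" -lt 2000000 ]; then
        src="Snort community rule"
        where="download the Community Rules and read the rule text"
    elif [ "$sid" -lt 3000000 ]; then
        src="Emerging Threats rule"
        where="http://doc.emergingthreats.net/bin/view/Main/$sid"
    elif [ "$sid" -ge 6000000 ] && [ "$sid" -lt 7000000 ]; then
        src="custom rule"
        where="see your local rules file"
    else
        src="unknown SID range"
        where="no known source for this range"
    fi
    printf 'gid=%s sid=%s rev=%s: %s, %s\n' "$gid" "$sid" "$rev" "$src" "$where"
}

# Constructed alert line, e.g. from /var/log/snort/alert:
#   sid_lookup '12/08-10:15:22.123456 [**] [3:15912:2] EXAMPLE ALERT [**]'
# prints: gid=3 sid=15912 rev=2: Sourcefire rule, https://www.snort.org/search?query=15912&submit_search=
```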