This repository was archived by the owner on Apr 16, 2021. It is now read-only.

NSM: cron job to check if netsniff-ng is recording with a date other than today #1117

@dougburks

Problem

Suppose Security Onion is installed in a VM and that VM is suspended today. Tomorrow, that VM is resumed. The VM may then update its OS date/time, either via NTP or virtualization tools. If that happens, then there is a mismatch because netsniff-ng is still writing pcap to a directory with the previous date on it. Attempting to pivot to pcap from Sguil/Squert/ELSA/Kibana will then fail.

Proposed Solution

Create a cron job that runs every minute. That cron job checks to see if:

  • netsniff-ng is enabled
  • netsniff-ng is running
  • netsniff-ng is writing to a date other than today's date

If all of the conditions above are true, then restart netsniff-ng so that it will start writing to today's date, and log to a file that this corrective action was executed.
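The check described above, as an added POSIX shell example (not Security Onion's own code): it parses the date directory out of the running netsniff-ng command line and compares it with today's date before restarting and logging. It assumes netsniff-ng is started with `-o <dir>/YYYY-MM-DD`; the enabled-flag file, log path and restart command are placeholders.

```shell
#!/bin/sh
# Added example, not Security Onion code. Assumes netsniff-ng was started with
# "-o <dir>/YYYY-MM-DD" (date directory last); other paths are placeholders.

# Print the YYYY-MM-DD directory a netsniff-ng command line writes to,
# or nothing if no -o argument with a date-named directory is present.
pcap_dir_date() {
    printf '%s\n' "$1" \
        | sed -n 's/.* -o[= ]*\([^ ]*\).*/\1/p' \
        | sed 's:/*$::' \
        | awk -F/ '{ print $NF }' \
        | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$'
}

# True (exit 0) when the capture directory's date differs from today.
# $1 = netsniff-ng command line, $2 = today's date (defaults to date +%F).
capture_date_is_stale() {
    today=${2:-$(date +%F)}
    d=$(pcap_dir_date "$1")
    [ -n "$d" ] && [ "$d" != "$today" ]
}

# Cron entry point: all three conditions must hold before acting.
check_and_restart() {
    enabled_file=${ENABLED_FILE:-/etc/nsm/pcap.enabled}     # placeholder
    logfile=${LOGFILE:-/var/log/nsm/pcap-date-check.log}    # placeholder
    [ -f "$enabled_file" ] || return 0                       # 1. enabled?
    cmd=$(pgrep -a -x netsniff-ng | head -n 1)               # 2. running?
    [ -n "$cmd" ] || return 0
    if capture_date_is_stale "$cmd"; then                    # 3. stale date?
        printf '%s netsniff-ng writing to %s, restarting\n' \
            "$(date -u +%FT%TZ)" "$(pcap_dir_date "$cmd")" >> "$logfile"
        ${RESTART_CMD:-echo restart-placeholder}             # placeholder
    fi
}
```

Run `check_and_restart` from the every-minute cron entry; a date directory that is absent or malformed is treated as not stale, so a one-off parse failure never triggers a restart.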
