Recovering from Suricata Gone Wild
Recently I tried interacting with one of my lab Security Onion sensors running the Suricata IDS. I found the Sguil server was taking a really long time to offer services on port 7734 TCP. Since I hadn't worked with this lab system in a while, I guessed that there might be too many uncategorized events in the Sguil database. I dusted off an old blog post titled "More Snort and Sguil Tuning" from 2006 and took a look at the system.

First I stopped the NSM applications on the server.

    sudo service nsm stop
    Stopping: securityonion
      * stopping: sguil server                               [ OK ]
    Stopping: HIDS
      * stopping: ossec_agent (sguil)                        [ OK ]
    Stopping: Bro
    stopping ds61so-eth1-1 ...
    stopping proxy ...
    stopping manager ...
    Stopping: ds61so-eth1
      * stopping: netsniff-ng (full packet data)             [ OK ]
      * stopping: pcap_agent (sguil)                         [ OK ]
      * stopping: snort_agent (sguil)                        [ OK ]
      * stoppi
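The "too many uncategorized events" suspicion can be confirmed before anything is stopped or deleted: time how long sguild takes to accept a connection on 7734/tcp, and if it is slow, count the backlog in the database. The script below is an added example, not code from the original post or from Security Onion. It assumes the Sguil database is named `sguildb`, that its `event` table marks uncategorized (real-time) events with `status = 0` (the stock Sguil schema, but verify on your own install), and that `nc` and the `mysql` client are on the sensor; the 30-second and 100,000-event thresholds are arbitrary starting points.

```shell
#!/bin/sh
# Added example: check whether a slow sguild listener is explained by a large
# backlog of uncategorized events. Assumptions are marked inline.

SGUIL_HOST="${SGUIL_HOST:-127.0.0.1}"   # sguild listener; assumption: checked from the sensor itself
SGUIL_PORT=7734                         # port from the post
SLOW_AFTER=30                           # seconds before we call the listener "slow" (assumed threshold)
BACKLOG_LIMIT=100000                    # uncategorized events before we blame the backlog (assumed threshold)

# Seconds until sguild completes a TCP handshake; -1 if nothing answered within 120s.
# nc -z only connects and disconnects, it sends no Sguil protocol data.
sguil_connect_seconds() {
    start=$(date +%s)
    if nc -z -w 120 "$SGUIL_HOST" "$SGUIL_PORT" 2>/dev/null; then
        echo $(( $(date +%s) - start ))
    else
        echo -1
    fi
}

# True (exit 0) when the connect took longer than the limit or failed outright.
latency_is_slow() {
    secs=$1; limit=$2
    [ "$secs" -lt 0 ] || [ "$secs" -gt "$limit" ]
}

# Count uncategorized events. status = 0 for uncategorized is an assumption
# about the Sguil schema; check it against your sguildb before relying on it.
count_uncategorized() {
    mysql -N -e 'SELECT COUNT(*) FROM event WHERE status = 0;' sguildb 2>/dev/null
}

# True (exit 0) when the uncategorized count exceeds the limit.
backlog_is_large() {
    count=$1; limit=$2
    [ "$count" -gt "$limit" ]
}

main() {
    secs=$(sguil_connect_seconds)
    if latency_is_slow "$secs" "$SLOW_AFTER"; then
        echo "sguild on $SGUIL_HOST:$SGUIL_PORT slow or not answering (${secs}s); checking event backlog"
        n=$(count_uncategorized)
        n=${n:-0}
        if backlog_is_large "$n" "$BACKLOG_LIMIT"; then
            echo "$n uncategorized events in sguildb: categorize or prune them before restarting NSM"
        else
            echo "$n uncategorized events; backlog does not explain the delay, look elsewhere"
        fi
    else
        echo "sguild accepted a connection in ${secs}s"
    fi
}

main "$@"
```

Run it as `sh sguil_backlog_check.sh` on the sensor while the services are still up. A connect that completes quickly but a console that still hangs points at the Sguil protocol handshake or the client, not the listener; a large count from the last query is the signal to go through the tuning steps from the 2006 post.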