10-23-2017 10:10 AM - edited 10-23-2017 10:18 AM
Hi,
I have a couple of problems with MineMeld (on a VM from ova template).
1. I recently seem to have lost the ability to export a system backup (which was working until recently). In the log, I can see a bunch of "GET /jobs/status-backup/.....", but the actual download never starts.
[2017-10-23 16:12:19 UTC] [1971] [INFO] AUDIT - {"msg": null, "action": "POST /status/backup", "params": [["jsonbody", "{\"p\": \"password\"}"]], "user": "admin/luca.admin"}
[2017-10-23 16:12:19 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:19 +0000] "POST /status/backup?_=1508775151 HTTP/1.0" 200 55 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:19 UTC] [1971] [INFO] Executing job mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23c - ['/usr/bin/7z', 'a', '-ppassword', '-y', '/tmp/mm-local-backupn9IHT9.zip', '/opt/minemeld/local/prototypes', '/opt/minemeld/local/config'] cwd: /tmp/mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23cXTBsCU logfile: /opt/minemeld/log/mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23c.log
[2017-10-23 16:12:22 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:22 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:22 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775154 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:25 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:25 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:25 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775157 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:28 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:28 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:28 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775161 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:31 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:31 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:31 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775164 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:33 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
127.0.0.1 - - [23/Oct/2017:16:12:33 +0000] "GET /supervisor?_=1508775165 HTTP/1.0" 200 594 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:34 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
If I try a manual backup from SSH (ubuntu user), I get this (permission denied?):
ubuntu@minemeld:/tmp$ sudo service minemeld stop
 * Stopping: minemeld
minemeld-supervisord-listener: stopped
minemeld-traced: stopped
minemeld-engine: stopped
minemeld-web: stopped
[ OK ]
ubuntu@minemeld:/tmp$ tar -cvzf backup.tar.gz /opt/minemeld/local/config/ /opt/minemeld/local/prototypes/
tar: Removing leading `/' from member names
/opt/minemeld/local/config/
tar: /opt/minemeld/local/config/wlWhiteListIPv4_indicators.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/config/node-syslog-miner-local-30d_rules.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/config/committed-config.yml: Cannot open: Permission denied
/opt/minemeld/local/config/api/
/opt/minemeld/local/config/api/20-local.yml
/opt/minemeld/local/config/api/10-defaults.yml
tar: /opt/minemeld/local/config/api/50-api-users-attrs.yml: Cannot open: Permission denied
/opt/minemeld/local/config/api/wsgi.htpasswd
tar: /opt/minemeld/local/config/running-config.yml.1508772314: Cannot open: Permission denied
tar: /opt/minemeld/local/config/running-config.yml: Cannot open: Permission denied
tar: /opt/minemeld/local/config/running-config.yml.1508771982: Cannot open: Permission denied
tar: /opt/minemeld/local/config/node-syslog-miner-local-30d_rules.yml: Cannot open: Permission denied
tar: /opt/minemeld/local/config/committed-config.yml.copy: Cannot open: Permission denied
/opt/minemeld/local/config/traced/
/opt/minemeld/local/config/traced/traced.yml
tar: /opt/minemeld/local/config/wlWhiteListIPv4_indicators.yml: Cannot open: Permission denied
/opt/minemeld/local/prototypes/
tar: /opt/minemeld/local/prototypes/minemeldlocal.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/prototypes/minemeldlocal.yml: Cannot open: Permission denied
tar: Exiting with failure status due to previous errors
ubuntu@minemeld:/tmp$
2. I set up a panos syslog miner. It's working great for log_subtype = flood, but not at all for subtype vulnerability. I cannot get any vulnerability events to generate a hit on the corresponding rule(s). Very similar flood rules are working perfectly. Example of a rule that is not working:
conditions:
  - type == 'THREAT'
  - log_subtype == 'vulnerability'
  - severity == 'critical'
  - src_zone == 'WAN'
  - dst_zone == 'DMZ'
fields:
  - log_subtype
  - threat_name
indicators:
  - src_ip
Example of a rule that is working:
conditions:
  - type == "THREAT"
  - log_subtype == "flood"
  - severity == "critical"
  - src_zone == "WAN"
  - dest_zone == "DMZ"
  - action == "drop"
fields:
  - log_subtype
  - threat_name
indicators:
  - src_ip
I tried making the log_subtype vulnerability rules more specific, for instance by adding a threat name:
threat_name == 'Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)'
or an action:
action == 'block-ip'
Nothing has worked so far. I can see the events in the THREAT log that match the rules' conditions, but the rules are not picking those up. Any ideas?
10-26-2017 08:38 AM
Hi @LucaMarchiori,
the reason manual backup is failing is that you need to be the minemeld user to access some of those files, please try:
sudo -u minemeld tar -cvzf backup.tar.gz /opt/minemeld/local/config/ /opt/minemeld/local/prototypes/
In the directory /opt/minemeld/log you should find the logs of the backup jobs, could you check them to see if there is a clue about the cause of the failures?
Thanks,
luigi
10-25-2017 02:37 PM
Anyone? The only difference I can think of between the rules working / not working is that the flood rules hit a DoS policy, while the others just hit a security rule (allow) and are then dropped as critical vulnerabilities. Both types of events are logged in the same Panorama log profile.
10-26-2017 07:14 AM
Hi @LucaMarchiori,
1 - when you press EXPORT BACKUP, after some seconds you should see a window like this one; please click on "here" to download the encrypted zip file
2 - have you tried simplifying the rule (just type and log_subtype) to see if it is matched?
Thanks
10-26-2017 08:11 AM
Hi @lmori
That "Download backup" window just never appears. After clicking on the "Export Backup" button and typing the backup password, both the Export and Restore Backup buttons are grayed out, and stay like that until I click on a different tab and then back to System. I've waited over 10-15 minutes. I use Chrome (popup blocker is disabled for the site), but also tried Firefox.
As previously mentioned, manual backup fails as well.
I will try simplifying the vulnerability rules to see if I'm getting anywhere with that.
Thanks,
Luca
10-26-2017 08:47 AM - edited 10-26-2017 02:21 PM
Hi @lmori
Thanks for pointing me in the right direction. I think that the problem was I had manually created a copy of a config file. After deleting that file, export works just fine! A little (linux) knowledge... 🙂
Rule issue fixed as well... There was a typo (dst_zone) that got into some of the rules. "dest_zone" is the correct field.
Luca
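As an added illustration (not MineMeld's own code, config format or field list), this standalone Python checker shows why the `dst_zone` rule above could never fire: it parses conditions of the `field == 'value'` form quoted in the thread, flags condition fields the miner never populates, and evaluates both the typo rule and the corrected rule against a constructed THREAT event. The known-field set, the event values and the function names are assumptions made for this example.

```python
import re

# Field names used by the rules quoted in this thread. Constructed for this
# example; it is not MineMeld's field list, so adjust it to your miner.
KNOWN_FIELDS = {"type", "log_subtype", "severity", "src_zone", "dest_zone",
                "action", "threat_name", "src_ip"}

# Matches the  field == 'value'  /  field == "value"  form used in the thread.
COND_RE = re.compile(r"^\s*(\w+)\s*==\s*(['\"])(.*)\2\s*$")


def parse_condition(cond):
    """Split "field == 'value'" into (field, value); reject anything else."""
    m = COND_RE.match(cond)
    if not m:
        raise ValueError("unsupported condition syntax: %r" % cond)
    return m.group(1), m.group(3)


def lint_rule(rule):
    """Condition fields no event can ever carry, so the rule can never fire."""
    fields = {parse_condition(c)[0] for c in rule["conditions"]}
    return sorted(fields - KNOWN_FIELDS)


def rule_matches(rule, event):
    """A rule fires only when every condition equals the event's field."""
    return all(event.get(f) == v
               for f, v in map(parse_condition, rule["conditions"]))


def extract_indicators(rule, events):
    """Indicator values (here src_ip) pulled from the events a rule matches."""
    return [e[name] for e in events if rule_matches(rule, e)
            for name in rule["indicators"] if name in e]


# Constructed THREAT event shaped like the fields the thread's rules test.
EVENT = {"type": "THREAT", "log_subtype": "vulnerability",
         "severity": "critical", "src_zone": "WAN", "dest_zone": "DMZ",
         "action": "block-ip", "threat_name": "example-threat",
         "src_ip": "198.51.100.7"}

BASE = ["type == 'THREAT'", "log_subtype == 'vulnerability'",
        "severity == 'critical'", "src_zone == 'WAN'"]
TYPO_RULE = {"conditions": BASE + ["dst_zone == 'DMZ'"], "indicators": ["src_ip"]}
FIXED_RULE = {"conditions": BASE + ["dest_zone == 'DMZ'"], "indicators": ["src_ip"]}

if __name__ == "__main__":
    print("unknown fields in typo rule:", lint_rule(TYPO_RULE))   # ['dst_zone']
    print("typo rule matches:", rule_matches(TYPO_RULE, EVENT))   # False
    print("fixed rule indicators:", extract_indicators(FIXED_RULE, [EVENT]))
```

Running the lint step over a rules file before committing it catches a misspelled field name immediately, instead of leaving a rule that silently never matches.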