POSSIBLE BUGS version 2.3.150 - FleetDM and Cases

[hackecu]

Good morning,

I have installed the Security Onion software version 2.3.150-20220820 ISO image built on 2022/08/20 and when I try to create a new case from an alert, the system fails to create it. It also does not let me create a new case despite saving it.

In addition, in the FleetDM service, when I try to consult the list of programs installed in a computer with the Wazuh agent, after modifying the corresponding file, the system cannot obtain this list.

I think that being a recent version of the software, there are some bugs in this new version. Possibly this causes the failures that I have commented above.

Regards

[dougburks]

I have installed the Security Onion software version 2.3.150-20220820 ISO image built on 2022/08/20 and when I try to create a new case from an alert, the system fails to create it. It also does not let me create a new case despite saving it.

Cases seems to work fine for me:

Please try a fresh installation and make sure you are following the documentation and Best Practices:
http://securityonion.net/docs
https://docs.securityonion.net/en/2.3/best-practices.html

If you continue to have problems, please provide more information. From #1720:

Please include the following details where you can:

• Security Onion version as seen in the lower left corner of SOC and in /etc/soversion. For example: 2.3.140
• Is this a cloud deployment or on-prem? If on-prem, do you have Internet access or this an airgap installation?
• Did you install from our Security Onion ISO image or did you perform a network installation?
• If network installation, did you install on CentOS 7 or Ubuntu?
• How many nodes do you have?
• What are the hardware specs of each of those nodes?
• How are each of those nodes configured? (ex. manager with 2 search nodes and 3 forward nodes)
• Are you experiencing issues monitoring network traffic? If so, are you sniffing from a tap or span port and what is the traffic volume?
• Does so-status show all services running?
• Do you get any failures when you run sudo salt-call state.highstate?
• Does the SOC Grid page show any failures?
• Explain your issue. For example: Installation fails when I select this series of options...
• Provide applicable logs. If you are having problems right after setup, provide /root/sosetup.log. If you are having problems during soup, provide /root/soup.log. If you are having problems with a specific component, provide that component's logs from /opt/so/log/.

[hackecu]

Security Onion version as seen in the lower left corner of SOC and in /etc/soversion. Version: 2.3.150

Is this a cloud deployment or on-prem? If on-prem, do you have Internet access or this an airgap installation?
Yes, on-prem with airgap installation

Did you install from our Security Onion ISO image or did you perform a network installation?
from Security Onion ISO imagen

If network installation, did you install on CentOS 7 or Ubuntu?
CentOS7

How many nodes do you have?
4

What are the hardware specs of each of those nodes?
VMWare ESXi 6.7

Does so-status show all services running?
Yes

Do you get any failures when you run sudo salt-call state.highstate?
No, attached output

Does the SOC Grid page show any failures?
No
securityOnion.txt
sosetup.log

[dougburks]

From your sosetup.log:

               total        used        free      shared  buff/cache   available
Mem:            11G        293M         11G        8.8M        198M         11G
Swap:          8.0G          0B        8.0G

Node Type: STANDALONE

It looks like this system does not meet the minimum specs for a STANDALONE installation.

From https://docs.securityonion.net/en/2.3/hardware.html#standalone-deployments:

In a standalone deployment, the manager components and the sensor components all run on a single box, therefore, your hardware requirements will reflect that. You’ll need at minimum 16GB RAM, 4 CPU cores, and 200GB storage. At the bare minimum of 16GB RAM, you would most likely need swap space to avoid issues.

As mentioned in my previous reply, please try a fresh installation and make sure you are following the documentation and Best Practices:
http://securityonion.net/docs
https://docs.securityonion.net/en/2.3/best-practices.html