This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

ENHANCEMENT: Add Arpwatch #369

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 25 comments

Comments

@GoogleCodeExporter

I think it would be nice to have the option to add arpwatch as a sensor tool. A menu from the install wizard could ask whether or not you would like to enable arpwatch, with a suggestion like "Not advisable on DHCP heavy network due to constant IP changes/Great for static network segments". If selected, the next menu could ask which interfaces to bind arpwatch to and which networks to listen for (Net/CIDR). Also add a YES/NO option to /etc/nsm/securityonion.conf for changes without re-running sosetup.

OSSEC already has an arpwatch rule file so it could tie in nicely with proper 
configuration.

If interested I can add. Let me know.

Thanks
Jon

Original issue reported on code.google.com by jonsch...@gmail.com on 25 Jul 2013 at 5:05

@GoogleCodeExporter

Hi Jon,

I don't have any time to work on this right now, so if you'd like to see it 
added, please send patches.

Thanks!

Doug

Original comment by doug.bu...@gmail.com on 25 Jul 2013 at 9:57


@GoogleCodeExporter

Will do.

Original comment by jonsch...@gmail.com on 1 Aug 2013 at 9:23


@GoogleCodeExporter

Hey Doug, 
I have most of this done.

Few questions:
1.) Would you like a bpf-arpwatch.conf file, or should it use bpf.conf?
2.) Would you integrate an existing Debian package for arpwatch, or would you prefer to have your own? If the latter, would I need to build it? It would take me longer as I haven't done it before and I don't know when I'll be able to read through the documentation. But as I have time I don't mind too much.
3.) Would you like to have a PF_RING-aware arpwatch using the modified PF_RING libpcap library?

Original comment by jonsch...@gmail.com on 4 Oct 2013 at 10:10


@GoogleCodeExporter

Replies inline.

1.) Would you like a bpf-arpwatch.conf file, or should it use bpf.conf?

Just like the rest of the services, it should be started with its own bpf (bpf-arpwatch.conf) that is symlinked to bpf.conf by default.

2.) Would you integrate an existing Debian package for arpwatch, or would you prefer to have your own? If the latter, would I need to build it? It would take me longer as I haven't done it before and I don't know when I'll be able to read through the documentation. But as I have time I don't mind too much.
3.) Would you like to have a PF_RING-aware arpwatch using the modified PF_RING libpcap library?

I'd rather just go with the Ubuntu arpwatch package for now.

Original comment by doug.bu...@gmail.com on 5 Oct 2013 at 12:12


@GoogleCodeExporter

I have attached 6 patches in a gzip'd tarball to enable the use of arpwatch in SO with the nsm scripts after installing the package from the Ubuntu repository.

I encountered an issue with the process_start function in /usr/lib/nsmnow/lib-nsm-common-utils with arpwatch, so I amended the function to fix a few things. It was not testing against the PID that arpwatch had assigned; this is described in the screenshots attached along with some debugging output I added. I modified it in a way that adds a sixth argument to process_start should another future sensor program encounter this behavior and need to get the PID in another way.

Though, before arpwatch will be of use, the system needs to be able to write to the normal system logging facilities. Once the messages are logged, say to /var/log/syslog, they will match against the rules in OSSEC's arpwatch_rules.xml and can then end up in Sguil, ELSA, etc.

Do you want to proceed with modifying syslog-ng, and if so, how would you like it done?

Original comment by jonsch...@gmail.com on 11 Dec 2013 at 6:17

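To show what the syslog path above carries to OSSEC, here is an added example (not OSSEC's arpwatch_rules.xml and not Security Onion code) that triages arpwatch syslog lines the way a rule set does before they reach Sguil or ELSA: host appearances are informational, while a changed IP-to-MAC binding or a flip flop is graded high, since on a static segment that is the signature of a duplicated address or ARP spoofing. The sample lines are constructed in the layout arpwatch uses for its syslog messages; the severity labels and function names are this example's own.

```sh
#!/bin/sh
# Added example, not OSSEC's arpwatch_rules.xml or Security Onion code: a
# small triage of arpwatch syslog lines, grading each event the way a rule
# set would before shipping it on to Sguil/ELSA.
# Assumptions: POSIX sh and awk; message layout as arpwatch logs via syslog.

# Constructed sample lines (the CRON line is noise that must be ignored).
SAMPLE_LOG='Mar 13 18:00:01 LBIDSSO arpwatch: new station 10.10.10.5 0:11:22:33:44:55 eth1
Mar 13 18:00:09 LBIDSSO arpwatch: new activity 10.10.10.7 0:11:22:33:44:77 eth1
Mar 13 18:05:12 LBIDSSO arpwatch: changed ethernet address 10.10.10.1 0:11:22:33:44:66 (0:11:22:33:44:01) eth1
Mar 13 18:05:15 LBIDSSO arpwatch: flip flop 10.10.10.1 0:11:22:33:44:01 (0:11:22:33:44:66) eth1
Mar 13 18:06:00 LBIDSSO CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)'

# triage_arpwatch: read syslog lines on stdin; for each arpwatch event print
# "LEVEL IP MAC [PREVIOUS_MAC] IFACE". Unrelated syslog lines are dropped.
#   info - new station / new activity: a host appeared or reappeared
#   high - changed ethernet address / flip flop: the IP-to-MAC binding moved,
#          which on a static segment can mean a duplicated address or ARP
#          spoofing and deserves an analyst's attention
triage_arpwatch() {
    awk '
    /arpwatch: new station /  { print "info " $(NF-2) " " $(NF-1) " " $NF; next }
    /arpwatch: new activity / { print "info " $(NF-2) " " $(NF-1) " " $NF; next }
    /arpwatch: (changed ethernet address|flip flop) / {
        # previous MAC is printed in parentheses just before the interface
        old = $(NF-1); gsub(/[()]/, "", old)
        print "high " $(NF-3) " " $(NF-2) " " old " " $NF; next
    }'
}

# count_level LEVEL: number of triaged events at LEVEL read from stdin (0 if none).
count_level() {
    triage_arpwatch | grep -c "^$1 " || true
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | triage_arpwatch
#        tail -f /var/log/syslog | triage_arpwatch
```

Feeding the live syslog through `triage_arpwatch` is a quick way to confirm, before touching OSSEC, that arpwatch messages are actually arriving in the file syslog-ng writes and that the binding changes are the ones you expect for the watched networks.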

@GoogleCodeExporter

Regarding process_start, is arpwatch daemonizing itself?  process_start wants 
to manage the PID itself for any process it starts, so you may be able to 
resolve this issue by having process_start run arpwatch manually (no daemon).

Original comment by doug.bu...@gmail.com on 11 Dec 2013 at 11:53


@GoogleCodeExporter

Yes, that's correct, it's daemonizing. I believe the patch I submitted will take care of that for future processes, so that all one has to do is add "insufficient_pid" as the last argument to process_start in nsm_sensor_ps-[re]start. I can change the name from "insufficient_pid" to "is_daemonized" or "daemon" or something. Then anyone can add a new tool that daemonizes following all the others just by placing the text "is_daemonized" at the end.

Unless you see a problem with this, is it fine?

Original comment by jonsch...@gmail.com on 11 Dec 2013 at 6:45


@GoogleCodeExporter

Here's what it looks like with my patch (from nsm_sensor_ps-start):

process_start "$APP" "$APP_OPTIONS" "PID_FILE" "LOG_FILE" "APP_DESC" "<optional argument for PID issues>"

[ "$ARPWATCH_ENABLED" == "yes" ] && [ -z "$SKIP_ARPWATCH" ] && \
    process_start "arpwatch" \
        "-i $SENSOR_INTERFACE_SHORT -Q -n $ARPWATCH_NETWORKS_FORMATTED -u arpwatch -z $ARPWATCH_EXCLUSIONS_FORMATTED -f /var/lib/arpwatch/$SENSOR.db" \
        "$PROCESS_PID_DIR/$SENSOR/arpwatch.pid" \
        "$PROCESS_LOG_DIR/$SENSOR/arpwatch.log" \
        "arpwatch" "insufficient_pid"

Original comment by jonsch...@gmail.com on 11 Dec 2013 at 6:48


@GoogleCodeExporter

I would be happy to test this if you help explain how to set it up.
We came from EasyIDS and I manually installed arpwatch on SO but have to get it 
working. Thanks a bunch. Kevin

Original comment by kevin.br...@gmail.com on 13 Jan 2014 at 9:07


@GoogleCodeExporter

That would be awesome. You can extract the files from the files directory and copy them over the existing files. Be sure to back up your files first or use a test machine.

$ cp files/nsm_* /usr/sbin/
$ cp files/sosetup /usr/bin/
$ cp files/lib-nsm-common-utils /usr/lib/nsmnow

After installing arpwatch, remove or rename its files:

$ rm /etc/init.d/arpwatch
$ rm /etc/defaults/arpwatch
$ rm /etc/arpwatch.conf

Once complete, rerun sosetup and select the advanced menu. Near the end there should be a dialog box asking if you would like to enable arpwatch and which networks you would like to watch.

After that, should everything go well, arpwatch will be managed like many of the other tools via the nsm_ scripts. Check its status afterwards with service nsm status.

Do fill me in on how it goes.

Thanks

Original comment by jonsch...@gmail.com on 15 Jan 2014 at 7:21


@GoogleCodeExporter

I'm sorry, work has been super busy [that's a good thing]. I'm going to test it this month. I still have an interest here that hasn't changed. Thx

Original comment by kevin.br...@gmail.com on 9 Mar 2014 at 3:31


@GoogleCodeExporter

Thanks for the update.

Original comment by jonsch...@gmail.com on 9 Mar 2014 at 4:58


@GoogleCodeExporter

That was easier than I was getting my head around, but I have to run sosetup, and as I'm remote and only have shell access I'm unable to run sosetup. I did try to get remote X running on this box but never was able to, even with the FAQ notes. I'll be out at that client late this week and flip the switch then, as I placed the files. Thanks a bunch.
Also FYI, the one folder in the notes is /etc/default/, not /etc/defaults/. Easy miss, no worries.

Original comment by kevin.br...@gmail.com on 9 Mar 2014 at 11:43


@GoogleCodeExporter

Hi Kevin,

Regarding X window forwarding, have you tried running Security Onion in a VM on 
your workstation and then using "ssh -X" to connect to your Security Onion 
server?  If you then run "sudo sosetup" it should execute on your server but 
display on your local VM.

Original comment by doug.bu...@gmail.com on 10 Mar 2014 at 10:50


@GoogleCodeExporter

Kevin, you could also try manually setting the ARPWATCH variables as seen in sosetup in the appropriate sensor.conf files if you've copied over the new scripts.

Original comment by jonsch...@gmail.com on 11 Mar 2014 at 4:44


@GoogleCodeExporter

I'm running on a physical machine. I'm remoting from Win7, not Linux, or SSH -X would be a lot easier, so I will address that. When I ran 'sudo sosetup' today it wants to go through the whole initial setup even when I select 'advanced' [set up the sguil user etc.; I cancelled]. I'm hesitant to do that. Is that what is expected? Rerun the setup? I don't want to overwrite any other configs. Thanks

Original comment by kevin.br...@gmail.com on 13 Mar 2014 at 6:00


@GoogleCodeExporter

Yes, sosetup will overwrite any existing config/data.  If you don't want to do 
that, then you can use Jon's suggestion in comment #15.

Original comment by doug.bu...@gmail.com on 13 Mar 2014 at 6:02


@GoogleCodeExporter

Oh, and I'm running as standalone, all on one box. That's all that is needed.
My arpwatch is still running on my other system until I get this working.

Original comment by kevin.br...@gmail.com on 13 Mar 2014 at 6:02


@GoogleCodeExporter

Can you help with which files? Thanks

Original comment by kevin.br...@gmail.com on 13 Mar 2014 at 6:07


@GoogleCodeExporter

I see it: /etc/nsm/"hostname"-eth1-1. Cool.

Original comment by kevin.br...@gmail.com on 13 Mar 2014 at 6:10


@GoogleCodeExporter

I'm getting a log file now but arpwatch is not running according to 'ps ax | grep -i arpwatch'. Here's my arpwatch.log:

    Executing: arpwatch -i eth1 -Q -n 10.10.10.0/24 -u arpwatch -z  -f /var/lib/arpwatch/LBIDSSO-eth1.db

but it's not executing.
On my other system running arpwatch, 'ps ax | grep -i arpwatch' shows it's running:

    arpwatch -u pcap -N -i eth0 -e kbrouelette@sample.com -s Arpwatch <kevin@sample.net>

I did restart the SO box. What starts up arpwatch since it's not in the init scripts now? Thanks a bunch for the help.

Original comment by kevin.br...@gmail.com on 13 Mar 2014 at 7:00


@GoogleCodeExporter

Sorry, clarifying: after I restarted, no arpwatch starts.

Original comment by kevin.br...@gmail.com on 13 Mar 2014 at 7:01


@GoogleCodeExporter

Kevin, where are you at now with this? I'm a little confused.

Original comment by jonsch...@gmail.com on 13 Mar 2014 at 8:39


@GoogleCodeExporter

Perhaps you guys should take this discussion to private email.

Original comment by doug.bu...@gmail.com on 13 Mar 2014 at 8:41


@GoogleCodeExporter

Kevin, e-mail me at jonschipp@gmail.com with any questions or updates.

Original comment by jonsch...@gmail.com on 13 Mar 2014 at 8:47
