question about running SO in VM...and an OSSEC question

Mike_B

Jun 1, 2012, 7:40:21 PM
to security-onion
Hi everyone,

I downloaded Security Onion a few months ago and forgot about it. The
past few days I decided to try it out and I am beyond impressed. It
is just awesome. Great work to everyone involved.

Here are my questions:

I installed Security Onion in a VM created with VMware Player. It
installed and updated fine. No problems. Obviously I want to have a
management interface and a sensor interface, so when I set up the VM,
I added a second NIC in VMware's settings. What should I set the 2
NICs to - NAT or Bridged?

Right now I have the sensor set to Bridged - I am pretty sure the
sensor has to be set up as Bridged....and the management interface set
to NAT...and everything works fine....I read in the FAQ that in VMware
the NICs are backwards....eth0 is really supposed to be eth1....but I
haven't fixed that yet. So right now my sensor is on eth1, and
management is on eth0.

BTW I have 3 NICs in my PC....the built in one, which I disable or
unplug when I am using Security Onion...and 2 Intel PCI-e NICs, which
I use when running the IDS.

When I start Sguil, both interfaces are listed at the bottom - eth1 is
on the left and says "unmonitored" underneath it...and eth0 is on the
right, and says "eth0 ossec" and then it says "unmonitored" underneath
it.

I know what OSSEC is....but I couldn't figure out why it was showing up
next to what is supposed to be my management interface. I searched
thru Security Onion and found a blog that mentions ossec and
Sguil....but in the screenshots in the blog, ossec doesn't appear to
have an interface next to it.

The link to the blog is here:
http://securityonion.blogspot.com/2011/01/security-onion-20110101-ossec-and-sguil.html

So since OSSEC is a host based IDS, should I select Sguil to monitor
both my sensor and my management interface? Or am I doing something
fundamentally wrong when I am setting up my network in VMWare Player?

Thanks in advance for your help.

Mike

PS After I make sure I am using this correctly I will probably install
it to a standalone PC, which should make the network setup a lot
easier.


Mike_B

Jun 2, 2012, 1:18:40 AM
to security-onion
Hi again,

After I posted my first message I did a little bit more research and
am able to refine my questions a little bit.

After I got SO running, I used the advanced option in the setup
program. I just want one of my two NICs to be a sensor. How do I do
this? I have read conflicting info about this. I have read that if
you use the "quick" setup option, it configures all of your NICs to be
sensors; but I have also read that the advanced setup does the same
thing. If this is true, how do I set SO up so one NIC is a sensor and
one is a management interface?

Next, I am confused about OSSEC. I have read thru many of the OSSEC
related posts on this group....as well as OSSEC related info in the SO
blog....Is OSSEC actually part of SO? Or is it just an agent to
listen for OSSEC messages from other hosts that have OSSEC installed?
And I have read that you can use SO's OSSEC to analyze syslogs
etc.....do I need to do anything to set this up? Do I need to have
OSSEC running on another host to have this work? Sorry for the basic
questions....I have never used OSSEC before and am just confused on
what part of OSSEC is supported in SO.

And once again, one of the questions that I asked in my first post:
in the screenshots that I have seen from the SO blog....when Sguil is
started it lets you select which interfaces to monitor. In the
screenshots, it shows "ossec"....yet on my install, it says "eth0 -
ossec"....does anyone know the significance of this? Have I done
something wrong? And since I don't have OSSEC running on another host,
would I achieve anything by having Sguil monitor it?

I think those are my main questions for now. Sorry for my ignorance
concerning OSSEC.

I am just amazed with SO. I have always found it a PITA to get Sguil
to work properly....and often had trouble getting Barnyard or Barnyard
2 to work correctly. Sometimes I would just throw up my hands and use
a script like NSMnow.....but never again. SO is so well thought
out....and the fact that it has so many analysis tools built in is
great. I can't thank the developers enough. Now I just need to learn
how to iron out my issues.

Thanks,
Mike


Doug Burks

Jun 2, 2012, 6:19:58 AM
to securit...@googlegroups.com
Hi Mike,

Replies inline.

On Fri, Jun 1, 2012 at 7:40 PM, Mike_B <boec...@gmail.com> wrote:
> Hi everyone,
>
> I downloaded Security Onion a few months ago and forgot about it.  The
> past few days I decided to try it out and I am beyond impressed.  It
> is just awesome.  Great work to everyone involved.

Thanks, glad you like it!

> Here are my questions:
>
> I installed Security Onion in a VM created with VMware Player.  It
> installed and updated fine.  No problems.  Obviously I want to have a
> management interface and a sensor interface, so when I set up the VM,
> I added a second NIC in VMwares settings.  What should I set the 2
> NICs to - NAT or Bridged?
>
> Right now I have the sensor set to Bridged - I am pretty sure the
> sensor has to be setup as Bridged....and the management interface set
> to NAT...and everything works fine....

Yep, management interface set to NAT, sensor interface set to Bridged.

> I read in the FAQ that in VMware
> the NIC's are backwards....eth0 is really supposed to be eth1....but I
> havent fixed that yet.

I believe that FAQ entry is just referring to the fact that if you
clone a VM, VMware will give it a new MAC address and then Ubuntu's
Udev will see the new MAC address and make it eth1. If you haven't
cloned your VM, you can ignore this FAQ entry.

> So right now my sensor is on eth1, and
> management is on eth0.
> BTW I have 3 NICs in my PC....the built in one, which I disable or
> unplug when I am using Security Onion...and 2 Intel PCI-e NICs, which
> I use when running the IDS.
>
> When I start Sguil, both interfaces are listed at the bottom - eth1 is
> on the left and says "unmonitored" underneath it...and eth0 is on the
> right, and says "eth0 ossec" and then it says "unmonitored" underneath
> it.

Sounds strange. What is the hostname of your VM? When logging into
Sguil, you should see sensor names like this:
hostname-eth0
hostname-eth1
hostname-ossec

Any chance you could attach a screenshot?

> I know what OSSEC is....but I couldnt figure out why it was showing up
> next to what is supposed to be my management interface,.  I searched
> thru Security Onion and found a blog that mentions ossec and
> Sguil....but in the screenshots in the blog, ossec doesnt appear to
> have an interface next to it.
>
> The link to the blog is here:
> http://securityonion.blogspot.com/2011/01/security-onion-20110101-ossec-and-sguil.html
>
> So since OSSEC is a host based IDS, should I select Sguil to monitor
> both my sensor and my management interface?  Or am I doing something
> fundamentally wrong when I am setting up my network in VMWare Player?

When logging into Sguil, I normally click the "Select All" button so
that I will see all alerts from all sensors (NIDS alerts from network
interfaces and HIDS alerts from OSSEC).

> Thanks in advance for your help.
>
> Mike
>
> PS After I make sure I am using this correctly I will probably install
> it to a standalone PC, which should make the network setup alot
> easier.

Thanks,
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

Doug Burks

Jun 2, 2012, 6:35:14 AM
to securit...@googlegroups.com
Hello again Mike,

Replies inline.

On Sat, Jun 2, 2012 at 1:18 AM, Mike_B <boec...@gmail.com> wrote:
> Hi again,
>
> After I posted my first message I did a little bit more research and
> am able to refine my questions a little bit.
>
> After I got SO running, I used the advanced option in the setup
> program.  I just want one of my two NICs to be a sensor.  How do I do
> this?  I have read conflicting info about this.  I have read that if
> you use the "quick" setup option, it configures all of your NICs to be
> sensors; but I have also read that the advanced setup does the same
> thing.  If this is true, how do I set SO up so one NIC is a sensor and
> one is a management interface?

Quick Setup will automatically configure ALL network interfaces for
monitoring. Advanced Setup will allow you to choose one or more
network interfaces for monitoring. Where did you read that Advanced
Setup automatically configures all network interfaces?

> Next, I am confused about OSSEC.  I have read thru many of the OSSEC
> related posts on this group....as well as OSSEC related info in the SO
> blog....Is OSSEC actually part of SO?

Yes, Security Onion contains OSSEC installed in Server mode. It's
monitoring local logs by default and reporting any alerts to Sguil.

> Or is it just an agent to
> listen for OSSEC messages from other hosts that have OSSEC installed?

It's in Server mode so it can receive logs from other boxes running
the OSSEC agent (available for Linux, Unix, Windows, etc.).

> And I have read that you can use SO's OSSEC to analyze syslogs
> etc.....do I need to do anything to set this up?

Yes, OSSEC can act as a syslog collector. You would edit
/var/ossec/etc/ossec.conf like this:
<remote>
  <connection>syslog</connection>
  <allowed-ips>192.168.23.45</allowed-ips>
</remote>

Then restart OSSEC:
sudo service ossec restart

Then allow the syslog port in the firewall:
sudo ufw allow 514/udp

For more info, please see:
http://www.ossec.net/doc/syntax/head_ossec_config.remote.html
http://www.ossec.net/main/manual/configuration-options

> Do I need to have
> OSSEC running on another host to have this work?

Nope!

> Sorry for the basic
> questions....I have never used OSSEC before and am just confused on
> what part of OSSEC is supported in SO.

No problem.

> And once again, one of the questions that I asked in my first post:
> in the screenshots that I have seen from the SO blog....when Sguil is
> started it lets you select which interfaces to monitor.  In the
> screenshots, it shows "ossec"....yet on my install, it says "eth0 -
> ossec"....does anyone know the significance of this?  Have I done
> something wrong?  And since I dont have OSSEC running on another host,
> would I achieve anything by having Sguil monitor it?

The screenshot that you linked to previously was from an older version
of SO where the sensor names didn't have the hostname. As I mentioned
in my previous email, the current version of SO will create sensor
names like this:
hostname-eth0
hostname-ossec

If you're seeing "eth0 - ossec", is your hostname set to "eth0"?

> I think those are my main questions for now.  Sorry for my ignorance
> concerning OSSEC.
>
> I am just amazed with SO.  I have always found it a PITA to get Sguil
> to work properly....and often had trouble getting Barnyard or Barnyard
> 2 to work correctly.  Sometimes I would just throw up my hands and use
> a script like NSMnow.....but never again.

Actually, you are using NSMnow :) The NSMnow scripts are part of SO,
but they've been heavily modified.

> SO is so well thought
> out....and the fact that it has so many analysis tools built in is
> great.  I cant thank the developers enough.  Now I just need to learn
> how to iron out my issues.

Thanks, glad you like it!
Doug
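An added example (not from the thread or the OSSEC project) that audits the <remote> blocks Doug describes: it parses ossec.conf, flags a syslog listener whose allowed-ips would admit any source, and emits a ufw rule scoped to the allowed sender rather than a blanket allow of 514/udp. The config text is constructed; the defaults for port and protocol are assumptions.

```python
"""Audit the <remote> blocks of an OSSEC ossec.conf for a syslog listener.

Added example, not from the thread or the OSSEC project. It parses the
<remote> sections Doug describes, reports each listener, flags a syslog
listener whose allowed-ips admits any source, and prints a ufw rule scoped
to the allowed sender instead of a blanket 'ufw allow 514/udp'.
The config below is constructed; the IP is the one from the thread.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.23.45</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>
"""

# allowed-ips values that amount to "accept from anywhere" (assumption).
ANY_SOURCE = {"any", "0.0.0.0/0", "0.0.0.0"}

def parse_remotes(conf_text):
    """Return one dict per <remote> block. ossec.conf may hold several
    top-level <ossec_config> elements (not well-formed XML), so wrap it."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    remotes = []
    for rem in root.iter("remote"):
        conn = (rem.findtext("connection") or "").strip()
        # OSSEC defaults (assumption): syslog on 514/udp, agents on 1514/udp.
        default_port = "514" if conn == "syslog" else "1514"
        remotes.append({
            "connection": conn,
            "port": int((rem.findtext("port") or default_port).strip()),
            "protocol": (rem.findtext("protocol") or "udp").strip().lower(),
            "allowed_ips": [e.text.strip() for e in rem.findall("allowed-ips") if e.text],
        })
    return remotes

def audit_syslog(remotes):
    """Return (findings, ufw_rules) for the syslog listeners only."""
    findings, rules = [], []
    for r in (x for x in remotes if x["connection"] == "syslog"):
        if not r["allowed_ips"] or any(ip in ANY_SOURCE for ip in r["allowed_ips"]):
            findings.append("syslog listener on %d/%s lacks a restrictive allowed-ips" % (r["port"], r["protocol"]))
        rules += ["sudo ufw allow from %s to any port %d proto %s" % (ip, r["port"], r["protocol"])
                  for ip in r["allowed_ips"] if ip not in ANY_SOURCE]
    return findings, rules
```

Run `audit_syslog(parse_remotes(open("/var/ossec/etc/ossec.conf").read()))` on a real sensor to get the findings and the per-sender ufw rules.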

Mike_B

Jun 3, 2012, 3:31:49 AM
to security-onion
Hi Doug,

Thank you for all of your help!

I was wrong about what interfaces were listed when starting Sguil.

First is eth1...and second is ossec. It was not eth0-ossec like I had
posted earlier. Sorry about that.

As of right now I think everything in SO is working fine. But I am
having a trouble with setting up my NICs in Windows. As I mentioned
in a previous post, I have VMWare Player running on Windows 7. SO is
running in a VM (obviously). I have 2 active NICs in Windows. One is
the sensor, and it is plugged into a SPAN port on my ASA5505. The
other is a management interface.

In the VM running SO, I set the sensor interface like you described in
the network config instructions - i.e. so it does not have an IP
address. So when I am inside of the VM, I can run Firefox and it will
use the management interface.

My problem is within Windows itself. I have these 2 active NICs. I
don't know if I have misconfigured my ASA or what, but when I try to
use Firefox in Windows, I cannot get the traffic to go thru the
management NIC - sometimes it goes thru the sensor. I have tried to
set the sensor's gateway in Windows to be blank - and I thought that
would solve it. But it doesn't really. So SO would work fine if I
just wanted to use my PC to run the VM. But I can't use Windows if the
VM is running because some of the traffic is trying to go thru the
sensor. After I set the sensor's gateway in Windows to be blank, I did
a route PRINT, and it had removed the sensor from the routing
table....so everything should have been going thru the management
NIC....but it wasn't.

And prior to changing the sensor's gateway to blank, both the sensor
and the management interface showed up when I did a route
PRINT....however, after removing the gateway from the sensor's NIC,
only the management interface is in the Windows routing table.

I would really like to run this in a VM as opposed to on a dedicated
machine.

So do you or anyone else know how to keep traffic out of the sensor in
Windows?

I noticed this problem when I had the SO VM running and Sguil was
open. If I did a port scan from another PC, alerts would show up.
But if I went out to Windows, with the VM still running, and tried to
use Nmap to portscan my 192.168.1.0/24 network, I wasn't getting any
alerts. The weird thing was that from a Windows command prompt, I
could ping my ASA at 192.168.1.1....however, if I tried to do a ping
scan of my ASA with nmap, nmap reported the host was down. I confirmed
this problem by using Wireshark in Windows to watch the management
interface. If I used a browser, ping or telnet, the traffic showed up
like it should. But if I used nmap, it didn't show up at all.

So now I am also wondering if maybe nmap is using the wrong interface
when I am in Windows....however, I have tried changing the interface
used with the "-e" command line option, but I get error messages
regardless of which interface I use. I have googled for the past hour
trying to find the proper interface names to use with the "-e" option
when running nmap in Windows but can't find an answer.

I hope I have explained this problem well enough for you to
understand. To sum it up - on the PC running the SO VM, if I am
inside the VM, browser data etc. is routed properly thru the management
interface. But in Windows, some of the traffic doesn't want to use the
management interface. So I was wondering if anyone has experienced
this or has any ideas.

Thanks for all of your help in the past day Doug.

Mike


Doug Burks

Jun 4, 2012, 5:49:59 AM
to securit...@googlegroups.com
In Windows, does your "sensor" interface have an IP address? If so,
can you remove the IP address?

Thanks,
Doug

Mike_B

Jun 4, 2012, 4:40:10 PM
to security-onion
Hi Doug -

I finally got everything to work like it should.

First, I downloaded the trial of VMWare Workstation so that I would
have better network setup capabilities....and was able to choose which
physical adapter I wanted assigned to each virtual bridged NIC.

And second, I solved the routing problem by going into Windows'
network adapter properties and deselecting "Client for Microsoft
Networks", "IP v4", "IP v6", and "File and Printer Sharing for
Windows". I had forgotten about being able to do this.

Doug, I really appreciate all of your help.

Take care,
Mike