Message from discussion question about running SO in VM...and an OSSEC question
Date: Mon, 4 Jun 2012 05:49:59 -0400
Subject: Re: [security-onion] Re: question about running SO in VM...and an OSSEC question
From: Doug Burks <doug.bu...@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
In Windows, does your "sensor" interface have an IP address? If so,
can you remove the IP address?
On Sun, Jun 3, 2012 at 3:31 AM, Mike_B <boeck...@gmail.com> wrote:
> Hi Doug,
> Thank you for all of your help!
> I was wrong about what interfaces were listed when starting Sguil.
> First is eth1...and second is ossec. It was not eth0-ossec like I had
> posted earlier. Sorry about that.
> As of right now I think everything in SO is working fine. But I am
> having trouble with setting up my NICs in Windows. As I mentioned
> in a previous post, I have VMware Player running on Windows 7. SO is
> running in a VM (obviously). I have 2 active NICs in Windows. One is
> the sensor, and it is plugged into a SPAN port on my ASA5505. The
> other is a management interface.
> In the VM running SO, I set the sensor interface like you described in
> the network config instructions - i.e. so it does not have an IP
> address. So when I am inside of the VM, I can run Firefox and it will
> use the management interface.
> My problem is within Windows itself. I have these 2 active NICs. I
> don't know if I have misconfigured my ASA or what, but when I try to
> use Firefox in Windows, I cannot get the traffic to go thru the
> management NIC - sometimes it goes thru the sensor. I have tried to
> set the sensor's gateway in Windows to be blank - and I thought that
> would solve it. But it doesn't really. So SO would work fine if I
> just wanted to use my PC to run the VM. But I can't use Windows if the
> VM is running because some of the traffic is trying to go thru the
> sensor. After I set the sensor's gateway in Windows to be blank, I did
> a route PRINT, and it had removed the sensor from the routing
> table....so everything should have been going thru the management
> NIC....but it wasn't.
> And prior to changing the sensor's gateway to blank, both the sensor
> and the management interface showed up when I did a route
> PRINT....however, after removing the gateway from the sensor's NIC,
> only the management interface is in the Windows routing table.
> I would really like to run this in a VM as opposed to on a dedicated
> So do you or anyone else know how to keep traffic out of the sensor in
> I noticed this problem when I had the SO VM running and Sguil was
> open. If I did a port scan from another PC, alerts would show up.
> But if I went out to Windows, with the VM still running, and tried to
> use Nmap to portscan my 192.168.1.0/24 network, I wasn't getting any
> alerts. The weird thing was that from a Windows command prompt, I
> could ping my ASA at 192.168.1.1....however, if I tried to do a ping
> scan of my ASA with nmap, nmap reported the host was down. I confirmed
> this problem by using Wireshark in Windows to watch the management
> interface. If I used a browser, ping or telnet, the traffic showed up
> like it should. But if I used nmap, it didn't show up at all.
> So now I am also wondering if maybe nmap is using the wrong interface
> when I am in Windows....however, I have tried changing the interface
> used with the "-e" command line option, but I get error messages
> regardless of which interface I use. I have googled for the past hour
> trying to find the proper interface names to use with the "-e" option
> when running nmap in Windows but can't find an answer.
> I hope I have explained this problem well enough for you to
> understand. To sum it up - on the PC running the SO VM, if I am
> inside the VM, browser data etc. is routed properly thru the management
> interface. But in Windows, some of the traffic doesn't want to use the
> management interface. So I was wondering if anyone has experienced
> this or has any ideas.
> Thanks for all of your help in the past day Doug.
> On Jun 2, 6:35 am, Doug Burks <doug.bu...@gmail.com> wrote:
>> Hello again Mike,
>> Replies inline.
>> On Sat, Jun 2, 2012 at 1:18 AM, Mike_B <boeck...@gmail.com> wrote:
>> > Hi again,
>> > After I posted my first message I did a little bit more research and
>> > am able to refine my questions a little bit.
>> > After I got SO running, I used the advanced option in the setup
>> > program. I just want one of my two NICs to be a sensor. How do I do
>> > this? I have read conflicting info about this. I have read that if
>> > you use the "quick" setup option, it configures all of your NICs to be
>> > sensors; but I have also read that the advanced setup does the same
>> > thing. If this is true, how do I set SO up so one NIC is a sensor and
>> > one is a management interface?
>> Quick Setup will automatically configure ALL network interfaces for
>> monitoring. Advanced Setup will allow you to choose one or more
>> network interfaces for monitoring. Where did you read that Advanced
>> Setup automatically configures all network interfaces?
>> > Next, I am confused about OSSEC. I have read thru many of the OSSEC
>> > related posts on this group....as well as OSSEC related info in the SO
>> > blog....Is OSSEC actually part of SO?
>> Yes, Security Onion contains OSSEC installed in Server mode. It's
>> monitoring local logs by default and reporting any alerts to Sguil.
>> > Or is it just an agent to
>> > listen for OSSEC messages from other hosts that have OSSEC installed?
>> It's in Server mode so it can receive logs from other boxes running
>> the OSSEC agent (available for Linux, Unix, Windows, etc.).
>> > And I have read that you can use SO's OSSEC to analyze syslogs
>> > etc.....do I need to do anything to set this up?
>> Yes, OSSEC can act as a syslog collector. You would edit
>> /var/ossec/etc/ossec.conf like this:
>>   <remote>
>>     <connection>syslog</connection>
>>     <allowed-ips>192.168.23.45</allowed-ips>
>>   </remote>
>> Then restart OSSEC:
>> sudo service ossec restart
>> Then allow the syslog port in the firewall:
>> sudo ufw allow 514/udp
>> For more info, please see: http://www.ossec.net/doc/syntax/head_ossec_con=
>> > Do I need to have
>> > OSSEC running on another host to have this work?
>> > Sorry for the basic
>> > questions....I have never used OSSEC before and am just confused on
>> > what part of OSSEC is supported in SO.
>> No problem.
>> > And once again, one of the questions that I asked in my first post:
>> > in the screenshots that I have seen from the SO blog....when Sguil is
>> > started it lets you select which interfaces to monitor. In the
>> > screenshots, it shows "ossec"....yet on my install, it says "eth0 -
>> > ossec"....does anyone know the significance of this? Have I done
>> > something wrong? And since I don't have OSSEC running on another host,
>> > would I achieve anything by having Sguil monitor it?
>> The screenshot that you linked to previously was from an older version
>> of SO where the sensor names didn't have the hostname. As I mentioned
>> in my previous email, the current version of SO will create sensor
>> names like this:
>> If you're seeing "eth0 - ossec", is your hostname set to "eth0"?
>> > I think those are my main questions for now. Sorry for my ignorance
>> > concerning OSSEC.
>> > I am just amazed with SO. I have always found it a PITA to get Sguil
>> > to work properly....and often had trouble getting Barnyard or Barnyard
>> > 2 to work correctly. Sometimes I would just throw up my hands and use
>> > a script like NSMnow.....but never again.
>> Actually, you are using NSMnow :) The NSMnow scripts are part of SO,
>> but they've been heavily modified.
>> > SO is so well thought
>> > out....and the fact that it has so many analysis tools built in is
>> > great. I can't thank the developers enough. Now I just need to learn
>> > how to iron out my issues.
>> Thanks, glad you like it!
>> > Thanks,
>> > Mike
>> > On Jun 1, 7:40 pm, Mike_B <boeck...@gmail.com> wrote:
>> >> Hi everyone,
>> >> I downloaded Security Onion a few months ago and forgot about it. The
>> >> past few days I decided to try it out and I am beyond impressed. It
>> >> is just awesome. Great work to everyone involved.
>> >> Here are my questions:
>> >> I installed Security Onion in a VM created with VMware Player. It
>> >> installed and updated fine. No problems. Obviously I want to have a
>> >> management interface and a sensor interface, so when I set up the VM,
>> >> I added a second NIC in VMware's settings. What should I set the 2
>> >> NICs to - NAT or Bridged?
>> >> Right now I have the sensor set to Bridged - I am pretty sure the
>> >> sensor has to be set up as Bridged....and the management interface set
>> >> to NAT...and everything works fine....I read in the FAQ that in VMware
>> >> the NICs are backwards....eth0 is really supposed to be eth1....but I
>> >> haven't fixed that yet. So right now my sensor is on eth1, and
>> >> management is on eth0.
>> >> BTW I have 3 NICs in my PC....the built in one, which I disable or
>> >> unplug when I am using Security Onion...and 2 Intel PCI-e NICs, which
>> >> I use when running the IDS.
>> >> When I start Sguil, both interfaces are listed at the bottom - eth1 is
>> >> on the left and says "unmonitored" underneath it...and eth0 is on the
>> >> right, and says "eth0ossec" and then it says "unmonitored" underneath
>> >> it.
>> >> I know what OSSEC is....but I couldn't figure out why it was showing up
>> >> next to what is supposed to be my management interface. I searched
>> >> thru Security Onion and found a blog that mentions ossec and
>> >> Sguil....but in the screenshots in the blog, ossec doesn't appear to
>> >> have an interface next to it.
>> >> The link to the blog is here: http://securityonion.blogspot.com/2011/0=
>> >> So since OSSEC is a host based IDS, should I select Sguil to monitor
>> >> both my sensor and my management interface? Or am I doing something
>> >> fundamentally wrong when I am setting up my network in VMware Player?
>> >> Thanks in advance for your help.
>> >> Mike
>> >> PS After I make sure I am using this correctly I will probably install
>> >> it to a standalone PC, which should make the network setup a lot
>> >> easier.
>> Doug Burks | http://securityonion.blogspot.com
>> Don't miss SANS SEC503 Intrusion Detection In-Depth in
>> Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!http://augusta.is=
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
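The three steps Doug gives for turning OSSEC into a syslog collector (add a `<remote>` block to ossec.conf, restart OSSEC, open 514/udp in ufw) are easy to get half-done, so here is an added example that scripts the config edit and checks the result. It is not code from the thread or from the Security Onion project. It assumes only that ossec.conf is rooted in `<ossec_config>` sections (OSSEC permits several in one file, so the block is inserted once), and it works on a constructed copy of the file rather than on /var/ossec/etc/ossec.conf; the `ufw status` text it checks is likewise constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project): enable the
# OSSEC syslog collector in a copy of ossec.conf, then verify the config and a
# `ufw status` listing. Paths and IPs below are placeholders/constructed input.

# Emit the <remote> block from Doug's reply, one <allowed-ips> per sender.
# Usage: remote_block 192.168.23.45 10.0.0.7
remote_block() {
  printf '  <remote>\n    <connection>syslog</connection>\n'
  for ip in "$@"; do
    printf '    <allowed-ips>%s</allowed-ips>\n' "$ip"
  done
  printf '  </remote>'
}

# Insert the block before the first </ossec_config> of the given file.
# OSSEC allows several <ossec_config> sections in one file, so insert once,
# and do nothing if a syslog <remote> block is already present (idempotent).
enable_syslog_collector() {
  local conf block tmp
  conf=$1
  shift
  if grep -q '<connection>syslog</connection>' "$conf"; then
    echo "syslog collector already configured in $conf" >&2
    return 0
  fi
  block=$(remote_block "$@")
  tmp=$(mktemp)
  awk -v block="$block" \
    '/<\/ossec_config>/ && !done { print block; done = 1 } { print }' \
    "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Succeed when the config has a syslog <remote> block listing the given IP.
config_allows() {
  grep -q '<connection>syslog</connection>' "$1" &&
    grep -q "<allowed-ips>$2</allowed-ips>" "$1"
}

# Succeed when a `ufw status` listing on stdin has an ALLOW rule for 514/udp,
# e.g. "514/udp                    ALLOW       Anywhere".
ufw_allows_syslog() {
  grep -Eq '^514/udp[[:space:]]+ALLOW'
}

# Walk-through on a constructed ossec.conf standing in for /var/ossec/etc/ossec.conf.
demo() {
  local conf
  conf=$(mktemp)
  cat > "$conf" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
</ossec_config>
EOF
  enable_syslog_collector "$conf" 192.168.23.45
  if config_allows "$conf" 192.168.23.45; then
    echo "ossec.conf: syslog collector enabled; next run: sudo service ossec restart"
  fi
  # Constructed `ufw status` output as it looks after `sudo ufw allow 514/udp`.
  printf 'Status: active\n\nTo        Action      From\n514/udp   ALLOW       Anywhere\n' |
    ufw_allows_syslog && echo "ufw: 514/udp is open"
  rm -f "$conf"
}

demo
```

The `<allowed-ips>` list is the only filter OSSEC applies to incoming UDP syslog, and source addresses on UDP are easy to forge, so the firewall rule is worth narrowing to the same senders rather than opening the port to everyone, for example `sudo ufw allow from 192.168.23.45 to any port 514 proto udp` in place of `sudo ufw allow 514/udp`.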