Message from discussion question about runniong SO in VM...and an OSSEC question

Received: by 10.101.136.25 with SMTP id o25mr5391266ann.8.1338803400877;
        Mon, 04 Jun 2012 02:50:00 -0700 (PDT)
X-BeenThere: security-onion@googlegroups.com
Received: by 10.101.172.24 with SMTP id z24ls851039ano.4.gmail; Mon, 04 Jun
 2012 02:49:59 -0700 (PDT)
Received: by 10.100.80.2 with SMTP id d2mr1186714anb.0.1338803399412;
        Mon, 04 Jun 2012 02:49:59 -0700 (PDT)
Received: by 10.100.80.2 with SMTP id d2mr1186713anb.0.1338803399392;
        Mon, 04 Jun 2012 02:49:59 -0700 (PDT)
Return-Path: <doug.bu...@gmail.com>
Received: from mail-yx0-f170.google.com (mail-yx0-f170.google.com [209.85.213.170])
        by gmr-mx.google.com with ESMTPS id b73si7278182yhh.4.2012.06.04.02.49.59
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 04 Jun 2012 02:49:59 -0700 (PDT)
Received-SPF: pass (google.com: domain of doug.bu...@gmail.com designates 209.85.213.170 as permitted sender) client-ip=209.85.213.170;
Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of doug.bu...@gmail.com designates 209.85.213.170 as permitted sender) smtp.mail=doug.bu...@gmail.com; dkim=pass header...@gmail.com
Received: by yenm2 with SMTP id m2so3118577yen.29
        for <security-onion@googlegroups.com>; Mon, 04 Jun 2012 02:49:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type:content-transfer-encoding;
        bh=J5s1p5s94VQyqds4LIoennoMuqySswhqZyD1Y8xPtsM=;
        b=uKO2UGawJVfVr80bv19dybnyRu3kA7bLzN6H9Rqwt94FJ16TNsPWgZtoPBWFC1dJsp
         BrwPrbnykUpxBIS7OI4VF1cmG7Te4hrYj+0Xt/9wTXyzc6TeJNfPG8DEHQb6swN+cBnP
         iY8ntDvdMeAOsQTqeoh8i6mm1folx+ed5ncG+IC+9lBii9/yqdeE+s3Ou28d08VB75kf
         9Uyv8UiTyFGLcU4zm3TeAQQTYYfRJGRPoH9pX4SoaIRFwDPAsgTMD8Djo6hzkX/KawGG
         qslAGmyadpX6OzqPknOPGlYDMFVtYE5B54c04pqMtY6w9S6mkp/U3HpV56xC1NdRjF67
         XVUA==
MIME-Version: 1.0
Received: by 10.50.41.226 with SMTP id i2mr7488533igl.4.1338803399097; Mon, 04
 Jun 2012 02:49:59 -0700 (PDT)
Received: by 10.231.192.15 with HTTP; Mon, 4 Jun 2012 02:49:59 -0700 (PDT)
In-Reply-To: <18db7f24-3d21-4566-891d-846cbbafd...@v33g2000yqv.googlegroups.com>
References: <c99004df-00ba-47cf-aeff-dbfb749cd...@h9g2000yqi.googlegroups.com>
	<d9f01322-ea9c-4644-b476-656b8d173...@j10g2000yqd.googlegroups.com>
	<CAK8kjrAZvyVjAZ6s_G49muPiCgTBitiSrC09n2SexM6Hh4E...@mail.gmail.com>
	<18db7f24-3d21-4566-891d-846cbbafd...@v33g2000yqv.googlegroups.com>
Date: Mon, 4 Jun 2012 05:49:59 -0400
Message-ID: <CAK8kjrAbKKSXTFSmCVnnNr8hh1yg-9ZfBJ-WTjyc-eF9+q_...@mail.gmail.com>
Subject: Re: [security-onion] Re: question about runniong SO in VM...and an
 OSSEC question
From: Doug Burks <doug.bu...@gmail.com>
To: security-onion@googlegroups.com
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

In Windows, does your "sensor" interface have an IP address?  If so,
can you remove the IP address?

Thanks,
Doug

On Sun, Jun 3, 2012 at 3:31 AM, Mike_B <boeck...@gmail.com> wrote:
> Hi Doug,
>
> Thank you for all of your help!
>
> I was wrong about what interfaces were listed when starting Sguil.
>
> First is eth1...and second is ossec. It was not eth0-ossec like I had
> posted earlier. Sorry about that.
>
> As of right now I think everything in SO is working fine. But I am
> having trouble with setting up my NICs in Windows. As I mentioned
> in a previous post, I have VMware Player running on Windows 7. SO is
> running in a VM (obviously). I have 2 active NICs in Windows. One is
> the sensor, and it is plugged into a SPAN port on my ASA5505. The
> other is a management interface.
>
> In the VM running SO, I set the sensor interface like you described in
> the network config instructions - i.e. so it does not have an IP
> address. So when I am inside of the VM, I can run Firefox and it will
> use the management interface.
>
> My problem is within Windows itself. I have these 2 active NICs. I
> don't know if I have misconfigured my ASA or what, but when I try to
> use Firefox in Windows, I cannot get the traffic to go through the
> management NIC - sometimes it goes through the sensor. I have tried to
> set the sensor's gateway in Windows to be blank - and I thought that
> would solve it. But it doesn't really. So SO would work fine if I
> just wanted to use my PC to run the VM. But I can't use Windows if the
> VM is running because some of the traffic is trying to go through the
> sensor. After I set the sensor's gateway in Windows to be blank, I did
> a route PRINT, and it had removed the sensor from the routing
> table....so everything should have been going through the management
> NIC....but it wasn't.
>
> And prior to changing the sensor's gateway to blank, both the sensor
> and the management interface showed up when I did a route
> PRINT....however, after removing the gateway from the sensor's NIC,
> only the management interface is in the Windows routing table.
>
> I would really like to run this in a VM as opposed to on a dedicated
> machine.
>
> So do you or anyone else know how to keep traffic out of the sensor in
> Windows?
>
> I noticed this problem when I had the SO VM running and Sguil was
> open. If I did a port scan from another PC, alerts would show up.
> But if I went out to Windows, with the VM still running, and tried to
> use Nmap to portscan my 192.168.1.0/24 network, I wasn't getting any
> alerts. The weird thing was that from a Windows command prompt, I
> could ping my ASA at 192.168.1.1....however, if I tried to do a ping
> scan of my ASA with nmap, nmap reported the host was down. I confirmed
> this problem by using Wireshark in Windows to watch the management
> interface. If I used a browser, ping or telnet, the traffic showed up
> like it should. But if I used nmap, it didn't show up at all.
>
> So now I am also wondering if maybe nmap is using the wrong interface
> when I am in Windows....however, I have tried changing the interface
> used with the "-e" command line option, but I get error messages
> regardless of which interface I use. I have googled for the past hour
> trying to find the proper interface names to use with the "-e" option
> when running nmap in Windows but can't find an answer.
>
> I hope I have explained this problem well enough for you to
> understand. To sum it up - on the PC running the SO VM, if I am
> inside the VM, browser data etc. is routed properly through the management
> interface. But in Windows, some of the traffic doesn't want to use the
> management interface. So I was wondering if anyone has experienced
> this or has any ideas.
>
> Thanks for all of your help in the past day Doug.
>
> Mike
>
> On Jun 2, 6:35 am, Doug Burks <doug.bu...@gmail.com> wrote:
>> Hello again Mike,
>>
>> Replies inline.
>>
>> On Sat, Jun 2, 2012 at 1:18 AM, Mike_B <boeck...@gmail.com> wrote:
>> > Hi again,
>>
>> > After I posted my first message I did a little bit more research and
>> > am able to refine my questions a little bit.
>>
>> > After I got SO running, I used the advanced option in the setup
>> > program. I just want one of my two NICs to be a sensor. How do I do
>> > this? I have read conflicting info about this. I have read that if
>> > you use the "quick" setup option, it configures all of your NICs to be
>> > sensors; but I have also read that the advanced setup does the same
>> > thing. If this is true, how do I set SO up so one NIC is a sensor and
>> > one is a management interface?
>>
>> Quick Setup will automatically configure ALL network interfaces for
>> monitoring. Advanced Setup will allow you to choose one or more
>> network interfaces for monitoring. Where did you read that Advanced
>> Setup automatically configures all network interfaces?
>>
>> > Next, I am confused about OSSEC. I have read through many of the OSSEC
>> > related posts on this group....as well as OSSEC related info in the SO
>> > blog....Is OSSEC actually part of SO?
>>
>> Yes, Security Onion contains OSSEC installed in Server mode. It's
>> monitoring local logs by default and reporting any alerts to Sguil.
>>
>> > Or is it just an agent to
>> > listen for OSSEC messages from other hosts that have OSSEC installed?
>>
>> It's in Server mode so it can receive logs from other boxes running
>> the OSSEC agent (available for Linux, Unix, Windows, etc.).
>>
>> > And I have read that you can use SO's OSSEC to analyze syslogs
>> > etc.....do I need to do anything to set this up?
>>
>> Yes, OSSEC can act as a syslog collector. You would edit
>> /var/ossec/etc/ossec.conf like this:
>>   <remote>
>>     <connection>syslog</connection>
>>     <allowed-ips>192.168.23.45</allowed-ips>
>>   </remote>
>>
>> Then restart OSSEC:
>> sudo service ossec restart
>>
>> Then allow the syslog port in the firewall:
>> sudo ufw allow 514/udp
>>
>> For more info, please see:
>> http://www.ossec.net/doc/syntax/head_ossec_config.remote.html
>> http://www.ossec.net/main/manual/configuration-options
>>
>> > Do I need to have
>> > OSSEC running on another host to have this work?
>>
>> Nope!
>>
>> > Sorry for the basic
>> > questions....I have never used OSSEC before and am just confused on
>> > what part of OSSEC is supported in SO.
>>
>> No problem.
>>
>> > And once again, one of the questions that I asked in my first post:
>> > in the screenshots that I have seen from the SO blog....when Sguil is
>> > started it lets you select which interfaces to monitor. In the
>> > screenshots, it shows "ossec"....yet on my install, it says "eth0 -
>> > ossec"....does anyone know the significance of this? Have I done
>> > something wrong? And since I don't have OSSEC running on another host,
>> > would I achieve anything by having Sguil monitor it?
>>
>> The screenshot that you linked to previously was from an older version
>> of SO where the sensor names didn't have the hostname. As I mentioned
>> in my previous email, the current version of SO will create sensor
>> names like this:
>> hostname-eth0
>> hostname-ossec
>>
>> If you're seeing "eth0 - ossec", is your hostname set to "eth0"?
>>
>> > I think those are my main questions for now. Sorry for my ignorance
>> > concerning OSSEC.
>>
>> > I am just amazed with SO. I have always found it a PITA to get Sguil
>> > to work properly....and often had trouble getting Barnyard or Barnyard
>> > 2 to work correctly. Sometimes I would just throw up my hands and use
>> > a script like NSMnow.....but never again.
>>
>> Actually, you are using NSMnow :) The NSMnow scripts are part of SO,
>> but they've been heavily modified.
>>
>> > SO is so well thought
>> > out....and the fact that it has so many analysis tools built in is
>> > great. I can't thank the developers enough. Now I just need to learn
>> > how to iron out my issues.
>>
>> Thanks, glad you like it!
>> Doug
>>
>> > Thanks,
>> > Mike
>>
>> > On Jun 1, 7:40 pm, Mike_B <boeck...@gmail.com> wrote:
>> >> Hi everyone,
>>
>> >> I downloaded Security Onion a few months ago and forgot about it. The
>> >> past few days I decided to try it out and I am beyond impressed. It
>> >> is just awesome. Great work to everyone involved.
>>
>> >> Here are my questions:
>>
>> >> I installed Security Onion in a VM created with VMware Player. It
>> >> installed and updated fine. No problems. Obviously I want to have a
>> >> management interface and a sensor interface, so when I set up the VM,
>> >> I added a second NIC in VMware's settings. What should I set the 2
>> >> NICs to - NAT or Bridged?
>>
>> >> Right now I have the sensor set to Bridged - I am pretty sure the
>> >> sensor has to be set up as Bridged....and the management interface set
>> >> to NAT...and everything works fine....I read in the FAQ that in VMware
>> >> the NICs are backwards....eth0 is really supposed to be eth1....but I
>> >> haven't fixed that yet. So right now my sensor is on eth1, and
>> >> management is on eth0.
>>
>> >> BTW I have 3 NICs in my PC....the built-in one, which I disable or
>> >> unplug when I am using Security Onion...and 2 Intel PCI-e NICs, which
>> >> I use when running the IDS.
>>
>> >> When I start Sguil, both interfaces are listed at the bottom - eth1 is
>> >> on the left and says "unmonitored" underneath it...and eth0 is on the
>> >> right, and says "eth0ossec" and then it says "unmonitored" underneath
>> >> it.
>>
>> >> I know what OSSEC is....but I couldn't figure out why it was showing up
>> >> next to what is supposed to be my management interface. I searched
>> >> through Security Onion and found a blog that mentions ossec and
>> >> Sguil....but in the screenshots in the blog, ossec doesn't appear to
>> >> have an interface next to it.
>>
>> >> The link to the blog is here:
>> >> http://securityonion.blogspot.com/2011/01/security-onion-20110101-oss...
>>
>> >> So since OSSEC is a host-based IDS, should I select Sguil to monitor
>> >> both my sensor and my management interface? Or am I doing something
>> >> fundamentally wrong when I am setting up my network in VMware Player?
>>
>> >> Thanks in advance for your help.
>>
>> >> Mike
>>
>> >> PS After I make sure I am using this correctly I will probably install
>> >> it to a standalone PC, which should make the network setup a lot
>> >> easier.
>>
>> --
>> Doug Burks | http://securityonion.blogspot.com
>> Don't miss SANS SEC503 Intrusion Detection In-Depth in
>> Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
>> http://augusta.issa.org/drupal/SANS-Augusta-2012



-- 
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
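Doug's question at the top of the thread (does the Windows sensor NIC still have an IP address?) is the check that matters: Windows installs an on-link route for the NIC's subnet, and usually a default route too, for any adapter that holds an address, so blanking the gateway alone leaves the same-subnet route in place and LAN traffic can still leave through the SPAN-port NIC. The script below is an added example (my code, not the thread's and not part of Security Onion) that parses `route print`-style IPv4 output and flags every route bound to the sensor NIC's address. The route table is constructed to mirror Mike's two-NIC Windows 7 host; the addresses 192.168.1.50 (management) and 192.168.1.60 (sensor) are assumptions of the example.

```python
import re

# Constructed sample in the shape of the IPv4 table printed by 'route print'
# on Windows 7. The sensor NIC (192.168.1.60) still carries an address and a
# default route, which is the misconfiguration discussed in the thread.
SAMPLE_ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     10
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.60     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    266
      192.168.1.0    255.255.255.0         On-link      192.168.1.60    266
     192.168.1.50  255.255.255.255         On-link      192.168.1.50    266
     192.168.1.60  255.255.255.255         On-link      192.168.1.60    266
===========================================================================
"""

# dest, netmask, gateway (an IP or 'On-link'), interface address, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return one dict per route row; header, rulers and IPv6 lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "iface": iface, "metric": int(metric)})
    return routes


def default_route_iface(text):
    """Interface address Windows uses for off-subnet traffic: the
    lowest-metric 0.0.0.0/0 route wins."""
    defaults = [r for r in parse_routes(text)
                if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    if not defaults:
        return None
    return min(defaults, key=lambda r: r["metric"])["iface"]


def sensor_leaks(text, sensor_ips):
    """Routes that let the host transmit on a sensor NIC.

    sensor_ips is the set of addresses currently assigned to sensor NICs
    (assumption: taken from 'ipconfig'). A SPAN-port sensor should hold no
    address at all, so every route bound to one is a finding; a default
    route is the worst case because it draws all off-subnet traffic, and an
    on-link route still draws same-subnet traffic such as a LAN scan.
    """
    findings = []
    for r in parse_routes(text):
        if r["iface"] in sensor_ips:
            kind = "default-route" if r["dest"] == "0.0.0.0" else "route"
            findings.append((kind, r))
    return findings


if __name__ == "__main__":
    print("off-subnet traffic leaves via", default_route_iface(SAMPLE_ROUTE_PRINT))
    for kind, r in sensor_leaks(SAMPLE_ROUTE_PRINT, {"192.168.1.60"}):
        print(f"{kind:13s} {r['dest']}/{r['mask']} via {r['gateway']} on {r['iface']}")
```

Feed the real `route print` output and the sensor NIC's current address to `sensor_leaks`; an empty list is the goal. Blanking the gateway only removes the default route, and leaving the adapter on DHCP with no server gives it a 169.254.x.x address and a matching on-link route. The usual fix for a sniffing NIC on Windows is to unbind TCP/IPv4 (and IPv6) from that adapter in its properties so it holds no address and never appears in the table.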
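Doug's `<remote>` block plus `sudo ufw allow 514/udp` gets the OSSEC syslog listener working; a practitioner would also want to confirm that `<allowed-ips>` is no wider than it needs to be and scope the firewall rule to those same sources rather than opening 514/udp to the whole network. The following is an added example (my code, not Security Onion's and not OSSEC's). It parses a constructed ossec.conf modelled on the block in the thread, reports every syslog listener whose sources are looser than a policy threshold (the /24 cutoff is an assumption of this example, not an OSSEC setting), and generates ufw rules restricted to those sources. The 514/udp defaults and the `<port>`/`<protocol>` options are OSSEC's documented ones; the synthetic root element is needed because OSSEC permits several top-level `<ossec_config>` elements in one file.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf. The first <remote> block is the one from the
# thread; the second is a deliberately loose listener for comparison.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.23.45</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>any</allowed-ips>
    <port>10514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>
"""

# Policy threshold (an assumption for this example, not an OSSEC setting):
# a syslog source must be a single host or a prefix no wider than /24.
MIN_PREFIXLEN = 24


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> elements, which is
    not well-formed XML, so wrap the file in a synthetic root before parsing."""
    return ET.fromstring("<root>" + text + "</root>")


def syslog_listeners(text):
    """One dict per <remote> block whose <connection> is syslog.
    514/udp are OSSEC's documented defaults when <port>/<protocol> are absent."""
    listeners = []
    for remote in parse_ossec_conf(text).iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        listeners.append({
            "allowed": [a.text.strip() for a in remote.findall("allowed-ips") if a.text],
            "port": int((remote.findtext("port") or "514").strip()),
            "protocol": (remote.findtext("protocol") or "udp").strip().lower(),
        })
    return listeners


def check_sources(allowed):
    """(ok, reason): ok only when every allowed-ips entry is a host or a prefix
    of at least MIN_PREFIXLEN bits. 'any' or a missing list fails the check."""
    if not allowed:
        return False, "no <allowed-ips> entry on a syslog listener"
    for entry in allowed:
        if entry.lower() == "any":
            return False, "allowed-ips 'any' accepts syslog from every source"
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False, f"unparseable allowed-ips entry {entry!r}"
        if net.prefixlen < MIN_PREFIXLEN:
            return False, f"{entry} is wider than /{MIN_PREFIXLEN}"
    return True, f"every source is a host or a /{MIN_PREFIXLEN}-or-narrower prefix"


def ufw_rules(listeners):
    """Firewall rules scoped to the configured sources. A blanket
    'ufw allow 514/udp' exposes the port to every host that can reach the
    sensor; these rules admit only the sources OSSEC will accept anyway."""
    rules = []
    for l in listeners:
        for src in l["allowed"]:
            if src.lower() == "any":
                rules.append(f"ufw allow {l['port']}/{l['protocol']}")
            else:
                rules.append(f"ufw allow from {src} to any port {l['port']} proto {l['protocol']}")
    return rules


def audit(text):
    """[(index, ok, reason, ufw_rules)] for each syslog listener in the file."""
    report = []
    for i, l in enumerate(syslog_listeners(text)):
        ok, why = check_sources(l["allowed"])
        report.append((i, ok, why, ufw_rules([l])))
    return report


if __name__ == "__main__":
    for i, ok, why, rules in audit(SAMPLE_OSSEC_CONF):
        print(f"listener {i}: {'OK' if ok else 'LOOSE'} - {why}")
        for r in rules:
            print("   sudo " + r)
```

Run it against /var/ossec/etc/ossec.conf after editing; a LOOSE finding means the listener, or the firewall rule you are about to add for it, accepts syslog from more of the network than the one device you meant to collect from. Unauthenticated UDP syslog is trivially spoofable, so the source restriction is the only control you have on what reaches OSSEC's decoders.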