Well I have successfully borked my SO network configuration. I am not a linux expert (my background is 25 years of windows/ms-dos). I have a SO sensor set up (dell optiplex) and it has 2 copper NICs and I also have one USB wifi NIC if I need it.
If I want to change just the management interface, is the *only* thing I need to do just the following:
1. sudo nano /etc/network/interfaces and make a change to the management interface
2. sudo /etc/init.d/networking restart
3. sudo nsm_sensor_ps-restart
OR
are there other things I need to reconfig and/or restart as well?
My sensor isn't within range of a router, so I have to use either the Wifi to do any updates or I can try a 1-port wifi network extender that I use with my VOIP phone.
I've made some changes...and sometimes sudo apt-get update doesn't hit the servers. Any help to a newbie will be very appreciated.
Obviously in a production environment I wouldn't use wifi, but I am trying to learn Security Onion for use in monitoring ICS/SCADA devices that I have access to. This is groundbreaking stuff for a SCADA engineer like me to do.
Thanks!
Chris
Ultimately I want to come up with a cheatsheet for someone really new to install SO in a control systems lab. I'm sniffing ICS traffic just fine and Bro has lit up with stuff I've thrown at the devices. FlowBAT works great too.
I'm all ears on what to do to get my monitor port squared away and accessible to the internet for updates. I am quite sure I'll have to reinstall SO at some point or move my setup close to my router somehow.
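As an added example, not from Chris's or Lee's posts and not part of Security Onion's own scripts, here is a small shell sketch of the three steps from the question (edit /etc/network/interfaces, restart networking, restart the NSM sensor processes) with a backup first and a check that the sniffing interface ends up with no IP address. Assumed: a 12.04/14.04-era Security Onion sensor that still uses /etc/network/interfaces, eth0 as the management interface, eth1 as the monitor port, and a constructed sample interfaces file standing in for the real one.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Security Onion.
# Assumptions: eth0 = management interface, eth1 = sniffing interface,
# sensor uses /etc/network/interfaces (ifupdown), run as root on the sensor.

# Constructed sample of an /etc/network/interfaces file (not a real sensor's file).
SAMPLE_INTERFACES='auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.50
    netmask 255.255.255.0
    gateway 192.168.1.1

auto eth1
iface eth1 inet manual
    up ip link set $IFACE promisc on arp off up
    down ip link set $IFACE promisc off down
'

# valid_ipv4 ADDR: exit 0 only for a dotted quad with four octets in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# iface_field CONTENT IFACE KEY: print the value of KEY inside the IFACE stanza.
iface_field() {
  printf '%s\n' "$1" | awk -v want="$2" -v key="$3" '
    $1 == "iface" { cur = $2 }
    cur == want && $1 == key { print $2; exit }'
}

# set_iface_address CONTENT IFACE ADDR: print CONTENT with the IFACE address replaced.
set_iface_address() {
  valid_ipv4 "$3" || { echo "invalid IPv4 address: $3" >&2; return 1; }
  printf '%s\n' "$1" | awk -v want="$2" -v addr="$3" '
    $1 == "iface" { cur = $2 }
    cur == want && $1 == "address" { $0 = "    address " addr }
    { print }'
}

# monitor_iface_ok CONTENT IFACE: succeed only if IFACE is "inet manual" and has no address.
# A sniffing port with an IP is reachable from the monitored network, which is what we avoid.
monitor_iface_ok() {
  method=$(printf '%s\n' "$1" | awk -v want="$2" '$1 == "iface" && $2 == want { print $4; exit }')
  [ "$method" = "manual" ] && [ -z "$(iface_field "$1" "$2" address)" ]
}

# apply_interfaces CONTENT MGMT_IFACE MON_IFACE: the post's steps 1-3 with a backup.
# Not run here; call it by hand from the console, since restarting networking
# drops any SSH session that rides on the management interface.
apply_interfaces() {
  monitor_iface_ok "$1" "$3" || { echo "refusing: $3 would carry an IP" >&2; return 1; }
  cp /etc/network/interfaces "/etc/network/interfaces.bak.$(date +%Y%m%d%H%M%S)"
  printf '%s\n' "$1" > /etc/network/interfaces   # step 1 (edit)
  /etc/init.d/networking restart                  # step 2
  nsm_sensor_ps-restart                           # step 3
}

# Demo on the constructed sample: move eth0 to 10.10.0.5 and show the result.
NEW_INTERFACES=$(set_iface_address "$SAMPLE_INTERFACES" eth0 10.10.0.5)
printf '%s\n' "$NEW_INTERFACES"
monitor_iface_ok "$NEW_INTERFACES" eth1 && echo "eth1 still has no IP: ok"
```

The only part that touches the system is apply_interfaces; everything else works on the text, so you can dry-run the edit and the monitor-port check before committing it, and the timestamped backup gives you a way back if the new address is wrong.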
>
> > are there other things I need to reconfig and/or restart as well?
> >
> > My sensor isn't within range of a router, so I have to use either the Wifi to do any updates or I can try a 1-port wifi network extender that I use with my VOIP phone.
>
> WiFi is not inherently bad. But nor is it inherently stable. :) But
> if it is what you have it is what you have. Things like using a USB
> extension cable and sticking it in the focal point of a wok, while
> laughable, actually can work very well!
>
> > I've made some changes...and sometimes sudo apt-get update doesn't hit the servers. Any help to a newbie will be very appreciated.
>
> The first thing is to look into logs to see why.
Yeah I figured there are logs, but I don't really know what linux logs to work with.
>
> > Obviously in a production environment I wouldn't use wifi, but I am trying to learn Security Onion for use in monitoring ICS/SCADA devices that I have access to. This is groundbreaking stuff for a SCADA engineer like me to do.
>
> I am doing a network design for a major plant. A major control network.
> (Names have been changed to protect... Well, me.) And we have two
> fiber runs to each building along different paths. But a tertiary
> fail-over link back to the main building with WiFi. No matter how bad
> the backhoe guy gets, we will have some connectivity.
Excellent! Good to see some NSM happening in ICS. Nobody has been really looking. I'll admit I cringed a little when you said there was Wifi, but as long as you know what you're doing. :)
>
>
> Now, I touched on a lot of things, because you asked a lot of things. I
> recommend this thread stay with "What is needed when I change an IP." Add
> a new one for "Why is SALT hating me?" :)
>
> And welcome to the party. New stuff is fun!
>
> Lee
New stuff is fun...when I get a full understanding of what's going on...not just breaking it.
Cheers!
Chris
Now, If I can just figure out what some of these alerts mean! :)
DNP3 and modbus are picked up by Bro, but Snort is not alerting on these things...I know there are Snort rules for both.
I will be writing a blog post on my setup and writing a book chapter for setting up SO in ICS. Stay tuned...and I appreciate Lee's help and everyone else's as well.
Cheers!
Chris