Management Interface Basics


Chris Sistrunk

Nov 10, 2014, 7:09:27 PM
to securit...@googlegroups.com
Hello!

Well I have successfully borked my SO network configuration. I am not a linux expert (my background is 25 years of windows/ms-dos). I have a SO sensor set up (dell optiplex) and it has 2 copper NICs and I also have one USB wifi NIC if I need it.

If I want to change just the management interface, is the *only* thing I need to do just:
1. sudo nano /etc/network/interfaces and make a change to the management interface
2. sudo /etc/init.d/networking restart
3. sudo nsm_sensor_ps-restart

OR

are there other things I need to reconfig and/or restart as well?

My sensor isn't within range of a router, so I have to use either the Wifi to do any updates or I can try a 1-port wifi network extender that I use with my VOIP phone.

I've made some changes...and sometimes sudo apt-get update doesn't hit the servers. Any help to a newbie will be very appreciated.

Obviously in a production environment I wouldn't use wifi, but I am trying to learn Security Onion for use in monitoring ICS/SCADA devices that I have access to. This is ground breaking stuff for a SCADA engineer like me to do.

Thanks!

Chris

Lee Sharp

Nov 10, 2014, 9:12:29 PM
to securit...@googlegroups.com
On 11/10/2014 06:09 PM, Chris Sistrunk wrote:
> Hello!
>
> Well I have successfully borked my SO network configuration.

Good! I have found that breaking things is the best way to learn! :)

> I am not a linux expert (my background is 25 years of windows/ms-dos). I have a SO sensor set up (dell optiplex) and it has 2 copper NICs and I also have one USB wifi NIC if I need it.
>
> If I want to change just the management interface, is the *only* thing I need to do just:
> 1. sudo nano /etc/network/interfaces and make a change to the management interface
> 2. sudo /etc/init.d/networking restart
> 3. sudo nsm_sensor_ps-restart

First, what are you changing on the management interface? If you are
changing IP addresses, there may be a bit more to do. And if you
are changing the IP address of the interface you are on (with ssh) it
gets more complex. I would actually change the config and reboot to
make sure it comes up clean. (Or does not come up at all...)

> are there other things I need to reconfig and/or restart as well?
>
> My sensor isn't within range of a router, so I have to use either the Wifi to do any updates or I can try a 1-port wifi network extender that I use with my VOIP phone.

WiFi is not inherently bad. But nor is it inherently stable. :) But
if it is what you have it is what you have. Things like using a USB
extension cable and sticking it in the focal point of a wok, while
laughable, actually can work very well!

> I've made some changes...and sometimes sudo apt-get update doesn't hit the servers. Any help to a newbie will be very appreciated.

The first thing is to look into logs to see why.

> Obviously in a production environment I wouldn't use wifi, but I am trying to learn Security Onion for use in monitoring ICS/SCADA devices that I have access to. This is ground breaking stuff for a SCADA engineer like me to do.

I am doing a network design for a major plant. A major control network.
(Names have been changed to protect... Well, me.) And we have two
fiber runs to each building along different paths. But a tertiary
fail-over link back to the main building with WiFi. No matter how bad
the backhoe guy gets, we will have some connectivity.


Now, I touched on a lot of things, because you asked a lot of things. I
recommend this thread stay with "What is needed when I change an IP." Add
a new one for "Why is SALT hating me?" :)

And welcome to the party. New stuff is fun!

Lee

Chris Sistrunk

Nov 10, 2014, 9:38:31 PM
to securit...@googlegroups.com
On Monday, November 10, 2014 8:12:29 PM UTC-6, leesharp wrote:
> On 11/10/2014 06:09 PM, Chris Sistrunk wrote:
> > Hello!
> >
> > Well I have successfully borked my SO network configuration.
>
> Good! I have found that breaking things is the best way to learn! :)
>
> > I am not a linux expert (my background is 25 years of windows/ms-dos). I have a SO sensor set up (dell optiplex) and it has 2 copper NICs and I also have one USB wifi NIC if I need it.
> >
> > If I want to change just the management interface, is the *only* thing I need to do just:
> > 1. sudo nano /etc/network/interfaces and make a change to the management interface
> > 2. sudo /etc/init.d/networking restart
> > 3. sudo nsm_sensor_ps-restart
>
> First, what are you changing on the management interface? If you are
> changing IP addresses, there may be a bit more to do. And if you
> are changing the IP address of the interface you are on (with ssh) it
> gets more complex. I would actually change the config and reboot to
> make sure it comes up clean. (Or does not come up at all...)
I am changing the interfaces file going between eth1 and wlan0. I tried both in static and DHCP and DHCP worked fine on both last week. Now, when eth1 was connected to my IOGEAR GWU627 adapter with DHCP, something strange was happening. Another eth1 would show up in ifconfig with "eth1: avahi" etc etc with a strange IP address. I couldn't reach the internet (to do upgrades and whatnot). I changed the config back to wlan0 and it would only stay connected to my router for a little while. I got frustrated not knowing enough about linux networking inside of security onion that I reinstalled security onion. I tried just the eth1 DHCP as management interface and it still wouldn't grab a good IP from the device. I put it on my VOIP phone and it worked just fine.

Ultimately I want to come up with a cheatsheet for someone really new to install SO in a control systems lab. I'm sniffing ICS traffic just fine and Bro has lit up with stuff I've thrown at the devices. FlowBAT works great too.

I'm all ears on what to do to get my monitor port squared away and accessible to the internet for updates. I am quite sure I'll have to reinstall SO at some point or move my setup close to my router somehow.

>
> > are there other things I need to reconfig and/or restart as well?
> >
> > My sensor isn't within range of a router, so I have to use either the Wifi to do any updates or I can try a 1-port wifi network extender that I use with my VOIP phone.
>
> WiFi is not inherently bad. But nor is it inherently stable. :) But
> if it is what you have it is what you have. Things like using a USB
> extension cable and sticking it in the focal point of a wok, while
> laughable, actually can work very well!
>
> > I've made some changes...and sometimes sudo apt-get update doesn't hit the servers. Any help to a newbie will be very appreciated.
>
> The first thing is to look into logs to see why.

Yeah I figured there are logs, but I don't really know what linux logs to work with.

>
> > Obviously in a production environment I wouldn't use wifi, but I am trying to learn Security Onion for use in monitoring ICS/SCADA devices that I have access to. This is ground breaking stuff for a SCADA engineer like me to do.
>
> I am doing a network design for a major plant. A major control network.
> (Names have been changed to protect... Well, me.) And we have two
> fiber runs to each building along different paths. But a tertiary
> fail-over link back to the main building with WiFi. No matter how bad
> the backhoe guy gets, we will have some connectivity.

Excellent! Good to see some NSM happening in ICS. Nobody has been really looking. I'll admit I cringed a little when you said there was Wifi, but as long as you know what you're doing. :)


>
>
> Now, I touched on a lot of things, because you asked a lot of things. I
> recommend this thread stay with "What is needed when I change an IP." Add
> a new one for "Why is SALT hating me?" :)
>
> And welcome to the party. New stuff is fun!
>
> Lee

New stuff is fun...when I get full understanding on what's going on...not just breaking it.

Cheers!

Chris

Lee Sharp

Nov 10, 2014, 11:03:10 PM
to securit...@googlegroups.com
On 11/10/2014 08:38 PM, Chris Sistrunk wrote:

> I am changing the interfaces file going between eth1 and wlan0. I tried both in static and DHCP and DHCP worked fine on both last week. Now, when eth1 was connected to my IOGEAR GWU627 adapter with DHCP, something strange was happening. Another eth1 would show up in ifconfig with "eth1: avahi" etc etc with a strange IP address. I couldn't reach the internet (to do upgrades and whatnot). I changed the config back to wlan0 and it would only stay connected to my router for a little while. I got frustrated not knowing enough about linux networking inside of security onion that I reinstalled security onion. I tried just the eth1 DHCP as management interface and it still wouldn't grab a good IP from the device. I put it on my VOIP phone and it worked just fine.

Sounds like a zero IP address you get when DHCP cannot be reached.
169.x.x.x is what you see. And it means your network is unstable.
(Which could also be your salt problem.)

> Ultimately I want to come up with a cheatsheet for someone really new to install SO in a control systems lab. I'm sniffing ICS traffic just fine and Bro has lit up with stuff I've thrown at the devices. FlowBAT works great too.
>
> I'm all ears on what to do to get my monitor port squared away and accessible to the internet for updates. I am quite sure I'll have to reinstall SO at some point or move my setup close to my router somehow.

Static IP is best. First, changing IP addresses on the fly is not good.
Several things in SO believe they know the IP address, so when it
changes, bad things happen.
As to your network problems, that is another thing to address.

> Excellent! Good to see some NSM happening in ICS. Nobody has been really looking. I'll admit I cringed a little when you said there was Wifi, but as long as you know what you're doing. :)

Uh... Not exactly. I am an independent consultant. The ICS system I
am working on, we are focused on connectivity, not security. It is a
different client I am working on security with. :)
And the WiFi is only there if all else fails. Without it, it would just
fail earlier.

> New stuff is fun...when I get full understanding on what's going on...not just breaking it.

But breaking it is how you get there! :)

Lee
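Lee's 169.x.x.x symptom, as an added example that is not part of the thread: a small shell check that reads the one-line-per-address output of `ip -4 -o addr` and flags any interface that fell back to a 169.254.0.0/16 link-local address, which is what avahi/zeroconf hands out when no DHCP lease arrives. The sample output and the function names are mine, not the list's.

```shell
#!/bin/sh
# Added example, not from the thread: detect the "zero IP" fallback Lee describes.
# When no DHCP server answers, avahi/zeroconf hands the interface a 169.254.x.x
# address, so the NIC looks "up" but cannot reach the router or the apt mirrors.

# Constructed sample in the one-line-per-address format of `ip -4 -o addr`:
# eth0 holds a real lease, eth1 fell back to a link-local address.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 169.254.7.23/16 brd 169.254.255.255 scope link eth1:avahi'

# Read `ip -4 -o addr` lines on stdin and print the name of every interface
# whose address is inside 169.254.0.0/16. Fields: $2 = ifname, $3 = "inet",
# $4 = address/prefix.
link_local_ifaces() {
    awk '$3 == "inet" && $4 ~ /^169\.254\./ { print $2 }'
}

# Exit 0 when every interface holds a routable lease, 1 when at least one is
# stuck on link-local, so a health check or cron job can alert instead of
# "sudo apt-get update" silently failing later.
dhcp_lease_ok() {
    [ -z "$(link_local_ifaces)" ]
}

# Stand-alone run against the constructed sample; on a live sensor use:
#   ip -4 -o addr | link_local_ifaces
printf '%s\n' "$SAMPLE" | link_local_ifaces
```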

Chris Sistrunk

Nov 11, 2014, 12:02:07 PM
to securit...@googlegroups.com
Update:
I completely reinstalled security onion step-by-step and documented everything I did. It is now all working great. I think I got my wires crossed on what things were eth0 and what things were eth1. I probably at one point had my wifi extender plugged into my sniffing interface. With that said I now have it set up where the correct port is sniffing and the correct port is managing. DHCP is working fine for my management port. I was also able to add x11vnc (and added port 5900 to the Ubuntu firewall). Everything is all working and I documented what I did.

Now, if I can just figure out what some of these alerts mean! :)
DNP3 and modbus are picked up by Bro, but Snort is not alerting on these things...I know there are Snort rules for both.

I will be writing a blogpost on my setup and writing a book chapter for setting up SO in ICS. Stay tuned...and I appreciate Lee's help and everyone else as well.

Cheers!

Chris
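Chris's three-step list in the first message and the eth0/eth1 mix-up he describes above, as an added example that is not from the thread: a shell/awk pass over /etc/network/interfaces that labels each stanza as the management interface (dhcp/static, carries an address) or the sniffing interface (manual, promiscuous, no address) and flags the two mistakes that produce exactly that confusion, so the roles can be confirmed before `networking restart`. The sample file is constructed, modelled on the stanza layout Security Onion's setup writes; the function name is mine.

```shell
#!/bin/sh
# Added example, not from the thread: label each stanza in /etc/network/interfaces
# as management (carries an IP) or sniffing (manual, promiscuous, no IP) so the
# eth0/eth1 roles are confirmed before "sudo /etc/init.d/networking restart".

# Constructed sample modelled on the layout Security Onion's setup writes:
# eth0 is the management NIC on DHCP, eth1 is the sniffing NIC on the mirror port.
SAMPLE='auto lo
iface lo inet loopback

# Management interface
auto eth0
iface eth0 inet dhcp

# Connected to the mirror port
auto eth1
iface eth1 inet manual
  up ifconfig $IFACE -arp up
  up ip link set $IFACE promisc on
  down ip link set $IFACE promisc off
  down ifconfig $IFACE down'

# Read an interfaces file on stdin; print "NAME: ROLE" for every iface stanza.
# Two mix-ups are flagged: a static management NIC with no address line, and an
# address on a manual (sniffing) NIC, which is what editing the wrong stanza
# after plugging the extender into the sniffing port tends to produce.
classify_ifaces() {
    awk '
    function emit() {
        if (name == "") return
        if (method == "loopback")                role = "loopback"
        else if (method == "dhcp")               role = "management (dhcp)"
        else if (method == "static" && has_addr) role = "management (static)"
        else if (method == "static")             role = "MISCONFIG: static without address"
        else if (method == "manual" && has_addr) role = "MISCONFIG: address on a manual/sniffing iface"
        else if (method == "manual" && promisc)  role = "sniffing"
        else if (method == "manual")             role = "manual (no promisc, not sniffing)"
        else                                     role = "unknown (" method ")"
        print name ": " role
    }
    $1 == "iface" { emit(); name = $2; method = $4; has_addr = 0; promisc = 0; next }
    name != "" && $1 == "address" { has_addr = 1 }
    name != "" && /promisc on/    { promisc = 1 }
    END { emit() }
    '
}

# Stand-alone run; on a sensor: classify_ifaces < /etc/network/interfaces
printf '%s\n' "$SAMPLE" | classify_ifaces
```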

Jim Solderitsch

Mar 17, 2015, 12:37:34 AM
to securit...@googlegroups.com
Is there any progress on more documentation for ICS and SO? I want to do some little experiments with modbus traffic and the digital bond snort rules but I would like a newbie introduction to the setup.

Thanks

Jim