SO installation on Virtual Machine using one interface; unable to send packets using tcpreplay from another VM


Jon Lam

Oct 6, 2016, 1:22:55 PM
to security-onion
Hi,

I will keep this short since I think I need to create a virtual NIC. Currently, I am seeing the following messages when I tcpreplay on a "private/host-only" network from another Linux virtual machine. The SO installation is running on another VM using just one interface.

root@kali:~/PCAPS# tcpreplay -i eth0 -t samples/example.com-1.pcap
sending out eth0
processing file: samples/example.com-1.pcap
Warning in send_packets.c:send_packets() line 178:
Unable to send packet:
Warning in send_packets.c:send_packets() line 178:
Unable to send packet:
Warning in send_packets.c:send_packets() line 178:
Unable to send packet:
Warning in send_packets.c:send_packets() line 178:
Unable to send packet:

Can anyone vet my setup is valid?

Jon

lyse...@gmail.com

Oct 6, 2016, 3:03:32 PM
to Jon Lam, security-onion

Hi Jon

Please send the output from sudo sostat-redacted

Regards,

Lysemose

--

Follow Security Onion on Twitter!

https://twitter.com/securityonion

---

You received this message because you are subscribed to the Google Groups "security-onion" group.

To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.

To post to this group, send email to securit...@googlegroups.com.

Visit this group at https://groups.google.com/group/security-onion.

For more options, visit https://groups.google.com/d/optout.

Jon Lam

Oct 6, 2016, 3:49:05 PM
to lyse...@gmail.com, security-onion
Before I attach the output of the requested sostat-redacted command, I wanted to see what would happen if I added a second interface to the SO VM.  When I start up SGUIL, it does not ask me if I want to monitor the "sensor interface" (i.e. eth1).  It just shows what it presented before, with the only two networks to monitor being "eth0" or "ossec."  How do I enable "management" of this interface by SGUIL?

Back to the original problem, I was able to send example.com-3.pcap using tcpreplay from the Kali box, and it looks like the received bytes reflect the newly sent packets.  I cannot confirm this using SGUIL though, since the monitored network is not configured correctly.  However, tcpreplay-ing example.com-1.pcap and example.com-4.pcap results in

Warning in send_packets.c:send_packets() line 178:
Unable to send packet: 
Warning in send_packets.c:send_packets() line 178:
Unable to send packet:

--

Jon
sostat-redacted_100616_1806

Jon Lam

Oct 6, 2016, 4:05:45 PM
to lyse...@gmail.com, security-onion
My apologies, thank you for your support now and into the future!

Jon


Heine Lysemose

Oct 7, 2016, 9:50:59 AM
to jon...@gmail.com, security-onion
Hi Jon

You did the right thing by adding a second interface, see https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware#nic
You could probably get things working in Sguil by editing various config files here and there, but the easiest thing would be to re-run sosetup again and get things right.

Best,
Lysemose

Jon Lam

Oct 7, 2016, 11:25:00 AM
to Heine Lysemose, security-onion
Lysemose,

I did re-run sosetup which reconfigures network interfaces.  I am not sure what else I could do to get Sguil to detect and monitor the second interface.  Do you have any other procedure to manually configure Sguil to do this?

Thanks in advance. 
Jon


--

Jon

Wes

Oct 7, 2016, 7:09:49 PM
to security-onion, lyse...@gmail.com, jon...@gmail.com

Jon,

What happens if you do the following?

sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "select * from sensor"

Are all of the sensor interfaces active (y)?

Thanks,
Wes
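As an added illustration of the check Wes is asking for (this is not code from the thread or from the Security Onion project), the script below parses the tab-separated output of that `mysql -e` query and reports, for each interface you expect to sniff, whether the sensor table has rows for it and whether they are all active. The column names `hostname`, `agent_type` and `active`, and the `<hostname>-<iface>` sensor naming, are assumed from the Sguil schema and from the `/nsm/sensor_data/SO-server-eth0` path seen later in the thread; the embedded sample output is constructed, not real data.

```python
"""Compare Sguil's sensor table against the interfaces you expect Security Onion to sniff.

Save the query output from the thread to a file, e.g.
  sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db \
      -e "select hostname, agent_type, active from sensor" > sensors.tsv
then run:  python3 check_sensors.py sensors.tsv SO-server eth0 eth1

Assumptions (not from the thread): the sensor table exposes columns named
hostname, agent_type and active, and sensor hostnames look like <hostname>-<iface>.
"""
import sys

# Constructed sample of `mysql -e` tab-separated output (not real data).
# eth0 has its agents registered; eth1 has no rows at all, which is the
# situation where Sguil never offers the interface for monitoring.
SAMPLE_TSV = """\
hostname\tagent_type\tactive
SO-server-eth0\tpcap\tY
SO-server-eth0\tsnort\tY
SO-server-eth0\tsancp\tY
SO-server-eth0-1\tpcap\tN
"""


def parse_sensor_table(text):
    """Parse tab-separated `mysql -e` output (header row first) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def check_interfaces(rows, hostname, interfaces):
    """Return {iface: "active" | "inactive" | "missing"} for each expected interface.

    "active"   - at least one sensor row exists for the interface and all are active == 'Y'
    "inactive" - rows exist but at least one is not 'Y'
    "missing"  - no row references the interface at all (Sguil will not list it)
    """
    result = {}
    for iface in interfaces:
        sensor_name = "%s-%s" % (hostname, iface)  # assumed <hostname>-<iface> naming
        matching = [r for r in rows if r.get("hostname") == sensor_name]
        if not matching:
            result[iface] = "missing"
        elif all(r.get("active", "").upper() == "Y" for r in matching):
            result[iface] = "active"
        else:
            result[iface] = "inactive"
    return result


def main(argv):
    # With no arguments, run against the constructed sample so the script works offline.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TSV
    hostname = argv[2] if len(argv) > 2 else "SO-server"
    interfaces = argv[3:] if len(argv) > 3 else ["eth0", "eth1"]
    rows = parse_sensor_table(text)
    for iface, status in check_interfaces(rows, hostname, interfaces).items():
        print("%s: %s" % (iface, status))


if __name__ == "__main__":
    main(sys.argv)
```

A "missing" result for an interface that the OS does show is the signature of the problem discussed in this thread: the interface exists in /etc/network/interfaces but no sniffing services were ever registered for it.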

Jon Lam

Oct 7, 2016, 10:03:59 PM
to Wes, security-onion, Heine Lysemose
Wes,

Sorry for the delay in my response time.  Yes.  All sensor interfaces are active.  Could it be that we need a virtual switch to perform the span or mirroring of the traffic?

Jon


Robbie Foster

Oct 8, 2016, 1:50:26 AM
to securit...@googlegroups.com

Just a suggestion. If you want to monitor 2 interfaces, use 3 interfaces on VMware: ge0 mgt, ge1 second ethernet, ge2 on the same interface as mgt for SO. Lie to it, essentially.

Wes

Oct 8, 2016, 4:57:26 AM
to security-onion
On Saturday, October 8, 2016 at 1:50:26 AM UTC-4, Robbie Foster wrote:
> Just a suggestion. If you want to monitor 2 interfaces. Use 3 interfaces on vmware, ge0 mgt, ge1 second ethernet, ge2 on same interface as mgt for SO. Lie to it essentially

Jon,

From your sostat, it appears your eth1 interface may not be configured correctly (are you sure you configured it correctly during setup?):

For example, sostat only shows the following:

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

eth0: 12209

and...

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 2 days
55M .
21M ./2016-09-24
35M ./2016-10-06

/nsm/bro/logs/ - 2 days
728K .
224K ./2016-09-24
428K ./2016-10-06
72K ./stats


...there are no entries for eth1, other than in the OS's interface listing.

When you ran the MySQL command, did you see a [hostname]-eth1 interface in the securityonion_db database?

You may want to run soup to ensure the latest updates (sudo soup -y) and re-run setup. You may also have better success using a bridged interface for sniffing.

Thanks,
Wes

Jon Lam

Oct 8, 2016, 2:36:38 PM
to security-onion
No, the MySQL database does not show an eth1 interface; just an eth0 and eth0-1, with the second one being a virtual interface within Linux, which is what I tried to set up before a second virtual network adapter in Fusion. sostat shows an eth1 in addition to eth0. When I ran setup from the desktop I configured eth0 as the sniffing interface and eth1 as the management interface. I am going to investigate the bridging mode for one or both of the interfaces in VMware Fusion. Not sure how that is going to work yet. Thanks for the pointers.

Doug Burks

Oct 10, 2016, 8:49:13 AM
to securit...@googlegroups.com
Hi Jon,

It sounds like when you re-ran Setup, you only re-ran the first phase
of Setup for configuring /etc/network/interfaces. Have you tried
re-running the second phase of Setup to configure sniffing services on
eth1?



--
Doug Burks