Rashad,
I've not tried installing Security Onion in ProxMox, so I wouldn't be able to offer much assistance with this. It sounds like it may be more of a ProxMox issue than any type of issue with Security Onion.
Some things you could try:
-Manipulating configuration settings for the VM in ProxMox (memory, networking, boot, etc.)
-Attempting Ubuntu 14.04 install to see if you experience the same issue
-Obtaining fresh install media (verifying ISO) and installing Security Onion again
-Trying any other OS install in ProxMox
It may also be beneficial to pose your question(s) to the ProxMox forum:
It may also be worth considering a different virtual machine management solution if you continue to have issues.
You can find several here:
http://www.tecmint.com/opensource-commercial-control-panels-manage-virtual-machines/
Thanks,
Wes
-
Rashad
Rashad,
Unfortunately, I can't offer any suggestions for ensuring the traffic is hitting the promiscuous interface -- that would be configuration relative to ProxMox, ensuring that your WAN config, tap, etc. is configured appropriately.
Have you tried restarting NSM services to see if they no longer show the status of 'FAIL'?
After that, maybe try replaying PCAPs to the interface (eth0), with tcpreplay:
sudo tcpreplay -i eth0 /opt/samples/*.pcap
Also try checking the logs in:
/var/log/nsm/sosetup.log
/var/log/nsm/hostname-interface/barnyard2.log
/var/log/nsm/hostname-interface/snortu-x.log
Thanks,
Wes
sosetup.log
https://drive.google.com/open?id=1wv8TJx68uWw-QswyfuFNEbJSTkJ_mqHkemNG5V-zEmQ
barnyard2.log
https://drive.google.com/open?id=1F4kxGCx29F66cAj5VeKBEwH3QkurEEqz46ek9aa-v78
snort.log
https://drive.google.com/open?id=11CI8nN_nbfZCnsH4LKggSryr1yr53wgUTz_pHoWbhLQ
Rashad,
Does this box have internet access?
When you check with tcpdump, which interface are you checking? eth0?
Please include the output of sostat-redacted.
Thanks,
Wes
Got something working on Squert, Wes, only OSSEC, but nothing in Xplico, Sguil. Are these just simple configuration issues I can resolve using the wiki?
Rashad,
You won't see anything in Xplico, as it is used for the manual upload of cases.
The OSSEC events you see are most likely local events from the local system and are not generated through the analysis of traffic.
Again, which interface are you monitoring with tcpdump?
Please provide the output of sostat-redacted, attaching as a text file, or using a service like Pastebin.com.
Thanks,
Wes
Rashad,
From your sostat output, it looks like there are several alerts that have been generated. Squert only shows the alerts from the current day. To see more/all, you'll need to adjust the timeframe.
If you look in Sguil and you have not cleared any alerts from the queue, then you should see all of the alerts generated thus far, since setup.
You could try replaying traffic to eth1 to see if more alerts are generated:
sudo tcpreplay -i eth1 -M10 /opt/samples/*.pcap
You'll also want to look into why you are getting a 500 error for rule-update/PulledPork. You may want to make sure you have proper internet access and can access that URL.
Also take a look into your ELSA buffers:
ELSA Buffers in Queue:
8424
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
Since this is just a test machine, you could try running:
sudo securityonion-elsa-reset
to clear everything out.
Thanks,
Wes
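The two things Wes asks about in this thread, NSM services showing 'FAIL' and the ELSA buffer count against the FAQ's threshold of 20, can be pulled out of a saved sostat dump with a small shell helper. This is an added example, not code from the thread or from the Security Onion project; it assumes the service status lines look like `  * name  [  OK  ]` / `[FAIL]` (the sample below is constructed) and that the buffer count sits on the line after "ELSA Buffers in Queue:", as in the output quoted above.

```shell
#!/bin/sh
# Triage helper for a saved sostat dump (added example; not part of the
# thread or of Security Onion). Assumed line formats are shown in the
# constructed sample below; adjust the patterns if your sostat differs.

# Constructed sostat-like output so the script runs offline.
SAMPLE_SOSTAT='Status: securityonion
  * sguil server                                        [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                 [  OK  ]
Status: so-sensor-eth1
  * netsniff-ng (full packet data)                      [FAIL]
  * pcap_agent (sguil)                                  [FAIL]
  * snort_agent-1 (sguil)                               [  OK  ]
  * snort-1 (alert data)                                [  OK  ]
  * barnyard2-1 (spooler, unified2 format)              [  OK  ]
ELSA Buffers in Queue:
8424'

# Print the name of every service whose status is [FAIL], one per line.
failed_services() {
    printf '%s\n' "$1" | awk '/\[FAIL\]/ {
        sub(/^[[:space:]]*\*[[:space:]]*/, "");   # drop the leading "  * "
        sub(/[[:space:]]*\[FAIL\].*$/, "");       # drop the status column
        print
    }'
}

# Print the number that follows the "ELSA Buffers in Queue:" header.
elsa_buffers() {
    printf '%s\n' "$1" | awk '/^ELSA Buffers in Queue:/ {
        getline; gsub(/[^0-9]/, ""); print; exit
    }'
}

# Succeed when the buffer count is present and at or below the FAQ threshold of 20.
elsa_buffers_ok() {
    count=$(elsa_buffers "$1")
    [ -n "$count" ] && [ "$count" -le 20 ]
}

# Summarise both checks; exit status 1 means something needs attention.
triage() {
    rc=0
    failed=$(failed_services "$1")
    if [ -n "$failed" ]; then
        echo "Services reporting FAIL (restart NSM services, then check /var/log/nsm):"
        printf '%s\n' "$failed" | sed 's/^/  - /'
        rc=1
    fi
    if elsa_buffers_ok "$1"; then
        echo "ELSA buffers in queue: $(elsa_buffers "$1") (ok)"
    else
        echo "ELSA buffers in queue: $(elsa_buffers "$1") (above 20, see the sostat FAQ entry)"
        rc=1
    fi
    return $rc
}

# Run against the constructed sample; on a real box use: triage "$(sudo sostat)"
triage "$SAMPLE_SOSTAT" || :
```

Against the constructed sample the helper lists netsniff-ng and pcap_agent as failed, which matches the symptom in the thread (alerts present, but no pcaps behind them in Sguil or CapMe), and flags the 8424 buffer count as above the FAQ threshold.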
Thanks so much, I ran the pcaps into eth1 and was able to see traffic in all except for Sguil. So I ran the fix and reran the setup to clear the logs and see if everything kept up. I have logs in ELSA but not any in Squert. I also installed an agent on my Win7 PC but haven't been able to connect; possible firewall issue? That ELSA buffer number seemed to stay high, but now it seems to be hovering a little lower after running setup again. My main concern is I have logs in ELSA now but no PCAPs to reference them to. No pcaps showing in Sguil or CapMe. Also, OSSEC agents are configured correctly with keys and agent; I restarted the OSSEC service but am not seeing any active connections.