Changing IP addresses of the server and sensors.


nixu...@gmail.com

Oct 21, 2013, 1:06:30 PM
to securit...@googlegroups.com
I have just started working with SO, and Doug, thank you very much for all your work on this.

I have a server and single sensor setup in my lab, but will be scaling out to multiple sensors later. I changed the IP of the server using the sosetup script and have already noticed that pivoting from Snorby to CapMe to view full packet captures has not updated the target IP properly and thus I have to manually enter the target IP.

What else should I expect to break through this transition (I will have to, as my lab has different IPs than my target network) and how do I fix them? I have yet to find where the first IP has been hardcoded.

Thanks,
Don

Pietro Delsante

Oct 22, 2013, 4:07:57 AM
to securit...@googlegroups.com

Hi Don,

I had a similar issue some time ago, I found that the IP addresses are contained in quite a lot of configuration files.

I resolved it by running some greps and this is what I found:

~~~~~~~~~~~~~~~~~~~~~
* /etc/nsm/[HOSTNAME]-[IFNAME]/http_agent.conf:
set SERVER_HOST [SERVER-IP]

* /etc/nsm/[HOSTNAME]-[IFNAME]/pads_agent.conf:
set SERVER_HOST [SERVER-IP]

* /etc/nsm/[HOSTNAME]-[IFNAME]/pcap_agent.conf:
set SERVER_HOST [SERVER-IP]

* /etc/nsm/[HOSTNAME]-[IFNAME]/sancp_agent.conf:
set SERVER_HOST [SERVER-IP]

* /etc/nsm/[HOSTNAME]-[IFNAME]/sensor.conf:
SENSOR_SERVER_HOST="[SERVER-IP]"

* /etc/nsm/[HOSTNAME]-[IFNAME]/snort_agent-[N].conf:
set SERVER_HOST [SERVER-IP]

* /etc/nsm/ossec/ossec_agent.conf:
set SERVER_HOST [SERVER-IP]

* /opt/bro/etc/node.cfg:
host=[SENSOR-IP]

* /root/.ssh/securityonion_ssh.conf
SERVERNAME=[SERVER-IP]
~~~~~~~~~~~~~~~~~~~~~

I may still be missing something, but if we managed to put it all together it would also be nice to have it on some wiki page :)

Regards,
Pietro

Pietro Delsante

Oct 22, 2013, 6:10:51 AM
to securit...@googlegroups.com

Oh, by the way, my last message was about the sensor's configuration. If you are going to change the server's IP address as well, you might want to configure:

* /etc/elsa_web.conf and /opt/elsa/web/conf/elsa.conf:
"pcap_url": "https://[SERVER-IP]/capme"
"base_url": "https://[SERVER-IP]:3154" (in case you configured the email settings)

I did not find any other reference in the server's configuration but, again, I may be missing something...

Regards,
Pietro
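
The two messages above together give the sensor-side and server-side files that carry the old address. The script below is an added example for this thread, not Security Onion's own tooling and not code posted by anyone here: it walks exactly those files, reports every whole-address occurrence of the old IP, and with `--apply` rewrites it to the new one, keeping a `.bak` copy of each file it touches. The `SENSOR_DIR` default, the `change_ip.sh` name and the command-line shape are assumptions; substitute your real `/etc/nsm/[HOSTNAME]-[IFNAME]` directory. The matching deliberately refuses partial hits, so replacing `10.0.0.1` leaves `10.0.0.10` alone.

```shell
#!/bin/sh
# Added example (not from the thread or from the Security Onion project):
# find and rewrite an old IP address in the config files Pietro listed.
#
#   sh change_ip.sh 10.0.0.5 192.168.1.5          # report only
#   sh change_ip.sh 10.0.0.5 192.168.1.5 --apply  # rewrite, keep .bak copies

# Hypothetical sensor directory; set SENSOR_DIR to your /etc/nsm/[HOSTNAME]-[IFNAME]
SENSOR_DIR="${SENSOR_DIR:-/etc/nsm/sensor1-eth1}"

# Sensor-side files from Pietro's first message (snort_agent-[N].conf via a glob)
SENSOR_FILES="$SENSOR_DIR/http_agent.conf $SENSOR_DIR/pads_agent.conf
$SENSOR_DIR/pcap_agent.conf $SENSOR_DIR/sancp_agent.conf
$SENSOR_DIR/sensor.conf $SENSOR_DIR/snort_agent-*.conf
/etc/nsm/ossec/ossec_agent.conf /opt/bro/etc/node.cfg
/root/.ssh/securityonion_ssh.conf"
# Server-side files from Pietro's second message
SERVER_FILES="/etc/elsa_web.conf /opt/elsa/web/conf/elsa.conf"

# awk program shared by both functions. An occurrence of OLD counts only when
# the characters around it are not digits or dots, so 10.0.0.1 never touches
# 10.0.0.10 or 110.0.0.1. mode=list prints file:line:content for each hit;
# mode=replace prints the rewritten file.
ip_awk='
{
  line = $0; out = ""; hits = 0
  while ((i = index(line, old)) > 0) {
    pre  = substr(line, 1, i - 1)
    post = substr(line, i + length(old))
    lc = (i > 1) ? substr(line, i - 1, 1) : ""
    nc = substr(post, 1, 1)
    if (lc ~ /[0-9.]/ || nc ~ /[0-9.]/) {
      out = out pre old
    } else {
      out = out pre new; hits++
    }
    line = post
  }
  if (mode == "list") { if (hits > 0) print FILENAME ":" NR ":" $0 } else print out line
}'

# list_ip_refs OLD_IP FILE...  -> one "file:line:content" line per whole-address hit
list_ip_refs() {
  old="$1"; shift
  for f in "$@"; do
    if [ -f "$f" ]; then
      awk -v mode=list -v old="$old" -v new="$old" "$ip_awk" "$f"
    fi
  done
}

# replace_ip OLD_IP NEW_IP FILE...  -> rewrites each file that contains OLD_IP,
# keeps FILE.bak, writes through the existing inode so ownership and mode are
# preserved (matters for /root/.ssh), and prints the number of files changed
replace_ip() {
  old="$1"; new="$2"; shift 2
  changed=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if [ -n "$(list_ip_refs "$old" "$f")" ]; then
      cp -p "$f" "$f.bak"
      awk -v mode=replace -v old="$old" -v new="$new" "$ip_awk" "$f" > "$f.tmp" \
        && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
      changed=$((changed + 1))
    fi
  done
  echo "$changed"
}

# Command-line entry point; the file lists are left unquoted so the glob expands
if [ "$#" -ge 2 ]; then
  old_ip="$1"; new_ip="$2"
  if [ "$3" = "--apply" ]; then
    echo "files changed: $(replace_ip "$old_ip" "$new_ip" $SENSOR_FILES $SERVER_FILES)"
  else
    list_ip_refs "$old_ip" $SENSOR_FILES $SERVER_FILES
  fi
fi
```

Run it once without `--apply` first and read the report: anything Pietro's lists miss will simply not show up, so a second pass with `grep -rn OLD_IP /etc/nsm /opt/elsa /opt/bro/etc` is still worth doing before restarting the services. The `.bak` copies of `/root/.ssh/securityonion_ssh.conf` and the agent configs are the rollback path if a sensor stops checking in.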

Doug Burks

Oct 22, 2013, 6:13:30 AM
to securit...@googlegroups.com
Don, if you're moving from lab to production, have you considered
re-running Setup? If you do so, then it should automatically
configure all IP address settings correctly. To answer your question
about Snorby, you can go to Administration, then General Settings and
update the IP address there.

Pietro, I've started a Wiki page with your suggestions and added some
additional information:
https://code.google.com/p/security-onion/wiki/ChangingIPAddress



--
Doug Burks
http://securityonion.blogspot.com

Pietro Delsante

Oct 22, 2013, 6:25:39 AM
to securit...@googlegroups.com
On Tuesday, October 22, 2013 12:13:30 PM UTC+2, Doug Burks wrote:
> Pietro, I've started a Wiki page with your suggestions and added some
> additional information:
> https://code.google.com/p/security-onion/wiki/ChangingIPAddress

Thanks a lot, Doug!

nixu...@gmail.com

Oct 22, 2013, 9:58:26 AM
to securit...@googlegroups.com
Thanks Doug and Pietro, this is great.

Don

nixu...@gmail.com

Oct 22, 2013, 10:23:08 AM
to securit...@googlegroups.com
Just out of curiosity, does one also run the setup script again to change all the passwords?

Doug Burks

Oct 22, 2013, 10:30:05 AM
to securit...@googlegroups.com
Yes, you can re-run Setup to change all the passwords (keeping in mind
that this will delete all data and config).

If you don't want to re-run Setup, you can change passwords as follows:

- change Snorby password in the Snorby web interface

- change Sguil/Squert/ELSA password using the Sguil client or using
the nsm_server_user-passwd utility

On Tue, Oct 22, 2013 at 10:23 AM, <nixu...@gmail.com> wrote:
> Just out of curiosity, does one also run the setup script again to change all the passwords?
>

nixu...@gmail.com

Oct 22, 2013, 10:42:13 AM
to securit...@googlegroups.com
Perfect.

Thanks!
