I have a server and single sensor setup in my lab, but will be scaling out to multiple sensors later. I changed the IP of the server using the sosetup script and have already noticed that pivoting from Snorby to CapMe to view full packet captures has not updated the target IP properly and thus I have to manually enter the target IP.
What else should I expect to break through this transition (I will have to, as my lab has different IPs than my target network) and how do I fix them? I have yet to find where the first IP has been hardcoded.
Thanks,
Don
Hi Don,
I had a similar issue some time ago, I found that the IP addresses are contained in quite a lot of configuration files.
I resolved it by running some greps and this is what I found:
~~~~~~~~~~~~~~~~~~~~~
* /etc/nsm/[HOSTNAME]-[IFNAME]/http_agent.conf:
set SERVER_HOST [SERVER-IP]
* /etc/nsm/[HOSTNAME]-[IFNAME]/pads_agent.conf:
set SERVER_HOST [SERVER-IP]
* /etc/nsm/[HOSTNAME]-[IFNAME]/pcap_agent.conf:
set SERVER_HOST [SERVER-IP]
* /etc/nsm/[HOSTNAME]-[IFNAME]/sancp_agent.conf:
set SERVER_HOST [SERVER-IP]
* /etc/nsm/[HOSTNAME]-[IFNAME]/sensor.conf:
SENSOR_SERVER_HOST="[SERVER-IP]"
* /etc/nsm/[HOSTNAME]-[IFNAME]/snort_agent-[N].conf:
set SERVER_HOST [SERVER-IP]
* /etc/nsm/ossec/ossec_agent.conf:
set SERVER_HOST [SERVER-IP]
* /opt/bro/etc/node.cfg:
host=[SENSOR-IP]
* /root/.ssh/securityonion_ssh.conf
SERVERNAME=[SERVER-IP]
~~~~~~~~~~~~~~~~~~~~~
I may still be missing something, but if we managed to put it all together it would be also nice to have it on some wiki page :)
Regards,
Pietro
Oh, by the way, my last message was about the sensor's configuration. If you are going to change the server's IP address as well, you might want to configure:
* /etc/elsa_web.conf and /opt/elsa/web/conf/elsa.conf:
"pcap_url": "https://[SERVER-IP]/capme"
"base_url": "https://[SERVER-IP]:3154" (in case you configured the email settings)
I did not find any other reference in the server's configuration but, again, I may be missing something...
Regards,
Pietro
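Pietro's two lists above, turned into a quick audit you can run on a sensor or server after a re-address (an added example, not a script from the thread or from the Security Onion project). It assumes the same file paths Pietro listed and that you know the old server IP; it only reports leftovers, it edits nothing.

```shell
#!/bin/sh
# Report every line in the Security Onion config files above that still
# carries a stale server IP. Paths are relative to ROOT ("/" on a real box).
SO_IP_FILES='etc/nsm/*/http_agent.conf
etc/nsm/*/pads_agent.conf
etc/nsm/*/pcap_agent.conf
etc/nsm/*/sancp_agent.conf
etc/nsm/*/sensor.conf
etc/nsm/*/snort_agent-*.conf
etc/nsm/ossec/ossec_agent.conf
opt/bro/etc/node.cfg
root/.ssh/securityonion_ssh.conf
etc/elsa_web.conf
opt/elsa/web/conf/elsa.conf'

# find_stale_ip ROOT OLD_IP
# Prints "file:line:content" for each hit; returns 1 if anything was found,
# 0 if the tree is clean. -F keeps the dots literal, -w stops 192.0.2.10
# from also matching 192.0.2.100.
find_stale_ip() {
    root=$1; ip=$2; found=0
    for pat in $SO_IP_FILES; do
        for f in "$root"/$pat; do
            [ -f "$f" ] || continue
            if matches=$(grep -Fnw -- "$ip" "$f"); then
                printf '%s\n' "$matches" | sed "s|^|$f:|"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample tree standing in for a re-addressed sensor: two agent
# configs still point at the old server 192.0.2.10, the OSSEC agent was
# already re-pointed to 192.0.2.100 and must not be reported.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/etc/nsm/sensor1-eth1" "$DEMO_ROOT/etc/nsm/ossec" "$DEMO_ROOT/root/.ssh"
printf 'set SERVER_HOST 192.0.2.10\n'      > "$DEMO_ROOT/etc/nsm/sensor1-eth1/pcap_agent.conf"
printf 'SENSOR_SERVER_HOST="192.0.2.10"\n' > "$DEMO_ROOT/etc/nsm/sensor1-eth1/sensor.conf"
printf 'set SERVER_HOST 192.0.2.100\n'     > "$DEMO_ROOT/etc/nsm/ossec/ossec_agent.conf"
printf 'SERVERNAME=198.51.100.20\n'        > "$DEMO_ROOT/root/.ssh/securityonion_ssh.conf"

find_stale_ip "$DEMO_ROOT" 192.0.2.10 || echo "stale references listed above still need updating"
```

On a production host call it as `find_stale_ip / OLD.SERVER.IP` and fix each reported file by hand, then re-run until it returns clean.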
Thanks a lot, Doug!
Don
Thanks!