vm network connection?


Leon Russell

May 26, 2014, 8:50:15 PM
to securit...@googlegroups.com
Can someone tell me what exactly the Security Onion configuration does to the VM network connection? Why can't I ping the host or router in bridged or host mode?

Matt Gregory

May 26, 2014, 8:59:12 PM
to securit...@googlegroups.com
Hi Leon,

Security Onion doesn't change any of the network configurations that are made within the VM software itself (e.g., VirtualBox, VMware, etc.) on the host machine; it only changes configurations of the adapters as they are seen by the guest operating system.

Please post the output (as text) of sudo sostat-redacted (redacting any additional sensitive info as necessary).

What virtualization software are you using?
How many virtual adapters (i.e., in your virtualization software) are assigned to the SO VM?
How are each of your virtual adapters configured (e.g., NAT, bridged, host only, internal network, etc.) in your virtualization software?

Matt


--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Leon Russell

May 26, 2014, 9:41:23 PM
to securit...@googlegroups.com
I'm using VMware, bridged.
Can I use both interfaces, wireless and Ethernet?

Matt Gregory

May 27, 2014, 3:29:33 AM
to securit...@googlegroups.com
Wireless interfaces are not supported, although some folks may have hacked together a working setup. If your SO management interface is in bridged mode (bridged within VMware, not the SO operating system), then you should be able to reach it from your local network - make sure there are no firewalls blocking the traffic, including a host firewall on the machine VMware is installed on.

Please post the output of sudo sostat-redacted.

Matt


Shane Castle

May 27, 2014, 3:42:13 AM
to securit...@googlegroups.com
Here is a reply I sent to the list some time back, showing how I
configured VMware Workstation to support SO. I'd be glad to answer any
questions about it. Please read it carefully.

----------

I have two virtual NICs defined to my SO VM. The first is the management
NIC, and the second is the sniffing NIC.

The management VNIC is defined on VMNet8, the NAT VMNet, so that its IP
address will not change. The second VNIC is the sniffing NIC and is
defined on the bridged VMNet; on its definition the "Bridged: Connected
directly to the physical network" button is selected. The definition of
the first network adapter, specifically, is "Custom: Specific virtual
network" and VMNet8 is selected. The definition for VMNet8 is such that
its DHCP server definitions exclude a portion of the address range and,
in the network definitions for the SO operating system, the IP address
is permanently assigned in the excluded portion of the network for
VMNet8, so there are no DHCP collisions.

This setup allows the SO VM to sniff the physical network traffic
to/from the host system. If you have two physical NICs and can use an
external switch or tap to route traffic, you can connect this to the
second NIC, specify another virtual network to be bridged to it, and use
the VM just as you would a real NSM box.

So, the short form is: NAT the management VNIC but bridge the sniffing
VNIC. Don't assign an IP address to the second, but permanently assign
one to the management VNIC.

If you don't sniff the physical network you won't see any of the actual
traffic going to/from the physical host.

--
Best regards
Shane Castle

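An added example, not code from the thread or from the Security Onion project: a POSIX shell check that applies Shane's layout rule to ifconfig-style text of the kind sostat prints, classifying each interface as management (address, no promiscuous mode), sniffing (promiscuous, no address) or both on one NIC, and verifying that the permanent management address sits outside the VMnet8 DHCP pool. The interface names, addresses and pool bounds are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion itself.
# Checks a guest's interface layout against the two-VNIC arrangement Shane
# describes: a management NIC with a permanent IPv4 address chosen outside
# VMnet8's DHCP pool, and a sniffing NIC with no address that is up and in
# promiscuous mode. All names, addresses and pool bounds are constructed.

# Constructed ifconfig-style text in the shape of the sostat "Interface
# Status" section: eth0 = management on NAT, eth1 = sniffing on the bridge.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:01
          inet addr:192.168.184.50  Bcast:192.168.184.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:02
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Constructed single-NIC text: one interface carrying an address AND
# promiscuous mode, i.e. management and sniffing on the same VNIC.
SAMPLE_SINGLE_NIC='eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:03
          inet addr:10.0.0.77  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'

# Print only the ifconfig block belonging to interface $2 from text $1.
iface_block() {
    printf '%s\n' "$1" | awk -v want="$2" '/^[^ ]/ { cur = $1 } cur == want'
}

# Print the IPv4 address of interface $2 in text $1, or nothing if none.
iface_ipv4() {
    iface_block "$1" "$2" | awk '/inet addr:/ { sub("addr:", "", $2); print $2; exit }'
}

# Succeed if interface $2 in text $1 is up and in promiscuous mode.
iface_sniffing_flags() {
    iface_block "$1" "$2" | grep -q 'UP .*PROMISC'
}

# Classify interface $2 in text $1 by the role its configuration implies:
#   management - has an IPv4 address, not promiscuous
#   sniffing   - no IPv4 address, up and promiscuous
#   both       - has an address AND is promiscuous (one NIC doing both jobs)
#   idle       - neither an address nor promiscuous mode
classify_iface() {
    addr=$(iface_ipv4 "$1" "$2")
    if iface_sniffing_flags "$1" "$2"; then promisc=1; else promisc=0; fi
    if [ -n "$addr" ] && [ "$promisc" -eq 1 ]; then echo both
    elif [ -n "$addr" ]; then echo management
    elif [ "$promisc" -eq 1 ]; then echo sniffing
    else echo idle
    fi
}

# Convert dotted-quad $1 to an integer so address ranges can be compared.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Succeed if static address $1 lies outside the DHCP pool [$2, $3], so it
# cannot collide with a lease the VMnet8 DHCP server hands out.
outside_dhcp_pool() {
    ip=$(ip4_to_int "$1"); lo=$(ip4_to_int "$2"); hi=$(ip4_to_int "$3")
    [ "$ip" -lt "$lo" ] || [ "$ip" -gt "$hi" ]
}

# Report the role of every non-loopback interface in text $1 and check the
# management address against the DHCP pool given as $2 (start) and $3 (end).
report_layout() {
    printf '%s\n' "$1" | awk '/^[^ ]/ && $1 != "lo" { print $1 }' | while read -r ifc; do
        role=$(classify_iface "$1" "$ifc")
        printf '%s: %s\n' "$ifc" "$role"
        if [ "$role" = management ]; then
            addr=$(iface_ipv4 "$1" "$ifc")
            if outside_dhcp_pool "$addr" "$2" "$3"; then
                printf '  %s is outside DHCP pool %s-%s: OK\n' "$addr" "$2" "$3"
            else
                printf '  %s is INSIDE DHCP pool %s-%s: lease collision possible\n' "$addr" "$2" "$3"
            fi
        fi
    done
}

# Demo on the constructed samples with a constructed VMnet8 pool.
report_layout "$SAMPLE_IFCONFIG" 192.168.184.128 192.168.184.254
report_layout "$SAMPLE_SINGLE_NIC" 10.0.0.128 10.0.0.254
```

On a real guest, feed it the output of `ifconfig` and the pool bounds shown in the VMware Virtual Network Editor for VMnet8.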

Leon Russell

May 27, 2014, 1:57:31 PM
to securit...@googlegroups.com

Matt,

I'll get the sostat to you when I get back to the box. Shane, VMnet8 is behind NAT; how are you associating the other VMnet to the physical LAN card? And what do you mean, don't assign it an IP? Also, I have 1 LAN interface, and Matt said WLAN is not supported.

Matt Gregory

May 27, 2014, 2:07:07 PM
to securit...@googlegroups.com
Leon,
 
What I meant to say is that wireless interfaces are not *officially* supported; that is, don't expect to get extensive help on the list to configure them. With that said, it's still possible to use a wireless interface as Shane has figured out. Short of configuring your physical wireless NIC, you could use a USB Ethernet adapter (I'm assuming you're on a laptop) and pass it through to your SO VM.
 
I recommend you place all of your virtual interfaces in bridged mode so that they appear as physical interfaces on your local network. In NAT mode, you have the issue of configuring the hypervisor to forward traffic to them.
 
Matt

Leon Russell

May 27, 2014, 10:14:08 PM
to securit...@googlegroups.com
Matt,


============================================================
Service Status
=========================================================================
Status: SO-useronion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager X.X.X.X running 3868 2 27 May 23:46:41
proxy proxy X.X.X.X running 4237 2 27 May 23:46:56
SO-server-eth0-1 worker X.X.X.X running 4428 2 27 May 23:47:03
Status: SO-server-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:12136 errors:0 dropped:0 overruns:0 frame:0
TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2227570 (2.2 MB) TX bytes:15730 (15.7 KB)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:41856 errors:0 dropped:0 overruns:0 frame:0
TX packets:41856 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:67088626 (67.0 MB) TX bytes:67088626 (67.0 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
67088626 41856 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
67088626 41856 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
2227570 12136 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
15730 92 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 16G 5.6G 9.5G 38% /
udev 2.0G 4.0K 2.0G 1% /dev
tmpfs 395M 840K 394M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 2.0G 88K 2.0G 1% /run/shm
/dev/sr0 61M 61M 0 100% /media/VMware Tools

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 737 root 3u IPv6 8231 0t0 TCP *:ssh_port (LISTEN)
sshd 737 root 4u IPv4 8233 0t0 TCP *:ssh_port (LISTEN)
avahi-dae 793 avahi 12u IPv4 8301 0t0 UDP *:5353
avahi-dae 793 avahi 13u IPv6 8302 0t0 UDP *:5353
avahi-dae 793 avahi 14u IPv4 8303 0t0 UDP *:51687
avahi-dae 793 avahi 15u IPv6 8304 0t0 UDP *:42086
cupsd 814 root 8u IPv4 8353 0t0 TCP X.X.X.X:631 (LISTEN)
mysqld 1502 mysql 26u IPv4 12530 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1502 mysql 53u IPv4 21468 0t0 TCP X.X.X.X:3306->X.X.X.X:43634 (ESTABLISHED)
searchd 1518 sphinxsearch 7u IPv4 10099 0t0 TCP *:9306 (LISTEN)
searchd 1518 sphinxsearch 8u IPv4 10100 0t0 TCP *:9312 (LISTEN)
ossec-csy 1658 ossecm 5u IPv4 10851 0t0 UDP X.X.X.X:46549->X.X.X.X:514
ntpd 2126 ntp 16u IPv4 12538 0t0 UDP *:123
ntpd 2126 ntp 17u IPv6 12539 0t0 UDP *:123
ntpd 2126 ntp 18u IPv4 12545 0t0 UDP X.X.X.X:123
ntpd 2126 ntp 19u IPv4 12548 0t0 UDP X.X.X.X:123
ntpd 2126 ntp 20u IPv6 12549 0t0 UDP [X.X.X.X]:123
ntpd 2126 ntp 21u IPv6 12550 0t0 UDP [X.X.X.X]:123
/usr/sbin 2212 root 4u IPv4 12638 0t0 TCP *:443 (LISTEN)
/usr/sbin 2212 root 5u IPv4 12641 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2212 root 6u IPv4 12643 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2212 root 7u IPv4 12647 0t0 TCP *:444 (LISTEN)
/usr/sbin 2261 www-data 4u IPv4 12638 0t0 TCP *:443 (LISTEN)
/usr/sbin 2261 www-data 5u IPv4 12641 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2261 www-data 6u IPv4 12643 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2261 www-data 7u IPv4 12647 0t0 TCP *:444 (LISTEN)
/usr/sbin 2263 www-data 4u IPv4 12638 0t0 TCP *:443 (LISTEN)
/usr/sbin 2263 www-data 5u IPv4 12641 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2263 www-data 6u IPv4 12643 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2263 www-data 7u IPv4 12647 0t0 TCP *:444 (LISTEN)
/usr/sbin 2270 www-data 4u IPv4 12638 0t0 TCP *:443 (LISTEN)
/usr/sbin 2270 www-data 5u IPv4 12641 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2270 www-data 6u IPv4 12643 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2270 www-data 7u IPv4 12647 0t0 TCP *:444 (LISTEN)
/usr/sbin 2272 www-data 4u IPv4 12638 0t0 TCP *:443 (LISTEN)
/usr/sbin 2272 www-data 5u IPv4 12641 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2272 www-data 6u IPv4 12643 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2272 www-data 7u IPv4 12647 0t0 TCP *:444 (LISTEN)
/usr/sbin 2273 www-data 4u IPv4 12638 0t0 TCP *:443 (LISTEN)
/usr/sbin 2273 www-data 5u IPv4 12641 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2273 www-data 6u IPv4 12643 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2273 www-data 7u IPv4 12647 0t0 TCP *:444 (LISTEN)
tclsh 3088 root 13u IPv4 17894 0t0 TCP *:7734 (LISTEN)
tclsh 3088 root 14u IPv4 17895 0t0 TCP *:7736 (LISTEN)
tclsh 3088 root 15u IPv4 19333 0t0 TCP X.X.X.X:7736->X.X.X.X:44801 (ESTABLISHED)
tclsh 3088 root 16u IPv4 28307 0t0 TCP X.X.X.X:7736->X.X.X.X:44995 (ESTABLISHED)
tclsh 3088 root 17u IPv4 20563 0t0 TCP X.X.X.X:7736->X.X.X.X:44808 (ESTABLISHED)
tclsh 3088 root 18u IPv4 20879 0t0 TCP X.X.X.X:7736->X.X.X.X:44809 (ESTABLISHED)
tclsh 3088 root 19u IPv4 20956 0t0 TCP X.X.X.X:7736->X.X.X.X:44810 (ESTABLISHED)
tclsh 3088 root 20u IPv4 27405 0t0 TCP X.X.X.X:7736->X.X.X.X:44978 (ESTABLISHED)
tclsh 3088 root 21u IPv4 24236 0t0 TCP X.X.X.X:7736->X.X.X.X:44908 (ESTABLISHED)
tclsh 3166 root 3u IPv4 19332 0t0 TCP X.X.X.X:44801->X.X.X.X:7736 (ESTABLISHED)
tclsh 3166 root 7u IPv4 24235 0t0 TCP X.X.X.X:44908->X.X.X.X:7736 (ESTABLISHED)
bro 3868 root 4u IPv4 19223 0t0 UDP X.X.X.X:33418->X.X.X.X:53
bro 4237 root 4u IPv4 19870 0t0 UDP X.X.X.X:46024->X.X.X.X:53
bro 4270 root 0u IPv4 20077 0t0 TCP *:47761 (LISTEN)
bro 4270 root 1u IPv6 20078 0t0 TCP *:47761 (LISTEN)
bro 4270 root 2u IPv4 20361 0t0 TCP X.X.X.X:47761->X.X.X.X:34283 (ESTABLISHED)
bro 4270 root 4u IPv4 19223 0t0 UDP X.X.X.X:33418->X.X.X.X:53
bro 4270 root 19u IPv4 21349 0t0 TCP X.X.X.X:47761->X.X.X.X:34291 (ESTABLISHED)
bro 4271 root 0u IPv4 20073 0t0 TCP *:47762 (LISTEN)
bro 4271 root 1u IPv6 20074 0t0 TCP *:47762 (LISTEN)
bro 4271 root 2u IPv4 20363 0t0 TCP X.X.X.X:47762->X.X.X.X:55210 (ESTABLISHED)
bro 4271 root 4u IPv4 19870 0t0 UDP X.X.X.X:46024->X.X.X.X:53
bro 4271 root 19u IPv4 21348 0t0 TCP X.X.X.X:34291->X.X.X.X:47761 (ESTABLISHED)
bro 4428 root 4u IPv4 20281 0t0 UDP X.X.X.X:53559->X.X.X.X:53
bro 4446 root 0u IPv4 20360 0t0 TCP X.X.X.X:34283->X.X.X.X:47761 (ESTABLISHED)
bro 4446 root 1u IPv4 20362 0t0 TCP X.X.X.X:55210->X.X.X.X:47762 (ESTABLISHED)
bro 4446 root 2u IPv4 20366 0t0 TCP *:47763 (LISTEN)
bro 4446 root 4u IPv4 20281 0t0 UDP X.X.X.X:53559->X.X.X.X:53
bro 4446 root 20u IPv6 20367 0t0 TCP *:47763 (LISTEN)
tclsh 4516 root 3u IPv4 20562 0t0 TCP X.X.X.X:44808->X.X.X.X:7736 (ESTABLISHED)
tclsh 4516 root 4u IPv4 20564 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 4516 root 6u IPv4 21464 0t0 TCP X.X.X.X:8001->X.X.X.X:51482 (ESTABLISHED)
barnyard2 4568 root 3u IPv4 21463 0t0 TCP X.X.X.X:51482->X.X.X.X:8001 (ESTABLISHED)
barnyard2 4568 root 4u IPv4 21467 0t0 TCP X.X.X.X:43634->X.X.X.X:3306 (ESTABLISHED)
tclsh 4600 root 3u IPv4 20878 0t0 TCP X.X.X.X:44809->X.X.X.X:7736 (ESTABLISHED)
tclsh 4616 root 3u IPv4 20955 0t0 TCP X.X.X.X:44810->X.X.X.X:7736 (ESTABLISHED)
/usr/sbin 4714 www-data 4u IPv4 12638 0t0 TCP *:443 (LISTEN)
/usr/sbin 4714 www-data 5u IPv4 12641 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4714 www-data 6u IPv4 12643 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4714 www-data 7u IPv4 12647 0t0 TCP *:444 (LISTEN)
tclsh 6671 root 3u IPv4 27404 0t0 TCP X.X.X.X:44978->X.X.X.X:7736 (ESTABLISHED)
tclsh 7225 root 3u IPv4 28219 0t0 TCP X.X.X.X:44995->X.X.X.X:7736 (ESTABLISHED)
syslog-ng 7730 root 11u IPv4 29753 0t0 TCP *:514 (LISTEN)
syslog-ng 7730 root 12u IPv4 29754 0t0 UDP *:514

=========================================================================
CPU Usage
=========================================================================
top - 01:57:16 up 2:16, 1 user, load average: 1.35, 2.51, 2.46
Tasks: 225 total, 4 running, 219 sleeping, 0 stopped, 2 zombie
Cpu(s): 22.6%us, 11.9%sy, 0.4%ni, 57.1%id, 7.8%wa, 0.0%hi, 0.3%si, 0.0%st
Mem: 4042836k total, 3811840k used, 230996k free, 45404k buffers
Swap: 6213668k total, 425020k used, 5788648k free, 545904k cached


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 5 days
9.8M .
1.2M ./2014-05-24
1.3M ./2014-05-25
2.1M ./2014-05-26
3.4M ./2014-05-27
2.1M ./2014-05-28

/nsm/bro/logs/ - 5 days
2.4M .
436K ./2014-05-24
432K ./2014-05-25
444K ./2014-05-26
340K ./2014-05-27
116K ./2014-05-28
656K ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

SO-server-eth0-1: 1401242238.231789 recvd=12125 dropped=0 link=12125

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 5.6.1 ($Revision: $)
Total rings : 2

Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/4428-eth0.1
Appl. Name : <unknown>
Tot Packets : 12125
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 8151
Num Free Slots : 8151

/proc/net/pf_ring/4547-eth0.3
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 11722
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4872
Num Free Slots : 4872

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
69

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
28 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
3 1:2012648 ET POLICY Dropbox Client Broadcasting
2 10000:2 PADS Changed Asset - domain DNS SQR No Error
2 10000:1 PADS New Asset - http WSDAPI
2 10000:1 PADS New Asset - unknown @www
1 10000:1 PADS New Asset - http DropboxDesktopClient/2.8.2 (Windows; 7; i32; en_US)
1 10000:1 PADS New Asset - unknown @domain
1 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
1 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
Total
41

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
28 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
4 1:2012648 ET POLICY Dropbox Client Broadcasting
2 1:2003310 ET P2P Edonkey Publicize File
2 10000:2 PADS Changed Asset - domain DNS SQR No Error
2 10000:1 PADS New Asset - http WSDAPI
2 10000:1 PADS New Asset - unknown @www
1 10000:1 PADS New Asset - http DropboxDesktopClient/2.8.2 (Windows; 7; i32; en_US)
1 10000:1 PADS New Asset - unknown @domain
1 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
1 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
Total
44

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Totals Signature
9 URL ipinfo.io
5 URL X.X.X.X
1 URL X.X.X.X
Total
15

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
28 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
3 1:2012648 ET POLICY Dropbox Client Broadcasting
1 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
Total
32

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
28 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
4 1:2012648 ET POLICY Dropbox Client Broadcasting
2 1:2003310 ET P2P Edonkey Publicize File
1 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
Total
35

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
7728 supervising syslog-ng
7730 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1502 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1414 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
-rw-r--r-- 1 root root 6234 May 28 01:57 /nsm/elsa/data/elsa/tmp/buffers/1401242214.02511
-rw-r--r-- 1 root root 49 May 28 01:57 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv

ELSA Directory Sizes:
58M /nsm/elsa/data
2.5M /var/lib/mysql/syslog
1.2M /var/lib/mysql/syslog_data

ELSA Index Date Range:
MIN(start) MAX(end)
2014-05-24 22:04:46 2014-05-28 01:56:50


Shane Castle

May 28, 2014, 4:31:36 AM5/28/14
to securit...@googlegroups.com
Matt, I can't agree with this for the management interface on the SO VM.
Placing it on the NAT vnet means that, wherever you are, it will always
have the same IP address and will not be subject to DHCP nonsense.
Putting it on the NAT vnet also means that there should be no issues
with getting rule or software updates. I have seen that SO really does
not behave well when the management interface gets DHCP-assigned
addresses. For the sniffing interfaces, yes indeed, they need to be
bridged to the physical network or they won't see any interesting traffic.

I think your statement about forwarding traffic really applies to host
mode, not to NAT. I had to scratch my head over that, because this
forwarding issue does not occur for NAT mode (at least for VMware
Workstation).

--
Best regards
Shane Castle

Shane Castle

May 28, 2014, 4:44:47 AM5/28/14
to securit...@googlegroups.com
Matt, I apologize, you are correct if one wants to access the SO VM from
another system on the physical network. Sorry for that. If the SO will
only be accessed from the host box, though (most likely for a laptop),
it is not an issue.

--
Best regards
Shane Castle

Shane Castle

May 28, 2014, 5:07:03 AM5/28/14
to securit...@googlegroups.com
I am attaching some window captures from VMware. They are:

virtual network editor - shows vnet settings
DHCP settings - shows how vmnet8's DHCP server is set
Virtual machine settings - shows how the two virtual interfaces for SO
are set up

In the SO setup, assign an IP address in the range outside that owned by
the DHCP server for vmnet8. If the vnic is first in the list then it
should be assigned eth0 inside the SO VM. The other bridged vnic will
become eth1 and will be your listening interface.

The reason the first vnic is "custom" is historical because I was
experimenting with more than one NAT network for a while.

Note that if a vnet's bridging is defined as automatic, depending on the
automatic settings it will bridge to whatever is the physical network,
either wired or wireless, or you can create new virtual networks that
are bridged to specific physical network interfaces. VMware workstation
is pretty good. I just wish they'd get on the IPv6 wagon - they really
should have by now, but my understanding is Workstation 10 still is not
(I'm running 9 here).

--
Best regards
Shane Castle

Virtual Network Editor_2014-05-28_10-35-11.png
DHCP Settings_2014-05-28_10-39-07.png
Virtual Machine Settings_2014-05-28_10-47-42.png
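
As an added example (not from Shane's post and not part of Security Onion or VMware), a small shell check that a candidate static management address for the vmnet8 NAT interface falls outside the pool the vnet's DHCP server hands out. The DHCP config text is constructed in the ISC-style layout VMware's DHCP settings use; the subnet and range values are made up.

```shell
# Constructed sample of a vmnet8 DHCP config in ISC dhcpd style (values made up).
VMNET8_DHCP_CONF='
subnet 192.168.56.0 netmask 255.255.255.0 {
    range 192.168.56.128 192.168.56.254;
    option broadcast-address 192.168.56.255;
    option routers 192.168.56.2;
}'

# Convert a dotted-quad IPv4 address to an integer for numeric comparison.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "inside" if the address in $1 lies within the first "range A B;" line
# of the DHCP config passed in $2, otherwise "outside". The bounds are
# inclusive, so the first and last pool addresses count as inside.
mgmt_ip_vs_dhcp_pool() {
    local ip="$1" conf="$2" lo hi n
    # Pull the two addresses from the "range ... ;" line (POSIX sed BRE only).
    set -- $(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*range[[:space:]][[:space:]]*\([0-9.][0-9.]*\)[[:space:]][[:space:]]*\([0-9.][0-9.]*\);.*/\1 \2/p' \
        | head -n 1)
    lo=$(ip2int "$1"); hi=$(ip2int "$2"); n=$(ip2int "$ip")
    if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
        echo inside
    else
        echo outside
    fi
}

# Example: a static management address below the pool is a safe choice.
mgmt_ip_vs_dhcp_pool 192.168.56.50 "$VMNET8_DHCP_CONF"    # prints "outside"
```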

Leon Russell

May 28, 2014, 10:22:11 PM5/28/14
to securit...@googlegroups.com
Do you have 2 physical net adapters? How is your VM summary showing 2 adapters?

Doug Burks

May 28, 2014, 10:28:14 PM5/28/14
to securit...@googlegroups.com
Yes, we recommend at least 2 physical NICs:

https://code.google.com/p/security-onion/wiki/Hardware#NIC

You'll need at least two network interfaces: one for management
(preferably connected to a dedicated management network) and then one
or more for sniffing (connected to tap or span).

--
Doug Burks

Leon Russell

May 28, 2014, 10:32:23 PM5/28/14
to securit...@googlegroups.com
So, wireless interface and Ethernet?

Doug Burks

May 28, 2014, 10:34:59 PM5/28/14
to securit...@googlegroups.com
We don't recommend or support wireless interfaces, but you may be able
to make it work.
--
Doug Burks

Leon Russell

May 28, 2014, 10:40:57 PM5/28/14
to securit...@googlegroups.com
Wireless for management, Ethernet for sniffing?

Doug Burks

May 28, 2014, 10:42:38 PM5/28/14
to securit...@googlegroups.com
We don't recommend or support wireless interfaces for management or
for sniffing, but you may be able to make it work.

Leon Russell

May 31, 2014, 7:03:34 PM5/31/14
to securit...@googlegroups.com
What is the whole forbidden thing about wireless? Just curious, especially when a good percentage of users would have a wireless interface. I understand that you say it might work, but I'm wondering why that has not been officially tested by your team. Is there an instability there or something?

Doug Burks

May 31, 2014, 7:43:55 PM5/31/14
to securit...@googlegroups.com
The vast majority of Security Onion deployments are in data centers
with wired interfaces. That's what Security Onion is designed for and
that's what we support.

Wireless interfaces introduce another set of variables to the
equation. Our small team simply doesn't have the resources to test
and support those additional variables for such a small percentage of
our users.

You're welcome to try it out and see if it works for you. If so,
please document your experience for others.

Thanks,
Doug

Leon Russell

Jun 11, 2014, 10:56:15 AM6/11/14
to securit...@googlegroups.com
Why not bridge the management connection? The management IP is manually set anyway in SO setup. Maybe it does not matter either way, but I just decided to ask since I was looking through this thread.