Security Onion set up on Ubuntu 14.04 to monitor all the PCs in the network.


Haris

Dec 21, 2017, 10:25:22 AM
to security-onion
Hi, I am trying to monitor my network using Security Onion and analyze the alerts for intrusion detection.

Right now my setup is: I installed the Ubuntu 14.04 ISO on a PC and installed SO from the PPA based on the instructions here: https://github.com/Security-Onion-Solutions/security-onion/wiki/InstallingOnUbuntu.

And while doing the setup I chose Production Mode->Stand-alone->Best Practice->Snort->Emerging Threats Open

And HOME_NET as 10.0.7.0/8, as my IP addresses are like 10.0.7.33 etc.

I can get the alert in Sguil by running this command: curl http://testmyids.com
But only from the PC where I have installed SO (IP=10.0.7.33). Whereas when I run the same command from a different PC (IP=10.0.7.34) it's not generating an alert.

Right now I have only one interface, eth0. And all the PCs are connected in this network.

So by proceeding with the above setup, can I monitor the entire network? Please give your suggestion.

Wes Lambert

Dec 21, 2017, 10:41:00 AM
to securit...@googlegroups.com
Haris,

You'll need to assign a sniffing interface during setup. In addition, this interface will need to be provided with traffic either through the use of a network tap or mirroring via SPAN port.

Thanks,
Wes


Haris

Dec 21, 2017, 10:55:41 AM
to security-onion
Thanks for the reply. I am fairly new to IDS; is there any documentation you can provide for the setup? I am not able to see the sniffing interface during the setup.

Also I have read that an IDS/IPS requires two network cards. Is that required in the case of Security Onion?

Wes

Dec 21, 2017, 11:08:23 AM
to security-onion
On Thursday, December 21, 2017 at 10:55:41 AM UTC-5, Haris wrote:
> Thanks for the reply. I am fairly new to IDS; is there any documentation you can provide for the setup? I am not able to see the sniffing interface during the setup.
>
> Also I have read that an IDS/IPS requires two network cards. Is that required in the case of Security Onion?

Yes, it is recommended that you have two network cards:

-one for mgmt
-one for sniffing

Security Onion setup should provide all the configuration you need, aside from the hardware setup (unless running in a VM, in which case you would need to add a second adapter to the VM).

Our documentation can be found here:

https://github.com/Security-Onion-Solutions/security-onion/wiki

Thanks,
Wes

Haris

Dec 21, 2017, 12:07:31 PM
to security-onion
Thanks for the feedback.

So I have two cards in my PC. So for network monitoring, do I need to connect both ports to the router, or leave one open? And I am also confused about how the network needs to be set up.

Please reply.

Wes

Dec 21, 2017, 12:12:45 PM
to security-onion

You will either need a switch capable of port mirroring (and connect your sniffing NIC to a SPAN port on that switch), or you will need to use a network tap to sit in-between the connection you wish to monitor.

There's a fairly straightforward tutorial here as well:

https://toastersecurity.blogspot.com/2016/10/setting-up-security-onion-to-enhance.html

Thanks,
Wes
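As an added illustration (not code from the thread or from the Security Onion project): a small Python check that a practitioner can run over `tcpdump -n -i eth0` output to confirm the sniffing NIC actually receives mirrored or tapped traffic, i.e. packets between hosts other than the sensor itself, and that those hosts fall inside the configured HOME_NET. The capture text, the sensor address 10.0.7.33 and the second PC 10.0.7.34 are constructed from the thread; the function and field names are my own.

```python
import ipaddress
import re

# Constructed sample in `tcpdump -n -i eth0` output format (not a real capture).
# 10.0.7.33 is the Security Onion box; 10.0.7.34 is the other PC from the thread.
SAMPLE_CAPTURE = """\
10:25:01.000001 IP 10.0.7.33.51234 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
10:25:01.000202 IP 93.184.216.34.80 > 10.0.7.33.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
10:25:02.000003 IP 10.0.7.34.51235 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
10:25:02.000204 IP 93.184.216.34.80 > 10.0.7.34.51235: Flags [S.], seq 3, ack 2, win 65535, length 0
10:25:03.000004 IP 10.0.7.34.137 > 10.0.7.255.137: UDP, length 50
"""

# Matches "IP <src>.<port> > <dst>.<port>:" as printed by tcpdump -n.
_PKT = re.compile(r"\bIP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+:")


def parse_capture(text):
    """Extract (src, dst) IP pairs from tcpdump -n lines; non-matching lines are skipped."""
    return [m.group(1, 2) for m in map(_PKT.search, text.splitlines()) if m]


def check_sniffing(text, sensor_ips, home_net):
    """Report whether the interface sees traffic between other hosts (only possible
    with a SPAN port or tap) and whether those private hosts sit inside HOME_NET,
    which most Emerging Threats rules require on one side of the flow."""
    # strict=False accepts a CIDR with host bits set (e.g. 10.0.7.0/8) and
    # reports the network it really denotes.
    net = ipaddress.ip_network(home_net, strict=False)
    sensor = set(sensor_ips)
    pairs = parse_capture(text)
    # Packets where neither endpoint is the sensor can only arrive via mirroring.
    third_party = [p for p in pairs if sensor.isdisjoint(p)]
    others = {ip for p in third_party for ip in p}
    outside = sorted(ip for ip in others
                     if ipaddress.ip_address(ip).is_private
                     and ipaddress.ip_address(ip) not in net)
    return {
        "packets": len(pairs),
        "third_party_packets": len(third_party),
        "mirroring_likely": bool(third_party),
        "home_net_normalized": str(net),
        "private_hosts_outside_home_net": outside,
    }


if __name__ == "__main__":
    print(check_sniffing(SAMPLE_CAPTURE, ["10.0.7.33"], "10.0.7.0/8"))
```

If `third_party_packets` stays at zero on a real capture, the NIC is only seeing its own host's traffic, which is exactly the symptom in the first post.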


Haris

Dec 22, 2017, 1:15:04 AM
to security-onion
Thanks for your support, I will refer to it.