Security Onion on Proxmox VE 4.4


Apaan Kamu

Nov 10, 2017, 8:28:37 AM
to security-onion
Hi, my name is Joshua.
I'm working on a project to implement Security Onion and a honeypot on Proxmox VE VM nodes. I created 3 nodes: node 1 for SecOnion, node 2 for a service server and node 3 for Honeyd. I used public IPs on all of my nodes. When I tried to port-scan my service server on node 2 with Nmap, SecOnion did not detect the attack. My current config of SecOnion is: Production Mode (Standalone - best practice) with Suricata as IDS and the Emerging Threats Open option, pf_ring_min_num_slots at 4096, and I set my home network to my public IP network address. My problem is that Security Onion did not detect attacks on my service server, BUT it detected an attack on itself (I tried to brute-force my Security Onion server). Thanks, guys
Simple Topology.png

Wes

Nov 10, 2017, 9:17:49 AM
to security-onion
On Friday, November 10, 2017 at 8:28:37 AM UTC-5, Apaan Kamu wrote:
> Hi, my name is Joshua.
> I'm working on a project to implement Security Onion and a honeypot on Proxmox VE VM nodes. I created 3 nodes: node 1 for SecOnion, node 2 for a service server and node 3 for Honeyd. I used public IPs on all of my nodes. When I tried to port-scan my service server on node 2 with Nmap, SecOnion did not detect the attack. My current config of SecOnion is: Production Mode (Standalone - best practice) with Suricata as IDS and the Emerging Threats Open option, pf_ring_min_num_slots at 4096, and I set my home network to my public IP network address. My problem is that Security Onion did not detect attacks on my service server, BUT it detected an attack on itself (I tried to brute-force my Security Onion server). Thanks, guys

Apaan,

Have you mirrored any traffic to the sniffing interface for your Security Onion box?

Thanks,
Wes

Apaan Kamu

Nov 10, 2017, 9:27:22 AM
to security-onion
Hi Wes, thanks for your fast reply.
I'm afraid I didn't do that yet; I just used the default settings without changing anything except for the ones I listed above. I'd appreciate it if you could tell me how to do that. Thanks

Wes

Nov 10, 2017, 9:57:52 AM
to security-onion

I can't tell you exactly, but I can offer some reading:

https://forum.proxmox.com/threads/pve-3-2-setting-up-mirror-span-port-with-ovs.18402/

https://www.forwardingplane.net/2017/03/creating-internal-span-port-inside-proxmox-ovs/

The main idea is that you want to mirror all of the traffic from your LAN/amongst your PM machines to the sniffing interface on your SO box.

Thanks,
Wes
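The mirroring Wes describes, as an added example that is not from this thread, from Proxmox or from the Security Onion project: a POSIX shell script that builds and applies an Open vSwitch mirror on the Proxmox host so every packet crossing the bridge is copied to the Security Onion VM's sniffing NIC. Assumed names: bridge vmbr0 (it must be an OVS bridge, not a Linux bridge), SO VM with VMID 100 whose second NIC (net1, seen on the host as tap100i1) is the sniffing interface.

```shell
#!/bin/sh
# Constructed example: mirror all traffic on a Proxmox OVS bridge to the
# Security Onion VM's sniffing tap. Names below are assumptions, not from the thread.
BRIDGE="${BRIDGE:-vmbr0}"          # assumed OVS bridge carrying the node VMs
SO_TAP="${SO_TAP:-tap100i1}"       # assumed host-side name of SO VM 100's net1
MIRROR_NAME="${MIRROR_NAME:-so-span}"

# Build the single ovs-vsctl transaction that creates the mirror:
# look up the SO tap's port record, create a mirror that selects every
# packet on the bridge (select_all) and outputs it to that port, then
# attach the mirror to the bridge. Printed so it can be reviewed first.
mirror_cmd() {
    tap="$2"; name="$3"; bridge="$1"
    printf 'ovs-vsctl -- --id=@p get port %s -- --id=@m create mirror name=%s select_all=true output_port=@p -- set bridge %s mirrors=@m\n' \
        "$tap" "$name" "$bridge"
}

# Command that removes every mirror from the bridge again.
clear_cmd() {
    printf 'ovs-vsctl clear bridge %s mirrors\n' "$1"
}

# The tap exists only while the SO VM is running, so check it is attached
# to the bridge before applying; reapply the mirror after the VM restarts.
check_port() {
    ovs-vsctl list-ports "$1" 2>/dev/null | grep -qx "$2"
}

apply_mirror() {
    cmd=$(mirror_cmd "$BRIDGE" "$SO_TAP" "$MIRROR_NAME")
    echo "$cmd"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        return 0                       # only show what would run
    fi
    if ! check_port "$BRIDGE" "$SO_TAP"; then
        echo "port $SO_TAP is not on $BRIDGE (is the SO VM running?)" >&2
        return 1
    fi
    sh -c "$cmd" && ovs-vsctl list mirror "$MIRROR_NAME"   # show the result
}

# Run with APPLY=1 (and optionally DRY_RUN=1) to actually configure the host.
if [ -n "${APPLY:-}" ]; then
    apply_mirror
fi
```

Inside the SO guest the mirrored NIC must be the one chosen as the sniffing interface during setup (no IP address, promiscuous mode), otherwise the copied packets never reach Suricata.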

Apaan Kamu

Nov 12, 2017, 12:28:45 AM
to security-onion

Thank you so much, Wes. I'll read up on it ASAP :)
