Re: [security-onion] Adding remote sensor to server


Doug Burks

Feb 6, 2013, 7:40:08 PM
to securit...@googlegroups.com

Hi Simon,

Did you follow the steps on our Installation page?
http://code.google.com/p/security-onion/wiki/Installation#If_you're_going_to_be_deploying_Security_Onion_in_productio

Thanks,
Doug

On Wed, Feb 6, 2013 at 7:19 PM, Simon <hall.s...@gmail.com> wrote:
> Hi Guys,
>
> I have a Security Onion server which I managed to attach a remote snort sensor from an Ubuntu 10.04 image and it's showing up in Snorby correctly. But when I deploy a security onion image as a Sensor via sosetup and give it the server's IP address it doesn't appear.
>
> I tried to add the host and relevant mysql user name and password to the barnyard2.conf in /etc/nsm/$hostname$interface/barnyard2.conf and restarted barnyard2 but no success.
>
> Any Suggestions?

--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Feb 6, 2013, 8:34:59 PM
to securit...@googlegroups.com

Yes, Snorby should work as well. Alerts are sent to the Snorby
database over an ssh tunnel from the sensor to the server. Is autossh
running on the sensor?
Doug

On Wed, Feb 6, 2013 at 8:16 PM, Simon <hall.s...@gmail.com> wrote:
> Just an update on this: it appears the SOSETUP process allows me to monitor the sensor with SGUIL on the server, just not Snorby. Should the process also set up Snorby?

Doug Burks

Feb 7, 2013, 10:29:59 PM
to securit...@googlegroups.com

What do you mean "connected to the Server with root"?

Have you seen this?

You will be prompted for an SSH account on the master server that has
sudo privileges. (Note: the management interface on the sensor must be
able to SSH to the management interface on the server, so please make
sure that your server has been set up and you have network
connectivity and no firewall rules that would block this traffic.)
Consider creating a separate SSH account on the master server for each
sensor so that if a sensor is ever compromised, its individual account
can be disabled without affecting the other sensors. To do this,
create a new user using the adduser command and then add the user to
the sudo group. Once Setup is complete, the user can be removed from
the sudo group.

http://code.google.com/p/security-onion/wiki/Installation

Doug


On Wed, Feb 6, 2013 at 8:40 PM, Simon <hall.s...@gmail.com> wrote:
> Yeah, autossh is running and connected to the Server with root at the moment since it's just deployed in a VM test environment at the moment.
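
The per-sensor account advice quoted in the message above, as an added example that is not part of the original thread or Security Onion's own code: a dry-run helper for the master server that lists sensor accounts still in the sudo group after Setup and prints the command for each lifecycle step. The `sensor-` name prefix, the function names and the sample group file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-sensor SSH account hygiene on the master server.
# Assumption: sensor accounts share a name prefix (default "sensor-").
SENSOR_PREFIX="${SENSOR_PREFIX:-sensor-}"

# Print sensor accounts still listed in the sudo group of a group(5) file.
# $1 = path to the group file (default /etc/group)
sensors_still_in_sudo() {
    awk -F: -v p="$SENSOR_PREFIX" '
        $1 == "sudo" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (index(m[i], p) == 1) print m[i]
        }' "${1:-/etc/group}"
}

# Print (never run) the commands for one lifecycle step of a sensor account.
# $1 = create | post-setup | disable ; $2 = account name
sensor_account_plan() {
    case "$2" in
        "$SENSOR_PREFIX"*[!a-z0-9-]*|"")
            echo "invalid account name" >&2; return 1 ;;
        "$SENSOR_PREFIX"?*) ;;
        *)  echo "name must start with $SENSOR_PREFIX" >&2; return 1 ;;
    esac
    case "$1" in
        create)     echo "adduser $2"; echo "adduser $2 sudo" ;;
        post-setup) echo "gpasswd -d $2 sudo" ;;
        # --lock alone only blocks password logins; expiring the account
        # also blocks SSH key logins.
        disable)    echo "usermod --lock --expiredate 1 $2" ;;
        *)  echo "unknown step: $1" >&2; return 1 ;;
    esac
}

# Dry run over a constructed sample group file (not from a real system).
sample=$(mktemp)
printf '%s\n' 'sudo:x:27:admin,sensor-dmz,sensor-lab' 'adm:x:4:sensor-old' > "$sample"
for u in $(sensors_still_in_sudo "$sample"); do
    sensor_account_plan post-setup "$u"
done
rm -f "$sample"
```

Disabling an account does not end an SSH session that is already established, so the sensor's existing tunnel has to be terminated on the server separately.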