Salt's test.ping doesn't work after fresh install of Security Onion


Henry Collins

Feb 16, 2015, 9:32:15 AM2/16/15
to securit...@googlegroups.com
I followed Doug's installation tutorial on YouTube and I did install everything as it was displayed in the video. However, when I try to write:
sudo salt '*' test.ping

I get the following message:
No minions matched the target. No command was sent, no jid was assigned.

I am running a virtual machine on VMware (vSphere client) and I have set both eth0 and eth1 to use the VMXNET 3 adapter. I tried to choose VMXNET 2 for eth1, but then the setup wizard did not detect eth1. With two VMXNET 3 adapters, I was able to get a prompt in the wizard with two different eth devices.
sostat-redacted_results.txt

Doug Burks

Feb 16, 2015, 10:14:58 AM2/16/15
to securit...@googlegroups.com
Hi Henry,

Salt is only necessary if you're managing multiple sensors. Do you need salt?

If so, please attach your /opt/onionsalt/salt/top.sls.
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Henry Collins

Feb 17, 2015, 3:21:19 AM2/17/15
to securit...@googlegroups.com
Yes, I do need Salt. I am working on deploying Security Onion in our internal network, where many computers with different operating systems exist. I want to configure Security Onion in such a way that one computer would be the server and all others just sensors that send their logs to the server computer.

I have attached the requested top.sls file. Server's hostname is mob-sec.
top.sls

Doug Burks

Feb 17, 2015, 8:44:51 AM2/17/15
to securit...@googlegroups.com
Replies inline.

On Tue, Feb 17, 2015 at 3:21 AM, Henry Collins <hcol...@gmail.com> wrote:
> Yes, I do need Salt. I am working on deploying Security Onion in our internal network, where many computers with different operating systems exist. I want to configure Security Onion in such a way that one computer would be the server and all others just sensors that send their logs to the server computer.

Do you mean that non-Security-Onion boxes will send their logs to your
Security Onion box (via syslog, OSSEC, or some other means)? If so,
then you don't need salt for that. You only need salt if you're
managing multiple Security Onion sensors.

> I have attached the requested top.sls file. Server's hostname is mob-sec.

What happens if you try the following?

sudo salt 'mob-sec' test.ping

Henry Collins

Feb 17, 2015, 9:12:13 AM2/17/15
to securit...@googlegroups.com
> Do you mean that non-Security-Onion boxes will send their logs to your
> Security Onion box (via syslog, OSSEC, or some other means)?
Yes.

> If so,
> then you don't need salt for that. You only need salt if you're
> managing multiple Security Onion sensors.
Ok, thanks for clarification.

> What happens if you try the following?
>
> sudo salt 'mob-sec' test.ping
Exactly the same as in the first post.

Doug Burks

Feb 17, 2015, 9:26:11 AM2/17/15
to securit...@googlegroups.com
Sounds like you don't need salt, so I'd recommend simply disabling the
salt-master and salt-minion services.

Henry Collins

Feb 17, 2015, 9:34:10 AM2/17/15
to securit...@googlegroups.com
Cool. Just a short extra question:

Where can I find more information on how to rig my sensors (other computers on the network), so that they would send their logs to mob-sec (the Security Onion server)? I have read your Wiki, but couldn't find that there.

Doug Burks

Feb 17, 2015, 12:43:29 PM2/17/15
to securit...@googlegroups.com
If the machines can run an OSSEC agent, then do the following:
- on your Security Onion box, add new OSSEC agent(s) by running "sudo
/var/ossec/bin/manage_agents" and following the prompts
- download OSSEC agent(s) from http://www.ossec.net/ and install on
your machines, importing the OSSEC key created by the OSSEC server in
the previous step

If the machines can't run OSSEC, then perhaps you can configure them
to send their logs via standard syslog port 514 to our syslog-ng
collector.

Henry Collins

Feb 19, 2015, 3:30:19 AM2/19/15
to securit...@googlegroups.com
I have installed OSSEC agent on one of my computers and added it on Security Onion's server. Then, I extracted serial code from SO server and pasted it to OSSEC agent. It worked!

But what now? I can't see any packets in Snorby (I am using Snort). And I can't see my sensor show up on Snorby. Did I miss something? I tested Snort by curling testmyids.com and pinging the agent.

(don't know if it's a good idea to continue writing in this thread)

Rehnquyst

Feb 19, 2015, 11:50:04 AM2/19/15
to securit...@googlegroups.com
When you say you use snort, do you mean you have snort running on the non-SO box? Are you trying to run snort and ossec on the non-SO box and have data forwarded to the SO server?

Henry Collins

Feb 19, 2015, 4:07:17 PM2/19/15
to securit...@googlegroups.com
> When you say you use snort, do you mean you have snort running on the non-SO
> box? Are you trying to run snort and ossec on the non-SO box and have data
> forwarded to the SO server?

No. I have Snort running only on the computer that runs SO. The computer that is not running SO is running OSSEC, which I expect to capture packets and send them to the SO server, which would use Snort to sort the received packets.

Doug Burks

Feb 19, 2015, 8:20:49 PM2/19/15
to securit...@googlegroups.com
OSSEC does not capture packets. It is a Host Based Intrusion
Detection System (HIDS) and its main features are as follows:
- rootkit detection
- file integrity checking
- log collection (it collects the standard system logs from the box
it's installed on)
- encrypted log transport to the OSSEC Server (your Security Onion box)
- log analysis and alerting (OSSEC has rules that look for certain
patterns in the logs and fires alerts when necessary)

OSSEC data is available to you as follows:
- OSSEC alerts at level 5 or higher (by default) are sent to the Sguil
database, where they are accessible via the Sguil client or the Squert
web interface
- all OSSEC alerts regardless of level are available in ELSA
- all raw logs from all OSSEC clients (even those logs that didn't
generate alerts) are available in ELSA

For more information about OSSEC, please see:
http://www.ossec.net/
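To make the alert-level routing above concrete, here is an added illustration (not code from the thread or from Security Onion): a small parser over constructed OSSEC alerts.log entries that splits them the way Doug describes, level 5 and up to the Sguil database, everything to ELSA. The agent name, addresses and log text in the sample are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in OSSEC alerts.log format; hostnames, addresses
# and log lines are placeholders, not data from any real deployment.
SAMPLE_ALERTS = """\
** Alert 1424341234.12345: - syslog,sshd,authentication_failed,
2015 Feb 19 03:30:19 (agent01) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
Feb 19 03:30:18 agent01 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 52311 ssh2

** Alert 1424341240.12400: - syslog,sshd,
2015 Feb 19 03:30:25 (agent01) 192.0.2.10->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Feb 19 03:30:24 agent01 sshd[1240]: Accepted password for henry from 192.0.2.20 port 50000 ssh2

** Alert 1424341300.12500: - ossec,syscheck,
2015 Feb 19 03:31:25 (agent01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

SGUIL_MIN_LEVEL = 5  # Security Onion's default: level 5+ goes to the Sguil database

@dataclass
class OssecAlert:
    agent: str
    rule_id: int
    level: int
    description: str

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
# Second line of each alert: either "(agent) ip->location" or "host->location"
HDR_RE = re.compile(r"^\d{4} \w{3} \d{2} \d\d:\d\d:\d\d (?:\((?P<agent>[^)]+)\) \S+|(?P<host>\S+))->", re.M)

def parse_alerts(text: str) -> List[OssecAlert]:
    """Split alerts.log text into alerts; blocks are separated by a blank line."""
    alerts = []
    for block in text.strip().split("\n\n"):
        rule, hdr = RULE_RE.search(block), HDR_RE.search(block)
        if not rule or not hdr:
            continue  # skip anything that is not a complete alert block
        source = hdr.group("agent") or hdr.group("host")
        alerts.append(OssecAlert(source, int(rule.group(1)), int(rule.group(2)), rule.group(3)))
    return alerts

def route(alerts: List[OssecAlert], min_level: int = SGUIL_MIN_LEVEL) -> Tuple[list, list]:
    """Return (alerts Sguil/Squert will show, alerts that only ELSA keeps)."""
    return ([a for a in alerts if a.level >= min_level],
            [a for a in alerts if a.level < min_level])
```

The raw log lines that produced no alert at all would not appear in this file; as the post says, ELSA is where those are found.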

Henry Collins

Feb 20, 2015, 3:49:27 AM2/20/15
to securit...@googlegroups.com
Okay, so if I use OSSEC agents, then I cannot get the same benefits as installing Snort and its big list of rules, that is downloaded via PulledPork, on every machine and instructing them to save their logs to the central server that runs Snorby?

Do you have any advice on this? Before trying SO, I was about to install Snort and PP on every machine that is being monitored and then instruct Barnyard2 to save logs on a remote machine that runs Snorby and MySQL database. I like Snort due to its large number of rules and would want to get the same benefits by using OSSEC due to its multiplatform nature.

If OSSEC agents do not capture so many logs as Snort with PP do, then how is it possible to achieve a similar level of detection with OSSEC? Is it possible?

Henry Collins

Feb 20, 2015, 4:12:38 AM2/20/15
to securit...@googlegroups.com
But SO has Snort and Snorby installed. Does it mean that we can only see intrusions on the computer that is running SO, since agents do not work as Snort?

Rehnquyst

Feb 20, 2015, 11:44:41 AM2/20/15
to securit...@googlegroups.com
Sorry, I thought to answer your questions it might be easier to explain how Snort works, and how SO typically works (or just how we use it in my org).

Snort can only analyse the traffic it sees. That means, if you only have it installed on one computer and --do nothing else-- then it'll only see traffic that goes in and out of that computer, and other broadcast traffic. What people typically do is either set up the Snort machine (in this case SO) somewhere on the infrastructure where all traffic has to go through it, OR set up a SPAN port / port mirroring on the switch so that all traffic on the network is mirrored / copied to the Snort machine (SO). This way Snort sees all traffic, and it can analyse all traffic.

This IMO is much easier than attempting to install Snort on all the computers you want to monitor and try to have them forward data to SO.

OSSEC and Snort are simply very different programs and do different things and you can't expect them to achieve the same level of detection.

Henry Collins

Feb 20, 2015, 4:28:36 PM2/20/15
to securit...@googlegroups.com
Thanks for the clarification, Rehnquyst.

I plan to install Snort on my gateways, so that I wouldn't need to have too much problem maintaining my Snort installations.

You mentioned that it is possible to copy traffic and send it to the machine that runs Snort (for example from some kind of gateway). Can you give some links or explain how one does that?

Doug Burks

Feb 20, 2015, 6:02:58 PM2/20/15
to securit...@googlegroups.com
For best results, collect traffic just before it hits your gateways
using taps or span ports:
https://code.google.com/p/security-onion/wiki/Hardware#Packets

Then connect the tap/span to a Security Onion sensor. Each gateway
would have its own Security Onion sensor, and all sensors would report
to your Security Onion master server.

This thread has strayed pretty far from the topic of salt, so if you
have further questions, please start a new thread.

Justin Engbroten

Apr 13, 2017, 3:45:40 PM4/13/17
to security-onion
I am getting the same error as indicated in this thread, but I am setting up a distributed SO deployment that will encompass a master server and several sensors. As of right now though, I just have the server and one sensor. I am attempting to iron out all details on how to install and configure salt to manage said sensors. On the master, when I run salt-key --list all, it shows the master and minion in Accepted Keys but nothing on the minion. When I run salt-call key.finger on the minion, it lists the key that correlates with the Accepted key listed on the master. All of that would make me think that everything is ok; however, when I attempt test.ping this is what I get:

On the master:

"No minions matched the target. No command was sent, no jid was assigned."

On the minion:

"the salt master could not be contacted. Is a master running?"

Not sure what's going on here.


Wes

Apr 13, 2017, 4:33:17 PM4/13/17
to security-onion
Henry,

Please start a new thread instead of replying to an old one.

https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#start-a-new-thread-instead-of-replying-to-an-old-one

In your thread, please include the output of sostat-redacted, attaching as a plain text file, or using a service like Pastebin.com.

https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#include-sostat-redacted-output

Thanks,
Wes
