SO setup on digitalocean droplet


PC

Mar 17, 2017, 5:30:35 AM
to security-onion
Hi everyone,

It's my first time; I am trying to install SO on my droplet. I am able to install SO but am not sure how to set up the network settings properly for SO to work. I would like to do a master/sensor setup and use a local SO VM to access the master. Not sure what to put in during network configuration....

This is my testing master VPS network info.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         138.197.128.1   0.0.0.0         UG    0      0        0 eth0
10.20.0.0       *               255.255.0.0     U     0      0        0 eth0
10.137.0.0      *               255.255.0.0     U     0      0        0 eth1
138.197.128.0   *               255.255.240.0   U     0      0        0 eth0

eth0 Link encap:Ethernet HWaddr d2:3c:d1:62:45:64
inet addr:138.197.136.186 Bcast:138.197.143.255 Mask:255.255.240.0
inet6 addr: fe80::d03c:d1ff:fe62:4564/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6036 errors:0 dropped:0 overruns:0 frame:0
TX packets:8629 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:733372 (733.3 KB) TX bytes:2688305 (2.6 MB)

eth1 Link encap:Ethernet HWaddr d6:12:f1:95:cc:16
inet addr:10.137.224.167 Bcast:10.137.255.255 Mask:255.255.0.0
inet6 addr: fe80::d412:f1ff:fe95:cc16/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:558 (558.0 B) TX bytes:578 (578.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Wes

Mar 18, 2017, 8:56:09 AM
to security-onion

PC,

You may want to take a look here to get an idea of how to do this:
https://github.com/Security-Onion-Solutions/security-onion/wiki/CloudClient

If you are looking to deploy a master and sensor(s) (distributed deployment), then you will need to configure at least:

- the master with a NIC for management
- a sensor with a NIC for management and a NIC for monitoring traffic

The setup script will quickly and easily walk you through this. As far as what to set for the particular IPs for the management NIC of each, that is up to you.

You will need a way to collect and mirror the traffic from the machines that you are monitoring to the monitor interface on the sensor(s).

Try consulting the referenced article above to see how this has been implemented with AWS.

Thanks,
Wes
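The "collect and mirror the traffic" step above is the part the setup script cannot do for you on a cloud host with no SPAN port. The following is an added example, not code from the thread, from Wes, or from the Security Onion wiki: it mirrors an app server's public NIC (eth0) in both directions into a gretap tunnel that ends on the sensor, where each tunnel interface can be chosen as a monitor interface during setup. The tunnel endpoints, interface names and the 10.137.x.x private-network addresses are assumptions for illustration; `valid_ipv4`, `app_server_cmds`, `sensor_cmds` and `run_or_print` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project): mirror an
# app server's traffic into a GRE tap tunnel terminating on the sensor, using
# tc's mirred action. All addresses and interface names are assumptions.
set -eu

# Reject malformed addresses so a typo does not become a tunnel to a stranger.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  ( IFS=.; set -- $1; for o; do [ "$o" -le 255 ] || exit 1; done )
}

# Commands for the monitored app server. Traffic on $mon_if (the public NIC) is
# mirrored in both directions into a gretap tunnel whose endpoints are the
# private-network addresses (eth1 on a droplet), so the tunnel's own packets
# leave on a different NIC and are not mirrored back into it (feedback loop).
# Full-size frames plus GRE overhead exceed the tunnel MTU and get fragmented.
#   $1 mirrored interface  $2 local private IP  $3 sensor private IP  $4 tunnel name
app_server_cmds() {
  mon_if=$1; local_ip=$2; sensor_ip=$3; tun=${4:-gre-mon}
  valid_ipv4 "$local_ip" && valid_ipv4 "$sensor_ip" || { echo "bad IP" >&2; return 1; }
  cat <<EOF
ip link add $tun type gretap local $local_ip remote $sensor_ip
ip link set $tun up
tc qdisc add dev $mon_if handle ffff: ingress
tc filter add dev $mon_if parent ffff: matchall action mirred egress mirror dev $tun
tc qdisc add dev $mon_if handle 1: root prio
tc filter add dev $mon_if parent 1: matchall action mirred egress mirror dev $tun
EOF
}

# Commands for the sensor: one gretap per app server, each selectable as a
# monitor interface. Only GRE (IP protocol 47) from known app servers is
# accepted. The mirrored payload is cleartext inside GRE, so keep the tunnel on
# the private network or inside a VPN, never across the public Internet.
#   $1 sensor private IP, then one "tunnelname:app_private_ip" per app server
sensor_cmds() {
  sensor_ip=$1; shift
  valid_ipv4 "$sensor_ip" || return 1
  for pair; do
    tun=${pair%%:*}; app_ip=${pair#*:}
    valid_ipv4 "$app_ip" || return 1
    cat <<EOF
iptables -I INPUT -p gre -s $app_ip -d $sensor_ip -j ACCEPT
ip link add $tun type gretap local $sensor_ip remote $app_ip
ip link set $tun up
EOF
  done
}

# DRY_RUN=1 (the default) prints the plan; DRY_RUN=0 executes it as root.
run_or_print() { if [ "${DRY_RUN:-1}" = 1 ]; then cat; else sh -e; fi; }

# Constructed example: two app servers on the droplet private network, one sensor.
app_server_cmds eth0 10.137.224.167 10.137.0.10 | run_or_print
sensor_cmds 10.137.0.10 gre-app1:10.137.224.167 gre-app2:10.137.224.168 | run_or_print
```

On the sensor, `tcpdump -ni gre-app1` should show the app server's traffic before you run setup; if it is empty, check that the provider's firewall passes GRE on the private network and that both ends use the same endpoint pair. Mirroring at the app server means a compromised app server can also stop or alter what the sensor sees, so treat the tunnel as a lossy feed and keep host logs flowing separately.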

PC

Mar 20, 2017, 3:28:15 PM
to security-onion
Hi Wes,

Thank you for the information!

Do you have instructions on how to install it with netsniff-ng?

I am a little confused. Do I need multiple sensors if I want to monitor traffic for multiple app servers, or can I just have one sensor server receive the data from multiple app servers (clients)?

Or is it better to do one standalone (master and sensor) that listens for multiple app servers (clients) on the network?

thanks,

PC
