Internet not working after Security Onion Installation in AWS setup


Nitesh Thakur

Sep 20, 2019, 6:14:28 AM
to security-onion
Hi Team,

Recently I started a project under which I am configuring SO on AWS to monitor mirrored traffic. Unfortunately I am facing the issues below.

  • Internet is not working post-installation: I am using Ubuntu 16.04 on a t2.large instance; there are 2 interfaces on the instance, eth0 and eth1, with no wireless interface.
  • Somehow the Elastic stack is also in a failed state after installation. During installation I didn't encounter any issues or errors which might result in Elastic stack failure. I tried restarting the ELK stack but it's not working.
  • AWS mirror events are reaching SO and I am able to see events through tshark on monitoring interface 1 (eth1).
I am not able to attach screenshots for your reference, hence I am pasting the output of /etc/network/interfaces and the service status. I need your support to mitigate these issues.
****************************************************************************************************
/etc/network/interfaces

root@ip-10-1-2-84:~# cat /etc/network/interfaces
# This configuration was created by the Security Onion setup script.
#
# The original network interface configuration file was backed up to:
# /etc/network/interfaces.bak.
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto eth0
iface eth0 inet static
  address 10.1.2.84
  gateway 10.1.2.1
  netmask 255.255.255.0
  dns-nameservers 10.1.2.84
  dns-domain lab.com

auto eth1
iface eth1 inet manual
  up ip link set $IFACE promisc on arp off up
  down ip link set $IFACE promisc off down
  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
  # You probably don't need to enable or edit the following setting,
  # but it is included for completeness.
  # Note that increasing beyond the default may result in inconsistent traffic:
  # post-up ethtool -G $IFACE rx
**********************************************************************************************************
SO service outcome
root@ip-10-1-2-84:~# sudo so-status
sudo: unable to resolve host ip-10-1-2-84: Connection refused
Status: securityonion
  * sguil server                                                       [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                                [  OK  ]
Status: Bro
Name         Type       Host          Status    Pid    Started
bro          standalone localhost     running   6901   19 Sep 12:41:39
Status: ip-10-1-2-84-eth1
  * netsniff-ng (full packet data)                                     [  OK  ]
  * pcap_agent (sguil)                                                 [  OK  ]
  * snort_agent-1 (sguil)                                              [  OK  ]
  * snort-1 (alert data)                                               [  OK  ]
  * barnyard2-1 (spooler, unified2 format)                             [  OK  ]
Status: Elastic stack
  * so-elasticsearch/usr/sbin/so-elasticsearch-status: line 22: docker: command not found
                                                                       [ FAIL ]
  * so-logstash/usr/sbin/so-logstash-status: line 25: docker: command not found
                                                                       [ FAIL ]
  * so-kibana/usr/sbin/so-kibana-status: line 22: docker: command not found
                                                                       [ FAIL ]
  * so-freqserver/usr/sbin/so-freqserver-status: line 22: docker: command not found
                                                                       [ FAIL ]
  * so-curator/usr/sbin/so-curator-status: line 22: docker: command not found
                                                                       [ FAIL ]
  * so-elastalert/usr/sbin/so-elastalert-status: line 22: docker: command not found
                                                                       [ FAIL ]
*************************************************************************************************************************

Thanks in Advance,
Nitesh 
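The interfaces file pasted above can be checked mechanically. The following script is an added example for this thread, not Security Onion's own code: it parses an ifupdown-style /etc/network/interfaces, and for each `inet static` stanza verifies that the gateway lies inside the interface's subnet and that `dns-nameservers` does not point at the host's own address (which, unless a resolver actually listens there, breaks every lookup, including the hostname lookup behind `sudo: unable to resolve host` and the package downloads that would install docker). The `SAMPLE_INTERFACES` text is a constructed copy of the stanzas from the post, trimmed to the options the audit reads.

```python
"""Audit an ifupdown /etc/network/interfaces file for the mistakes that most
often leave a freshly installed sensor without name resolution or a usable
default route. Added example for this thread, not Security Onion's own code.
The sample below is a constructed copy of the stanzas posted above."""
import ipaddress

# Constructed sample: the lo/eth0/eth1 stanzas from the post, trimmed.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

# Management network interface
auto eth0
iface eth0 inet static
  address 10.1.2.84
  gateway 10.1.2.1
  netmask 255.255.255.0
  dns-nameservers 10.1.2.84
  dns-domain lab.com

auto eth1
iface eth1 inet manual
  up ip link set $IFACE promisc on arp off up
"""

# Directives that start a new top-level entry and therefore end an iface stanza.
TOP_LEVEL = {"auto", "allow-hotplug", "allow-auto", "mapping", "source", "source-directory"}


def parse_interfaces(text):
    """Return {ifname: {"_method": str, option: [values, ...]}} for each iface stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = stanzas.setdefault(parts[1], {"_method": parts[3]})
        elif parts[0] in TOP_LEVEL:
            current = None                     # a top-level directive ends the stanza
        elif current is not None:
            current.setdefault(parts[0], []).append(" ".join(parts[1:]))
    return stanzas


def check_static_stanza(name, opts):
    """Findings (severity, message) for one 'inet static' stanza."""
    findings = []
    if opts.get("_method") != "static":
        return findings

    def first(key):
        return opts.get(key, [None])[0]

    address, netmask, gateway = first("address"), first("netmask"), first("gateway")
    if not address:
        return [("error", f"{name}: static stanza without an address")]
    # 'address' may carry its own prefix (10.1.2.84/24); otherwise a netmask is required
    cidr = address if "/" in address else f"{address}/{netmask or ''}"
    try:
        iface = ipaddress.ip_interface(cidr)
    except ValueError:
        return [("error", f"{name}: cannot interpret address {address!r} with netmask {netmask!r}")]
    if gateway is None:
        findings.append(("warning", f"{name}: no gateway, so no default route via this interface"))
    elif ipaddress.ip_address(gateway) not in iface.network:
        findings.append(("error", f"{name}: gateway {gateway} is outside {iface.network}"))
    for ns in " ".join(opts.get("dns-nameservers", [])).split():
        ns_ip = ipaddress.ip_address(ns)
        if ns_ip == iface.ip:
            findings.append(("error", f"{name}: dns-nameservers {ns} is this host's own address; "
                                      "unless a resolver listens locally, every lookup fails "
                                      "(apt, the docker install, 'sudo: unable to resolve host')"))
        elif ns_ip.is_loopback:
            findings.append(("warning", f"{name}: dns-nameservers {ns} relies on a local resolver"))
    return findings


def audit(text):
    """Run every stanza through the checks and return all findings."""
    findings = []
    for name, opts in parse_interfaces(text).items():
        findings.extend(check_static_stanza(name, opts))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_INTERFACES):
        print(f"[{severity}] {message}")
```

Run against the posted file it reports exactly one error, the self-referential nameserver on eth0; the gateway 10.1.2.1 passes because it sits inside 10.1.2.0/24 (in a VPC the first usable address of each subnet is the VPC router, so that part of the config is consistent with AWS). The Amazon-provided resolver lives at the VPC CIDR base address plus two; which address that is depends on the VPC, so an entry such as `dns-nameservers 10.1.0.2` (assuming a 10.1.0.0/16 VPC) is given here only as an illustration of a value the audit would accept.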

Wes Lambert

Sep 20, 2019, 7:33:20 AM
to securit...@googlegroups.com
You'll need to double-check your networking with regard to internet connectivity.  That may be why docker is not installed, and you are not able to run Elastic components.  Any reason why you are trying to run the full stack and not just a forward node?  Additionally, Bro and Suricata support for VXLAN decapsulation are planned, but are not yet natively available in SO, so I'm not sure of the value of the data currently.

Thanks,
Wes
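The VXLAN point in the reply above deserves a concrete illustration. VPC Traffic Mirroring delivers each mirrored frame to the target wrapped in VXLAN (UDP port 4789, an 8-byte RFC 7348 header carrying the VNI, then the original Ethernet frame), so a sensor that does not decapsulate sees only UDP/4789 flows between the mirror source and eth1 rather than the conversations inside them. The script below is an added example for this thread, not Security Onion, Bro or Suricata code: it builds a constructed mirrored packet (a TCP SYN from 10.1.2.50 to 203.0.113.10, a documentation-range address) and shows what a decapsulating reader would recover from it. The MAC addresses, VNI and ports are made up for the example.

```python
"""Decapsulate the VXLAN envelope that AWS VPC Traffic Mirroring wraps around
every mirrored frame (UDP/4789, RFC 7348 header, then the original Ethernet
frame). Added example for this thread, not Security Onion, Bro or Suricata
code; the mirrored packet below is constructed, not captured."""
import ipaddress
import struct

VXLAN_PORT = 4789      # IANA-assigned VXLAN UDP port, used by VPC Traffic Mirroring
VXLAN_FLAG_I = 0x08    # "I" flag: the VNI field is valid
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_vxlan_payload(vni, inner_frame):
    """Construct the UDP payload a mirror target receives: 8-byte header + inner frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    # word 0: flags (8 bits) + 24 reserved bits; word 1: VNI (24 bits) + 8 reserved bits
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8) + inner_frame


def build_inner_frame(src_ip, dst_ip, src_port, dst_port):
    """Constructed inner frame: Ethernet + IPv4 + TCP SYN, checksums left at zero."""
    dst_mac, src_mac = bytes.fromhex("0a0000000002"), bytes.fromhex("0a0000000001")
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + tcp


def decap_vxlan(udp_payload):
    """Return (vni, inner_frame), or raise if the header is not a valid VXLAN header."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet frame")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    return word1 >> 8, udp_payload[8:]


def summarize_inner(frame):
    """Pull the addresses a detection engine needs out of the decapsulated frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda mac: ":".join(f"{b:02x}" for b in mac)
    info = {"src_mac": fmt(src_mac), "dst_mac": fmt(dst_mac), "ethertype": ethertype}
    if ethertype != 0x0800:
        return info                                   # only IPv4 is summarised here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # header length in bytes
    proto = ip[9]
    info.update(src_ip=str(ipaddress.ip_address(ip[12:16])),
                dst_ip=str(ipaddress.ip_address(ip[16:20])),
                proto=PROTO_NAMES.get(proto, str(proto)))
    if proto in (6, 17):                              # TCP and UDP both start with the port pair
        info["src_port"], info["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def describe_mirrored_packet(udp_payload):
    """What the sensor would see if it decapsulated instead of logging UDP/4789 blobs."""
    vni, inner = decap_vxlan(udp_payload)
    summary = summarize_inner(inner)
    summary["vni"] = vni
    return summary


# Constructed example: a SYN from a mirrored instance to a documentation-range host.
SAMPLE_PAYLOAD = build_vxlan_payload(
    vni=0x00ABCD, inner_frame=build_inner_frame("10.1.2.50", "203.0.113.10", 40000, 443))

if __name__ == "__main__":
    print(describe_mirrored_packet(SAMPLE_PAYLOAD))
```

The tshark view on eth1 mentioned in the first post corresponds to the outer layer only: source ENI to sensor, UDP 4789. Everything a signature or protocol analyser would match on (the inner MACs, 10.1.2.50 to 203.0.113.10, TCP port 443) is what `decap_vxlan` strips the header off to expose, which is why the reply questions the value of the data until the engines can decapsulate natively.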


