100% virtualized Security Onion environment


l0ud
Jan 20, 2012, 6:23:36 AM
to security-onion
Hi,

I just stumbled over this project which seems to be a pretty
straightforward way to set up an IDS without too much hassle.

I'm in the process of setting up sort of a honeypot / malware analysis
environment and I'm considering using Security Onion as my IDS set-up
to help with log monitoring and analysis.

I'm just wondering if anyone here has any experience with setting
Security Onion up on a VMWare Workstation and have it sniff the
traffic to and from other VM machines in a virtual LAN environment?

If anyone has experience with this or can tell me straight away that
this will or won't work - please let me know :)

Thanks

l0ud

Doug Burks
Jan 23, 2012, 8:53:50 PM
to securit...@googlegroups.com
Hi l0ud,

I believe this will work for you as long as you configure your
Security Onion VM for "Bridged" networking in VMWare Workstation.
Also note that you'll need to dedicate AT LEAST 1GB of RAM to your
Security Onion VM, perhaps more depending on traffic.

Please let us know how it goes!

Thanks,
Doug

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
Please vote for Security Onion for 2011 Toolsmith Tool of the Year! |
http://goo.gl/PwTDi

l0ud
Jan 25, 2012, 4:50:06 AM
to security-onion
Thanks Doug,

I'm about to get started on this little project today and I'll keep
you posted along the way - I'm hoping that this will prove to be a
cheap but useful set-up for malware analysis :)

Kimi Ushida
Jan 26, 2012, 3:01:27 AM
to security-onion
While not a permanent set for a production environment, I'm currently
using SO (separate server and sensor) completely virtualized in ESXi.
It seems to work quite well for the amount of traffic it sees. I
haven't done this in a completely virtual environment in the sense of
clients and servers all being in the same virtual space though.

l0ud
Jan 26, 2012, 8:31:02 AM
to security-onion
Thanks Kimi,

The set-up I have in mind looks like this:

(INTERNET) <---> SO in VMWARE <--> 4 VM computers

My ASCII kung-fu isn't too awesome, but simply put I want to run SO
along with 4 Windows VM machines on one physical host, and have all
the traffic from the Windows machines pass through the SO machine.

I've been trying to have all the Windows machines and one of the SO
NICs connected to a Virtual LAN, and have the other SO NIC bridged to
the Host PC and route all the traffic from the Windows machines to the
bridged NIC of the SO but I can't get it to work properly.

I thought I'd only have to bridge the two SO NICs with the brctl
tool, and set the IP address of the Virtual LAN NIC on the SO computer
as the gateway for the Windows PCs and I'd be good to go.

No such luck, though.

I guess I'll just see if I can get started by setting all NICs on all
machines to bridged mode to see if I can pick up the traffic on the SO
machine.

On Jan 26, 9:01 am, Kimi Ushida <kimiush...@gmail.com> wrote:
> While not a permanent set for a production environment, I'm currently
> using SO (separate server and sensor) completely virtualized in ESXi.

Jason Wallace
Jan 26, 2012, 11:33:10 AM
to securit...@googlegroups.com
Just put your Win VMs and SO on the same virtual switch and enable
promiscuous mode in the virtual switch. That will let SO capture all
the traffic on that virtual switch. You don't need to be inline to see
the traffic from the Win VMs. Is there a reason you need to be inline?

l0ud
Feb 3, 2012, 6:09:26 PM
to security-onion
Hmm, I guess there is no reason to put it inline if it can pick up all
the traffic on the virtual switch :)

l0ud
Feb 4, 2012, 11:07:09 AM
to security-onion
One question though - how do I set a switch to promiscuous mode on
VMWare Workstation?

I've had a look at the Virtual network editor and I've done some
googling but I haven't found any tutorial for this yet.

Or is the Virtual Switch in promiscuous mode by default, perhaps?

l0ud

Richard Bejtlich
Feb 4, 2012, 1:40:39 PM
to securit...@googlegroups.com
On Sat, Feb 4, 2012 at 11:07 AM, l0ud <oivin...@gmail.com> wrote:
> One question though - how do I set a switch to promiscuous mode on
> VMWare Workstation?
>
> I've had a look at the Virtual network editor and I've done some
> googling but I haven't found any tutorial for this yet.
>
> Or is the Virtual Switch in promiscuous mode by default, perhaps?
>
> l0ud
>

Hello,

I'm using VMWare Workstation 8.x on Win 7.

I have two VMs running -- one is SO and the other is a different Linux distro.

On each VM I can see traffic from the other VM to the Internet, by
default I think.

I have the VMs using NAT not bridging.

Sincerely,

Richard

l0ud
Feb 6, 2012, 7:31:36 AM
to security-onion
Thanks a lot Richard - I'll try the NAT set-up right away :)

l0ud

Andrew Ratcliffe
Feb 6, 2012, 8:27:04 AM
to securit...@googlegroups.com
I'm using VMware fusion on a Mac. I gave the SO vm two nics one on a NAT network and the second bridged. When the bridged nic tries to use promiscuous mode fusion asks me to confirm that I want to allow it. In that way I can see attacks against my Host OS. I've not tried the same approach with VMware workstation but it should work.

Sent from my iPhone

Jun Wan
Feb 7, 2012, 12:48:02 AM
to securit...@googlegroups.com
Hi Guys,

I used SO on physical machines; they worked very nicely. Thanks Doug for such a wonderful free version of an enterprise-grade IDS.

I set up an ESXi 5 home lab a while ago and installed 2 SO VMs on different hosts (on different standard vSwitches, SVS); they don't pick up network traffic (except one OSSEC alert). Promiscuous mode may be the issue, but I thought SO would put the NICs into promiscuous mode automatically; it certainly did this on my physical machine. Then I created a distributed vSwitch (DVS) and moved these SO VMs into the DVS, still the same result, no captured traffic. Now my vCenter and ESXi 5 licenses have expired (after 60 days), I can't access them any more, I will reinstall them soon.

Now I am going to put a VM SO (IDS only) in my work place (ESXi 4.1 environment), I would like to have the following specs on the SO VM:

Dual Core Processor  (quad core processor if it’s possible)

4 G RAM

150 G HD

3 NICs

NIC 1 would be connected to VLAN 10 in promiscuous mode, NIC 2 would be connected to VLAN 20 in promiscuous mode; VLAN 10 and VLAN 20 are routable to each other. NIC 3 would be connected to VLAN 10 (non-promiscuous mode) for remote network connectivity (run Sguil via Xming).

My questions are:

1.) What is the simplest way to set up an SO IDS VM in my ESX 4.1 environment to capture all the traffic in VLAN 10 and VLAN 20?
2.) Do I have to put this SO IDS VM in a distributed vSwitch? Can I put the SO IDS VM into a standard vSwitch? What's the difference?
3.) Why do I need a bridge mode for my SO to work? Which NICs need to be bridged in my case? I used bridge mode for my physical machine, it worked beautifully, please see the following:

                         SO physical machine
 internet --------Nic1-----bridged-----Nic2---------LAN

4.) If the SO IPS/IDS VM works in an ESX environment, does this mean SO can replace the vShield solution for a small/medium-size company's IT infrastructure?

Any information and help would be much appreciated.

Regards

John Wan

Heine Lysemose
Feb 7, 2012, 2:39:43 AM
to securit...@googlegroups.com
I just have a simple input: remember to set the vSwitch in promiscuous mode to allow SO to capture traffic from the network/vSwitch. It is a setting you need to set to accept.

/Lysemose

Andrew Ratcliffe
Feb 7, 2012, 5:42:29 AM
to securit...@googlegroups.com
You need to add a vswitch that has all 4095 vlans and allow promiscuous mode. Add a sniffing interface from SO to that vswitch. 
Hope this helps
Andy

Sent from my iPhone

Scott Runnels
Feb 7, 2012, 7:39:42 AM
to securit...@googlegroups.com
Hi Jun,

When you're setting up the ESXi VMs, you need to make sure you configure the switch to allow promiscuous packets.  I posted some screenshots here: http://goodnewsnobodies.blogspot.com/2012/02/vmware-esxi-and-sniffing-intervm.html

You should be able to register your ESXi Server (you should have a key from when you downloaded it - even the free version); you just have to enter it in and you'll be off to the races.

As to your specs, unless the production environment you're referring to isn't very active, I would worry that 150G of disk space is going to be your limiting factor.  If you monitor more than 150G in a given day you're likely to see problems.

Doug may need to cover using SecurityOnion to monitor 802.1q tagged traffic - I don't have any equipment I can test that on at the moment.

v/r
Scott Runnels
--
Scott Runnels

Jun Wan
Feb 7, 2012, 7:19:03 PM
to securit...@googlegroups.com
Thanks Scott and others, it's appreciated.

I have two questions:

1.) Should I create a separate vSwitch (with 802.1q) on ESX and put the only VM (SO) into this vSwitch with promiscuous enabled? Or should I just put this SO VM into any existing production vSwitch, where lots of VMs park, and enable promiscuous on that vSwitch?
2.) Where do I configure 802.1q on the vSwitch? Sorry, I should ask this question elsewhere, but while I am here, I try to learn lots from you guys :)

Some proposal in my mind would be:

vSwitch with promiscuous enabled (only the SO VM in this vSwitch) ----- 802.1q ----- Distributed vSwitch (all production VMs in this Distributed vSwitch)

Is this workable? any advice and info would be much appreciated.

Doug, what's your opinion?

PS: my ESXi 5 license is okay (if I change the clock in the BIOS); the issue is the vCenter license. I am considering using the open source Citrix XenServer, but I am experiencing hardware compatibility or other weird issues during the setup, which put me off straight away.

Thanks

Regards

John

Liam Randall
Feb 7, 2012, 9:35:50 PM
to securit...@googlegroups.com
The components of Security Onion work fine on 802.1q tagged traffic:
- daemonlogger records everything just fine
- bro works fine
- sguil will process everything just fine, but the export command on the console will not export a pcap w/o a minor modification to sguil.tk

If you need to limit the traffic recorded to a subset of vlans you can use one BPF on all of the components.

If you've already created your vswitch you can find the relevant settings under "Properties"
Under the vswitch properties --> general tab you can configure the VLAN ID
Under the vswitch properties --> security tab you can configure promiscuous mode.

If you are creating a new vswitch you can configure it during the wizard.

If you need vCenter and a distributed switch for multiple hosts you'll want real licenses.  Do you have multiple boxes?

Not sure about the rest of your network topology; do you have these boxes connected upstream to a trunk port?  Other vlans to be concerned about?  If you want the SO box to see traffic from multiple boxes using the same vlan id, yes, you will need to use a distributed switch to replicate that traffic across both boxes.

Liam
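For anyone doing the vSwitch configuration Liam describes from the ESXi shell instead of the vSphere Client, here is an added example; it is not code from this thread or from the Security Onion project. It assumes the ESXi 5.x `esxcli network vswitch standard` namespaces (ESXi 4.1, which Jun's work hosts run, predates this syntax, so there the Properties tabs above are the way), and the names vSwitch3 and SO-Sniff are placeholders. VLAN ID 4095 on the port group is ESXi's "all VLANs" value, which is what lets the 802.1q tags reach the guest intact so the sensor and tcpdump can see them. Setting DRY_RUN=1 prints each command instead of running it, which is also how the script can be checked on a machine without esxcli.

```shell
#!/bin/sh
# Added example (not from the thread or from Security Onion): prepare a standard vSwitch and a
# dedicated port group for an SO sniffing NIC from the ESXi 5.x shell, then read the policy back.
# vSwitch3 and SO-Sniff are placeholder names. DRY_RUN=1 prints each command instead of running it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# setup_sniff_portgroup VSWITCH PORTGROUP : allow promiscuous mode on the vSwitch (the setting
# Liam and Scott point at under the Security tab) and give the sniffing port group VLAN ID 4095,
# ESXi's "all VLANs" value, so 802.1q tags are passed to the guest instead of being stripped.
setup_sniff_portgroup() {
  vswitch=$1
  portgroup=$2
  run esxcli network vswitch standard policy security set --vswitch-name="$vswitch" --allow-promiscuous=true
  run esxcli network vswitch standard portgroup add --vswitch-name="$vswitch" --portgroup-name="$portgroup"
  run esxcli network vswitch standard portgroup set --portgroup-name="$portgroup" --vlan-id=4095
}

# show_security_policy VSWITCH : print the effective policy so the change can be verified and audited.
show_security_policy() {
  run esxcli network vswitch standard policy security get --vswitch-name="$1"
}

# Usage on the host: ./so-sniff-portgroup.sh apply vSwitch3 SO-Sniff   (prefix DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then
  setup_sniff_portgroup "${2:-vSwitch3}" "${3:-SO-Sniff}"
  show_security_policy "${2:-vSwitch3}"
fi
```

Promiscuous mode set at vSwitch level is inherited by every port group on that vSwitch, which is the reason the advice in this thread is to give the sniffer its own vSwitch rather than flipping the setting on a production vSwitch where every VM could then see its neighbours' frames.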

Jun Wan
Feb 7, 2012, 11:19:52 PM
to securit...@googlegroups.com, liam.r...@gmail.com
Hi Liam,

Thanks for your reply.

In my work place, the ESXi 4.1 has 4 hosts and each host has 8 NICs, please see the details below. We have licenses for vCenter and ESXi 4.1.

The objective of my SO project is: use an SO VM to monitor all the traffic in VLAN 100 and VLAN 120.

My question is: where should I put the SO VM? (in a separate vSwitch3 with 802.1q? or in the DvS?)

ps: all other VMs are in  VLAN 10 and VLAN 20


Thanks

John

Liam Randall
Feb 8, 2012, 12:35:02 AM
to securit...@googlegroups.com
Sorry, I direct replied on this one.

Jun - also, just reread your original post.  No, SO does not feature replace vShield.

Let us know what you come up with.

Liam

---------- Forwarded message ----------
From: Liam Randall <liam.r...@gmail.com>
Date: Wed, Feb 8, 2012 at 12:29 AM
Subject: Re: 100% virtualized Security Onion environment
To: Jun Wan <junwe...@hotmail.com>


I think you'll want it in the monitoring interface in the DvS; configure the port, test it and confirm you are seeing the vlans as expected- it might be easier to peek using tcpdump to confirm you are seeing the correct vlans.

You can "peek" with something like:

sudo tcpdump -c 20 -i eth1
and you'll see  something like this:

05:25:54.561440 vlan 20, p 0, IP HOST INFO.22122 > DIFFERENT.HOST.INFO.58681: Flags [P.], seq 4002198706:4002198950, ack 4206252472, win 226, length 244
05:25:54.561453 vlan 1, p 0, IP HOST.INFO.22122 > DIFFERENT.HOST.INFO.58681: Flags [P.], seq 824491697:824491941, ack 2299765417, win 226, length 244
...

Do us a favor please?  Keep some notes and then drop them up on the wiki & back on this list.

Liam
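To turn Liam's "peek" into a repeatable check, here is an added example; it is not part of the thread and not Security Onion code. The POSIX shell script below builds a BPF that restricts capture to a chosen set of VLAN IDs and summarises tcpdump's output per VLAN, so you can confirm the sensor interface actually sees the VLANs you expect (100 and 120 in Jun's case) before trusting it. The sample tcpdump lines are constructed, modelled on the format Liam quoted, and eth1 is assumed to be the sniffing interface. The filter uses `vlan and (ether[14:2] & 0x0fff == N ...)` rather than a chained `vlan 100 or vlan 120`, because pcap-filter(7) documents that each `vlan` keyword shifts the decode offsets by 4 for the rest of the expression, so the chained form tests for a nested tag rather than a second VLAN.

```shell
#!/bin/sh
# Added example (not from the thread or from Security Onion): verify which 802.1q VLANs a
# sniffing interface sees, and build a BPF that limits capture to the VLANs of interest.

# Constructed sample lines in the format tcpdump prints for tagged frames (not real captures).
# An untagged frame carries no "vlan N," field, as in the last line.
SAMPLE_TCPDUMP='05:25:54.561440 vlan 20, p 0, IP 10.0.20.5.22122 > 10.0.20.9.58681: Flags [P.], seq 1:245, ack 1, win 226, length 244
05:25:54.561453 vlan 100, p 0, IP 10.0.100.5.443 > 10.0.100.7.51234: Flags [.], ack 1, win 229, length 0
05:25:54.561460 vlan 120, p 0, IP 10.0.120.8.53 > 10.0.120.3.40112: 1234 1/0/0 A 10.0.120.20 (44)
05:25:54.561470 vlan 100, p 0, IP 10.0.100.7.51234 > 10.0.100.5.443: Flags [P.], seq 1:101, ack 1, win 229, length 100
05:25:54.561481 IP 10.0.10.2.22 > 10.0.10.9.40001: Flags [P.], seq 1:53, ack 1, win 226, length 52'

# vlan_bpf VID... : BPF keeping only frames tagged with one of the given VLAN IDs.
# ether[14:2] is the 802.1q TCI (bytes 12-13 hold the 0x8100 TPID); & 0x0fff drops PCP/DEI and
# leaves the 12-bit VID. "vlan 100 or vlan 120" would instead look for a second, nested tag,
# because every vlan keyword shifts the decode offsets by 4 (see pcap-filter(7)).
vlan_bpf() {
  terms=""
  for vid in "$@"; do
    terms="${terms:+$terms or }ether[14:2] & 0x0fff == $vid"
  done
  printf 'vlan and (%s)\n' "$terms"
}

# vlan_summary : read tcpdump lines on stdin, print "<vid> <count>" per VLAN and "untagged <count>".
vlan_summary() {
  awk '
    {
      tag = "untagged"
      for (i = 1; i < NF; i++) {
        if ($i == "vlan") { tag = $(i + 1); sub(/,$/, "", tag); break }
      }
      count[tag]++
    }
    END { for (t in count) print t, count[t] }
  ' | sort -n
}

# expected_vlans_seen VID... : succeed only if every listed VLAN appears in a summary read from stdin.
expected_vlans_seen() {
  seen=$(cat)
  for vid in "$@"; do
    printf '%s\n' "$seen" | awk -v v="$vid" '$1 == v { found = 1 } END { exit !found }' || return 1
  done
  return 0
}

# Live usage on the sensor (eth1 assumed to be the sniffing NIC): ./vlancheck.sh live eth1 100 120
if [ "${1:-}" = "live" ]; then
  iface=$2
  shift 2
  summary=$(sudo tcpdump -nn -c 200 -i "$iface" "$(vlan_bpf "$@")" 2>/dev/null | vlan_summary)
  printf '%s\n' "$summary"
  printf '%s\n' "$summary" | expected_vlans_seen "$@" || { echo "missing an expected VLAN on $iface" >&2; exit 1; }
fi
```

If the live run shows only "untagged" lines on an ESXi guest, the port group is almost certainly stripping the tags (VLAN ID set to a single VLAN instead of 4095) rather than the sensor missing traffic; if it shows nothing at all, promiscuous mode is the first thing to check.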

Jun Wan
Feb 8, 2012, 12:25:16 AM
to securit...@googlegroups.com, liam.r...@gmail.com
oops ! you can see the ESX network diagram here:

https://skydrive.live.com/redir.aspx?cid=f08f71c8afabf53e&resid=F08F71C8AFABF53E!2354&parid=root


Thanks. John