Interfaces to configure SecOnion like an enterprise environment on VirtualBox


Diego Santos de Bem

Oct 9, 2014, 4:31:40 PM
to securit...@googlegroups.com
Hello bro,

Please help me with how I can configure the interfaces on SecOnion, because in my tests on VirtualBox (simple lab) I put in 2 network interfaces:
1 - WAN (eth0): bridged adapter
2 - Internal network (eth1): internal network

Interface 1 - (eth0) WAN access to the internet with a dynamic IP - 192.168.1.10 (this interface gives me access to the internet, and is it the interface that I need to monitor? Right?)
Interface 2 - this would be for the local network interface, to emulate a (corporate network), so I would like to put my management interface there.

So, when I configure interface 1 (WAN), the WAN interface eth0 goes into promiscuous mode and no longer has access to the internet.

So I think I'm setting it up wrong. How do I configure packets to be analyzed on (eth0) WAN and then have the packets routed to interface eth1 (corporate network), as a TAP network?

Could you help me with the correct configuration?
So I am thinking...

I have to put in 3 network cards to set up:

1 - eth0 (internet)
2 - eth1 (sniff) monitor interface
3 - eth2 (CorpNetwork)
And then configure a (tun/tap network interface) from eth1 to eth2.

I really did not understand how the analyzed data is routed to the internal network.

Thanks

Sorry for my bad English.

Lee Sharp

Oct 9, 2014, 9:28:23 PM
to securit...@googlegroups.com
On 10/09/2014 03:31 PM, Diego Santos de Bem wrote:

> I have to put in 3 network cards to set up:
>
> 1 - eth0 (internet)
> 2 - eth1 (sniff) monitor interface
> 3 - eth2 (CorpNetwork)
> And then configure a (tun/tap network interface) from eth1 to eth2.

I am confused. Security Onion is not a router. It has a management
interface, and one or more sensor (sniffing) interfaces. That is all.
Are you expecting it to route and pass traffic?

Lee

Diego Santos de Bem

Oct 10, 2014, 8:57:43 AM
to securit...@googlegroups.com
Thanks, Lee,

This confuses me too, because I can do this with pfSense and Snort, where Snort analyzes the traffic and routes the traffic to the internal LAN. I would need to understand how to implement SecOnion in a virtual environment with VirtualBox.

Doug Burks

Oct 10, 2014, 9:02:46 AM
to securit...@googlegroups.com
pfSense is designed to be a firewall and route traffic. Security
Onion is not designed to route traffic. It is designed to sniff
traffic from a tap or span port.

For more info, please see:
https://code.google.com/p/security-onion/wiki/IntroductionToSecurityOnion
https://code.google.com/p/security-onion/wiki/Hardware

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Lee Sharp

Oct 10, 2014, 11:42:48 AM
to securit...@googlegroups.com
On 10/10/2014 07:57 AM, Diego Santos de Bem wrote:
> Thanks, Lee,
>
> This confuses me too, because I can do this with pfSense and Snort, where Snort analyzes the traffic and routes the traffic to the internal LAN. I would need to understand how to implement SecOnion in a virtual environment with VirtualBox.

pfSense is a router. It happens to have a snort plugin, but it is first
and foremost a router. There is no router in Security Onion. But since
you know pfSense, you can install pfSense in a vm for routing, and use
tee from pf instead of a tap, span, or mirror port.

Lee

PS: I helped write WISPr compliance in captive portal in M0n0wall that
was ported to pfSense. Small world. :)

Diego Santos de Bem

Oct 10, 2014, 1:58:32 PM
to securit...@googlegroups.com
Thanks for the replies. Researching on Google, I found a SANS document specifying the configuration of the TAP.

http://www.sans.org/reading-room/whitepapers/detection/security-onion-cloud-client-network-security-monitoring-cloud-34335
Doubts clarified, thanks!

Diego Santos de Bem

Oct 10, 2014, 2:07:17 PM
to securit...@googlegroups.com
Just one more question: can I configure Security Onion on VirtualBox and route the traffic of WAN (eth0) to (eth1) with Linux?

http://backreference.org/2010/03/26/tuntap-interface-tutorial/

I'll try to configure the TAP on Security Onion itself; will it work?

Doug Burks

Oct 11, 2014, 12:54:20 PM
to securit...@googlegroups.com
I'm not sure that I understand your question. Most folks send traffic
to Security Onion from a span/mirror port on their existing switch or
install a dedicated hardware tap to copy the traffic.
https://code.google.com/p/security-onion/wiki/Hardware#Packets

Diego Santos de Bem

Oct 14, 2014, 10:38:15 AM
to securit...@googlegroups.com
Thanks for the reply. I asked whether I can create a virtual TAP on Linux to do the same thing as a network TAP; I intend to do this by installing the feature on the Security Onion server....
So Security Onion will also be the TAP.

Doug Burks

Oct 14, 2014, 10:51:51 AM
to securit...@googlegroups.com
In theory you can, but the simpler method is using a span/mirror port
on an existing switch or installing a dedicated hardware tap:
https://code.google.com/p/security-onion/wiki/Hardware#Packets
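
A Linux software tap of the kind Diego asks about and Doug says is possible in theory, added here as an example (it is not Security Onion's or pfSense's own code): run on the router VM, it uses tc's clsact qdisc with a matchall filter and the mirred mirror action to copy both directions of the routed WAN interface onto a second adapter that the Security Onion sensor sniffs, so the sniffing interface never carries an IP address and the routed interface keeps its connectivity. The interface names eth0/eth1 and the VirtualBox internal-network layout are assumptions.

```shell
#!/bin/sh
# Software tap for a VirtualBox lab (added example, not Security Onion tooling).
# Runs on the Linux *router* VM that owns the WAN interface: every frame that
# crosses SRC (assumed eth0) is copied onto DST (assumed eth1), a second adapter
# on the same VirtualBox internal network as the sensor's sniffing interface.
# The sensor side only listens; the copy target must not be a routed interface.
set -eu

# Print the tc commands that mirror both directions of SRC onto DST.
# clsact holds ingress and egress filters in one qdisc; matchall + mirred
# "mirror" copies each frame (not "redirect"), so routing on SRC is unaffected.
tap_commands() {
    src="$1"
    dst="$2"
    cat <<EOF
ip link set dev $dst up promisc on
tc qdisc add dev $src clsact
tc filter add dev $src ingress matchall action mirred egress mirror dev $dst
tc filter add dev $src egress matchall action mirred egress mirror dev $dst
EOF
}

# Print the command that undoes tap_commands (deleting clsact drops its filters).
teardown_commands() {
    printf 'tc qdisc del dev %s clsact\n' "$1"
}

# Safety check: refuse a DST that carries an IPv4 address, because mirroring
# into a routed interface would push copied WAN traffic into the corporate LAN.
# Takes the text of `ip -4 -o addr show dev DST` so it can be checked offline.
dst_is_unaddressed() {
    ! printf '%s\n' "$1" | grep -q '[[:space:]]inet '
}

# Usage: sh softtap.sh eth0 eth1            (print the commands)
#        APPLY=1 sh softtap.sh eth0 eth1    (execute them as root)
if [ "$#" -eq 2 ]; then
    if [ "${APPLY:-0}" = "1" ]; then
        dst_is_unaddressed "$(ip -4 -o addr show dev "$2")" \
            || { echo "refusing: $2 has an IPv4 address" >&2; exit 1; }
        tap_commands "$1" "$2" | sh -e
    else
        tap_commands "$1" "$2"
    fi
fi
```

The clsact qdisc and matchall filter need a Linux 4.6 or newer kernel on the router VM; on the Security Onion side, eth1 is then configured as an ordinary sniffing interface.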

Diego Santos de Bem

Oct 14, 2014, 1:22:19 PM
to securit...@googlegroups.com
OK Doug, that was my doubt... thanks for clarifying.
Regards,

Diego Bem
