Security Onion and network configuring


Castle, Shane

Feb 28, 2012, 5:03:24 PM
to securit...@googlegroups.com
Security Onion is the first Ubuntu system I have used, and it seems to behave differently from other Linux flavors with respect to network configuration. For example, the installation did not ask me about network configuration at all: no DNS name, no server addresses, no preferred IP address, etc. And, when I activated sensor interfaces, suddenly DHCP is assigning them an IP address when I didn't want that at all. So, I've been deep into the Ubuntu docs on networking configuration and I must say they aren't all that clear.

A short guideline on setting up the management interface and the sensor interfaces would really be nice. All I really need is pointing in the right direction.

What I have done so far is, using the NM gui (which I didn't know where to find at first), I have defined the static IP address for the management interface, along with DNS names and servers, and unchecked the "Connect automatically" box for the interfaces which are sensor interfaces.

This seems to be OK so far. But, is there a better way?

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


Doug Burks

Feb 28, 2012, 5:19:30 PM
to securit...@googlegroups.com
Hi Shane,

Have you not seen this?

It's linked to from the Installation procedure and the FAQ. 

Hope that helps!

Thanks,
Doug


--
Doug Burks
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
SANS Augusta 6/11 - 6/16 | http://www.sans.org/augusta-2012-cs/

Castle, Shane

Feb 28, 2012, 5:25:52 PM
to securit...@googlegroups.com
That is precisely what I needed. Yep, there it is - how did I miss that?

In the words of the immortal Emily Litella, "Never mind!"

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

ChrisOmarM

Feb 29, 2012, 9:55:13 AM
to security-onion
Doug,

I tried to follow what it says in the link but I get this:

chrism@SecurityOnion:~$ sudo /etc/init.d/network-manager stop
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service network-manager stop

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) utility, e.g. stop network-manager
chrism@SecurityOnion:~$ stop network-manager
Command 'stop' is available in '/sbin/stop'
The command could not be located because '/sbin' is not included in
the PATH environment variable.
This is most likely caused by the lack of administrative priviledges
associated with your user account.
stop: command not found
chrism@SecurityOnion:~$ /sbin/stop network-manager
stop: Unknown job: network-manager
chrism@SecurityOnion:~$

Not sure what is up ... could it be the distro?

Please advise.

Thanks

On Feb 28, 10:19 pm, Doug Burks <doug.bu...@gmail.com> wrote:
> Hi Shane,
>
> Have you not seen this?http://code.google.com/p/security-onion/wiki/NetworkConfiguration

Scott Runnels

Feb 29, 2012, 10:00:37 AM
to securit...@googlegroups.com, security-onion
Hi Chris,

It barks at you but it still stops the service when you issue the /etc/init.d/network-manager stop command.

Vr
Scott

ChrisOmarM

Feb 29, 2012, 10:09:28 AM
to security-onion
OK, then I continued with the process and I get this:

chrism@SecurityOnion:/etc/init$ sudo /etc/init.d/networking restart
 * Reconfiguring network interfaces... There is already a pid file /var/run/dhclient.eth0.pid with pid 27995
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/00:1b:78:52:f1:99
Sending on LPF/eth0/00:1b:78:52:f1:99
Sending on Socket/fallback
DHCPREQUEST of 10.13.128.189 on eth0 to 255.255.255.255 port 67
DHCPACK of 10.13.128.189 from 10.13.128.1
bound to 10.13.128.189 -- renewal in 205103 seconds.
Cannot set device udp large send offload settings: Operation not supported
Cannot set large receive offload settings: Operation not supported
Failed to bring up eth0.
Cannot set device rx csum settings: Operation not supported
Cannot set device tx csum settings: Operation not supported
Cannot set device scatter-gather settings: Operation not supported
Cannot set device tcp segmentation offload settings: Operation not supported
Cannot set device udp large send offload settings: Operation not supported
Cannot set large receive offload settings: Operation not supported
Failed to bring up eth1.

[ OK ]

Is this OK? I did run a tcpdump on eth1 and I can't see packets
coming through.

Thanks for your help in advance.

Chris M.


ChrisOmarM

Feb 29, 2012, 10:24:43 AM
to security-onion
And this is telling me that eth1 is not up:

chrism@SecurityOnion:/etc/init$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:10:b5:a0:76:63 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1b:78:52:f1:99 brd ff:ff:ff:ff:ff:ff



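An added example, not part of this thread or of the Security Onion project: a small POSIX shell helper that reads "ip link" output (the live command by default, or text passed as the second argument) and classifies a sniffing interface the way the replies in this thread do by eye. NO-CARRIER is a layer 1 problem (cable, switch port, or the wrong physical port for the name), a missing PROMISC flag means the promiscuous "up" line has not taken effect, and the MAC lookup shows which physical port a name really is when a new card renumbers the interfaces. The sample text is the "ip link" output quoted in this message, rejoined onto one line per interface; the function names and the status words are my own choice.

```shell
# Constructed sample: the "ip link" output posted in this thread, rejoined onto
# one line per interface (email wrapping had split it in the post).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:10:b5:a0:76:63 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1b:78:52:f1:99 brd ff:ff:ff:ff:ff:ff'

# Print the "ip link" text to work on: the optional argument (offline use,
# tests) or the live command. A missing ip binary just yields empty text.
_ip_link_text() {
  if [ -n "${1:-}" ]; then printf '%s\n' "$1"; else ip link 2>/dev/null || true; fi
}

# iface_flags NAME [TEXT]: the <...> flag list of NAME, one flag per line.
iface_flags() {
  _ip_link_text "${2:-}" | awk -v n="$1:" '
    $2 == n { f = $3; sub(/^</, "", f); sub(/>$/, "", f); gsub(/,/, "\n", f); print f }'
}

# iface_mac NAME [TEXT]: the hardware address on the link/ line that follows
# NAME. When a new card renumbers the ports, the MAC tells you which physical
# port a name really refers to.
iface_mac() {
  _ip_link_text "${2:-}" | awk -v n="$1:" '
    $2 == n { want = 1; next }
    want && $1 ~ /^link\// { print $2; exit }'
}

# sniff_status NAME [TEXT]: classify a sniffing interface; prints one of
# missing | no-carrier | admin-down | not-promisc | ok and returns non-zero
# unless it is usable. NO-CARRIER is checked first: with a dead link (layer 1)
# the remaining flags do not matter.
sniff_status() {
  flags=$(iface_flags "$1" "${2:-}")
  if [ -z "$flags" ]; then echo "missing"; return 1; fi
  if printf '%s\n' "$flags" | grep -qxF 'NO-CARRIER'; then echo "no-carrier"; return 1; fi
  if ! printf '%s\n' "$flags" | grep -qxF 'UP'; then echo "admin-down"; return 1; fi
  if ! printf '%s\n' "$flags" | grep -qxF 'PROMISC'; then echo "not-promisc"; return 1; fi
  echo "ok"
}

# Usage on a live box:   sniff_status eth1
# Against the sample:    sniff_status eth1 "$SAMPLE_IP_LINK"   (prints no-carrier)
```

Source the file and run sniff_status against the sniffing interface after "ifup"; a "no-carrier" answer sends you to the cabling and the switch port before anything else, and iface_mac lets you match the name to the label on the card.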

Scott Runnels

Feb 29, 2012, 10:42:35 AM
to securit...@googlegroups.com, security-onion
Hi Chris,

Looks like the driver for your card might not support some of the extra flags from the interfaces file. What kind of network interface card are you using?

Can you paste your interfaces file into an email and let us take a quick look at it? Also let us know which is to be the management interface and which is to be the sniffing interface.

On a side note I would highly suggest giving your SecurityOnion box a static IP address or giving it a MAC based reservation from the DHCP server.

vr
Scott

ChrisOmarM

Feb 29, 2012, 11:11:48 AM
to security-onion
Thanks for your help Scott.

Here is the output of the interfaces file:

chrism@SecurityOnion:~$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

# Management interface DHCP
auto eth0
iface eth0 inet dhcp
  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done

# Connected to TAP or SPAN port for all Internet traffic
auto eth1
iface eth1 inet manual
  up ifconfig $IFACE -arp up
  up ip link set $IFACE promisc on
  down ip link set $IFACE promisc off
  down ifconfig $IFACE down
  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done


Here is what I'm seeing with mii-tool

chrism@SecurityOnion:~$ sudo mii-tool
eth0: negotiated 100baseTx-FD, link ok
eth1: no link


eth0 is the mgmt and eth1 is the sniffing one.

thanks.


Doug Burks

Feb 29, 2012, 11:28:22 AM
to securit...@googlegroups.com
Hi Chris,

Replies inline.

On Wed, Feb 29, 2012 at 11:11 AM, ChrisOmarM <chris.r...@gmail.com> wrote:
> Thanks for your help Scott.
>
> Here is the output of the interface file
>
> chrism@SecurityOnion:~$ cat /etc/network/interfaces
> auto lo
> iface lo inet loopback
>
> # Management interface DHCP
> auto eth0
> iface eth0 inet dhcp
>  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE
> $i off; done

I assume it was the email line wrapping which caused the post-up line
to become two lines?

> # Connected to TAP or SPAN port for all Internet traffic
> auto eth1
> iface eth1 inet manual
>  up ifconfig $IFACE -arp up
>  up ip link set $IFACE promisc on
>  down ip link set $IFACE promisc off
>  down ifconfig $IFACE down
>  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE
> $i off; done
>
>
> Here is what I'm seeing with mii-tool
>
> chrism@SecurityOnion:~$ sudo mii-tool
> eth0: negotiated 100baseTx-FD, link ok
> eth1: no link

You can try taking out the post-up command and restarting networking
to see if that allows eth1 to come up. However, it's been my
experience that cards that don't support all of those options will
produce the error messages you're seeing but will still come up
properly.

Also, have you double-checked the cabling just to make sure it's not a
layer 1 issue?

Thanks,
Doug

Castle, Shane

Feb 29, 2012, 11:33:41 AM
to securit...@googlegroups.com
Doug wrote:
>Also, have you double-checked the cabling just to make sure it's not a
>layer 1 issue?

This could definitely be an issue. When I added a 4-port Gbit NIC, its lowest MAC address became eth0 and the two built-in Gbit interfaces became eth4 and eth5. What one thinks should be eth0 might not actually be eth0.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH



ChrisOmarM

Feb 29, 2012, 12:09:41 PM
to security-onion
Yup, it turned out to be a layer 1 issue. Once that was resolved I got both
interfaces up. But no info going through eth1:

chrism@SecurityOnion:/usr/sbin$ sudo mii-tool
eth0: negotiated 100baseTx-FD, link ok
eth1: negotiated 100baseTx-FD, link ok
chrism@SecurityOnion:/usr/sbin$ sudo tcpdump -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel


thanks.



Scott Runnels

Feb 29, 2012, 12:17:33 PM
to securit...@googlegroups.com
Are you using a mirror/SPAN port or a TAP?

I would also say check that eth0 isn't being used for monitoring just to be certain.

I like to use tshark to test if a SPAN or TAP is properly configured:

sudo tshark -i eth0 -T fields -e ip.src -e ip.dst

This will list just the src and dst IP addresses of the traffic crossing that NIC. If you see traffic that isn't from the local NIC or broadcast/multicast, then the SPAN/TAP is properly configured.

Vr
Scott
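An added example, not from this thread or from the Security Onion project, that turns the tshark check above into a pass/fail test: it reads the two tab-separated columns that "tshark -T fields -e ip.src -e ip.dst" prints, discards packets to or from the box's own address and packets to broadcast or multicast destinations, and counts what is left. Any remaining "foreign" packet is traffic the box could only have seen through a working SPAN or TAP. The function name, the status words and the sample capture lines are mine; the sample uses the 10.13.128.189 address from the DHCP output earlier in the thread plus documentation-range addresses, and the ".255 means broadcast" rule is a heuristic for /24 networks, stated as such in the comments.

```shell
# span_check LOCAL_IP: read "tshark -T fields -e ip.src -e ip.dst" lines on
# stdin (tab separated) and sort each packet into one of three buckets:
#   ours     - to or from LOCAL_IP (the sniffing box itself; proves nothing)
#   noise    - to a broadcast or multicast address (seen on any switch port)
#   foreign  - everything else, i.e. traffic only a SPAN/TAP could deliver
# Prints a summary plus the foreign src -> dst pairs; exit status is 0 when
# at least one foreign packet was seen, 1 otherwise.
span_check() {
  awk -F '\t' -v me="$1" '
    # 224.0.0.0/4 is the IPv4 multicast range.
    function is_mcast(ip,  o) { split(ip, o, "."); return (o[1] + 0 >= 224 && o[1] + 0 <= 239) }
    # Limited broadcast, plus a /24-style .255 heuristic for subnet broadcast.
    function is_bcast(ip)     { return (ip == "255.255.255.255" || ip ~ /\.255$/) }
    NF < 2 || $1 == "" || $2 == "" { next }          # non-IP frames (ARP etc.) have empty fields
    $1 == me || $2 == me           { ours++; next }
    is_bcast($2) || is_mcast($2)   { noise++; next }
    { foreign++; pairs[$1 " -> " $2]++ }
    END {
      printf "local=%d broadcast/multicast=%d foreign=%d\n", ours + 0, noise + 0, foreign + 0
      for (p in pairs) printf "  %s (%d)\n", p, pairs[p]
      exit (foreign + 0 > 0 ? 0 : 1)
    }'
}

# Constructed sample of tshark field output (not a real capture): two packets
# involving the box itself, one subnet broadcast, one mDNS multicast, two
# third-party flows, and one empty line as a non-IP frame would produce.
SAMPLE_TSHARK=$(printf '10.13.128.189\t10.13.128.1\n10.13.128.1\t10.13.128.189\n192.168.7.10\t203.0.113.5\n192.168.7.10\t192.168.7.255\n192.168.7.22\t224.0.0.251\n172.16.4.9\t198.51.100.7\n\t\n')

# Usage against the sample:
#   printf '%s\n' "$SAMPLE_TSHARK" | span_check 10.13.128.189
# prints "local=2 broadcast/multicast=2 foreign=2" followed by the two pairs.
```

On a live sensor feed it a bounded capture so the pipeline ends on its own, for example "sudo tshark -i eth1 -c 200 -l -T fields -e ip.src -e ip.dst | span_check 10.13.128.189", substituting the management address of the box and the interface under test; a result of foreign=0 after a few hundred packets means the mirror or TAP is not delivering, whatever the link light says.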

Toan Cao Minh

Dec 26, 2018, 11:40:08 PM
to security-onion

Hi all,
I have an issue relating to network configuration, so I raise it in this topic for your help.

Following the guide on how to configure the network for SO at the URL https://github.com/Security-Onion-Solutions/security-onion/wiki/NetworkConfiguration,
I have to configure the sniffing interface in /etc/network/interfaces and do some further things.
But in my current interfaces file, I have not seen any setting for my sniffing interface. My SO works normally and can sniff traffic as normal.
I wonder where the network configuration for my sniffing interface is. Is it configured automatically without settings in /etc/network/interfaces?

Thank you very much.


Steven J

Dec 27, 2018, 6:31:34 AM
to securit...@googlegroups.com
