VMware Fusion Security Onion install and Mac OS X Shared Network


Jim Solderitsch

17 Mar 2015, 12:06:40
to securit...@googlegroups.com
I have updated my Security Onion install where SO is running as a virtual machine with two network adapters, one for admin and one for sniffing. I have a network created via Mac OS X internet sharing with the IP range 192.168.3.0/24. I want to point my sniffing interface -- eth1 -- to this network. One of my network adapters in Fusion is bound to this network via a USB ethernet adapter that I can select from the VM.

This works to the extent that I can ping hosts on the shared network from SO. I have a Raspberry PI acting as PLC, a Kali Linux VM serving as an attack point for my tests, and the Mac itself is acting as the ICS engineering workstation and HMI site via Wine-wrapped executables. These have the addresses 192.168.3.4, 192.168.3.20 and 192.168.3.1 respectively.

I guess I need to change HOME_NET in my configuration files? Or will the default private setting:

ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]

work for my case? Right now I only really care about the particular subnet I mention in the first paragraph.

I expected I could use wireshark on eth1 from my admin interface to look at network traffic on the monitored network but wireshark in SO says I have no interfaces enabled for live monitoring. Is this to be expected?

I want to generate traffic on this private network using the modbus protocol and then monitor it from SO. Are there specific steps I need to go through to get this to work? Looks like snort is already setup to deal with modbus rules and I have some rules from the Digitalbond web site that I want to try.

I just want to make sure I have the network plumbing working before I get into the modbus details. Appreciate any tips/pointers.

Thanks

Jim

Doug Burks

17 Mar 2015, 15:32:10
to securit...@googlegroups.com
Hi Jim,

Replies inline.

On Tue, Mar 17, 2015 at 12:06 PM, Jim Solderitsch
<jsolde...@gmail.com> wrote:
> I have updated my Security Onion install where SO is running as a virtual machine with two network adapters, one for admin and one for sniffing. I have a network created via Mac OS X internet sharing with the IP range 192.168.3.0/24. I want to point my sniffing interface -- eth1 -- to this network. One of my network adapters in Fusion is bound to this network via a USB ethernet adapter that I can select from the VM.
>
> This works to the extent that I can ping hosts on the shared network from SO. I have a Raspberry PI acting as PLC, a Kali Linux VM serving as an attack point for my tests, and the Mac itself is acting as the ICS engineering workstation and HMI site via Wine-wrapped executables. These have the addresses 192.168.3.4, 192.168.3.20 and 192.168.3.1 respectively.
>
> I guess I need to change HOME_NET in my configuration files? Or will the default private setting:
>
> ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
>
> work for my case? Right now I only really care about the particular subnet I mention in the first paragraph.

HOME_NET is the network you are trying to defend. As shown above, we
default to RFC1918 private address space which includes the specific
subnet you mentioned, so it should work for you without any changes.

> I expected I could use wireshark on eth1 from my admin interface to look at network traffic on the monitored network but wireshark in SO says I have no interfaces enabled for live monitoring. Is this to be expected?

Yes, Wireshark requires administrative privileges to open a network
interface in promiscuous mode. You could launch Wireshark as root and
this would allow you to put the interface into promiscuous mode and
sniff traffic. However, this is dangerous from a security perspective
as Wireshark has had many critical security issues over the years.
That's why Security Onion uses netsniff-ng for full packet capture and
runs it as a limited user.

> I want to generate traffic on this private network using the modbus protocol and then monitor it from SO. Are there specific steps I need to go through to get this to work? Looks like snort is already setup to deal with modbus rules and I have some rules from the Digitalbond web site that I want to try.

You should be able to add your Digitalbond rules to
/etc/nsm/rules/local.rules and restart Snort:
sudo nsm_sensor_ps-restart --only-snort-alert

> I just want to make sure I have the network plumbing working before I get into the modbus details. Appreciate any tips/pointers.
>
> Thanks
>
> Jim



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Jim Solderitsch

17 Mar 2015, 16:59:14
to securit...@googlegroups.com
On Tuesday, March 17, 2015 at 3:32:10 PM UTC-4, Doug Burks wrote:
> Hi Jim,
>
> Replies inline.
>

Thanks for the reply. I think I got it working. I added the rules to local.rules, changed snort.conf to define the allowed addresses that can appear as Modbus Servers or clients and restarted. I used the restart command:

sudo rule-update

rather than the one you suggest. I then attempted to write a modbus register from an unexpected IP address and I got the expected alert in the squert UI.

I will investigate using netsniff-ng as an alternative.

Jim
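A worked example of the configuration described in this exchange, added here and not taken from the thread or from the Digital Bond rule set: a snort.conf fragment that whitelists the thread's Modbus hosts (192.168.3.4, the Raspberry Pi PLC, as the only server; 192.168.3.1, the Mac acting as engineering workstation/HMI, as the only client) and a local.rules entry that alerts when a Modbus register write reaches the PLC from any other address, which is what Jim's test from an unexpected IP exercised. The rule text, the variable names MODBUS_SERVER/MODBUS_CLIENT and sid 1000001 are my own assumptions; the preprocessor line assumes Snort's modbus preprocessor is enabled (the thread notes Security Onion's Snort is already set up for Modbus rules, so it may already be present).

```snort
# --- snort.conf fragment (added example; addresses taken from the thread) ---
# HOME_NET can stay at the RFC1918 default quoted earlier in the thread:
# 192.168.3.0/24 is already inside 192.168.0.0/16.
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]

# Only the Raspberry Pi PLC should answer Modbus, and only the Mac
# (engineering workstation / HMI) should issue Modbus requests.
# Variable names are an assumption for this example.
ipvar MODBUS_SERVER [192.168.3.4]
ipvar MODBUS_CLIENT [192.168.3.1]

# Modbus preprocessor, needed so the modbus_func rule option is available.
preprocessor modbus: ports { 502 }

# --- /etc/nsm/rules/local.rules entry (sid chosen in the local 1000000+ range) ---
# Alert on a Write Single Register from any host that is not a whitelisted
# client; a write issued from the Kali VM at 192.168.3.20 would match.
alert tcp !$MODBUS_CLIENT any -> $MODBUS_SERVER 502 (msg:"LOCAL Modbus write single register from non-whitelisted client"; flow:to_server,established; modbus_func:write_single_register; classtype:policy-violation; sid:1000001; rev:1;)

# Apply the change with either command mentioned in the thread:
#   sudo rule-update
#   sudo nsm_sensor_ps-restart --only-snort-alert
```

The rule only fires for function code 6 (Write Single Register); other write functions need their own modbus_func values or a separate rule per function.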

Sameh abulfotooh

24 Nov 2018, 6:09:27
to security-onion
Hi Jim,

I have the same issue, I am on MAC, and the sniffing interface is not capturing any alerts, could you please help me and let me know how you fixed this issue.

Regards

Wes Lambert

26 Nov 2018, 8:38:44
to securit...@googlegroups.com
Hi Sameh,

Please open a new thread instead of responding to an old one.

In your new thread, please include a detailed description of your issue, and the output of sostat-redacted, attaching as a plain text file, or using a service like Pastebin.com.

Thanks,
Wes


