Hi Jim,
Replies inline.
On Tue, Mar 17, 2015 at 12:06 PM, Jim Solderitsch <jsolde...@gmail.com> wrote:
> I have updated my Security Onion install where SO is running as a virtual machine with two network adapters, one for admin and one for sniffing. I have a network created via Mac OS X internet sharing with the IP range 192.168.3.0/24. I want to point my sniffing interface -- eth1 -- to this network. One of my network adapters in Fusion is bound to this network via a USB ethernet adapter that I can select from the VM.
>
> This works to the extent that I can ping hosts on the shared network from SO. I have a Raspberry PI acting as PLC, a Kali Linux VM serving as an attack point for my tests, and the Mac itself is acting as the ICS engineering workstation and HMI site via Wine-wrapped executables. These have the addresses 192.168.3.4, 192.168.3.20 and 192.168.3.1 respectively.
>
> I guess I need to change HOME_NET in my configuration files? Or will the default private setting:
>
> ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
>
> work for my case? Right now I only really care about the particular subnet I mention in the first paragraph.
HOME_NET is the network you are trying to defend. As shown above, we
default to RFC1918 private address space which includes the specific
subnet you mentioned, so it should work for you without any changes.
> I expected I could use wireshark on eth1 from my admin interface to look at network traffic on the monitored network but wireshark in SO says I have no interfaces enabled for live monitoring. Is this to be expected?
Yes, Wireshark requires administrative privileges to open a network
interface in promiscuous mode. You could launch Wireshark as root and
this would allow you to put the interface into promiscuous mode and
sniff traffic. However, this is dangerous from a security perspective
as Wireshark has had many critical security issues over the years.
That's why Security Onion uses netsniff-ng for full packet capture and
runs it as a limited user.
> I want to generate traffic on this private network using the modbus protocol and then monitor it from SO. Are there specific steps I need to go through to get this to work? Looks like snort is already set up to deal with modbus rules and I have some rules from the Digitalbond web site that I want to try.
You should be able to add your Digitalbond rules to
/etc/nsm/rules/local.rules and restart Snort:
sudo nsm_sensor_ps-restart --only-snort-alert
> I just want to make sure I have the network plumbing working before I get into the modbus details. Appreciate any tips/pointers.
>
> Thanks
>
> Jim
>
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
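To check Doug's point that the default HOME_NET already covers the 192.168.3.0/24 lab subnet, here is a small added example (not code from the thread or from Security Onion) that parses a Snort `ipvar HOME_NET` line and tests whether a host or subnet falls inside it, including `!`-negated entries and `any`. The `DEFAULT_HOME_NET` string is the default quoted in the thread; nested `$VAR` references are assumed not to occur.

```python
import ipaddress
import re

# Sample line copied from the default HOME_NET shown in the thread.
DEFAULT_HOME_NET = "ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"


def parse_ipvar(line):
    """Split a Snort `ipvar NAME value` line into (name, includes, excludes).

    Accepts a single address/CIDR, a comma-separated bracket list, `!`-negated
    entries and the keyword `any`. Assumption: no nested $VAR references.
    """
    m = re.match(r"^\s*ipvar\s+(\w+)\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not an ipvar line: %r" % line)
    name, body = m.group(1), m.group(2).strip()
    if body.lower() == "any":
        return name, [ipaddress.ip_network("0.0.0.0/0"),
                      ipaddress.ip_network("::/0")], []
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    includes, excludes = [], []
    for entry in (e.strip() for e in body.split(",")):
        if not entry:
            continue
        negated = entry.startswith("!")
        # strict=False tolerates host bits set, e.g. 192.168.3.4/24
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        (excludes if negated else includes).append(net)
    return name, includes, excludes


def home_net_covers(line, target):
    """True if every address in `target` (host or CIDR) is defended by HOME_NET."""
    _, includes, excludes = parse_ipvar(line)
    tgt = ipaddress.ip_network(target, strict=False)
    same = lambda n: n.version == tgt.version
    inside = any(tgt.subnet_of(n) for n in includes if same(n))
    excluded = any(tgt.overlaps(n) for n in excludes if same(n))
    return inside and not excluded


if __name__ == "__main__":
    # The lab subnet and the three hosts named in the thread (PLC, Kali, HMI).
    for t in ("192.168.3.0/24", "192.168.3.4", "192.168.3.20", "192.168.3.1"):
        print(t, "covered" if home_net_covers(DEFAULT_HOME_NET, t) else "NOT covered")
```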