Re: [security-onion] newbie install wireless question


Matt Gregory

Mar 5, 2013, 5:32:46 PM
to securit...@googlegroups.com
Hi Darrell,

At the moment, the Security Onion interface configuration doesn't support wireless NIC configuration, as there is no logic to accept and configure wireless-specific settings like SSID, encryption, etc.

The network configuration script just disables NetworkManager and then configures /etc/network/interfaces, so you could manually edit that file to include your wireless interface prior to running sosetup to configure Security Onion itself.  I've never tried installing Security Onion with a wireless management interface, so let us know how it turns out; you might run into some unexpected gotchas.

Doug, is this something you would want to officially support?

Matt


On Tue, Mar 5, 2013 at 5:09 PM, Darrell Gray <darrell...@gmail.com> wrote:
I have installed Ubuntu 12.04 and Security Onion. When I run the setup command and go through the initial network configuration it disables my wireless and I can't seem to recover it. I want to use the wireless connection to manage the device and the Ethernet port for monitoring. This is the 2nd time I installed it and the same thing happened. Any help would be greatly appreciated!

Thanks
Darrell

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.



Doug Burks

Mar 6, 2013, 6:15:03 AM
to securit...@googlegroups.com
The vast majority of our users do NOT use wireless so Setup was never
designed for wireless connections. If you can use wired NICs, then
everything should Just Work (TM). If you really have to use a
wireless interface for management, you might be able to make it work
by doing the following:

- manually configure your wireless interface and your sniffing
interface(s) in /etc/network/interfaces per the following:
https://code.google.com/p/security-onion/wiki/NetworkConfiguration
(it's important to configure your sniffing interfaces properly so that
they get a proper view of the traffic)

- when you run Setup and it asks if you want to configure
/etc/network/interfaces, answer NO

Hope that helps!

Thanks,
Doug


On Tue, Mar 5, 2013 at 8:09 PM, David M. <david.m...@gmail.com> wrote:
> Darrell,
>
> Thanks for asking this question, as I was wondering the same thing in the past 24 hours. It seems as if I'll have to go and find an RJ-45 port around here somewhere. :-)
>
> David M.
>
>
> On Tuesday, March 5, 2013 5:09:29 PM UTC-5, Darrell Gray wrote:
>> I have installed Ubuntu 12.04 and Security Onion. When I run the setup command and go through the initial network configuration it disables my wireless and I can't seem to recover it. I want to use the wireless connection to manage the device and the Ethernet port for monitoring. This is the 2nd time I installed it and the same thing happened. Any help would be greatly appreciated!
>>
>> Thanks
>> Darrell
>



--
Doug Burks
http://securityonion.blogspot.com
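
The manual configuration described in the message above, sketched as an added example (it is not from the thread or from the Security Onion project). Assumptions: the interface names `wlan0` and `eth0`, DHCP on the management side, WPA settings kept in `/etc/wpa_supplicant.conf`, and the particular promiscuous-mode and offload settings on the sniffing interface; the linked NetworkConfiguration wiki page is the authority for the latter.

```shell
#!/bin/sh
# Added example: render /etc/network/interfaces content with a wireless
# management interface and a wired sniffing interface, then sanity-check it.
# Interface names, DHCP and the offload list are assumptions, not thread content.

render_interfaces() {
    mgmt="$1"; sniff="$2"
    if [ -z "$mgmt" ] || [ -z "$sniff" ] || [ "$mgmt" = "$sniff" ]; then
        echo "usage: render_interfaces MGMT_IFACE SNIFF_IFACE (must differ)" >&2
        return 1
    fi
    cat <<EOF
auto lo
iface lo inet loopback

# Management: wireless, joins the network described in wpa_supplicant.conf
auto $mgmt
iface $mgmt inet dhcp
    wpa-conf /etc/wpa_supplicant.conf

# Sniffing: no IP address, no ARP, promiscuous, NIC offloads disabled so the
# sensor sees packets as they appeared on the wire
auto $sniff
iface $sniff inet manual
    up ip link set \$IFACE arp off up
    up ip link set \$IFACE promisc on
    post-up for i in rx tx sg tso gso gro lro; do ethtool -K \$IFACE \$i off || true; done
    post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6
    down ip link set \$IFACE promisc off
    down ip link set \$IFACE down
EOF
}

# Reads interfaces-format text on stdin. Succeeds only if interface $1 is
# declared "inet manual" (no address) and its stanza turns promiscuous mode on.
check_sniffer() {
    awk -v i="$1" '
        $1 == "iface" { cur = $2; if (cur == i && $4 == "manual") manual = 1 }
        cur == i && /promisc on/ { promisc = 1 }
        END { exit !(manual && promisc) }'
}

# Print the rendered file for review before copying it into place.
render_interfaces wlan0 eth0
```

Review the output, install it as `/etc/network/interfaces`, and answer NO when Setup asks whether to configure that file.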

Doug Burks

Mar 7, 2013, 10:18:21 AM
to securit...@googlegroups.com
You shouldn't have to do a full reinstall, you should be able to just
modify /etc/network/interfaces and then re-run Setup. But if you have
issues, you can always perform a full reinstall in less than 10
minutes.
Doug

On Thu, Mar 7, 2013 at 8:20 AM, David M. <david.m...@gmail.com> wrote:
> Doug,
>
> Thank you for the answer. Do we have to perform a full reinstall in order to follow those steps? Or just change network interfaces, run Setup, and go? I'm hoping to achieve the same level of interface optimization as would occur during a normal install & setup.
>
> Much appreciated!
> David M.

Doug Burks

Mar 25, 2013, 7:04:48 AM
to securit...@googlegroups.com
Instead of joining the WPA2 network and sniffing there, have you
considered sniffing a standard span/tap between the wireless access
point and the rest of the wired network?
Doug


On Sat, Mar 23, 2013 at 8:27 PM, David M. <david.m...@gmail.com> wrote:
> Hi,
>
> After 2 weeks of troubleshooting, reading Ubuntu/Xubuntu forums, etc I haven't been able to get wireless working in Security Onion.
>
> I'm trying to join a WPA2 protected network, get a DHCP address for wlan0, and get the interface into promiscuous mode. Of course, I'd like the interface optimizations that would come with SO Setup, but at this point I'd just be happy to get wlan0 up and connected to the network.
>
> I've followed steps from the SO networking page, as well as many other attempts from blog posts, forum posts, etc. I've run wpa_passphrase, created /etc/wpa_supplicant.conf, created a wpa.sh script in /etc/init.d/ and then attempted to down/up the interface.
>
> So I'm not sure what else to do or try, but I'm hoping to get some advice. Thank you!
>
> PS - For clarity, I've already reinstalled and put the management interface on eth0 and that is working fine. Just having trouble configuring wlan0 and getting it to join a WPA2 network and sniff that traffic.

David Matusiak

Mar 25, 2013, 2:58:21 PM
to securit...@googlegroups.com
Hi Doug,

Thank you for your response. Would sniffing at an intermediate point
be "better" for any reason?

I have the eth0 plugged into a 4 port switch that also feeds the WiFi
access point. However, the only traffic I see being captured is
network broadcasts for Dropbox. And I don't have access to a true hub
at this time... Which is why I thought it best to use the wlan0 card
to capture traffic from the wireless network.

If the WiFi traffic is WPA2 encrypted and you're not authenticated,
then how can you capture much via a span tap in between? I'm sure I'm
missing something simple here, so apologies for my ignorance.

Dave M.

Eric Ooi

Mar 25, 2013, 3:11:05 PM
to securit...@googlegroups.com
Hey David,

To Doug's point, I have dd-wrt running on my wireless router and set it up so that one port mirrors all traffic (wired and wireless).  Even though I have WPA2 wireless encryption, the mirror port is unaffected by this and I can see all traffic -- wired or wireless.

Eric

David Matusiak

Mar 28, 2013, 12:31:54 PM
to securit...@googlegroups.com
Thanks for the tips on using dd-wrt and a mirror port. I don't have a
spare wifi router right now and am just trying to get my wireless card
to join the network and sniff traffic. If anyone has good ideas on how
to get this working, then I'd certainly appreciate it.

David M.

Mark Avadikian

Jun 30, 2019, 8:44:37 PM
to security-onion
On Tuesday, March 5, 2013 at 5:32:46 PM UTC-5, Matt wrote:
> Hi Darrell,
>
> At the moment, the Security Onion interface configuration doesn't support wireless NIC configuration, as there is no logic to accept and configure wireless-specific settings like SSID, encryption, etc.
>
> The network configuration script just disables NetworkManager and then configures /etc/network/interfaces, so you could manually edit that file to include your wireless interface prior to running sosetup to configure Security Onion itself.  I've never tried installing Security Onion with a wireless management interface, so let us know how it turns out; you might run into some unexpected gotchas.
>
> Doug, is this something you would want to officially support?
>
> Matt
>
> On Tue, Mar 5, 2013 at 5:09 PM, Darrell Gray <darrel...@gmail.com> wrote:
>
> I have installed Ubuntu 12.04 and Security Onion. When I run the setup command and go through the initial network configuration it disables my wireless and I can't seem to recover it. I want to use the wireless connection to manage the device and the Ethernet port for monitoring. This is the 2nd time I installed it and the same thing happened. Any help would be greatly appreciated!
>
> Thanks
> Darrell

Just a note here after spending a few hours with the "wireless stopped working problem". After a second OS and Security Onion install and setup I got the issue for the second time. I was able to recover the wireless interface (and internet connection) this time by running Security Onion setup again and deselecting the wireless interface from Security Onion management or monitoring interfaces. Before the second attempt I installed an old NIC card I had around so I could have two interfaces and NOT use the wireless interface for one of the Security Onion setup choices (management or monitoring). On this second setup attempt for Security Onion I first again included the wireless interface as one of the sniffing interfaces and I got the failure (disappearance or disabling of the wireless interface) issue again. I was able to recover it this time by running Security Onion network interface setup again and this time DESELECTED the wireless interface as a sniffing interface. My wireless interface came back and all is good with the world again. Solution was to NOT use the wireless interface for management or monitoring in the Security Onion network setup. FYI, I am a complete newbie and in awe of this great package.

Stephann Vibkronsk

Sep 15, 2019, 9:27:27 AM
to security-onion
Hi Doug,

I have a case similar to the one Darrell is presenting. I have my laptop with one Ethernet NIC and one that is wireless. Setting up the wireless as the management interface and the Ethernet card as the sniffing interface, it allows me to generate alerts on Squert, but the connection is gone. I have seen your comments that SO is not meant to work with wireless interfaces. So, my questions would be the following:

  • You say it is possible to manually configure the /etc/network/interfaces file to make it work. I've followed the link above, but I did that with no luck.
  • On the other hand, I see I have more NICs in my device. Can I use any other card as an Ethernet one? Or can I maybe attach one physically?

I just want to avoid using virtual machines in order to get higher performance rates. Sorry if I am saying crazy stuff here. I am new here and do not know exactly how all this works.

Thanks in advance for your responses and your time.

On Wednesday, March 6, 2013, 12:15:03 (UTC+1), Doug Burks wrote:
The vast majority of our users do NOT use wireless so Setup was never
designed for wireless connections.  If you can use wired NICs, then
everything should Just Work (TM).  If you really have to use a
wireless interface for management, you might be able to make it work
by doing the following:

- manually configure your wireless interface and your sniffing
interface(s) in /etc/network/interfaces per the following:
https://code.google.com/p/security-onion/wiki/NetworkConfiguration
(it's important to configure your sniffing interfaces properly so that
they get a proper view of the traffic)

- when you run Setup and it asks if you want to configure
/etc/network/interfaces, answer NO

Hope that helps!

Thanks,
Doug


On Tue, Mar 5, 2013 at 8:09 PM, David M. <david....@gmail.com> wrote:
> Darrell,
>
> Thanks for asking this question, as I was wondering the same thing in the past 24 hours. It seems as if I'll have to go and find an RJ-45 port around here somewhere. :-)
>
> David M.
>
>
> On Tuesday, March 5, 2013 5:09:29 PM UTC-5, Darrell Gray wrote:
>> I have installed Ubuntu 12.04 and Security Onion. When I run the setup command and go through the initial network configuration it disables my wireless and I can't seem to recover it. I want to use the wireless connection to manage the device and the Ethernet port for monitoring. This is the 2nd time I installed it and the same thing happened. Any help would be greatly appreciated!
>>
>> Thanks
>> Darrell