How to add a new interface to sensor


Manantsoa Rakotondrazaka
Sep 28, 2015, 6:10:18 AM
to security-onion
Hello,

I added a new sniffing interface to my sensor but do not know how to add it to the configuration.
I know the sosetup command, but I don't know if I will lose all configuration when doing it, as the sensor is already in production.

Has anyone done this already?

Thanks

Doug Burks
Sep 29, 2015, 5:31:56 AM
to securit...@googlegroups.com
Hi Manantsoa,

If you've physically installed a new NIC after running Setup, there's
not an easy way to configure that for sniffing other than re-running
Setup.

If the NIC was physically in the system when you originally ran Setup,
then it would already be configured in /etc/nsm/ and all you would
need to do is enable it in /etc/nsm/sensortab and reboot.
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

wedgeshot
Sep 30, 2015, 9:41:59 PM
to security-onion

Doug,

Not the answer I was hoping for! :-D I need to do this myself on an existing machine.


Here is what I'm thinking: (I peeked in sosetup, nsm_sensor_add and nsm_server_sensor-add)

The questions I ask below I'll try and answer as I go through it for myself, but if anyone knows, feel free to shout it out. I'll try and develop a script to perform these functions as I might have to repeat this again down the road.


sosetup:
----------
run through nsm_sensor_add items ( most are checking things and then making directories and copying files )
Q: Do I need a new port for barnyard? (thinking yes) is that the normal 8100 in sensortab?

Now that I looked more just calling nsm_sensor_add with the proper port might work just fine.

Will need to investigate sensortab_names_get_on_port & sensortab_entry_add calls and see what they do.

--- under # NIDS sensor(s) ---
run through the remainder of the setup after nsm_sensor_add call

-- under # Bro
add those to the config.


Is there anything to add on the server or sguil database?

Thanks,
-B

wedgeshot
Oct 2, 2015, 10:03:42 PM
to security-onion

Update:

Today I had success adding another interface... not all scripted yet, but I know what needs to happen. Most of it is simple; I had missed preparing the variables in sensor.conf.

I'm cobbling together a nsm_sensor_add_interface script from mostly sosetup that I'd like to possibly shoot you a copy of next week if you like.

Monday, I'm going to restore snapshots on both server and sensor, add the missing pieces to the script and keep running it over until I get it right.

Answering my own questions:

A1 - yes to barnyard. I'm going with the let BY2PORT=$BY2PORT+100

A2 - nope everything happens on sensor. Once it's all running sguil client sees the new interfaces.


Cheers,
-B

Doug Burks
Oct 3, 2015, 5:21:05 AM
to securit...@googlegroups.com
On Fri, Oct 2, 2015 at 10:03 PM, wedgeshot <wedg...@gmail.com> wrote:
>
> Update:
>
> Today I had success adding another interface... not all scripted yet, but I know what needs to happen. Most of it is simple; I had missed preparing the variables in sensor.conf.
>
> I'm cobbling together a nsm_sensor_add_interface script from mostly sosetup that I'd like to possibly shoot you a copy of next week if you like.
>
> Monday, I'm going to restore snapshots on both server and sensor, add the missing pieces to the script and keep running it over until I get it right.
>
> Answering my own questions:
>
> A1 - yes to barnyard. I'm going with the let BY2PORT=$BY2PORT+100
>
> A2 - nope everything happens on sensor. Once it's all running sguil client sees the new interfaces.

Sguil will see the new interfaces, but if you turn on "Show Rule", you
will probably get an error. The Sguil server has to have a rules
directory for those new interfaces. Here's the relevant code in
/usr/bin/sosetup:

# Create symbolic link for sensor rules directory on server
if [ "$SERVERNAME" = "localhost" ]; then
    ln -s /etc/nsm/rules /nsm/server_data/"$SGUIL_SERVER_NAME"/rules/"$SENSORNAME" >> $LOG 2>&1
    for i in `seq 1 $CORES`; do ln -s /etc/nsm/rules /nsm/server_data/"$SGUIL_SERVER_NAME"/rules/"$SENSORNAME"-$i >> $LOG 2>&1; done
else
    echo "ln -f -s /etc/nsm/rules /nsm/server_data/$SGUIL_SERVER_NAME/rules/$SENSORNAME" >> $SOSETUPSCP
    for i in `seq 1 $CORES`; do
        echo "ln -f -s /etc/nsm/rules /nsm/server_data/$SGUIL_SERVER_NAME/rules/$SENSORNAME-$i" >> $SOSETUPSCP
    done
fi
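An added example (not sosetup or any Security Onion code) that ties together wedgeshot's "+100" Barnyard2 port choice from the earlier post and the per-core rules symlinks Doug's snippet creates, with a check for the missing links that make "Show Rule" fail. The sensortab column layout, the 8000 base port and the sample entries are assumptions or constructed for the demo.

```shell
#!/bin/bash
# Added example, not Security Onion's own code. It models two pieces this
# thread says a new sniffing interface needs: a Barnyard2 port no existing
# sensortab entry uses (wedgeshot's "+100" step) and the per-interface rules
# symlinks on the Sguil server that "Show Rule" depends on.
# Assumption: sensortab lines read "<sensorname> <active> <by2port> <interface>".

# Highest Barnyard2 port found in the sensortab, plus 100.
next_by2port() {
    local tab="$1" max=0 name active port iface
    while read -r name active port iface; do
        case "$name" in ''|\#*) continue ;; esac        # skip blanks and comments
        [ "$port" -gt "$max" ] 2>/dev/null && max=$port
    done < "$tab"
    [ "$max" -eq 0 ] && max=8000                       # assumed base when the tab is empty
    echo $((max + 100))
}

# The ln commands the server side of the sosetup snippet emits for one
# sensor: one link for the sensor itself and one per detection-engine core.
rules_link_cmds() {
    local sensorname="$1" cores="$2" server="$3" i
    echo "ln -f -s /etc/nsm/rules /nsm/server_data/$server/rules/$sensorname"
    for i in $(seq 1 "$cores"); do
        echo "ln -f -s /etc/nsm/rules /nsm/server_data/$server/rules/$sensorname-$i"
    done
}

# Verify the links exist under a server_data root (real or a test copy).
# Prints each missing path; returns 1 if any is missing, 0 if all present.
check_rules_links() {
    local root="$1" server="$2" sensorname="$3" cores="$4" i p rc=0
    for i in "" $(seq 1 "$cores"); do
        p="$root/$server/rules/$sensorname${i:+-$i}"
        [ -L "$p" ] || { echo "missing: $p"; rc=1; }
    done
    return "$rc"
}

# Constructed demo: two existing interfaces, then a new sensor so-eth3 with 2 cores.
demo() {
    local tmp; tmp=$(mktemp -d)
    printf 'so-eth1 1 8100 eth1\nso-eth2 1 8200 eth2\n' > "$tmp/sensortab"
    echo "new BY2PORT: $(next_by2port "$tmp/sensortab")"
    mkdir -p "$tmp/server_data/securityonion/rules"
    check_rules_links "$tmp/server_data" securityonion so-eth3 2 || rules_link_cmds so-eth3 2 securityonion
    rm -rf "$tmp"
}
```

Run `check_rules_links /nsm/server_data "$SGUIL_SERVER_NAME" "$SENSORNAME" "$CORES"` on the master server to confirm the links for a hand-added sensor before testing "Show Rule" in Sguil.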

wedgeshot
Oct 3, 2015, 2:05:56 PM
to security-onion
Thanks Doug. I'll check that out. I did see that piece in the script, but there looks to be no related call or ssh back to the server to run those commands. I'll be sure to exercise all functionality in Sguil once I think I'm there and post back.

-Bob

Doug Burks
Oct 3, 2015, 3:30:29 PM
to securit...@googlegroups.com
The snippet I copied creates a file called sosetupscp. Later in sosetup, sosetupscp is then scp'd to the master server and then there is an ssh call which executes the file. 


On Saturday, October 3, 2015, wedgeshot <wedg...@gmail.com> wrote:
Thanks Doug. I'll check that out. I did see that piece in the script, but there looks to be no related call or ssh back to the server to run those commands. I'll be sure to exercise all functionality in Sguil once I think I'm there and post back.

 -Bob


wedgeshot
Oct 8, 2015, 9:43:29 AM
to security-onion
I believe this should work, but it needs to be tested by someone other than me and approved to be included. I developed this on a server and sensor VM pair that I would snapshot, then test and roll back after changes were made. If I had more time I could probably do better, but I need to move on for now.

After changing sosetup:
cd /usr/bin ; ln -s sosetup sosetup-add-interface

Then run sosetup-add-interface, which takes a different path of execution than sosetup. I moved the #NIDS Sensor(s) section into a function and then created the pieces to add what is needed. I have attached the diff rather than the entire script because I did not want someone to just download and run it without some scrutiny.


- DOUG below is from current sosetup .. line 1279 has "$inter#face" that is a typo, right?

1275- cat << EOF >> /opt/bro/etc/node.cfg
1276-#[$HOSTNAME-$INTERFACE]
1277-#type=worker
1278-#host=localhost
1279:#inter#face=$INTERFACE
1280-#lb_method=pf_ring
1281-#lb_procs=$BRO_LB_PROCS
1282-
1283-EOF




Cheers,
-B
sosetup.diff

Doug Burks
Oct 16, 2015, 7:32:01 AM
to securit...@googlegroups.com
On Thu, Oct 8, 2015 at 9:43 AM, wedgeshot <wedg...@gmail.com> wrote:
> - DOUG below is from current sosetup .. line 1279 has "$inter#face" that is a typo, right?

No, that is intentional.

Barry G
Aug 10, 2018, 8:40:33 PM
to security-onion
Hi, any changes in v16? I'd like to add a 3rd NIC to a sensor VM.

Thanks

Wes Lambert
Aug 13, 2018, 9:02:44 AM
to securit...@googlegroups.com
Hi Barry,

If you already configured this interface in the NIC setup phase, then you should be able to unremark it in /etc/nsm/sensortab; however, if you didn't, you will need to re-run Setup.

Thanks,
Wes

On Fri, Aug 10, 2018 at 8:40 PM Barry G <barry...@gmail.com> wrote:
Hi, any changes in v16? I'd like to add a 3rd NIC to a sensor VM.

Thanks


