Home network with virtualized security onion box questions


jme

Aug 4, 2014, 10:46:27 PM8/4/14
to securit...@googlegroups.com
Hi,

First of all, congrats on the effort put into this wonderful suite, and forgive me for my lack of expertise in the field.

I would like to ask a couple of questions regarding the installation of a Security Onion box inside a very small network. I have seen other posts about this subject but none exactly like the one I describe. There is this small network that I am trying to test for anomalies with this wonderful toolbox.

I have one router connected to a Linux box and to the internet, and a couple of mobile/laptop devices connected via wifi. Inside that Linux box (ethernet) I have VirtualBox with a VM hosting Security Onion. It is bridged (not specifically promiscuous; at least that is not set in the advanced network configuration) to the LAN interface of the host. I am trying to monitor the whole network by using ettercap to perform a MITM for all the hosts connected (the bridged LAN and the mobile devices) so that traffic goes to the IP of the VM and is then forwarded to the real destination. I haven't seen that method around, so first of all I do not know if this is such a good idea. I won't be deploying a dedicated server for Security Onion for the time being since I don't have the resources for that, but it seemed a great idea to test the software and to have some knowledge about what is happening around the network.

The other curious thing is that I see thousands and thousands of alerts in Snorby such as "ET P2P Vuze BT UDP Connection" (seems reasonable if I understand them correctly, since I am running rtorrent on the Linux host), but I can't get to see alerts when I query (either via browser or via curl) the test website http://testmyids.com from the Linux host. No alerts are raised.

The funny thing is that if I query that URL from my mobile phone via wifi or from inside the Security Onion VM, I see the alert for the corresponding IP. Moreover, it seems that all the alerts raised involving the VM's host have its IP as the source (in the testmyids test both alerts are raised with the IPs of the local machines as destination).

I would appreciate any comments, suggestions or ideas regarding this subject, since I find it very interesting and worth learning!

Thanks!

Juan

Doug Burks

Aug 5, 2014, 11:17:49 AM8/5/14
to securit...@googlegroups.com
Hi Juan,

Most folks use a tap or span port to get packets into their Security
Onion sensors:
https://code.google.com/p/security-onion/wiki/Hardware#Packets

Please try using a tap or span port and see if that makes your
alerting more consistent.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
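A sanity check to go with the tap/span advice above, added here as an example and not part of the thread or of Security Onion: it parses `tcpdump -nn` output from the sensor's sniffing interface and reports, per host you expect to monitor, whether the sensor sees that host's traffic in both directions. The sample tcpdump lines and the host list are constructed for the example; a host that shows up only as a destination is one whose outbound requests (such as the testmyids.com fetch from the Linux host) never reach the sensor.

```python
import re
from typing import Dict, Iterable

# Constructed sample of `tcpdump -nn` output from a sensor's sniffing interface.
# Addresses are from documentation ranges; these lines are not from the thread.
SAMPLE_TCPDUMP = """\
10:46:01.000001 IP 192.168.1.20.49152 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
10:46:01.000452 IP 198.51.100.7.80 > 192.168.1.20.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
10:46:02.100000 IP 192.168.1.30.6881 > 203.0.113.9.6881: UDP, length 120
10:46:03.200000 IP 203.0.113.5.443 > 192.168.1.10.51000: Flags [P.], seq 1:100, ack 1, win 500, length 99
10:46:03.500000 IP 192.168.1.20 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
10:46:04.300000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
"""

# Matches "IP <src>[.<port>] > <dst>[.<port>]:" for TCP/UDP (with ports) and ICMP (without).
_IP_PAIR = re.compile(r"\bIP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")

def visibility_report(tcpdump_text: str, expected_hosts: Iterable[str]) -> Dict[str, dict]:
    """Per expected host, count appearances as IP source and as IP destination."""
    # A host seen only as destination means the sensor is blind to its outbound
    # traffic: the symptom of hitting testmyids.com from that host and seeing no alert.
    counts = {h: {"as_src": 0, "as_dst": 0} for h in expected_hosts}
    for line in tcpdump_text.splitlines():
        m = _IP_PAIR.search(line)
        if not m:
            continue  # ARP and other non-IP lines carry no IP source/destination
        src, dst = m.group(1), m.group(2)
        if src in counts:
            counts[src]["as_src"] += 1
        if dst in counts:
            counts[dst]["as_dst"] += 1
    for host, c in counts.items():
        if c["as_src"] and c["as_dst"]:
            c["status"] = "full"
        elif c["as_dst"]:
            c["status"] = "inbound_only"
        elif c["as_src"]:
            c["status"] = "outbound_only"
        else:
            c["status"] = "blind"
    return counts

def blind_spots(report: Dict[str, dict]) -> list:
    """Hosts whose traffic the sensor does not see in both directions."""
    return sorted(h for h, c in report.items() if c["status"] != "full")

if __name__ == "__main__":
    rep = visibility_report(SAMPLE_TCPDUMP, ["192.168.1.10", "192.168.1.20", "192.168.1.30", "192.168.1.40"])
    print("hosts not seen in both directions:", blind_spots(rep))
```

Run it against a short capture from the sniffing interface before and after moving to a tap or span port; every monitored host should end up "full".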