how to setup security onion server in vm to connect to other security onion sensor in vm


sunil kumar
Aug 28, 2016, 4:43:51 PM
to security-onion
Hi Doug Burks

I created the master server using VMware Workstation 12, installed SO as a server, and applied all the updates per the directions on the Security Onion wiki page. I also installed a VM guest SO sensor. So how do I connect the server to the sensor? Please help me. Thank you.

Wes Lambert
Aug 28, 2016, 4:59:36 PM
to securit...@googlegroups.com

Sunil,

You will need to run setup on the sensor machine to connect it to the master.  Consult the sensor section in step 22 of this page:

https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

Thanks,
Wes


On Aug 28, 2016 4:43 PM, "sunil kumar" <sunil2...@gmail.com> wrote:
Hi Doug Burks

I created the master server using VMware Workstation 12, installed SO as a server, and applied all the updates per the directions on the Security Onion wiki page. I also installed a VM guest SO sensor. So how do I connect the server to the sensor? Please help me. Thank you.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

sunil kumar
Aug 30, 2016, 2:11:31 PM
to security-onion
Many many Thanks
Wes

That was very helpful for me.

But I got another problem: Sguil is not connecting to localhost:7734. I tried to connect to the server using the SSH server port; this shows me "mismatched sguil client (.0.9 openssl)". ufw allow is enabled on both sides on port 7734/tcp. Please help me, thank you.

cheers
sunil kumar

Wes
Aug 30, 2016, 2:25:35 PM
to security-onion

Did you enter the IP for destination sguild server (master server) in the Sguil client?

Thanks,
Wes

sunil kumar
Aug 30, 2016, 2:49:58 PM
to security-onion
Yes, I put the server IP address in a command like this:
ssh mysystem.server.net -L 7734:sguildsystem:7734

sunil kumar
Aug 30, 2016, 2:51:16 PM
to security-onion
where mysystem.server.net is my server IP

Wes
Aug 30, 2016, 2:58:28 PM
to security-onion
On Tuesday, August 30, 2016 at 2:51:16 PM UTC-4, sunil kumar wrote:
> where mysystem.server.net is my server IP
Sunil,

You may want to try having a look here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/ConnectingtoSguil

Keep in mind, many folks use an analyst VM to connect to sguild and perform analysis tasks on a dedicated machine:

From https://github.com/Security-Onion-Solutions/security-onion/wiki/PostInstallation

"Full-time analysts should install Security Onion in a VM on their workstation (run through the Ubuntu installer, but do not run our Setup wizard). This gives you a local copy of Wireshark, NetworkMiner, and our customized Sguil client. Launch the Sguil client and connect to the IP/hostname of your production Sguil sensor (you may need to run so-allow as described in the previous step). This allows you to investigate pcaps without fear of impacting your production server/sensors."

Thanks,
Wes

sunil kumar
Aug 30, 2016, 3:15:02 PM
to security-onion
Does it work on Xenial Server Ubuntu 16.04?
Install the securityonion-all metapackage
like this? Please tell me if this is the way.


thanks
Wes

Wes Lambert
Aug 30, 2016, 3:17:59 PM
to securit...@googlegroups.com

Sunil,

Security Onion is currently not supported on Ubuntu Server 16.04 Xenial.

Thanks,
Wes


sunil kumar
Aug 30, 2016, 3:32:23 PM
to security-onion
Hello Wes sir, this is my last question: which is better to use, Ubuntu 14.04 Desktop or Server?


Many Many thanks

Wes
Aug 30, 2016, 7:35:07 PM
to security-onion
On Tuesday, August 30, 2016 at 3:32:23 PM UTC-4, sunil kumar wrote:
> Hello Wes sir, this is my last question: which is better to use, Ubuntu 14.04 Desktop or Server?
>
>
> Many Many thanks

I would opt for server for a production install, but you can also use the already provided ISO image, here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/QuickISOImage

Thanks,
Wes

sunil kumar
Aug 31, 2016, 11:22:33 AM
to security-onion
Hello Wes sir

I saw the sguild.conf logs on the master server;
they show:
DB Error during: INSERT INTO `event_sonion-VirtualBox-ossec_20160831` (attaching a log text file).
Then I did #sguil-db-purge.
Will it affect the Sguil database?
Now it is finally connected to the master server,
but in the sensor VM Sguil (agent status) shows OSSEC, pcap and Snort down,
and the SERVER shows up.

Finally, how do I get the Sguil sensor agent status up, and how do I open ELSA and Squert in the browser?

sunil.txt

Wes Lambert
Aug 31, 2016, 6:46:19 PM
to securit...@googlegroups.com
Sunil,

Please include the full output of sostat-redacted for the server and the master, attaching it as a text file or using a service like Pastebin.com.

Thanks,
Wes



sunil kumar
Sep 1, 2016, 6:09:55 AM
to security-onion
Hello Wes sir

I have generated new keys and connected the server to the sensor VM. But Sguil shows (agent status) OSSEC, pcap and Snort down. Meaning the server's pcap, OSSEC and Snort are up, but the sensor's pcap, OSSEC and Snort are down in Sguil. In status it shows both running successfully.

thanks

sunil kumar
Sep 1, 2016, 6:46:17 AM
to security-onion
Wes sir

I am attaching sensor and server Sguil pics.

sonion-virtualbox-eth1: this is my server monitor interface

sonion27-eth1: this is my sensor monitor interface

server agent status.JPG
server system msg.JPG
sensor agent status.JPG
sensor system msg.JPG

Wes Lambert
Sep 1, 2016, 6:48:13 AM
to securit...@googlegroups.com

Again, please attach the output of sostat-redacted for each machine as a text file, or using a service like Pastebin.com.

Thanks,
Wes



sunil kumar
Sep 1, 2016, 9:20:41 AM
to security-onion
Hello Wes sir

I am sending the server and sensor text files.

server.txt
sensor.txt

Wes
Sep 1, 2016, 5:25:13 PM
to security-onion
On Thursday, September 1, 2016 at 9:20:41 AM UTC-4, sunil kumar wrote:
> Hello Wes sir
>
> I am sending the server and sensor text files.

Sunil,

It looks as though your sensor is processing traffic and alerting on it:

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
2 1:2012811 ET DNS Query to a .tk domain - Likely Hostile
2 1:2008585 ET P2P BitTorrent DHT announce_peers request
2 1:2008581 ET P2P BitTorrent DHT ping request
1 1:2012247 ET P2P BTWebClient UA uTorrent in use
1 1:2013028 ET POLICY curl User-Agent Outbound
1 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
1 1:2522583 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 292
1 1:2001219 ET SCAN Potential SSH Scan
Total

I don't see much of an issue other than it saying the agents are down in Sguil -- are you able to view alerts currently? Are you able to pivot to PCAP? Are you able to generate OSSEC logs by maybe failing to enter the correct password on the sensor a few times?

You could check to see if they are considered active in securityonion_db (Sguil's database) by performing something similar to the following:

sudo mysql -uroot -Dsecurityonion_db -e "select * from sensor where hostname='sensorhostname' and agent_type='snort';"

If you get an "N" for the status, then you could try updating with something similar to the following:

sudo mysql -uroot -Dsecurityonion_db -e "update sensor set active='Y' where hostname='sensorhostname' and agent_type='snort';"

I would stop services before attempting this, however:

sudo service nsm stop

Thanks,
Wes
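The check-then-update that the reply above describes, as an added example that is not from this thread or from the Security Onion project: it runs against an in-memory SQLite stand-in for the sensor table of securityonion_db (the column names hostname, agent_type and active and the 'Y'/'N' flag values are taken from the commands above; the rest of the schema and the sample rows are assumed), looks up every agent type for one sensor host rather than only snort, and reactivates only the rows flagged 'N'.

```python
import sqlite3

# Sample rows standing in for securityonion_db.sensor (constructed for this example;
# the real table is MySQL and has more columns than the three used here).
SAMPLE_ROWS = [
    ("sonion27", "snort", "N"),
    ("sonion27", "pcap", "N"),
    ("sonion27", "ossec", "N"),
    ("sonion-VirtualBox", "snort", "Y"),
    ("sonion-VirtualBox", "pcap", "Y"),
    ("sonion-VirtualBox", "ossec", "Y"),
]


def open_sample_db():
    """Build the in-memory stand-in table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sensor (hostname TEXT NOT NULL, agent_type TEXT NOT NULL, "
        "active TEXT NOT NULL CHECK (active IN ('Y','N')))"
    )
    conn.executemany("INSERT INTO sensor VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def agent_status(conn, hostname):
    """Return {agent_type: active} for one sensor host (the 'select' step above)."""
    rows = conn.execute(
        "SELECT agent_type, active FROM sensor WHERE hostname = ?", (hostname,)
    ).fetchall()
    return {agent: flag for agent, flag in rows}


def reactivate_inactive_agents(conn, hostname):
    """Flip active='N' rows to 'Y' for one host only; return the agent types touched."""
    # Parameters are bound rather than pasted into the SQL string, so a hostname
    # containing a quote cannot change the statement (the shell one-liner above pastes).
    inactive = [a for a, flag in agent_status(conn, hostname).items() if flag == "N"]
    if inactive:
        with conn:  # commit on success, roll back if any statement fails
            conn.executemany(
                "UPDATE sensor SET active = 'Y' WHERE hostname = ? AND agent_type = ?",
                [(hostname, a) for a in inactive],
            )
    return inactive


if __name__ == "__main__":
    db = open_sample_db()
    print("before:", agent_status(db, "sonion27"))
    print("reactivated:", reactivate_inactive_agents(db, "sonion27"))
    print("after:", agent_status(db, "sonion27"))
```

As the reply says, stop the NSM services before doing this against the live database.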

sunil kumar
Sep 3, 2016, 7:25:27 AM
to security-onion
Hello Wes sir

In VirtualBox I set up one master server with two interfaces: one management interface, eth0, and one monitor interface, eth1. On the sensor side there are two VM sensor machines, each with a separate management interface (eth0, eth0) and monitor interface (eth1, eth1). So there are three eth0 and three eth1.

So my question is: on the master server side, is it possible to remove the monitor interface eth1?

and
on the sensor side, the two VM sensor machines have management interfaces eth0, eth0; is it possible to remove the management interface?

Lastly, I want on the master server only the management interface eth0, and on the sensor side the two VMs with only the monitor interfaces eth1, eth1.

Thanks
sunil kumar

Wes
Sep 4, 2016, 8:25:40 AM
to security-onion

Sunil,

You should be able to configure all of this through the Setup wizard.

See step 18, here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

Thanks,
Wes
