Sunil,
You will need to run setup on the sensor machine to connect it to the master. Consult the sensor section in step 22 of this page:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment
Thanks,
Wes
Hi Doug Burks,
I created the master server using VMware Workstation 12, installed SO as server, and applied all the updates per the directions on the Security Onion wiki page. I also installed a VM guest SO sensor. So how to connect server to sensor? Please help me. Thank you.
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
That was very helpful for me.
But I got another problem: Sguil is not connecting to localhost:7734. I tried to connect to the server using the SSH server port; this shows me "mismatched sguil client (.0.9 openssl)". ufw allow is enabled on both sides on port 7734/tcp. Please help me, thank you.
cheers
sunil kumar
Did you enter the IP for destination sguild server (master server) in the Sguil client?
Thanks,
Wes
You may want to try having a look here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ConnectingtoSguil
Keep in mind, many folks use an analyst VM to connect to sguild and perform analysis tasks on a dedicated machine:
From https://github.com/Security-Onion-Solutions/security-onion/wiki/PostInstallation
"Full-time analysts should install Security Onion in a VM on their workstation (run through the Ubuntu installer, but do not run our Setup wizard). This gives you a local copy of Wireshark, NetworkMiner, and our customized Sguil client. Launch the Sguil client and connect to the IP/hostname of your production Sguil sensor (you may need to run so-allow as described in the previous step). This allows you to investigate pcaps without fear of impacting your production server/sensors."
Thanks,
Wes
thanks
Wes
Sunil,
Security Onion is currently not supported on Ubuntu Server 16.04 Xenial.
Thanks,
Wes
Many Many thanks
I would opt for server for a production install, but you can also use the already provided ISO image, here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/QuickISOImage
Thanks,
Wes
Finally, how to bring up the sensor agent status in Sguil, and how to open ELSA and Squert in the browser?
I have generated new keys and connected the server to the sensor VM. But in Sguil (agent status) ossec, pcap, and snort show as down. Meaning the server's pcap, ossec, and snort are up, but the sensor's pcap, ossec, and snort are down in Sguil. The status shows both running successfully.
thanks
I am attaching sensor and server Sguil pics.
sonion-virtualbox-eth1: this is my server monitor interface.
sonion27-eth1: this is my sensor monitor interface.
Again, please attach the output of sostat-redacted for each machine as a text file, or using a service like Pastebin.com.
Thanks,
Wes
Sunil,
It looks as though your sensor is processing traffic and alerting on it:
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
2 1:2012811 ET DNS Query to a .tk domain - Likely Hostile
2 1:2008585 ET P2P BitTorrent DHT announce_peers request
2 1:2008581 ET P2P BitTorrent DHT ping request
1 1:2012247 ET P2P BTWebClient UA uTorrent in use
1 1:2013028 ET POLICY curl User-Agent Outbound
1 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
1 1:2522583 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 292
1 1:2001219 ET SCAN Potential SSH Scan
Total
I don't see much of an issue other than it saying the agents are down in Sguil -- are you able to view alerts currently? Are you able to pivot to PCAP? Are you able to generate OSSEC logs by maybe failing to enter the correct password on the sensor a few times?
You could check to see if they are considered active in securityonion_db (Sguil's database) by performing something similar to the following:
sudo mysql -uroot -Dsecurityonion_db -e "select * from sensor where hostname='sensorhostname' and agent_type='snort'";
If you get an "N" for the status, then you could try updating with something similar to the following:
sudo mysql -uroot -Dsecurityonion_db -e "update sensor set active='Y' where hostname='sensorhostname' and agent_type='snort'"
I would stop services before attempting this, however:
sudo service nsm stop
Thanks,
Wes
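The check Wes describes, extended to all three agents Sguil reports (snort, pcap, ossec), as an added shell example that is not from the thread; it assumes the thread's column names (hostname, agent_type, active) and its 'sensorhostname' placeholder, and uses a constructed sample of the query output so it runs without a database.

```shell
# Added example (not from the thread): check the Sguil sensor table for the three
# agents discussed and build the corrective SQL for any marked inactive. Column
# names and the 'sensorhostname' placeholder come from the thread; sample output is constructed.
AGENT_TYPES="snort pcap ossec"

# Reject hostnames that could break out of the quoted SQL literals below.
valid_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# One SELECT covering all three agent types for a sensor host.
sensor_status_sql() {
  valid_hostname "$1" || return 1
  printf "select hostname, agent_type, active from sensor where hostname='%s' and agent_type in ('snort','pcap','ossec');" "$1"
}

# Read tab-separated `mysql -e` output (header row first) on stdin; print the
# agent_type of every row whose active column is N.
inactive_agents() {
  awk -F'\t' 'NR==1 { for (i=1;i<=NF;i++) col[$i]=i; next }
              $(col["active"])=="N" { print $(col["agent_type"]) }'
}

# Agent types with no row at all: that agent never registered with sguild, so an
# UPDATE cannot help; re-check the sensor-side setup instead.
missing_agents() {
  awk -F'\t' -v types="$AGENT_TYPES" 'NR==1 { for (i=1;i<=NF;i++) col[$i]=i; next }
    { seen[$(col["agent_type"])]=1 }
    END { n=split(types, t, " "); for (i=1;i<=n;i++) if (!(t[i] in seen)) print t[i] }'
}

# UPDATE that marks one agent active again (run it with services stopped: sudo service nsm stop).
activate_sql() {
  valid_hostname "$1" || return 1
  printf "update sensor set active='Y' where hostname='%s' and agent_type='%s';" "$1" "$2"
}

# Constructed sample of the SELECT's output: snort flagged inactive, ossec absent.
SAMPLE="$(printf 'hostname\tagent_type\tactive\nsensorhostname\tsnort\tN\nsensorhostname\tpcap\tY')"

printf '%s\n' "$SAMPLE" | inactive_agents | while read -r agent; do
  echo "sudo mysql -uroot -Dsecurityonion_db -e \"$(activate_sql sensorhostname "$agent")\""
done
printf '%s\n' "$SAMPLE" | missing_agents | sed 's/^/never registered with sguild: /'
```

The script only prints the mysql commands it would run; replace SAMPLE with the real query output (or pipe it in) once you have confirmed the rows on the master.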
In VirtualBox I set up one master server with two interfaces: one management interface eth0 and one monitor interface eth1. On the sensor side there are two VM sensor machines, each with its own management interface eth0 and monitor interface eth1. So there are three eth0 and three eth1.
So my question is: on the master server side, is it possible to remove the monitor interface eth1?
And
on the sensor side, for the two VM sensor machines' management interfaces eth0, eth0: is it possible to remove the management interface?
Lastly, I want on the master server only the management interface eth0, and on the sensor side the two VMs with only their monitor interfaces eth1, eth1.
Thanks
sunil kumar
Sunil,
You should be able to configure all of this through the Setup wizard.
See step 18, here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment
Thanks,
Wes