Security Onion in AWS - Promiscuous Mode


Shanil Prasad

Sep 5, 2015, 5:30:14 AM
to security-onion
Hey Guys,

I'd like to get people's experiences with setting up Security Onion in AWS, specifically the sensors that are configured to look at mirrored traffic. Because Amazon technically does not allow network interfaces to run in promiscuous mode, has anyone run into scenarios where AWS SO sensors were not receiving mirrored traffic? How can I avoid a situation like this?

Thanks,

SP

Doug Burks

Sep 5, 2015, 9:48:06 PM
to securit...@googlegroups.com
Hi Shanil,

Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/CloudClient

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Shanil Prasad

Sep 8, 2015, 9:21:44 PM
to security-onion
Thanks Doug. We’re running into an issue where WinTap is successfully mirroring traffic on our Windows 2012 box (we verified with Wireshark) however it is not sending the mirrored traffic through to our Security Onion sensor via OpenVPN. Any ideas on what could be going on here?

Thanks again,

SP

Doug Burks

Sep 9, 2015, 6:17:24 AM
to securit...@googlegroups.com
On Tue, Sep 8, 2015 at 9:21 PM, Shanil Prasad <rajur...@gmail.com> wrote:
> Thanks Doug. We’re running into an issue where WinTap is successfully mirroring traffic on our Windows 2012 box (we verified with Wireshark) however it is not sending the mirrored traffic through to our Security Onion sensor via OpenVPN. Any ideas on what could be going on here?

Sorry, I have no experience with WinTap. Josh Brower might be able to
provide some feedback.

Shanil Prasad

Sep 9, 2015, 5:28:46 PM
to security-onion
Will do. Are there any other known alternatives for Windows machines?

SP

Anoop Perayil

Feb 24, 2016, 1:45:01 AM
to security-onion
Hi Shanil,

How did it go?

Regards,
Anoop

DefensiveDepth

Feb 24, 2016, 12:25:49 PM
to security-onion
I have not maintained WinTAP over the past few years, as it was originally developed for a proof of concept project - however, it is available on GitHub and is licensed under BSD, so feel free to test / fork, etc.

https://github.com/defensivedepth/WinTAP

-Josh

Arnold Chan

Jul 7, 2017, 1:18:13 AM
to security-onion
Good day,

Is the OpenVPN WinTap the same as DefensiveDepth's WinTap?

https://github.com/OpenVPN/tap-windows6 - OpenVPN
https://github.com/newtribesmission/wintap - DefensiveDepth

Thanks.


Cheers,
Arnold

DefensiveDepth

Jul 7, 2017, 5:49:50 AM
to security-onion
No it's not - here is the WinTAP I worked on a number of years ago:

https://github.com/defensivedepth/WinTAP

-Josh

Arnold Chan

Jul 10, 2017, 1:54:58 AM
to security-onion
Thanks Josh.


I tried to rebuild the solution in VS2012 for the WinTap package from the source and am getting the errors below; are you able to point out what is wrong here?
Thanks.


Cheers,
Arnold

------ Rebuild All started: Project: prottest, Configuration: Vista Debug x64 ------
prottest.c
prottest.vcxproj -> C:\WinTap\code\test\x64\VistaDebug\prottest.exe
------ Rebuild All started: Project: wtapdrv, Configuration: Vista Debug x64 ------
Stamping x64\VistaDebug\wtapdrv.inf [Version] section with DriverVer=07/10/2017,5.44.45.864
precompsrc.c
debug.c
ExCallbk.c
ndisbind.c
ntdisp.c
recv.c
send.c
recv.obj : error LNK2019: unresolved external symbol time referenced in function NdisprotReceiveNetBufferLists
x64\VistaDebug\wtapdrv.sys : fatal error LNK1120: 1 unresolved externals
------ Rebuild All started: Project: wintap, Configuration: Vista Debug x64 ------
wintap.c
wintap.vcxproj -> C:\WinTap\code\wintap\x64\VistaDebug\wintap.exe
------ Rebuild All started: Project: package (Package\package), Configuration: Vista Debug x64 ------
C:\Program Files (x86)\Windows Kits\8.0\build\WindowsDriver8.0.common.targets(1347,5): error MSB3030: Could not copy the file "C:\WinTap\code\sys\60\x64\VistaDebug\wtapdrv.sys" because it was not found.
------ Rebuild All started: Project: wtapdrv630, Configuration: Win7 Debug x64 ------
Stamping x64\Win7Debug\wtapdrv630.inf [Version] section with DriverVer=07/10/2017,5.44.54.777
precompsrc.c
debug.c
ExCallbk.c
ndisbind.c
ntdisp.c
recv.c
send.c
Generating Code...
recv.obj : error LNK2019: unresolved external symbol time referenced in function NdisprotReceiveNetBufferLists
x64\Win7Debug\wtapdrv630.sys : fatal error LNK1120: 1 unresolved externals
------ Rebuild All started: Project: setup, Configuration: Vista Debug x64 ------
netcfgapi.cpp
tapinstall.cpp
stdafx.cpp
Generating Code...
TapInstall.vcxproj -> C:\WinTap\code\x64\VistaDebug\setup.exe
========== Rebuild All: 3 succeeded, 3 failed, 0 skipped ==========

DefensiveDepth

Jul 10, 2017, 7:45:09 AM
to security-onion
Sorry Arnold, I have not maintained WinTAP over the past few years, as it was originally developed for a proof of concept project.

-Josh
