No network traffic (just OSSEC alerts) #10147
Replies: 2 comments 1 reply
-
Addendum: I've tried so many contradictory recommendations from so many articles that it would really help me to know how best to configure br0 and bond0. Currently, on the host, br0 is assigned an IP address through DHCP, and tcpdump confirms traffic but nothing from vnet1 or vnet2, meaning nothing from the VM's default network. Currently, bond0 has IPv4 disabled (which I changed back to Automatic (DHCP-assigned IP address)), but both fail. Both bond0 and eth1 share the same MAC address, bond0 showing as master and eth1 showing as slave, but the tcpdump traffic from bond0 and eth1 in the guest is just broadcast traffic to 192.168.0.255. In order to eliminate hardware failure as a cause, I switched the monitor interface to a USB network adapter that I know is good. Same results. If the community forum isn't the place to get a Security Onion answer, I would gladly pay anyone who knows Linux bridges and QEMU-KVM to clear this hurdle. Accordingly, if anyone knows of an online tutorial to solve this OR a consultant that a small business could afford, please let me know. I'll name my firstborn child after you.
-
Thank you! That was generous of you. After a week I didn't think anyone had seen it. I followed the steps in the 3 links listed in the Proxmox section of the documentation. I was able to get IOMMU passthrough enabled, but not all of the commands in the procedure worked in my Ubuntu 22.04 host, so there's still no traffic. I need to find precisely that sort of instruction set for QEMU-KVM, but I'm not finding it in the Security Onion documentation or in the community forum, or even in 11-year-old bug reports. Thank you again.
-
I've been a fan for over a decade, having deployed dozens of Security Onion IDSs, but this is my first in QEMU-KVM, and the bridging threw me until I found a faulty ethernet cable. The installation from ISO and SOUP upgrade were without error, but there's no network traffic in the Alerts, and the Grid shows only 1 line and nothing when expanded. I see OSSEC alerts, but only a few pings in Suricata. Tcpdump works on both the bridge br0 from the host and bond0 from the guest. I've rebuilt many times and read literally hundreds of articles, to no avail. Any help would be greatly appreciated.
Specifications:
Security Onion version: 2.3.230
Deployment: On-prem with internet access
Installation: ISO install (CentOS 7)
I built both CentOS (from ISO) and Ubuntu (from network), but am asking for help with CentOS (to reduce the possible variables).
Nodes: 2
Node hardware specs:
$ sudo lshw -C network (from the host)
*-network
description: Ethernet interface
product: 82572EI Gigabit Ethernet Controller (Copper)
vendor: Intel Corporation
physical id: 0
bus info: pci@0000:02:00.0
logical name: enp2s0
version: 06
serial: xx:xx:xx:xx:b3:37
size: 100Mbit/s
capacity: 1Gbit/s
width: 32 bits
clock: 33MHz
capabilities: pm msi pciexpress bus_master cap_list rom ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=e1000e driverversion=5.15.0-69-generic duplex=full firmware=5.6-8 latency=0 link=yes multicast=yes port=twisted pair speed=100Mbit/s
resources: irq:26 memory:f7c40000-f7c5ffff memory:f7c20000-f7c3ffff ioport:e000(size=32) memory:f7c00000-f7c1ffff
*-network
description: Ethernet interface
product: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
vendor: Realtek Semiconductor Co., Ltd.
physical id: 0
bus info: pci@0000:03:00.0
logical name: enp3s0
version: 07
serial: xx:xx:xx:xx:02:5f
size: 1Gbit/s
capacity: 1Gbit/s
width: 64 bits
clock: 33MHz
capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=5.15.0-69-generic duplex=full firmware=rtl8168e-3_0.0.4 03/27/12 ip=192.168.0.10 latency=0 link=yes multicast=yes port=twisted pair speed=1Gbit/s
resources: irq:19 ioport:d000(size=256) memory:f0004000-f0004fff memory:f0000000-f0003fff
Nodes configuration: One management node, 1 search node (1 Zeek, 1 Suricata)
Experiencing issues monitoring network traffic?: YES. Sniffing from a hardware tap connected to a bridge in a QEMU-KVM virtual machine with 2 NICs: Management is NAT, and Monitor is bridged (with one of the NICs slaved and set to promiscuous). The traffic is minuscule.
so-status: shows all services running
Any failures when you run sudo salt-call state.highstate?: NO
Does the SOC Grid page show nothing?: NO, there's one line for the ID, role, IP address, description, etc., but nothing underneath it.
My issue: There is no network traffic showing through the tap (just OSSEC alerts, but tcpdump works)
Applicable logs: SOUP and setup ran without errors, so I am including Suricata and Stats logs. The Sensoroni log is filled with entries like this:
"timestamp=2023-04-18T00:01:17.413300623Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.122.36/sensoroniagents/api/node"
suricata.log
stats.log
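The symptom in the original post (tcpdump on the host's br0 sees the tap traffic, while the guest's bond0/eth1 sees only broadcasts to 192.168.0.255) is exactly what a MAC-learning Linux bridge produces when the tap feed is one of its ports: once it has learned both endpoints' MACs on the tap port, unicast between them is never forwarded to the vnet port. The audit script below is an added example, not code from the Security Onion project or the poster; it parses constructed `bridge -d link show` and `ip -d link show br0` output (the names br0, enp2s0 and vnet1 are assumptions) and lists the iproute2 settings that turn the bridge into a flood-everything feed.

```python
"""Audit a Linux bridge that feeds tap traffic to a VM's monitor NIC.
Learned MACs make the bridge forward unicast only toward the port that saw
them (the tap), so a guest vnet port receives little but broadcast.
Samples are constructed, not from the poster's host; names are assumed."""
import re

# Constructed `bridge -d link show` output: tap NIC and guest vnet on br0.
SAMPLE_BRIDGE_LINKS = """\
2: enp2s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 4
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on
7: vnet1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on
"""
# Constructed `ip -d link show br0` parameters: kernel default ageing of 300 s (30000 cs).
SAMPLE_BR0_DETAIL = "bridge forward_delay 1500 hello_time 200 max_age 2000 ageing_time 30000 stp_state 0"

PORT_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)\S*\s+<[^>]*>.*\bmaster (?P<master>\S+)")


def parse_bridge_ports(text):
    """Map port name -> {'master', 'learning'} from `bridge -d link show` output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = m.group("name")
            ports[current] = {"master": m.group("master"), "learning": None}
        elif current:  # indented detail line belongs to the port above it
            kv = re.search(r"\blearning (on|off)\b", line)
            if kv:
                ports[current]["learning"] = kv.group(1) == "on"
    return ports


def audit_sniffer_bridge(bridge_links, bridge_detail, bridge="br0", tap_port="enp2s0"):
    """Return (findings, fixes): why a guest port sees only broadcast, plus iproute2 commands."""
    ports = parse_bridge_ports(bridge_links)
    if ports.get(tap_port, {}).get("master") != bridge:
        return [f"{tap_port} is not a port of {bridge}"], [f"ip link set dev {tap_port} master {bridge}"]
    findings, fixes = [], []
    for name, p in ports.items():
        if p["master"] == bridge and p["learning"]:  # learned MACs suppress flooding to the guest
            findings.append(f"{name}: learning on")
            fixes.append(f"bridge link set dev {name} learning off")
    ageing = re.search(r"\bageing_time (\d+)", bridge_detail)
    if ageing and int(ageing.group(1)) != 0:  # 0 makes the bridge forget entries at once (hub mode)
        findings.append(f"{bridge}: ageing_time {ageing.group(1)}")
        fixes.append(f"ip link set dev {bridge} type bridge ageing_time 0")
    return findings, fixes
```

On a real host, feed it the live command output instead of the samples; the monitor NIC inside the guest still needs to be up and promiscuous, which Security Onion's setup handles on its side.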