security onion & suricata configuration #10437
Replies: 2 comments 9 replies
-
|
Is your sniffing interface connected to a tap or span port? |
Beta Was this translation helpful? Give feedback.
-
|
no i work with some network administrator so i have juste install the security onion iso i don't known if he follow the VMware section in the doc they did not presice me if the interface that i use for the supervision is in the vlan 4095 ,like it is explain in the doc . So u can help me why if i change suricata.yaml after restart i lost the new config . |
Beta Was this translation helpful? Give feedback.
-
If you don't configure the VM interfaces correctly, then Suricata won't be able to see network traffic properly and therefore will never generate any alerts.
You shouldn't modify suricata.yaml directly as it controlled by salt and gets overwritten on a regular basis: |
Beta Was this translation helpful? Give feedback.
-
|
I have just had confirmation from the administration team, he says that the interfaces come from the vlans but not exactly the recommended vlan 4095, just a vlan that we want to supervise, which is vlan 150, hence the ens192 interface, in fact I see suricata logs except that if I do actions like nmap after "so-rule enablee" of course I have no alerts and also when I look at the network traffic of the interface in question with tcpdump -i ens192 I can see the ip of my supervision network and by the way i have the right ip in the security onion dashboard interface. Ok so you mean all the configuration i have to do in suricata.yaml i do it in /opt/so/saltstack/local/pillar/minions/mrc-onion_standalone.sls or global.sls |
Beta Was this translation helpful? Give feedback.
-
Yes, also see https://docs.securityonion.net/en/2.3/tuning.html for more information about tuning BPFs, rules, and alerts. |
Beta Was this translation helpful? Give feedback.
-
|
ok thank you |
Beta Was this translation helpful? Give feedback.
-
|
excuse me I have another question I use version 2.3.240 of security onion and I just ossec at the the alerts interfaces but if I watch the old video of the previous versions by default as soon as they do an action on the network they have suricata alerts without any configuration so I did what wrong to make it not work |
Beta Was this translation helpful? Give feedback.
-
|
Have you reviewed the Troubleshooting Alerts section of our documentation? |
Beta Was this translation helpful? Give feedback.
-
|
I just solved the problem I share in case someone is in the same situation infact am on vsphere and I have configured two NICs for my iso security onion one for management and another for supervision except that after the 'installation I found myself with a bond0 interface and almost all the modules work with this interface, namely suricata, steno to solve my problem I had to enter the mac address of my second network card in the network manager /etc/ sysconfig/network-scripts/ifcfg-bond0 then I added the mac to the "HWADDR=" variable after this a make a simpple ping and getitng suricata alert . Thanks you for all !!! |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hello please i need helps i have been work-on for all the weeks on the same issue , i have install security onion version 2.3.240 with 2 NIC one for management and the others one for the supervision so now my issue is i have by default only ossec alerte i want juste testing the environement with a nmap rule detection with the rules in all.rules of suricata configuration .i have try to uncoment in all.rules(nmap rules ) but nothing work and i have try also to use local.rules and writing a new rules in this file and i have add -local.rules in the suricata.yaml file in rule-files section but a few minute after so-suricata-restart everything disappear it does'nt work .
In summary i want to know right thing i means the section and all right configuration that i must change in file all.rules ,local.rules,suricata.yaml for configure a personal suricata alerte detection .
Beta Was this translation helpful? Give feedback.
All reactions