Not be able to ping the monitoring interface for SO, and no detect events and alerts

[habibbarika]

I am not able to ping from Linux1 or Linux2 to the security onion interface. And no detect alert for arpspoof attack from Linux1 to Linux2. I used VMWare workstation with Bridge and Vmnet1 (Host-only), as given in the figure.

[Mav1814]

Hi,
It's normal not to be able to ping Security Onion. When you ping it, it says Destination Host Prohibited.

[jwmasekre]

Specifically, your monitoring interface shouldn't have an IP address to ping anyways.

As far as no traffic, I believe you have to do some extra configurations, including creating a vswitch, to get traffic to that port. I'll follow this up with instructions once I find them

[habibbarika]

Creation of virtual switch not existe in VMWare workstation, but in Esxi

[habibbarika]

This is my configuration 👍

Thanks lot !

[habibbarika]

Is there a command to check/modify the monitoring interface?

[dougburks]

You ran ifconfig ens35 in your screenshot above. You can also run ifconfig bond0. Additionally, you can run tcpdump on bond0 and/or ens35 to verify that they are seeing the traffic that you expect them to see.

[habibbarika]

[habibbarika]

I have new installation ens36 instead ens35.
Arpspoof attack ;

Now i receive traffic :

But the SOC no detection (Alert, Hunt)

Thanks

[habibbarika]

SOC 👍

[habibbarika]

With bond0 interface 👍

[dougburks]

Try creating traffic that would match your enabled NIDS rules in /opt/so/rules/nids/all.rules.

For example:
https://docs.securityonion.net/en/2.4/managing-alerts.html#nids-testing

[habibbarika]

Thank you very much Doug!

actually, there is no rule activated for arpspoof (It doesn't even exist). Your answer helped me discover the meerkat rules (How to enable/disable the rules). I use so 2.4.

It's the only this rule does match 👍

If you can help me create a rule for arpspoof or DoS (with Hping3). At least direct me to a site or link.

thanks again !

[habibbarika]

Arp attacks related to layer 2 of OSI model. Suricata and Snort IDPS is developed to detect attacks at the higher level of OSI model. Suricata doesn't have mechanism to detect such type attacks.