IDH - Interface configuration?

[MDCAllan]

Hello!

We are deploying a new SO 2.4 grid. So far things are going pretty well. Our deployment is a total of 15 nodes including an IDH node. We just need a little help sorting out some of the finer details where I assume 2.4 is still working out some kinks and/or needs more documentation. Keep up the great work!

When I read the documentation for the IDH, I'm operating on the impression that the additional non-management interfaces are supposed to "auto configure" themselves with open ports, etc. We have DCHP reservations for all 5 of the additional interfaces on the IDH node and those interfaces are attached to the networks we want to deploy honeypots to, but none of the interfaces are coming online, pulling a lease, or opening the honey ports. The documentation does not explain how to assign IP's or configure DHCP for the additional interfaces. I'm not sure if this should be done according to rocky linux standards, or if there's a salt/yaml/config thing that needs to be done using an SO command or special file that needs editing. I don't want to break something by poking around too much as this is a purpose built system.

Any help greatly appreciated, also, great job on 2.4! We're super excited to deploy agents and start hunting! Already have 4 forward nodes successfully monitoring 4 gateways in the environment with 2.4, and in this deployment we scaled out to 6 Search nodes to allow better load balancing across our server cluster. Fantastic!

Thanks!

[defensivedepth]

IDH services will run on all IP-configured NICs. There is no auto-configure in place for NICs other than the NIC that is selected as the Management NIC during setup. You should be able to set up the others manually without issue.

[MDCAllan]

Thanks Defensivedepth!

The "nmtui" tool included in Rocky 9 makes it easy to activate and configure interfaces (and enable autoconnect). Might be worth mentioning this in the SO Docs.

Indeed the interfaces are honeypotting now! Thanks!

[dougburks]

The "nmtui" tool included in Rocky 9 makes it easy to activate and configure interfaces (and enable autoconnect). Might be worth mentioning this in the SO Docs.

I've updated the docs:
https://docs.securityonion.net/en/2.4/idh.html#activating-additional-network-interfaces

[MDCAllan]

Nice!

Getting closer... I enabled the IDH playbooks and we started hammering the various honeypot services and not seeing any alerts...

I suspect it has something to do with this... I just don't know what "word" it wants... "false" seems to be the default, but true is not an option.

FYI I love the GUI configuration tools on the new SO web interface. This is so much better for guys like me who can't handle yamls very well ;)

[defensivedepth]

A couple things:

• Do you have any Plays enabled other than the IDH ones?
• Tail the elastalert logs and see if there are any errors: sudo tail -f /opt/so/log/elastalert/elastalert.log

[MDCAllan]

Yea I selected a handful of plays to throw in the mix for starters. I searched the plays and activated all plays with the keyword "install" - Combined with the IDH plays that's about 100 active plays. We currently have about 1500 active plays on our 2.3 deployment and that seems to be working. I think you're on the right track though... Thanks so much for the continued assistance on this!

Found some errors:

WARNING        elasticsearch POST https://soman:9200/.ds-logs-*/_eql/search?ignore_unavailable=true [status:400 request:0.011s]  
ERROR           elastalert Error running query: RequestError(400, 'verification_exception', 'Found 1 problem\nline 1:12: first argument of ["Install-TransportAgent" and winlog.channel : "MSExchange Management"] must be [boolean], found value ["Install-TransportAgent"] type [keyword]')

WARNING        elasticsearch POST https://soman:9200/.ds-logs-*/_eql/search?ignore_unavailable=true [status:400 request:0.011s]
ERROR           elastalert Error running query: RequestError(400, 'verification_exception', 'Found 1 problem\nline 1:82: Unknown column [winlog_channel]')

WARNING        elasticsearch POST https://soman:9200/.ds-logs-*/_eql/search?ignore_unavailable=true [status:400 request:0.012s]
ERROR           elastalert Error running query: RequestError(400, 'verification_exception', 'Found 1 problem\nline 1:13: first argument of [:] must be [string], found value [process.parent.pid] type [long]; consider using [==] instead')

WARNING        elasticsearch POST https://soman:9200/.ds-logs-*/_eql/search?ignore_unavailable=true [status:400 request:0.013s]
ERROR           elastalert Error running query: RequestError(400, 'planning_exception', 'Found 20 problems\nline 1:36: Unresolved expression\nline 1:92: Unresolved expression\nline 1:149: Unresolved expression\nline 1:198: Unresolved expression\nline 1:260: Unresolved expression\nline 1:36: Unresolved expression\nline 1:92: Unresolved expression\nline 1:149: Unresolved expression\nline 1:198: Unresolved expression\nline 1:260: Unresolved expression\nline 1:36: Unresolved expression\nline 1:92: Unresolved expression\nline 1:149: Unresolved expression\nline 1:198: Unresolved expression\nline 1:260: Unresolved expression\nline 1:36: Unresolved expression\nline 1:92: Unresolved expression\nline 1:149: Unresolved expression\nline 1:198: Unresolved expression\nline 1:260: Unresolved expression')

I deactivated plays with "msexchange" in their title and that first error went away. Not sure what to do with the others.

[defensivedepth]

With the move from Lucene to EQL, there are still some field mapping issues. That's what I am seeing in those logs. It is on our list to dig into them deeper soon.

I would suggest you focus on a few key Plays, enable them, and confirm that they are generating alerts as expected.

To be clear, these shouldnt impact the IDH alerts - I have confirmed those should be working as expected.

[MDCAllan]

I rebuilt the new grid from scratch (wiped all the virtual drives and reinstalled all nodes).

Alerts from IDH nodes are working now. I have no idea what was corrupted with the previous grid but it probably wasn't worth doing battle with any longer. Thanks so much for all of your help. All a great learning experience for me.

We deployed our new grid with 4 separate honeypots, each with "tasty" hostnames and each with multiple interfaces on separate networks. Better this way anyway.

Luckily we deploy on proxmox so rebuilding the grid is just a lot of busywork pushing buttons for a day.

[defensivedepth]

Good to hear! Happy hunting!