IPTables-dropped continiously prompting after install Security Onion 2.4

[Usku81]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

6

RAM

16

Storage for /

269GB available

Storage for /nsm

592GB available

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I installed Security Onion 2.4.60 with ISO file. First, I noticed nothing from SOC but Pending Reboot. And when I rebooted, It continiously displaying [165400.436562] IPTables-dropped IN=eno1 OUT= MAC= ff:ff:ff:ff:ff:ff:b8:85:84:ab:22:a8:08:00 SRC=192.168.10.212 DS=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54862 PROTO=UDP SPT=137 DPT=137 LEN=58 every 30 seconds I guess.

My installation is standalone but my PC (Dell all-in-one) has 1 interface, so used USB ethernet adapter. But my 2 interfaces is in same local network. I don't know if this caused it. Is it only for informational purpose or pointing why I can't take alerts?

• PC: Dell OptiPlex 7460

• 2 network adapter. I unplugged USB ethernet adapter. But it was same before I unplug second interface.

• Suricata rules are enabled but not a single alerts shown. I assume these 2 has connection.
  

• As shown below, curl testmynids.org/uid/index.html should trigger rule of Suricata and generate alert. but nothing shows.
  

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Those are kernel messages https://docs.securityonion.net/en/2.4/console.html#console

What does sudo nmcli con show output for monitoring interfaces?

[Usku81]

Hello, thanks for your reply. This is output.
connection.id: enp0s20f0u5c2
connection.uuid: 4a5f8515-2bd5-40a7-be91-73da077da8ea
connection.stable-id: --
connection.type: 802-3-ethernet
connection.interface-name: enp0s20f0u5c2
connection.autoconnect: no
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.multi-connect: 0 (default)
connection.auth-retries: -1
connection.timestamp: 0
connection.permissions: --
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries: --
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: default
connection.mdns: -1 (default)
connection.llmnr: -1 (default)
connection.dns-over-tls: -1 (default)
connection.mptcp-flags: 0x0 (default)
connection.wait-device-timeout: -1
connection.wait-activation-delay: -1
802-3-ethernet.port: --
802-3-ethernet.speed: 0
802-3-ethernet.duplex: --
802-3-ethernet.auto-negotiate: no
802-3-ethernet.mac-address: --
802-3-ethernet.cloned-mac-address: --
802-3-ethernet.generate-mac-address-mask:--
802-3-ethernet.mac-address-blacklist: --
802-3-ethernet.mtu: auto
802-3-ethernet.s390-subchannels: --
802-3-ethernet.s390-nettype: --
802-3-ethernet.s390-options: --
802-3-ethernet.wake-on-lan: default
802-3-ethernet.wake-on-lan-password: --
802-3-ethernet.accept-all-mac-addresses:-1 (default)
ipv4.method: auto
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv4.addresses: --
ipv4.gateway: --
ipv4.routes: --
ipv4.route-metric: -1
ipv4.route-table: 0 (unspec)
ipv4.routing-rules: --
ipv4.replace-local-rule: -1 (default)
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-iaid: --
ipv4.dhcp-timeout: 0 (default)
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.dhcp-hostname-flags: 0x0 (none)
ipv4.never-default: no
ipv4.may-fail: yes
ipv4.required-timeout: -1 (default)
ipv4.dad-timeout: -1 (default)
ipv4.dhcp-vendor-class-identifier: --
ipv4.link-local: 0 (default)
ipv4.dhcp-reject-servers: --
ipv4.auto-route-ext-gw: -1 (default)
ipv6.method: auto
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 0
ipv6.addresses: --
ipv6.gateway: --
ipv6.routes: --
ipv6.route-metric: -1
ipv6.route-table: 0 (unspec)
ipv6.routing-rules: --
ipv6.replace-local-rule: -1 (default)
ipv6.ignore-auto-routes: no
ipv6.ignore-auto-dns: no
ipv6.never-default: no
ipv6.may-fail: yes
ipv6.required-timeout: -1 (default)
ipv6.ip6-privacy: -1 (unknown)
ipv6.addr-gen-mode: eui64
ipv6.ra-timeout: 0 (default)
ipv6.mtu: auto
ipv6.dhcp-pd-hint: --
ipv6.dhcp-duid: --
ipv6.dhcp-iaid: --
ipv6.dhcp-timeout: 0 (default)
ipv6.dhcp-send-hostname: yes
ipv6.dhcp-hostname: --
ipv6.dhcp-hostname-flags: 0x0 (none)
ipv6.auto-route-ext-gw: -1 (default)
ipv6.token: --
proxy.method: none
proxy.browser-only: no
proxy.pac-url: --
proxy.pac-script: --

[cm-ops]

Was looking for something similar to the below:

[root@so-standalone pki]# nmcli con show
NAME                UUID                                  TYPE      DEVICE
ens160              88e2b879-ab34-4a36-8411-d8d462136ad0  ethernet  ens160
docker0             04acae04-100e-4027-938e-f52fbe26ba8a  bridge    docker0
lo                  b7feb7e8-a0dd-4946-89eb-cac303c52091  loopback  lo
sobridge            bce9c47b-69a3-4770-a493-da8a8de7668a  bridge    sobridge
bond0               be4d9414-85c2-4e50-87e7-c33a34cb5853  bond      bond0
bond0-slave-ens192  e55d831c-d6b3-41fa-a4e5-11f14f54a9ae  ethernet  ens192
ens192              07d501e2-e7df-4c9c-a099-19ffa2e246ff  ethernet  --

Wanted to see the two interfaces.

[petiepooo]

If you just have your two ethernet interfaces connected to a switch and in the same network, you probably have the sensor's monitor interface connected to a normal switchport. That's not enough; it has to be configured as a SPAN port so it sees all packets, not just broadcast/multicast. Please reread this section of the docs: https://docs.securityonion.net/en/2.3/hardware.html#packets
Also see this (not affiliated) youtube video on using a small Netgear switch to provide a SPAN: https://www.youtube.com/watch?v=G8uAhSZnSnA
It's worth noting too that not all USB Ethernet adapters support monitor (promiscuous) mode. You may want to use USB for your admin connection and the on-board port for monitoring.