No alerts on the alerts interface

[abdullahi0000]

Version

2.4.80

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Eval

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

6

RAM

16GB

Storage for /

76.5GB

Storage for /nsm

147.8

Network Traffic Collection

span

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

hello everyone
am doing a final year project and am using security onion together with kali linux and metasploitable in vmware workstation, i want the security onion to monitor the traffic between the other two machines and detect any intrusions .

i followed the official youtube installation guide and i cant see any alerts on the alerts interface , but am seeing some detections on the detections and hunt interface and dashboard. regarding storage i allocated 200GB based on the youtube installation guide

please help me my project submission deadline is approaching soon, any guidance would be greatly appreciated. thank you in advance

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

Please review the Troubleshooting Alerts section of the documentation:
https://docs.securityonion.net/en/2.4/suricata.html#troubleshooting-alerts

[Sarra2611]

I have the same problem ever since i've upgraded to the version 2.4.80, No alerts are being generated no matter what i do. Even using the testmynids doesn't work. I tried even creating simple rules but no alerts. I have downloaded the agent on my machine, i can see events in the dashboard and hunt interface but no alerts are being generated. I checked the troubleshooting alerts in the documentation and i tried fixing the issue to no avail. Can you please help?

[dougburks]

@Sarra2611 From #1720:

Start a new discussion instead of replying to somebody else's discussion
Please search to see if you can find similar discussions that may help you. However, in order to avoid confusion, please do NOT reply to somebody else's discussion with your own issue. Instead, please start a new discussion and in that new discussion you can provide a hyperlink to the related discussion.

[abdullahi0000]

Hi thanks for the reply however I’ve tried all those troubleshooting methods but I still can’t receive no alerts, on the home_net configuration i included the network am watching traffic for, my network set up is inside the vmware theres 3 vms security onion , kali linux and metasploitable, so i wanted the sec onion to monitor the traffic , they are all on the same subnet address 192.168.253.0/24 NAT

…

On Mon, 15 Jul 2024 at 1:40 PM, Doug Burks ***@***.***> wrote: Please review the Troubleshooting Alerts section of the documentation: https://docs.securityonion.net/en/2.4/suricata.html#troubleshooting-alerts — Reply to this email directly, view it on GitHub <#13331 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BFKNGEB7RTC6FEMD26U6HOLZMORJ5AVCNFSM6AAAAABKYNPQ26VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMBUHE3DKMI> . You are receiving this because you authored the thread.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/13331/comments/10049651 @github.com>

[dougburks]

What was the outcome of the first step of the Troubleshooting Alerts section?

If you have metadata enabled, check to see if you have metadata for the connections. Depending on your configuration, this could be Suricata metadata or Zeek metadata.

[abdullahi0000]

I am using zeek for meta data generation

…

On Thu, 18 Jul 2024 at 2:02 PM, Doug Burks ***@***.***> wrote: What was the outcome of the first step of the Troubleshooting Alerts section? If you have metadata enabled, check to see if you have metadata for the connections. Depending on your configuration, this could be Suricata metadata or Zeek <https://docs.securityonion.net/en/2.4/zeek.html#zeek> metadata. — Reply to this email directly, view it on GitHub <#13331 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BFKNGEGMRNLKZWNI565JKCTZM6OF5AVCNFSM6AAAAABKYNPQ26VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMBYGMZTKOA> . You are receiving this because you authored the thread.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/13331/comments/10083358 @github.com>

[dougburks]

The point of that first step and my point in asking about it here is to see if you're actually getting the metadata that you expect:

• If you ARE getting the metadata that you expect, then that narrows the problem down to Suricata.
• If you ARE NOT getting the metadata that you expect, then the traffic may not even be reaching your Security Onion box.

So to be very clear: if you go to SOC Dashboards and select the Connections dashboard, do you see all of the connections that you expect to see?

[abdullahi0000]

here some screenshots of the dashboard

[dougburks]

Looking at your screenshots, there are very few Zeek logs and they seem to be for multicast traffic. This would indicate that the unicast traffic that you're looking for is not reaching your Security Onion box. You'll need to figure out how to get the traffic to Security Onion.