Version: 2.4.80
Installation Method: Security Onion ISO image
Description: other (please provide detail below)
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 4
RAM: 16
Storage for /: 64.44 GB
Storage for /nsm: 124.52
Network Traffic Collection: other (please provide detail below)
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail:
I have configured Security Onion on VMware Pro in standalone mode; I have three other VMs that I want to be monitoring. I have downloaded agents on these VMs and I can see them through Fleet. I have followed the instructions as shown in the YouTube guide. I've added Sigma and Suricata rules in order to monitor the traffic and to trigger alerts, but no alerts are triggered whatsoever. For example, I can see in the dashboard the events that there is vsftpd traffic, but when I have a rule that triggers an alert for any FTP traffic, I have no alerts. I tried testmynids and it also doesn't trigger alerts. The only alerts that are being triggered are the failed logins for the console. I used tcpdump on my sniffing interface and there is no other traffic besides ICMP and SSDP. I don't know what to do. Should I configure a TAP or SPAN in order to forward the traffic, or what else should I do? I've followed the troubleshooting guide and got nothing. Everything seems to work just fine. I've been stuck on this for days and I would appreciate your response.
Replies: 1 comment 3 replies
-
Please review the Troubleshooting Alerts section of the documentation and let us know the outcome of each step, as that will help pinpoint where the issue may be.
If traffic is not reaching Security Onion, then it is not a Security Onion problem. You'll want to review your VMware configuration and make sure that the virtual sniffing interface is set to the right VMware network and that it is going into promiscuous mode properly. If you are trying to sniff traffic from other VMs, then the virtual sniffing interface needs to be set to the same network as those VMs (this may be NAT or bridged depending on how they are configured).
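As an added example that is not part of this thread and not Security Onion's own tooling, the following POSIX shell script turns the reply above into two repeatable checks on the sensor: whether the kernel reports the sniffing interface in promiscuous mode, and whether anything other than the ICMP and SSDP the poster already sees is arriving on it. It assumes a Linux sensor with iproute2 (`ip`), `tcpdump` and coreutils `timeout`; the interface name `ens192` and the sample tcpdump lines are constructed placeholders, not taken from the poster's system.

```shell
#!/bin/sh
# Added example, not Security Onion's own code: sanity checks for a virtual
# sniffing interface that only ever shows ICMP and SSDP.
# Assumptions: Linux sensor with iproute2, tcpdump and coreutils `timeout`;
# "ens192" below is a placeholder interface name.

# Check 1: does the kernel report the interface as promiscuous?
# Takes the first line of `ip link show <iface>`; returns 0 if PROMISC is in
# the flag list, 1 otherwise.
iface_is_promisc() {
  printf '%s\n' "$1" | grep -q '<[^>]*PROMISC[^>]*>'
}

# Check 2: drop the background noise the poster already sees (ICMP, and
# SSDP = UDP to port 1900 / 239.255.255.250) from `tcpdump -n -l` output on
# stdin and print how many other packets remain. Zero after a reasonable
# capture window means the adapter is not on the monitored VMs' network.
count_non_noise() {
  grep -v -E 'ICMP|\.1900:|239\.255\.255\.250' | wc -l | tr -d ' '
}

# Constructed sample of tcpdump output (not a real capture): one ICMP echo,
# one SSDP datagram and both halves of an FTP control-port (21) handshake.
SAMPLE='12:00:01.000001 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 IP 192.168.1.10.50000 > 239.255.255.250.1900: UDP, length 133
12:00:01.000003 IP 192.168.1.20.40000 > 192.168.1.30.21: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.168.1.30.21 > 192.168.1.20.40000: Flags [S.], seq 2, ack 2, win 65160, length 0'

# Live mode: `sh check_sniff.sh --live ens192` runs both checks on the box.
# Without --live the script only defines the functions and the sample.
if [ "${1:-}" = "--live" ]; then
  IFACE="${2:-ens192}"
  if iface_is_promisc "$(ip link show "$IFACE" | head -n 1)"; then
    echo "$IFACE: PROMISC flag set"
  else
    echo "$IFACE: PROMISC flag NOT set (also check the VMware network / port group)"
  fi
  # Capture for 30 seconds or 200 packets, whichever comes first.
  n=$(timeout 30 tcpdump -n -l -c 200 -i "$IFACE" 2>/dev/null | count_non_noise)
  echo "$IFACE: $n non-ICMP/non-SSDP packets seen"
fi
```

Two caveats when reading the output. The PROMISC flag is only meaningful while a capture process (Suricata, Zeek, or tcpdump itself, which enables promiscuous mode unless run with `-p`) holds the interface open, so check it while the sensor services are running. And a set flag inside the guest does not prove the hypervisor is delivering other VMs' frames: on ESXi the port group or vSwitch security policy must also have promiscuous mode set to Accept, and on Workstation the sniffing adapter must be attached to the same virtual network (NAT, host-only or bridged) as the VMs being monitored, which is exactly the configuration the reply above asks the poster to verify.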