No Alerts

[AB00-sys]

Version

2.4.80

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Eval

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

6

RAM

16

Storage for /

76.5 GB

Storage for /nsm

147.8 GB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hi,

i've just installed security onion using the official installation guide on youtube , but I'm not getting anything at all in the alerts. ive gone through the troubleshooting alerts but there doesn't seem to be anything helping. please help what am i missing, there's some data on the dashboard, hunt and detection,.

another question i have is that am running sec onion inside vmware , my home network and the vmware network aren't on the same subnet address , so i assigned the sec onion an ip from the vmware NAT network , and monitor that network of the vmware, is this set up correct?

[analyst@so-eval ~]$ ls /opt/so/log/
agents elasticfleet influxdb nginx salt soc strelka telegraf
docker-registry elasticsearch kibana raid sensor_clean.log sostatus suricata yarasync
elastalert idstools kratos reposync sensoroni stenographer tcpreplay

thanks.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

i've just installed security onion using the official installation guide on youtube , but I'm not getting anything at all in the alerts. ive gone through the troubleshooting alerts but there doesn't seem to be anything helping. please help what am i missing, there's some data on the dashboard, hunt and detection,.

Can you share more information about the data are you seeing on the dashboard?

Per the first troubleshooting step at https://docs.securityonion.net/en/2.4/suricata.html#troubleshooting-alerts, please go to SOC Dashboards, click the dropdown menu, select the Connections seen by Zeek or Suricata dashboard, and see if the connections you expect to see in your network traffic are listed there. If you are unsure and need further assistance, please share screenshots.

another question i have is that am running sec onion inside vmware , my home network and the vmware network aren't on the same subnet address , so i assigned the sec onion an ip from the vmware NAT network , and monitor that network of the vmware, is this set up correct?

Per https://docs.securityonion.net/en/2.4/vmware.html, your Security Onion VM should have 2 network interfaces, one for management (with an IP address) and the other for sniffing (with no IP address). The sniffing interface should be configured to monitor whatever network you want to monitor. That might be a few different things depending on your goals:

• the main network interface of the host if you want to monitor traffic to and from the host
• another physical interface of the host if you want to monitor traffic from a tap or span port
• a virtual network inside VMware itself if you want to monitor traffic between VMs

[AB00-sys]

here's some screenshots of the dashboard

plus when i was setting up and i followed the installation on the youtube , i have set two interfaces ens160 for management and has an ip and ens192 for sniffing/monitoring so when i enter the command tcpdump its only listeining to ens160 and not ens192 and theres some traffic being captured, but when i enter tcpdump ens192, it'll listen but theres no traffic at all.

so i want the sniffing interface to monitor other vms inside the vmware - am performing attacks on metasploitable from kali linux so i want that to be monitored and alert, how can i configure it? All the 3 vms : security onion , Kali Linux and metasploitable are on the same subnet address and are on NAT

[dougburks]

If you run tcpdump on the sniffing interface and you don't see any traffic, then it's not a Security Onion problem.

You will need to double-check your VMware configuration to make sure that the virtual network interface is set to the proper virtual network and is allowed to go into promiscuous mode.

[AB00-sys]

Thanks I’ve fixed it now, there’s traffic on the sniffing interface and there’s alerts,but When I run sudo tcpdump, it’s only listening to the management interface and not the sniffing interface. However, when I run tcpdump -i ens192, which is the sniffing interface, it listens correctly. Shouldn’t the default be the sniffing interface? How can I configure this on the SOC web interface or through the terminal? Thanks.

…

On Mon, 29 Jul 2024 at 5:05 PM, Doug Burks ***@***.***> wrote: If you run tcpdump on the sniffing interface and you don't see any traffic, then it's not a Security Onion problem. You will need to double-check your VMware configuration to make sure that the virtual network interface is set to the proper virtual network and is allowed to go into promiscuous mode. — Reply to this email directly, view it on GitHub <#13367 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BJ723LXJ4PME6CLCPBO6SP3ZOZD2RAVCNFSM6AAAAABLF5G7UKVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMJYGAZDGNA> . You are receiving this because you authored the thread.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/13367/comments/10180234 @github.com>

[dougburks]

First, it's important to note that we were simply using tcpdump temporarily to verify traffic on the interface. Once you start receiving traffic and start generating alerts, then you shouldn't really need to run tcpdump after that.

Second, please note that Security Onion does not configure or control tcpdump in any way.

It sounds like what you are describing is default behavior for tcpdump. From the tcpdump man page at https://www.tcpdump.org/manpages/tcpdump.1.html (emphasis added):

-i interface
--interface=interface
Listen, report the list of link-layer types, report the list of time stamp types, or report the results of compiling a filter expression on interface. If unspecified and if the -d flag is not given, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, ``eth0''.

Since ens160 comes before ens192, then that's the first interface that tcpdump chooses.

Also see:
https://stackoverflow.com/questions/19430339/capturing-on-a-non-default-interface-with-tcpdump
https://unix.stackexchange.com/questions/654939/how-does-tcpdump-choose-the-default-nic-to-listen-on