NO ALERTS #13978

AB00-sys · 2024-11-24T15:28:29Z

AB00-sys
Nov 24, 2024

Version

2.4.110

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Eval

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

12288

Storage for /

69.2

Storage for /nsm

133.7

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi everyone,

I need some help setting up Security Onion in VMware Workstation Pro for a project. I know this isn’t strictly a Security Onion issue, but I’m struggling with configuring the interfaces properly and could really use some guidance.

Here’s my setup:
1. Security Onion VM (2 interfaces):
• Management Interface: On NAT, has an IP.
• Sniffing Interface: On Host-Only.
2. Kali Linux VM: On NAT.
3. Metasploitable VM: On NAT.

All 3 VMs are on the same NAT subnet. My goal is for the sniffing interface in Security Onion to monitor traffic between the Kali and Metasploitable VMs (e.g., attack traffic) and generate alerts. Unfortunately, I’m not getting any alerts, and it seems the sniffing interface isn’t capturing the traffic.

Additional Details:

•	When I run sudo tcpdump on Security Onion, it listens to the management interface (ens160) and captures traffic.
•	However, when I manually specify the sniffing interface with sudo tcpdump -i ens192, it listens but shows no traffic.

This leads me to believe that it’s not a Security Onion problem but a misconfiguration in VMware or the network interfaces.

Main Issues:

•	The sniffing interface doesn’t seem to capture any traffic.
•	I’m unsure how to correctly configure the network interfaces in VMware Workstation Pro for this to work.

I know the issue is likely with the VMware networking configuration rather than Security Onion itself, but I’d greatly appreciate any advice or guidance on setting up the interfaces to enable proper traffic monitoring.

This is for a project, and I’m running out of time, any help would mean a lot!

Thank you in advance!

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by eb-op

Nov 26, 2024

Hey AB00-sys,

Have you tried putting the Kali and Metasploitable VM on a host-only network? If you need to, you can give a secondary NIC to the Kali box for NAT.
Hope this helps.

View full answer

eb-op · 2024-11-26T14:46:10Z

eb-op
Nov 26, 2024

Hey AB00-sys,

Have you tried putting the Kali and Metasploitable VM on a host-only network? If you need to, you can give a secondary NIC to the Kali box for NAT.
Hope this helps.

1 reply

AB00-sys Dec 1, 2024
Author

Thanks, this really helped me.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

NO ALERTS #13978

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

NO ALERTS #13978

Uh oh!

AB00-sys Nov 24, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 1 reply

Uh oh!

eb-op Nov 26, 2024

Uh oh!

AB00-sys Dec 1, 2024 Author

AB00-sys
Nov 24, 2024

Replies: 1 comment 1 reply

eb-op
Nov 26, 2024

AB00-sys Dec 1, 2024
Author