Monitor Interface issues

[josephvmcintyre-svg]

Version

2.4.190

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

500

Storage for /nsm

500

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I have been beating my head on the keyboard trying to get the monitor interface to collect traffic correctly. I have tried adding via the so-monitor add cmd. This cmd adds to the bond0 interface, but when I do a tcpdump for bond0 --> all I see is STP and ARP traffic.

I have two virtual interfaces on my build
Proxmox --> pfSense(VM) --> 2 nics ( 1x WAN; 1x LAN)
pfSense serves as the DHCP for the network. We'll say 10.xxx / 24

SOC -- 10.250 / 24 --> Allow 10.xxx/24 to manage.

Unifi US 16 - lite switch
1 --> LAN
2 --> Monitor (configured as a mirror port; mirroring the LAN port on the Unifi)

Snippet of traffic (looks to me like the Unifi switch is only broadcasting the default VLAN1)

04:43:32.122436 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 6c:63:f8:35:f3:58, length 300
04:43:32.392222 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.6c:63:f8:35:f3:58.800f, length 36
04:43:34.392340 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.6c:63:f8:35:f3:58.800f, length 36
04:43:35.132515 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 6c:63:f8:35:f3:58, length 300
04:43:35.267029 IP 192.168.1.20.52383 > 255.255.255.255.scp-config: UDP, length 218
04:43:35.359694 IP6 fe80::6e63:f8ff:fe35:f358.48882 > ff02::1.scp-config: UDP, length 218
04:43:36.392613 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.6c:63:f8:35:f3:58.800f, length 36

Problem is, so-suricata is bound/listening on bond0.

I cannot get the traffic to show up when putting my #2 monitor connection on bond0 using so-monitor-add

The only thing I can think of is that the Unifi switch isn't configured properly.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[AheadOfTheDead]

I am having the same issue. I found when setting it up though my managenet port is enp0s18 and enp0s19 is my monitor port. I have those set up as an ovs bridge. Enp0s19 has no ip and goes to the nic and then to the switch. I have the switch port setup as a monitor session. I added all the vlans to it. When in security onion I can run a "sudo tcpdump -i enp0s19" and see the traffic from the different vlans but I dont get any alerts or see them in the web gui. I did the same so-monitor-add enp0s19 command but that didn't change the bond0. Still not getting any traffic through the gui.

[josephvmcintyre-svg]

I think I have figured it out! I reset the unifi switch to factory defaults. Went through adopting it to my controller again while my pfSense network was plugged in -- poof! Like magic - once I reconfigured the mirror port --> verified the vmbr mappings to the correct nic on the server --- I got flooded with traffic.