Send Alerts (Sysmon/OSquery) to second virtual nic for monitoring also?

[mgivens4182]

I have installed a virtual mesh network using Nebula. Is it possible to have SO receive additional alerts via the new virtual nic along with the current "real network" nic? Looking for any ideas?

Thanks - Mike

[weslambert]

If you can present the virtual NIC as a legitimate NIC to Security Onion, then when you run setup, you should be able to select it, and it will be added to the bond configuration for the monitor interface. Then all of those interfaces will be aggregated into a bond0 interface.

[mgivens4182]

It's a virtual nic that is installed on the SO server - that I can ping and ssh too. Is there documentation on re-running the setup? Thanks in advance!
-Mike

[mgivens4182]

Running through the queries this morning I ran across this one: Would this be possibly what I am looking for to add a sensor nic from the virtual nic I added to the SO system?

==========
20d ago
Author innovate-support
"Thanks so much. That worked. For those who use these discussion boards to get detailed answers, here's the steps I took to accomplish this.

Possibly snapshot your VM just in case you screw something up.
Add additional interface to VM and reboot just to make sure OS picks it up and applies drivers
Log into OS and run ifconfig command to see what name was applied to it. My particular one got named ens160. Yours will probably be different.
Run nmcli con show command to view current interface bond-slaves
Run the following command to bond to the new interface, making sure your interface name is correct. Mine was ens160
sudo nmcli con add type ethernet ifname ens160 master bond0
Run nmcli con show command again to confirm it was added as a bond-slave
You should now be able to see data being collected on the newly monitored interface"

[mgivens4182]

OK.. I did the above and did not receive any errors.
did:
sudo nmcli con add type tun ifname nebula1 master bond0
then:
nmcli con show
And it shows it now as part of the slave bond0.

THANKS!

But now I need to change my management interface IP address. I have searched and cannot find out where to do this? In the 2.0 docs - it states "This will be supported in the future" https://docs.securityonion.net/en/2.3/ip.html

There has to be a way!

[weslambert]

You'll want to be careful with adding as described, as there could be certain settings (MTU, disabled interface settings) for the interface that need to be disabled for high fidelity capture. Otherise, you may not be capturing traffic as expected. We are addressing this with a new so-monitor-add script in the next version.

…

On Tue, Jan 19, 2021 at 11:29 PM mgivens4182 ***@***.***> wrote: OK.. I did the above and did not receive any errors. did: sudo nmcli con add type tun ifname nebula1 master bond0 then: nmcli con show And it shows it now as part of the slave bond0. THANKS! But now I need to change my management interface IP address. I have searched and cannot find out where to do this? In the 2.0 docs - it states "This will be supported in the future" https://docs.securityonion.net/en/2.3/ip.html There has to be a way! — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2618 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEAM3KFVXICJWCAQDZPV4NDS2ZL2ZANCNFSM4WBY6K7A> .

-- https://twitter.com/therealwlambert https://securityonion.net/