so v2 so-test and so-tcpreplay not working?

[iqworks]

Hi, perhaps there is something i didnt do during or after the install/setup?

thanks for any advice or suggestions

[jertel]

When requesting support you will need to provide the information requested in the pinned topic #1720 . Without this information, it's difficult to assist.

You might try reviewing /opt/so/log/tcpreplay/init.log for errors.

[iqworks]

jertel, thanks for pointing me to 1720. I created a pdf with the answers to some of the 1720 results. learned some valuable commands.
ok, i am going to give you as much as know to give you:

First, I have been working with VMs since April 2021.
Current version - securityonion-2.3.61-STENODOCKER.iso
CentOS 7
EVAL
Show so-status (see PDF)
Salt-call state.highstate – WHAT!? 😊 (results are in the PDF) have to study up on this.
Soup.log – see PDF (is there a link that explains how to transfer a log file from so to my host)
grid status - from what I see, you have to get on SOC for this? I am not able to get on the SOC yet, I get errors. But please to refer to another post I put out with this one?? #5063
security sudo stuff.pdf
here is my install_summary
security onion install logl.pdf
thanks as always

[jertel]

Hello! Please do not provide troubleshooting information in the form of PDFs, as PDFs are a known attack vector. Plain text files are sufficient and should be attached to this issue by dragging them or pasting them into your reply, rather than providing Google Drive links. These suggestions are being made in the interest of keeping this community safe and secure.

Back to your questions...

1. I see in your screenshot in the original post that you are using a mixed case hostname iqHostname. Using uppercase characters has been a problem for other Security Onion users so I would advise against that.
2. Since you've confirmed this is a single node grid (which simplifies things, fortunately), your next step in troubleshooting the so-tcpreplay error is to follow my first suggestion of inspecting the /opt/so/log/tcpreplay/init.log. Review it and look for errors or warnings that could indicate the problem.
3. Transferring files between your VMs and hosts is out of scope of this discussion forum. Both Windows and Linux should have the secure copy command available from the terminal shell scp. Alternatively look into your VM software on how to share folders between the host and VM.

[iqworks]

[iqworks]

So, is a word docx or rtf acceptable?
This is what is in the PDF, it has the init.log results. And, there ARE errors. i think it is my configuration. I included that as well.
security sudo stuff.docx
thanks for your help.

[jertel]

No, Word and other rich text format files are also vulnerable to attacks.

The simplest and most common way our users provide log files is to copy the original file off of the VM. Short of that you can use copy/paste into notepad on Windows, saving with the.txt extension. Or if there's just a few lines, paste those lines directly into the GitHub reply and surround them by three backticks ```.

[iqworks]

ok, let me try this.
security sudo stuff 2a.txt

[jertel]

Yes, that's it.

[iqworks]

ok, this is what is processing now.
VMnew iq SO STENODO Bridged4 2.txt

[iqworks]

I just checked that txt file I sent you and all of the step by step images are missing? I will try another way tomorrow. From: Jason Ertel ***@***.***> Sent: Friday, August 6, 2021 10:45 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] so v2 so-test and so-tcpreplay not working? (#5061) Yes, that's it. - You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5061# discussioncomment-1140445> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV3Z2H757GJB2BGUTHODT3 QNQBANCNFSM5BRS7IAQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&m t=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campai gn=notification-email> . <https://github.com/notifications/beacon/ABKPV3YOXADFVXKAYARUOZLT3QNQBA5CNFS M5BRS7IA2YY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZG OAAIWNXI.gif>

…

-- This email has been checked for viruses by AVG. https://www.avg.com

[iqworks]

I am using securityonion-2.3.61-MSEARCH.iso now.

is there anything else i can provide?
thanks

[iqworks]

i dont mean to inundate you with all of this stuff, i am just trying to make my connection to the SOC.
I have tried to narrow my questions down. and i am back to securityonion-2.3.61-STENODOCKER.iso
I believe the tcpreplay issue is because i am not using the right combination of IP addresses during setup.

have no idea what to enter here. If I use my laptops windows 10 ipconfig IPv4, I think this causes issues.

I am thinking that standard is the best way to go. But airgap always seems to work. should I be using airgap? I am still researching this one.

I am thinking that to speed up the setup, I don’t have to select anything here because I can install them later?

Still researching this one, but this factors in somewhere. I think this is what causes me to get the second IP prompt.

I think selecting for configure ntp servers, causes this last allow IP prompt comes up later, and, again, I have no clue WHAT to put in here.

when one of my setups failed I took a look at the sosetup.log and got this (to me this looks like an IP is incorrect):
Data failed to compile:
No matching sls found or registry in env base curl:
6 could not resolve host: raw.githubusercontent.com;
Unknown error command failed with error 6
Could not pull signature key file, please ensure connectivity to https:// raw.githubusercontent.com
Errors detected during setup; skipping post-setup steps to allow for analysis of failures.

thanks for your time and help

[jertel]

Yes, it's definitely a network configuration problem. Have you watched all the Security Onion YouTube videos and the free introduction training course yet? If not, I highly recommend doing so. Also, it would be good to review some basic network tutorials so you understand netmasks, IPs, CIDR blocks, etc. These are important concepts for a security analyst to understand. I'll give you a jump start on a couple of things, but you'll still need to study these concepts in depth.

VM Network Modes:

• Bridged: This allows your VM to participate on your local network just as if it was a physical server (or laptop, etc) connected to your network. On most consumer networks, it will be assigned a DHCP if the VM requests one, so if you choose this mode you could select DHCP during the Security Onion installation and let it assign you an IP. This is good for evaluation mode and standalone but not a good choice for distributed. But based on your previous posts it would appear that you aren't ready for setting up a distributed grid yet -- too much to learn first! So Eval would be a good choice to get started and learn more about the platform. This bridge mode might be the simplest option for you to get started.

• Host Only: This mode will allow your VM to talk to your Windows host machine but nothing else. This won't work well for you since you'll need to know the host only network range in advance. However, from your screenshot it looks like you already have a Host Only network defined, and it has a 192.168.40.x subnet, so if you proceeded with this you would want to pick a valid subnet IP such as 192.168.40.10. But keep in mind that this mode prevents your installation from reaching out to the Internet! So you'd still get the same error of not being able to resolve github.com.

• NAT: This is going to behave like a mini network inside your LAN. Your Windows host machine will route VM traffic trying to reach the Internet and then route responses back into the VM. It is a common network configuration when you want to prevent outside access to reach your VM, but still allow the VM to get to the Internet when it needs to. But this too requires you to manually setup the network IP and masks, etc. And it takes a little understanding to make sure you know what your host machine's network will be so you can allow access into the Security Onion web interface (your last screenshot input). So a good choice but will require you to understand how NATs work, especially with VM software.

[iqworks]

Jason, thanks for these explanations, they are great. Yep, I got a few things to study. Today I learned more details about airgap and cores. https://www.tripwire.com/state-of-security/ics-security/air-gap-industrial-control-networks/ What Is a CPU Core? A Basic Definition | Tom's Hardware (tomshardware.com) <https://www.tomshardware.com/news/cpu-core-definition,37658.html> Thanks again. I am trying to setup without airgap. So, yes, there is some IP address configuration that I am confused about. For instance, when setup asks for an IPv4 address, what should I enter? My windows 10 ipconfig IPv4? Or do I make one up. And the last IP (I think it is the allow IP?). I have no idea what to put here. But there are post I made today for this forum posts that shows more information for my setup. Thanks for your time, I mean it From: Jason Ertel ***@***.***> Sent: Tuesday, August 10, 2021 5:12 PM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: Jason Ertel ***@***.***>[Security-Onion-Solutions/securityonion] so v2 so-test and so-tcpreplay not working? (#5061) Yes, it's definitely a network configuration problem. Have you watched all the Security Onion YouTube videos and the free introduction training course yet? If not, I highly recommend doing so. Also, it would be good to review some basic network tutorials so you understand netmasks, IPs, CIDR blocks, etc. These are important concepts for a security analyst to understand. I'll give you a jump start on a couple of things, but you'll still need to study these concepts in depth. VM Network Modes: * Bridged: This allows your VM to participate on your local network just as if it was a physical server (or laptop, etc) connected to your network. On most consumer networks, it will receive be assigned a DHCP if the VM requests one, so if you choose this mode you could select DHCP during the Security Onion installation and let it assign you an IP. This is good for evaluation mode and standalone but not a good choice for distributed. But based on your previous posts it would appear that you aren't ready for setting up a distributed grid yet -- too much to learn first! So Eval would be a good choice to get started and learn more about the platform. * Host Only: This mode will allow your VM to talk to your Windows host machine but nothing else. This won't work well for your since you'll need to know the host only network range in advance. However, from your screenshot it looks like you already have a Host Only network defined, and it has a 192.168.40.x subnet, so if you proceeded with this you would want to pick a valid subnet IP such as 192.168.40.10. But keep in mind that this mode prevents your installation from reaching out to the Internet! So you'd still get the same error of not being able to resolve github.com. * NAT: This is going to behave like a mini network inside your LAN. Your Windows host machine will route VM traffic trying to reach the Internet and then route responses back into the VM. It is a common network configuration when you want to prevent outside access to reach your VM, but still allow the VM to get to the Internet when it needs to. But this too requires you to manually setup the network IP and masks, etc. And it takes a little understanding to make sure you know what your host machine's network will be so you can allow access into the Security Onion web interface (your last screenshot input). So a good choice but will require you to understand how NATs work, especially with VM software. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5061 (reply in thread)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV36CAQF6JX727P23MWTT4G56ZANCNFSM5BRS7IAQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email> . <https://github.com/notifications/beacon/ABKPV33657ZVDYEYPYIGT2DT4G56ZA5CNFSM5BRS7IA2YY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAAI2K7Q.gif>

…

-- This email has been checked for viruses by AVG. https://www.avg.com

[iqworks]

As I said, this information is great. As you suggested, I have been looking at videos and documentation for the past 4 + weeks about security onion (and from your last email, it hit me that there was a learning curve 😊).

During setup, when it gets to the point where it asks for an IPv4 IP address, I thinik the answer is here.
So, the new plan is to use VMnet8's IPv4 address in the prompt where SO asks for an IPv4 address. This is because VMnet0 has no IP subnet and VMnet4 is a host subnet and cannot communicate outside the LAN, so my VMnet8 has a subnet of 198.162.80.0 and its IPv4 address when I look at my host network settings is 198.162.80.1 – this is what I will use. And no airgap. its time for me to see some VMware DHCP videos.

well i mean, VMnet8's subnet 198.162.80.0/24 should go into the IPV4? Not sure but will try. when i look at my windows 10 ipconfig (like ifconfig), it says VMnet8 has an IPv4 of 198.162.80.1 (but i thought this was the gateway?
any i will try to create using 0/24 first.

I will get there, just have to study more and make sense out of this stuff.

thanks again as always and for the lessons!