Confused about IP addresses to use during setup

[iqworks]

Hi, my VMnets are setup like this:
(I am using VMware Workstation 16 pro)

iq SO STENODO Bridged3.pdf

VMnet0 - auto bridged.
VMnet4- host-only.
VMnet5 - custom - not used anywhere else.
VMnet8 - NAT.

here is what i put, but i dont think it is right?
manager IP - i used the IPv4 of my laptop from ipconfig.
access URL - is my IP from ipconfig
allowed IP - i was told to use a VMnet not used by anything else, so i put in
VMnet5 so 192.168.50.17
and of course when i tryed my laptops IPv4 in https://192.168.x.x, i got access denied errors.
so i am a little lost when it comes to what IPv4 i should use and where..

thanks for any advice or suggestions

[fluffyunicorn24]

Have you tried doing an so-allow with your IP from the SO console?

[iqworks]

Thanks for getting back. Yea, that’s the main issue, I am not getting to my SOC from my host chrome browser.
I showed the IPs I used but I don’t think they are right.
I tried https://192.168.50.17 and my host name and no go. Is there other information I can give you
For this? I am including another PDF with more information about VM setup. it also shows the results of my so-allow.
security sudo stuff.pdf
thanks again for your advice and suggestions

[fluffyunicorn24]

Try leaving off the subnet... like this:
so-allow
a
"the internal ip of your host system you want to access the gui from"

[iqworks]

Ok, not sure what you meant by "leaving off the subnet" ?
did sudo so-allow, a and my NAT IP and my NAT IP 192.168.80.0, which is on VMnet8.
I tried https://192.168.80.5 in my host chrome, no go.

I am using my host IPv4 in the first post I made, should I have used that? Or should I
Make up an IP address, or how do I figure out how to do this?

I did a “sudo install_summary” its in this PDF (the missing parts are the last parts of my host ipconfig IPv4 address).
security onion install logl.pdf
thanks as always

[fluffyunicorn24]

I might be wrong, but it sounds like you may have mis-configured your IPs. I have VMWorkstation Pro at home I can try it on, but if you can, try installing an ubuntu desktop image and assign it the same VMnet your SO is on. Then do a so-allow for that IP and see what happens.

[iqworks]

Yea, I believe my configuration is off to. Did you get a chance to look at the PDFs to see how I setup the VM? Maybe that could give you additional ideas. Thanks for your time in reviewing them. So, you mean use “securityonion-2.3.61-STENODOCKER.iso” , and use Linux/Ubuntu instead of Linux/CentOS 7 ?? Or you mean use “ubuntu-20.04.2.0-desktop-amd64.iso”? From: fluffyunicorn24 ***@***.***> Sent: Thursday, August 5, 2021 3:45 PM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Confused about IP addresses to use during setup (#5063) I might be wrong, but it sounds like you may have mis-configured your IPs. I have VMWorkstation Pro at home I can try it on, but if you can, try installing an ubuntu desktop image and assign it the same VMnet your SO is on. Then do a so-allow for that IP and see what happens. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5063 (reply in thread)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV363QCIQYTFZJ6ERDU3T3MH7TANCNFSM5BRWI6GQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email> . <https://github.com/notifications/beacon/ABKPV33DEMI4UWJSGRI4NMTT3MH7TA5CNFSM5BRWI6G2YY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAAIVRYY.gif>

…

-- This email has been checked for viruses by AVG. https://www.avg.com

[fluffyunicorn24]

You need a second VM that’s behind that NAT. Ubuntu is easy and free so I would suggest that. Set it up as another VM and try it that way.

[iqworks]

Thanks so much for even taking the time.
OK, here is my plan:
1 – create a new SO VM.
Use two adapters. One using VMnet8 (NAT) and the other using VMnet0 (auto-bridging).
Linux - ubuntu 64 bit? (I am thinking that ubuntu would give me a desktop over the SO?)
During setup, make my NIC ens33.
The management IP should be 192.168.80.0/24.
The gateway IP is 192.168.80.1.
Access URL should be 192.168.80.0/24
Allowed IP will be 192.168.80.0/24.
Ip a to get the IP address.
And use this address when using so-allow a-analyist

Thanks again

[fluffyunicorn24]

Your plan sounds good, just a couple of notes:
-the second VM is to allow you a gui to access your SO in. This is because you are setting this up on VMWorkstation and not a server with a domain.
-The management IP should be static as in choose an IP in the VMnet subnet range so if your VMNet subnet IP is 192.168.80.0/24 then you could do 192.168.80.10 or something.

• Get the gateway IP from your NAT settings. I have seen the gateways be .2 so I would make sure it matches.
  -When it is done setting up, go to your Ubuntu system, open Firefox and type https://
  -if you cant access it, check your IP on the Ubuntu and add it into the SO with a so-allow --> option a -->

[iqworks]

Thanks, a second VM that’s behind that NAT? Not sure what you mean. Since I am pretty much new to this VM stuff, I am trying to get familiar with the vernacular. Do you mean to add another network card with another VMnet? Or something else. How do I Put a “second VM that’s behind that NAT” ? What does “You need a second VM that’s behind that NAT” mean? Does it mean I need to create a new VM using an Ubuntu iso? From: fluffyunicorn24 ***@***.***> Sent: Thursday, August 5, 2021 6:27 PM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Confused about IP addresses to use during setup (#5063) You need a second VM that’s behind that NAT. Ubuntu is easy and free so I would suggest that. Set it up as another VM and try it that way. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5063 (reply in thread)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV35HCOCR7USKKBMANQDT3M25FANCNFSM5BRWI6GQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email> . <https://github.com/notifications/beacon/ABKPV34B5U7RUDPYKC6WLMDT3M25FA5CNFSM5BRWI6G2YY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAAIVUJA.gif>

…

-- This email has been checked for viruses by AVG. https://www.avg.com

[iqworks]

Hi, this is what is processing now.
VMnew iq SO STENODO Bridged4 2.txt

[iqworks]

Ok, what does “you need a second VM that’s behind that NAT” mean? Are you saying I need to add another VMnet network to this VM network card? Or are you saying that I need to the security onion iso, but while I am installing it, I need to select linux/ubuntu or are you saying I need to Make a new VM from a new ubuntu iso with the same install and setup parameters I have used in the PDF I sent you to setup my security onion VM? From: fluffyunicorn24 ***@***.***> Sent: Thursday, August 5, 2021 6:27 PM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Confused about IP addresses to use during setup (#5063) You need a second VM that’s behind that NAT. Ubuntu is easy and free so I would suggest that. Set it up as another VM and try it that way. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5063 (reply in thread)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV35HCOCR7USKKBMANQDT3M25FANCNFSM5BRWI6GQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email> . <https://github.com/notifications/beacon/ABKPV34B5U7RUDPYKC6WLMDT3M25FA5CNFSM5BRWI6G2YY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAAIVUJA.gif>

…

-- This email has been checked for viruses by AVG. https://www.avg.com

[fluffyunicorn24]

It’s ok! I still get thrown off when I use vmworkstation sometimes. You need your second vm to be on the same vnet as your SO (the one that is NAT).

I apologize I’m a little tired now, so it will be easier for me to just explain what the typical steps are. I can try to look over your configs tomorrow. But so you don’t have to wait here’s how I set up mine:

Set up your Security Onion vm with 2 network adapters as well as the other hardware requirements. One network adapter should be NAT, the other can be bridged. If you need to see your VMnet settings go to Edit –> Virtual Network Editor –> Select the NAT network –> Select NAT Settings.

When you go through the install of SO and it asks for your management NIC, ens33 and then the IP- put your NAT IP address here. Aka the IP in the VMNet you assigned as NAT. Again this can be found in Edit –> Virtual Network Editor –> Select the NAT network –> Select NAT Settings

When you finish setting up SO, configure the other VM, like Ubuntu and assign it to the same VMnet that is NAT and assigned to your SO.

On the Ubuntu machine in terminal do a “ip a” and get the IP address. Make sure you do an so-allow for that IP.

I hope this helps.

[iqworks]

Thanks! I am doing it now. From: fluffyunicorn24 ***@***.***> Sent: Friday, August 6, 2021 9:41 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Confused about IP addresses to use during setup (#5063) Your plan sounds good, just a couple of notes: -the second VM is to allow you a gui to access your SO in. This is because you are setting this up on VMWorkstation and not a server with a domain. -The management IP should be static as in choose an IP in the VMnet subnet range so if your VMNet subnet IP is 192.168.80.0/24 then you could do 192.168.80.10 or something. * Get the gateway IP from your NAT settings. I have seen the gateways be .2 so I would make sure it matches. -When it is done setting up, go to your Ubuntu system, open Firefox and type https:// -if you cant access it, check your IP on the Ubuntu and add it into the SO with a so-allow --> option a --> - You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5063# discussioncomment-1140201> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV3YLO6HQTNETYKARLFTT3 QF75ANCNFSM5BRWI6GQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&m t=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campai gn=notification-email> . <https://github.com/notifications/beacon/ABKPV3YROU32PHYSBJCFHOLT3QF75A5CNFS M5BRWI6G2YY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZG OAAIWL2I.gif>

…

-- This email has been checked for viruses by AVG. https://www.avg.com

[iqworks]

I just checked that txt file I sent you and all of the step by step images are missing? I will try another way tomorrow. Now reading your instructions again, it looks like I need to create 2 VM one SO with 2 VMnets, and, An ubunto vm with the same 2 VMnets? From: fluffyunicorn24 ***@***.***> Sent: Friday, August 6, 2021 9:41 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: iqworks ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Confused about IP addresses to use during setup (#5063) Your plan sounds good, just a couple of notes: -the second VM is to allow you a gui to access your SO in. This is because you are setting this up on VMWorkstation and not a server with a domain. -The management IP should be static as in choose an IP in the VMnet subnet range so if your VMNet subnet IP is 192.168.80.0/24 then you could do 192.168.80.10 or something. * Get the gateway IP from your NAT settings. I have seen the gateways be .2 so I would make sure it matches. -When it is done setting up, go to your Ubuntu system, open Firefox and type https:// -if you cant access it, check your IP on the Ubuntu and add it into the SO with a so-allow --> option a --> - You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5063# discussioncomment-1140201> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKPV3YLO6HQTNETYKARLFTT3 QF75ANCNFSM5BRWI6GQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&m t=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campai gn=notification-email> . <https://github.com/notifications/beacon/ABKPV3YROU32PHYSBJCFHOLT3QF75A5CNFS M5BRWI6G2YY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZG OAAIWL2I.gif>

…

-- This email has been checked for viruses by AVG. https://www.avg.com

[iqworks]

here is my virtula network editor

hope i am not giving you to much.
08/10/2021 – I have tried to narrow my questions down.

have no idea what to enter here. If I use my laptops windows 10 ipconfig IPv4, I think this causes issues.

I am thinking that standard is the best way to go. But airgap always seems to work. should I be using airgap? I am still researching this one.

I am thinking that to speed up the setup, I don’t have to select anything here because I can install them later?

Still researching this one, but this factors in somewhere. I think this is what causes me to get the second IP prompt.

I think selecting for configure ntp servers, causes this last allow IP prompt comes up later, and, again, I have no clue WHAT to put in here.

when one of my setup failed I took a look at the sosetup.log and got this (to me this looks like an IP is incorrect):
Data failed to compile:
No matching sls found or registry in env base curl:
6 could not resolve host: raw.githubusercontent.com;
Unknown error command failed with error 6
Could not pull signature key file, please ensure connectivity to https:// raw.githubusercontent.com
Errors detected during setup; skipping post-setup steps to allow for analysis of failures.

thanks again for your time

[fluffyunicorn24]

Ok. In you virtual network editor click on VMNet 8 (NAT) and select “NAT Settings” under virtual information. Take a screenshot of that please.

[fluffyunicorn24]

Also I would do air gap on your setup.

[iqworks]

Here you go

yep, using airgap will let me install. I have been trying to install without using airgap. I am going through the forum to see differences using airgap and not using it. when i dont use it i get even more ip confusion :-)
it seems like airgap sets up a way to go out to the internet without you having to worry about the allow IP?

thanks as usual.

[iqworks]

does mean i can only use IP addresses between the start and end IP?