Hi all,

Recently I have set up a distributed deployment (one manager and one forward node). The setup goes through without errors, and I used a CentOS 7 minimal install to set up the Security Onion components (network installation), but no data is displayed in the SOC front-end (no alerts, no hunt, no pcaps). On my freshly installed sensor, some alerts do exist:

```json
{"timestamp":"2022-04-10T10:25:46.329931+0000","flow_id":1707372723118060,"in_iface":"bond0","event_type":"alert","src_ip":"172.22.55.16","src_port":49707,"dest_ip":"168.63.250.82","dest_port":80,"proto":"TCP","community_id":"1:JKSMXPL0JbYyfbHPZ6Ttdac8NGw=","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2025275,"rev":4,"signature":"ET INFO Windows OS Submitting USB Metadata to Microsoft","category":"Misc activity","severity":3,"metadata":{"affected_product":["Windows_XP_Vista_7_8_10_Server_32_64_Bit"],"attack_target":["Client_Endpoint"],"created_at":["2018_01_31"],"deployment":["Perimeter"],"former_category":["INFO"],"performance_impact":["Low"],"signature_severity":["Minor"],"updated_at":["2020_09_17"]},"rule":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; threshold:type limit, seconds 300, count 1, track by_src; http.method; content:"POST"; http.uri; content:"metadata.svc"; endswith; http.header; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; fast_pattern; classtype:misc-activity; sid:2025275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)"},"files":[{"filename":"/metadata.svc","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":1420,"tx_id":0}],"app_proto":"http","payload_printable":"POST /metadata.svc HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/xml; charset="UTF-16LE"\r\nUser-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT\r\nSOAPAction: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata\"\r\nContent-Length: 1420\r\nHost: dmd.metaservices.microsoft.com\r\n\r\n..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.<.s.:.E.n.v.e.l.o.p.e. .x.m.l.n.s.:.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...x.m.l.s.o.a.p...o.r.g./.s.o.a.p./.e.n.v.e.l.o.p.e./.".>.<.s.:.H.e.a.d.e.r.>.<.h.:.c.d. .x.m.l.n.s.:.h.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s.m.e.t.a.d.a.t.a./.s.e.r.v.i.c.e.s./.2.0.0.7./.0.9./.1.8./.d.m.s.".>.<.h.:.c.v.>.1.0...0...2.2.0.0.0.<./.h.:.c.v.>.<.h.:.c.c.>.E.S.P.<./.h.:.c.c.>.<./.h.:.c.d.>.<./.s.:.H.e.a.d.e.r.>.<.s.:.B.o.d.y.>.<.D.e.v.i.c.e.M.e.t.a.d.a.t.a.B.a.t.c.h.R.e.q.u.e.s.t. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s.m.e.t.a.d.a.t.a./.s.e.r.v.i.c.e.s./.2.0.0.7./.0.9./.1.8./.d.m.s.".>.<.L.o.c.L.i.s.t.>.<.l.o.c.>.M.u.l.t.i.L.o.c.<./.l.o.c.>.<.l.o.c.>.e.n.-.G.B.<./.l.o.c.>.<.l.o.c.>.e.n.<./.l.o.c.>.<./.L.o.c.L.i.s.t.>.<.M.I.D.R.e.q.u.e.s.t.s.>.<.g.d.m.d.m.i.d.>.<.r.i.d.>.1.<./.r.i.d.>.<.m.i.d.>.3.E.5.B.5.E.A.9.-.5.7.5.5.-.5.B.C.7.-.B.1.B.C.-.F.A.3.6.7.1.1.B.6.C.2.8.<./.m.i.d.>.<./.g.d.m.d.m.i.d.>.<./.M.I.D.R.e.q.u.e.s.t.s.>.<.H.W.I.D.R.e.q.u.e.s.t.s.>.<.g.d.m.d.h.w.i.d.>.<.r.i.d.>.1.<./.r.i.d.>.<.h.w.i.d.s.>.<.h.w.i.d.>.D.O.I.D.:.M.O.N.I.T.O.R.\.D.e.f.a.u.l.t..M.o.n.i.t.o.r.<./.h.w.i.d.>.<./.h.w.i.d.s.>.<./.g.d.m.d.h.w.i.d.>.<./.H.W.I.D.R.e.q.u.e.s.t.s.>.<./.D.e.v.i.c.e.M.e.t.a.d.a.t.a.B.a.t.c.h.R.e.q.u.e.s.t.>.<./.s.:.B.o.d.y.>.<./.s.:.E.n.v.e.l.o.p.e.>.","stream":1,"packet":"AABeAAEBAFBWw6UjCABFAAAoHehAAIAGVy+sFjcQqD/6UsIrAFBmwXICj85+pVAQBAV8YwAAAAAAAAAA","packet_info":{"linktype":1}}
```

Also, some pcaps exist in the /nsm/pcap dir:

But nothing is shown in the Security Onion Console.
What could have gone wrong? Some data:

Manager IP: 172.22.60.9/28

`so-status` output on the manager:

```
Checking container statuses
```

`so-status` output on the forward node:

```
Checking container statuses
```

There is an error when I run `soup` on the forward node:

```
Preparing soup at Sun Apr 10 10:19:09 UTC 2022
Checking to see if this is a manager. Please run this command on the manager; the manager controls the grid.
Starting service at 10:19:19.052139
Enabling highstate.
```

Many thanks for your help.
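The alert record quoted in the post is a Suricata EVE JSON line, one JSON object per line. As an added example (not code from the original discussion or from Security Onion), the script below parses such lines and summarises the alerts they contain, so you can confirm locally what a sensor is actually emitting before looking at the manager or search-node side of the pipeline. The sample input is constructed: the first record mirrors the fields of the alert in the post, the second alert's ports and `community_id` are invented, and a flow event plus a non-JSON line are included to show that non-alert events and malformed lines are skipped rather than crashing the summary.

```python
"""Summarise Suricata EVE JSON alert records.

Added example for checking locally what a sensor is emitting; it is not part
of the original discussion or of Security Onion itself.
"""
import json
import sys
from collections import Counter

# Constructed sample in EVE JSON shape (one JSON object per line). The first
# record mirrors the alert in the post; the second alert's ports and
# community_id are invented; the flow event and the junk line exercise the
# skip paths.
SAMPLE_EVE = """\
{"timestamp":"2022-04-10T10:25:46.329931+0000","in_iface":"bond0","event_type":"alert","src_ip":"172.22.55.16","src_port":49707,"dest_ip":"168.63.250.82","dest_port":80,"proto":"TCP","community_id":"1:JKSMXPL0JbYyfbHPZ6Ttdac8NGw=","alert":{"action":"allowed","gid":1,"signature_id":2025275,"rev":4,"signature":"ET INFO Windows OS Submitting USB Metadata to Microsoft","category":"Misc activity","severity":3}}
{"timestamp":"2022-04-10T10:26:01.000000+0000","in_iface":"bond0","event_type":"flow","src_ip":"172.22.55.16","src_port":49708,"dest_ip":"168.63.250.82","dest_port":80,"proto":"TCP"}
{"timestamp":"2022-04-10T10:27:12.000000+0000","in_iface":"bond0","event_type":"alert","src_ip":"172.22.55.16","src_port":49710,"dest_ip":"168.63.250.82","dest_port":80,"proto":"TCP","community_id":"1:CONSTRUCTED-EXAMPLE-ID=","alert":{"action":"allowed","gid":1,"signature_id":2025275,"rev":4,"signature":"ET INFO Windows OS Submitting USB Metadata to Microsoft","category":"Misc activity","severity":3}}
not a json line
"""


def parse_eve(text):
    """Decode EVE lines. Returns (records, skipped), where skipped counts
    lines that are not JSON objects (truncated writes, stray output)."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(rec, dict):
            records.append(rec)
        else:
            skipped += 1
    return records, skipped


def summarise(records):
    """Count event types and, for alert events only, tally signatures,
    severities and the flows (5-tuple plus community_id) they fired on."""
    event_types = Counter(r.get("event_type", "<missing>") for r in records)
    by_signature = Counter()
    by_severity = Counter()
    flows = []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert") or {}
        by_signature[(alert.get("signature_id"), alert.get("signature"))] += 1
        by_severity[alert.get("severity")] += 1
        flows.append((rec.get("src_ip"), rec.get("src_port"),
                      rec.get("dest_ip"), rec.get("dest_port"),
                      rec.get("proto"), rec.get("community_id")))
    return {
        "event_types": event_types,
        "alerts": len(flows),
        "by_signature": by_signature,
        "by_severity": by_severity,
        "flows": flows,
    }


def report(text):
    """Print a human-readable summary and return the summary dict."""
    records, skipped = parse_eve(text)
    summary = summarise(records)
    print(f"records: {len(records)}  skipped non-JSON lines: {skipped}")
    print("event types:", dict(summary["event_types"]))
    print(f"alerts: {summary['alerts']}")
    for (sid, name), n in summary["by_signature"].most_common():
        print(f"  sid {sid}  x{n}  {name}")
    print("by severity:", dict(summary["by_severity"]))
    for flow in summary["flows"]:
        print("  flow:", flow)
    return summary


if __name__ == "__main__":
    # Pass the path of an EVE JSON file to summarise real output; with no
    # argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report(fh.read())
    else:
        report(SAMPLE_EVE)
```

If this shows alerts on the sensor while the console shows none, the sensor side is working and the gap is in the forwarding or ingest path, which narrows where to look next.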
As the error message indicates, you don't need to run `soup` on anything other than your manager:

If you just have a forward node and a manager node (and no search nodes), then your logs are likely sitting in a queue on the manager waiting for a search node to ingest them. From https://docs.securityonion.net/en/2.3/architecture.html#distributed: