Hybrid grid -- does AMI image as sensor support using on-prem as manager?

[lsampas]

We have an on-prem manager and several on-prem sensor nodes. I was able to launch the SO AMI successfully and connect it to the manager. The AMI sensor is string to sniff bond0 rather than eth1. While eth1 is part of the bond, the bond fails because it's AWS.

Is using an AMI sensor with an on-prem manager supported?

Thanks,
Larry

[dougburks]

Did you follow the instructions at https://docs.securityonion.net/en/2.3/cloud-ami.html including the following?

(Distributed “Sensor” node or Single-Node grid only) Under the Network interfaces section select: Add Device to attach the previously created sniffing interface to the instance.
(Distributed “Sensor” node or Single-Node grid only) From the Network Interface drop-down menu for eth1 choose the sniffing interface you created for this instance. Please note if you have multiple interfaces listed you can verify the correct interface by navigating to the Network Interfaces section in the EC2 Dashboard.

[lsampas]

Yes. If I do a tcpdump -i eth1, I see traffic. If I do a ps -elf | grep zeek, I see the process trying to listen on bond0. If I do a tcpdump -i bond0, there' s no traffic.

dmesg and /var/log/messages have errors around bond0:
[422155.765815] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[422454.766410] bond0: The slave device specified does not support setting the MAC address
[422454.766474] bond0: The slave device specified does not support setting the MAC address

Apr 25 08:44:17 hc4pcapng3pv NetworkManager[801]: [1650876257.6154] device (eth1): Activation: starting connection 'bond0-slave-eth1' (45c58b5a-be5b-4b57-869b-6509400560c2)
Apr 25 08:44:17 hc4pcapng3pv kernel: bond0: The slave device specified does not support setting the MAC address
Apr 25 08:44:17 hc4pcapng3pv kernel: bond0: The slave device specified does not support setting the MAC address
Apr 25 08:44:17 hc4pcapng3pv NetworkManager[801]: [1650876257.6367] device (eth1): Activation: connection 'bond0-slave-eth1' could not be enslaved
Apr 25 08:44:17 hc4pcapng3pv NetworkManager[801]: [1650876257.6381] device (eth1): released from master device bond0
Apr 25 08:44:17 hc4pcapng3pv NetworkManager[801]: [1650876257.6385] device (eth1): Activation: failed for connection 'bond0-slave-eth1'

[dougburks]

Did you follow the instructions at https://docs.securityonion.net/en/2.3/cloud-ami.html#aws-sensor-setup?

SSH into the sensor node and run through setup to set this node up as a sensor. Choose eth0 as the main interface and eth1 as the monitoring interface.

[lsampas]

Yes. eth0 is the main interface. eth1 is the monitoring interface. so setup configured the bond:

[onion@hc4pcapng3pv etc]$ cat /etc/sysconfig/network-scripts/ifcfg-bond0-slave-eth1
MTU=1500
TYPE=Ethernet
NAME=bond0-slave-eth1
UUID=45c58b5a-be5b-4b57-869b-6509400560c2
DEVICE=eth1
ONBOOT=yes
MASTER=bond0
SLAVE=yes

[weslambert]

Do you receive a successful result when manually querying the metadata service? Could there have been a delay/lag or somehow SG rules interfering?

Ex. curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id

[lsampas]

I get a 401 on querying metadata. There's also some wonkiness on the monitoring interface:
[159677.230725] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[159677.240476] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[159677.993274] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready

I'm going to follow up with our AWS security policy team next week.