Don't see a results from pcap file in SO

[habibbarika]

I am very interested to security onion to put it in my monitoring lab.
My question is :
I know that to start it is strongly advised to import pcap files and analyze them. Unfortunately when I import from Malware analysis I don't see alerts and nothing in Hunt, this doesn't happen all the time. This is my pcap file :

2020-07-20-IcedID-infection-traffic.pcap.zip 5.9 MB (5,916,514 bytes)

Another question 👍

What is the difference between AF_Packet and Raw_packet and what's the type of packet supported bye Wireshark. Because I see in architecture the tree components support AF_Packet : Suricata, Zeek and Steno.
File.docx

Thank you !!!

[dougburks]

I know that to start it is strongly advised to import pcap files and analyze them. Unfortunately when I import from Malware analysis I don't see alerts and nothing in Hunt, this doesn't happen all the time. This is my pcap file :

Works fine for me:

Make sure you are using the hyperlink provided by so-import-pcap or manually setting your time range correctly.

What is the difference between AF_Packet and Raw_packet and what's the type of packet supported bye Wireshark. Because I see in architecture the tree components support AF_Packet : Suricata, Zeek and Steno.

From https://docs.securityonion.net/en/2.3/af-packet.html:
AF-PACKET is built into the Linux kernel and includes fanout capabilities enabling it to act as a flow-based load balancer. This means, for example, if you configure Suricata for 4 AF-PACKET threads then each thread would receive about 25% of the total traffic that AF-PACKET is seeing.

For more information about AF-PACKET, please see:
https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt

[habibbarika]

Thank you very much Doug. Always dynamic, continuous!

[habibbarika]

I downloaded the following pcap:

I changed the schedule and used your solution with the /tmp folder to help Suricata access, but nothing appears!! It's weird !

thank you again !

[dougburks]

Looking at your screenshot, it says this PCAP has already been imported; skipping. If you go to Hunt and change the time frame to start at 2020/05/27 and end at 2020/05/29, does it return any events?

If you really want to import the pcap again, you should be able to delete the subdirectories under /nsm/import/ and then run so-import-pcap again.

[habibbarika]

Hi Doug !

I’m starting over :

Import again :

Importation completed !

All service start correctly :

Message error when I lunch SOC Web interface. Execute soup command two times:

Many updates! More than 30 minutes! More than a complete installation



Access to SOC: after update the same error

I reinstall!!!  Looks like I'm having bad luck with security onion, yet I love it!

I apologize for the length of my post! :(

Thanks very much !

[dougburks]

I'd recommend downloading the latest version 2.3.190 and performing a fresh installation:
https://github.com/Security-Onion-Solutions/securityonion/blob/master/VERIFY_ISO.md

If you're just going to be importing pcap files, then you can just do an import installation which will be much quicker and easier:
https://docs.securityonion.net/en/2.3/first-time-users.html

[habibbarika]

Hi Doug,

I reinstalled SO with import mode:

I imported the same file as you:

I modified the date :

In Hunt :

Thank you !!!

[dougburks]

If you have no NIDS alerts, then check the NIDS troubleshooting steps:
https://docs.securityonion.net/en/2.3/suricata.html#troubleshooting-alerts

[habibbarika]

Hi Doug,

I couldn't fix my PCAP problem, it's disheartening to start with this problem. I plan to teach it to my students, but it's off to a bad start. It's rare or I get stuck like that, I always find a solution to my problems.

As shown in my drawing, I am unable to ping from Kali to SO. Also, I can't capture traffic from kali attack on Windows 10 (Simple scan nmap -O -sV). Why ?

Anyway, thank you for your input!

[dougburks]

As shown in my drawing, I am unable to ping from Kali to SO.

Seems like a networking issue. Make sure that your Security Onion installation has a management interface in the same subnet as your Kali box and that there are no firewalls or other network devices that may be interfering with the traffic.

Also, I can't capture traffic from kali attack on Windows 10 (Simple scan nmap -O -sV).

If you've configured Security Onion for Import mode, then it doesn't support live traffic capture. Otherwise, this could be an issue with your tap, span, or virtualization platform.

[habibbarika]

Hi Doug,

If I understand correctly (so) must have a card for monitoring and another for management. Me, what I want to know, if it is possible to ping the monitoring card. I want to make sure that there is communication in my local network. On my monitoring network card, I activated promiscuous mode (.vmx file). Of course my bridge network, where there is my management card is to access the SOC and see the traffic to analyze. The ping to my management card is working fine, from my host machine.
For my installation, it is the EVAL version.

Thank you for your answers !!!

[dougburks]

From https://docs.securityonion.net/en/2.3/hardware.html#nic:

If you plan to sniff network traffic from a tap or span port, then you will need one or more interfaces dedicated to sniffing (no IP address).

[habibbarika]

Hi Doug,
A question about sysmon!
Does the file you created in Git cover all events supported by sysmon or not. How many events supported by sysmon without configuration file ?

Is the list of events limited to the following table:

Thank you Doug !

[dougburks]

Does the file you created in Git cover all events supported by sysmon or not.

I didn't create the sysmon config. Per your screenshot, it was created by SwiftOnSecurity:
https://github.com/SwiftOnSecurity/sysmon-config

Is the list of events limited to the following table:

You can read more about Sysmon events at:
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events

This discussion has strayed from its original title of Don't see a results from pcap file in SO. If you have further questions or problems, please start a new discussion with an appropriate title.

[habibbarika]

Hi Doug,

Finally, I found my problem concerning the detection of alerts with Securita. I was just missing an update with the soup command. I'm happy, I can move forward to make the product usable in the French-speaking community.

Thank you so much !

[bdavedu]

Hi,

I have the same problem. When I import a PCAP file via SOC or via CLI, I only can see Dashboard for this PCAP but when I go to alerts and filter by dates there aren't any alert. How did you solve it ?

[dougburks]

@bdavedu From #1720:

Start a new discussion instead of replying to somebody else's discussion
Please search to see if you can find similar discussions that may help you. However, in order to avoid confusion, please do NOT reply to somebody else's discussion with your own issue. Instead, please start a new discussion and in that new discussion you can provide a hyperlink to the related discussion.