How To Ingest Data From TAP on SecurityOnion Virtual Machine

[Ryan8bit]

Note: Start on a Windows computer.

Note: Setup is finicky and there are many ways setup can go wrong.

Note: Based on the SecurityOnion Essentials playlist on YouTube.

Note: Version number of SecurityOnion may change.

Note: Watch the screen the whole time or change the computer settings to prevent the computer from going to sleep after inactivity (Important for long downloads. Also, the computer going to sleep may affect the recording of data using the TAP).

Check the amount of free storage left on your Windows computer (This PC) and your installed RAM (GB RAM usable) (Settings -> System -> About).

Download SecurityOnion ISO image. (This time the 20230113 image)

Get VMWare Workstation Pro if you don't have it already:

Get a VMWare account.
Buy the license key for the VMWare Workstation Pro and record the license key.
Go to My Profile.
Fill in your profile for the VMWare account to allow you to download the VMWare Workstation Pro. Edit and save your changes.
Download the VMWare Wokrstation Pro.
Install the VMWare Workstation Pro and use the license key.
Set up Ubuntu VMware (for the sole purpose of confirming the signature key):

Open VMWare Workstation Pro.
Create a New Virtual Machine.
Typical configuration.
Next.
Installer disc image file (iso): ubuntu-22.04-desktop-amd64.iso (This must be downloaded first. Version number may vary.)
Next.
Fullname: YourFirstName Username: yourfirstname Enter password. Next.
Virtual machine name: Keyconfirm (Maybe pick a name that was never picked before on the VMWare)
Max. disk size: 30 GB. Split virtual disk into multiple files.
Finish. Do NOT power on virtual machine after creation.
Edit virtual machine settings. Options. Shared Folders. Always Enabled.
Add. Next. Select a host path. (Choose a new folder named KeyShare that you create first.)
Next. Finish. (Make sure you copy the SecurityOnion iso to the shared folder.)
Ok.
Power on this virtual machine.
English(US) keyboard layout. Continue.
Normal installation. Download updates while installing Ubuntu. Continue.
Erase disk and install Ubuntu. Install Now. Continue.
Choose the time zone matching the geographic location you are working at. Continue.
Your name: YourFirstName Your computer's name: yourfirstname-virtual-machine
Pick a username: yourfirstname
Choose your password. Require my password to log in. Continue.
Restart Now.
Enter the password.
Skip.
Next.
Next. Next as many times as needed.
Done.
Use Ubuntu VMWare:

While program is running:
Right-click on the VM's tab.
Settings. Options. Shared Folders.
Add a shared folder named KeyShare to the folder storing the Virtual Machines on the host computer.
Disabled shared folder. OK.
Right-click on the VM's tab.
Settings. Options. Shared Folders.
Enable shared folder until next poweroff. OK.
Files. Other Locations. Computer. (Do not install updates)
mnt. hgfs. KeyShare (the shared folder).
Note: May need to delete previous ISO files in the VM for space reasons.
Copy securityonion iso. Paste it into the Home directory (/home/username).
Open up Terminal on Ubuntu VMware.
Check that you are in the home directory (Use ls or pwd).
wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -O - | gpg --import -
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.200-20230113.iso.sig
gpg --verify securityonion-2.3.200-20230113.iso.sig securityonion-2.3.200-20230113.iso
Output should show good signature. Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013.
Do not proceed if these conditions are not met.
Delete the copies of the security onion iso and sig files that are within the virtual machine.
Leave the virtual machine.
Adjust the IP:

Figure out the IP address of the device the TAP is reading data from.
Change the VMnet8 IP address and the ethernet address and default gateway (that the TAP connects to the host computer through) to be compatible with the IP address of the device the TAP is reading data from.
Control Panel. Network and Internet. Network and Sharing Center.
Change adapter settings.
Right-click on the ethernet adapter (the one plugged into the TAP) and the VMnet8 adapter.
Click Properties.
Double click Internet Protocol Version 4 (TCP/IPv4).
Under Use the following IP address, change the IP address, subnet mask, and default gateway to be compatible with the IP address of the device the TAP is reading from. The IP address should be an unused address. The default gateway should be in the format #.#.#.0. (The default gateway must be in the same subnet address as the IP address.) OK. Source: https://www.tp-link.com/us/support/faq/919/#:~:text=How%20to%20find%20and%20manually%20assign%20an%20IP,4%20Step%204%3A%20Set%20the%20IP%20address%20
Install SecurityOnion (standalone mode): Source: https://docs.securityonion.net/en/2.3/hardware.html Note: SecurityOnion only supports x86-64 architecture (standard Intel, AMD 64-bit processors).

Go to the Home Tab. Create new virtual machine.
Typical. Next.
Installer disc image file (iso): securityonion-2.3.200-20230113.iso
Linux. CentOS 7. Next.
Virtual machine name: CentOSFirst (or CentOSSecond, etc.)
Note: Make sure the name has not been used before on the VMware Workstation and choose a name with no spaces.
200.0 GB. Max disk storage. Split virtual disk. Next.
Customize hardware. 21620 MB memory. Number of processers: 4.
Note: Host computer must have at least 200 GB storage free. Computer must have over 20 GB RAM usable.
Add 2nd Network Adapter. Close.
Finish. Setup Security Onion:
Start the virtual machine (CentOSFirst, etc.).
Install Security Onion 2.3.200 (first option). Press Enter to begin installation.
Continue (yes).
Enter administrative username (analyst) and password.
Wait for the install to complete. Press Enter to reboot.
Select top option.
Log in to SecurityOnion.
Yes.
Install.
Standalone (Use spacebar). Ok.
Type AGREE. Ok.
Enter hostname: sostand
Description: [choose description if you want]
Management NIC: ens33 Ok. Note: spacebar used to select management NIC.
Static Ok.
On your outer computer (Windows), go to Command Prompt. Type in ipconfig.
Look under VMWare VMnet8.
Look at the IPv4 address (a.b.c.d), the subnet mask (e.f.g.h).
Assuming the subnet mask is 255.255.255.0, choose the IP address a.b.c.[not d]/24 Ok.
Note: Probably choose the fourth octet to be bigger than d.
Note: 24 is based on the subnet mask; the appropriate IP address will differ by subnet mask.
Note: Record the IP address you choose along with your passwords and usernames.
a.b.c.d Ok. (Fill in variables with appropriate numbers)
Leave default (8.8.8.8,8.8.4.4). Ok.
Leave default DNS search domain (searchdomain.local). Ok.
Ok.
Airgap.
ens34. Ok. Note: Use spacebar.
Leave default home network(s). Ok.
Basic. Ok.
Zeek for metadata.
Note: Used https://www.youtube.com/watch?v=TG-pPm7KVro

Use ETOPEN. Ok.
Install all 4 services (osquery, wazuh, playbook, strelka). Ok.
Keep default docker IP. Yes.
Enter an email address (only as username) [email protected]. Ok.
Enter a password.
IP (Leave default) Ok.
Set a password for the soremote.
Basic. Ok.
1 Zeek process.
1 Suricata process.
Whether to configure ntp servers. No.
Nodebasic. Ok.
so-allow. Yes.
192.168.0.0/16 Ok. (Based on computer; assumes a = 192 and b = 168)
Yes. (Shows the options that are set. Asks to proceed. Management IP will be the access IP (this IP you chose for the virtual machine).)
Setup will probably take a while.
Ok. (Press enter to reboot.)
Note: If error in setup, do not restart & use machine.
Log into SecurityOnion the first time:

Choose the first option to boot up.
Login to sostand (first password).
sudo so-status | less -R (run so-status over and over; type q to quit)
Wait around 10 minutes and verify the correct services are running using sudo so-status. Every service should be ok.
ifconfig | less -R (show ip address information; check for the ipv4 address under ens33: p.q.r.s) Figure out ip address web portal is using.
Use ipconfig on the Windows host computer. VMnet8 range should be recorded. m.n.o.0/24
sudo so-allow
Role: a (for analyst)
IP range: m.n.o.0/24
Note: a in this case is the letter 'a', not a variable.
Login to the SecurityOnion Web Console:

Download Google Chrome if you need to.
Open Google Chrome.
Go to the ipv4 address under ens33. https://p.q.r.s/
Click advanced then proceed to bypass the warning message.
Log into security onion. Type in the second account you made.
You are logged into the local SecurityOnion web console if you see a menu on the left, the SecurityOnion logo on the top row, and a screen with the title "Overview".
Connecting the TAP to the Computer:

Get a Dualcomm ETAP-2003 10/100/1000Base-T Network TAP.
Get a USB 3.0 to 10/100/1000 Gigabit Ethernet Internet Adapter.
Power the TAP.
Put the USB adapter into the USB port.
Put an ethernet cable from the USB adapter to the monitor port of the TAP.
Plug an ethernet cable from one of the inline ports to wherever you want to monitor, for example the router.
Start. Settings. Device Manager (search for this in the search bar).
Network Adapters. Click on > to the left.
Right-click on ASIX AX88179.
Install driver from the Internet if you have not already. Source: https://www.amazon.com/AmazonBasics-1000-Gigabit-Ethernet-Adapter/dp/B00M77HMU0/ref=asc_df_B00M77HMU0?tag=bingshoppinga-20&linkCode=df0&hvadid=80882875798354&hvnetw=o&hvqmt=e&hvbmt=be&hvdev=c&hvlocint=&hvlocphy=&hvtargid=pla-4584482455193510&th=1
Open Wireshark.
Check the ethernet connection the USB adapter is connected to.
Choose that connection to capture packets from.
Verify Wireshark is capturing packets from that TAP.
Source: #5592 Note: To sniff network traffic from a tap/span port, you need an interface deidcated to sniffing (no IP address).

Source: #9143 Note: Suricata and Zeek are for TAP/SPAN port traffic.

Connecting the TAP to the Security Onion VM:

Control Panel. Network and Internet. Network and Sharing Center.
Change adapter settings.
Right-click on the ethernet port (the one plugged into the TAP).
Click Properties.
Double click Internet Protocol Version 4 (TCP/IPv4).
Under Use the following IP address, change the IP address, subnet mask, and default gateway to fit under the VMnet8 subnet. The IP address should be an unused address. The default gateway should be in the format #.#.#.0. (The default gateway must be in the same subnet address as the IP address.) OK. Source: https://www.tp-link.com/us/support/faq/919/#:~:text=How%20to%20find%20and%20manually%20assign%20an%20IP,4%20Step%204%3A%20Set%20the%20IP%20address%20
Source: #9340 Source: https://www.google.com/search?q=nic+promiscuous+mode+windows+10&oq=NIC+permisious+mode&aqs=chrome.2.69i57j0i13i512j0i22i30l2j0i15i22i30j0i22i30l5.37586j0j15&sourceid=chrome&ie=UTF-8#fpstate=ive&vld=cid:89bb9f1f,vid:_CCbIGLgo0M

Go to Windows host computer. Windows Powershell. Run as administrator.
Get-netadapter | Format-list -Property ifAlias,PromiscuousMode,ifIndex
Look at the port the TAP is located at.
Look for the ifIndex.
If promiscuous mode is false: netsh bridge set adapter id=[ifIndex] forcecompatmode=enable
This puts the NIC card into promiscuous mode.
I don't know how it worked (getting it into promiscuous mode). May need to play around with it. May need to wait long enough. May need to shut down or restart computer. May need to run Wireshark (which may need to be downloaded). May need this command: netsh wlan show all | find /I "monitor mode"
Running Wireshark made promiscuous mode work, but only when Wireshark was running.
It seems Security Onion will not work with the TAP, because no data from the TAP shows up on the Hunt interface on the Security Onion Console.
Source: https://www.youtube.com/watch?v=TG-pPm7KVro&t=84s Source: https://www.minitool.com/backup-tips/vmware-bridged-network-not-working.html

Set Network Adapter 2 to Bridged in the settings of the standalone virtual machine. Check Replicate physical network connection state.
Restart or turn off SecurityOnion VM if not already turned off.
May need about 20 minutes.
Try:

sudo so-allow
b (for Logstash Beat)
m.n.o.0/24
Failed
sudo so-allow
e (for Elasticsearch REST API)
m.n.o.0/24
Failed
sudo so-allow
f (for Strelka frontend)
m.n.o.0/24
Failed
sudo so-allow
o (for Osquery endpoint)
m.n.o.0/24
Failed
sudo salt-call state.apply firewall
Restart the Virtual Machine.
Failed
sudo so-allow
s (Syslog device)
m.n.o.0/24
Failed
sudo so-allow
w (Wazuh agent)
m.n.o.0/24
Failed
sudo so-allow
p (Wazuh API)
m.n.o.0/24
Failed
sudo so-allow
r (Wazuh registration service)
m.n.o.0/24
Shut down VM.
Shut down computer.
Turned on computer.
Turned on VM.
Failed
Source: #9694

sudo so-monitor-add bond0
sudo so-monitor-add ens34
Note: May want to look under Grid tab and check if the status of the sostand module is OK (the good status) or Fault (the bad status). You will want to judge whether SecurityOnion is working after the status of the sostand module is OK.

Source: https://www.thegeekdiary.com/how-to-configure-interface-in-promiscuous-mode-in-centos-rhel/

ifconfig | less -R
Look under the interface the Security Onion Console is using. Check if it's in pormiscuous mode.
q
sudo ip link set [that interface] promisc on
sudo salt-call state.apply firewall
(May need to repeat this step to keep promiscuous mode on after restarting or shutting down the virtual machine.)
Verify the TAP is working by logging into the Security Onion Console's Hunt interface and entering the query: * | groupby observer.name
The TAP is working when observers other than sostand (the name of the standalone Security Onion instance) are visible in the bar graphs on the Hunt interface.

I cannot figure out how to ingest data from a TAP onto a SecurityOnion VMWare virtual machine. Help!

[cm-ops]

What does your VMWare network config look like?

[Ryan8bit]

Network Adapter: NAT
Network Adapter 2: Bridged, Replicate physical network connection state

Ifconfig within the VMWare:

IPConfig for the Windows Host Computer:

ens33 is the management NIC, which is used for the SecurityOnion Console web interface.

[cm-ops]

Can you also share a screenshot of your VMWare Virtual Network Editor showing how you have your bridged network set?

[Ryan8bit]

C:\Program Files (x86)\VMware\VMware Workstation\vmnetcfg.exe
Right click.
Run as administrator.

What if I change my VMnet8 to the meet the ipconfig values? I'll try that.

[cm-ops]

Have you also tried manually setting the Bridged connection to your NIC, instead of Automatic?

[Ryan8bit]

But ens34 is in ipv6. How do I connect the ipv6 address of ens34 to the TAP?

[cm-ops]

The only thing on ens34 I see is the MAC address, it is set to PROMISC

[Ryan8bit]

What should I do to connect the TAP to the Security Onion VMWare instance?

[cm-ops]

What is the physical interface the tap is connected to on your physical machine?

[Ryan8bit]

Ethernet 2.
Using the ASIX AX88179 USB 3.0 to Gigabit Ethernet Adapter.
The USB port connects to the USB adapter, which connects to the ethernet cable which connects to the TAP.
The TAP data does show in Wireshark (when I record from Ethernet 2), but does not show in Security Onion.

[Ryan8bit]

The USB adapter had to be removed.
The ethernet cable that was in the USB adapter belongs in the ethernet port on the computer and the monitor port of the TAP.
Wi-Fi may need to be disconnected temporarily to make it work.
The TAP must connect to the router and the switch using the inline ports.
Put the TAP's power cable between the computer and the TAP.

Make the first network adapter NAT.
Make the second network adapter Bridged. Replicate physical connection state.
A third network adpater was set like the second, but is probably not needed.

Make sure the ethernet adapter is in the router's subnet and the default gateway is the router.
Make sure the VMnet8 adapter is in the router's subnet and the default gateway is the router.

The words to diagnose whether the Security Onion TAP is working (in the Hunt interface) is:

• | groupby event.dataset

The words to diagnose whether winlogbeat is working is:

• | groupby observer.name

They are working if multiple items show up in the graph.

Thank you for your help! It was most appreciated.