OSSIM+PFSENSE ZONE LAN
-
still no reply :(
-
What does this have to do with pfsense?? If you want to setup OSSIM on a VM, you should be on the OSSIM site to be honest.
OSSIM has a management interface and then other interfaces that will be in the network its monitoring.. Are you trying to setup the appliance, from scratch, what version?
-
i have post this in alienvault too,trying to have answers…..what i want to do is there is a way to make ossim one of the pfsense LAN network,that means am i able to give it an dhcp address from LAN,when it becomes one of the lan machines it can detect any machines in that network but right now i cant find any link between ossim and the Lan machines,i have seen a lot of forums they all said they got ossim into DMZ zone or LAN zone in pfsense and the question is how ???
-
and again are you using the virtual appliance? Are you installing into a vm you created.. What version?
Put your management interface in the vmnet that is your lan. Once you have the management interface up you can bring up another interface that listens for traffic.
-
thanks for the reply first and yes pfsense and ossim in vm,pfsense 2.2.6 and ossim 5.2.2,yes i have one interface in ossim for management and other for listening traffic but how can i put the managemeny in the lan like you said
-
connect it to the vmnet you want.. Do you not know how to connect an interface in workstation to a specific vmnet?
-
i just connected to vmnet host only i created virtual network editor and give it the same address and subnet the lan has….is this how ?
-
is that the vmnet that pfsense lan and your other vms are connected to?
-
no every vms has its own vmnet,like win7 has vmnet2 and ossim has vmnet3 and pfsense la has vmnet1 but only ossim cant find away to get into
pfsense lan and get an dhcp addresse from that lan,the others like win7 once they open a browser and enter the address ip for GUI of pfsense they will have automatically registred and get an IP but with ossim their is no way like that !!? -
Well no duh dude put all the device u want to be on your lan on the same vmnet and your wan on diff vmnet
-
well even with different vmnet to the others machines it works but i did what you said with ossim put in it with the same vmnet that pfsense lan has which is vmnet1,the result pfsense ping to ossim but the other way noo !!
-
dude if you put all the vms on different vmnet - what works?? What vmnet did you put them on. There is a bridged one, host only and then nat and I believe internal.
Your wan of pfsense should be on your bridged vmnet connected to your machines real network, I assume your behind a router so lets say your normal real physical network is 192.168.1.0/24
So your machine gets from your router via dhcp lets say 192.168.1.100, pfsense wan would get say 192.168.1.101, now the lan of pfsense would be connected to host only or prob better internal. This network should be say 192.168.0.0/24
All your other vms should be connected to this internal vmnet. They should all be able to get IP address from pfsense dhcp server. They should all be able to ping each other (depending on vm software firewalls settings if running on on that vm)
The default lan rules on pfsense are any any, so yes you should be able to ping the pfsense lan IP, most likely 192.168.0.1
Your going to want to make sure your real network IP range is different than pfsense LAN network. Having same network on both sides of pfsense is not going to work. Once you have that all working you can put another ossim interface in this same network - does not need an IP this will be the interface that ossim.
Another maybe better option would be to put the ossim management interface in the host only vm. So your host can talk to ossim via this network. Not sure what the default ip range of that vmnet is. Then you would put the ossim monitor interface in the internal vmnet so it can see traffic on that network. REMEMBER your going to want this internal network in promiscuous mode so that ossim monitor interface will see ALL traffic on this network, not just broadcast traffic or traffic to its mac. I do not recall off the top of my head if this can be just done on the vmnic setting or the internal network in general. Have not used virtualbox in quite some time.
There also might be option for dhcp server on the internal network - your going to want to make sure this is OFF.. Since your going to want to use the network that pfsense is using on its lan, and use its dhcp server.
How is it your using virtualbox for a networking project, and don't understand how networking is done on virtualbox. I would really suggest you go over the manual for virtualbox before attempting to use it, especially for such a project. Here is link to the networking section https://www.virtualbox.org/manual/ch06.html
edit: here I drew you a picture
So example IPs in this layout would be
Your router
192.168.0.1Your Host
192.168.0.100 (real network and bridged vmnet)
192.168.3.2 ( host only network)Pfsense
192.168.0.101 ( real network, pfsense wan on bridged vmnet)
192.168.1.1 (vmnet internal, pfsense lan)Ossim
192.168.3.1 (host only vmnet - management interface)
Monitor/sniffing interface - No IP needed ( vmnet internal - promiscuous mode)VMs
192.168.1.2, 192.168.1.3, etc.. (vmnet internal, via dhcp from pfsense)You would then access ossim managment gui via its host only vmnet 192.168.3.1 from your hosts connection to that vmnet.
-
i use vmware and my internal network is 10.215.10.0/24 its diffrent than wan network for pfsense,putting interface ossim host only and with the same subnet that internal network of pfsense didnt make them all ping each other even ossim do not ping 10.215.10.1 that is the internal interface of pfsense and too the dhcp server is disable for all host only card from virtual network editor…so what's wrong
-
and thank you for the draw but all of it is correct exept of course 10.215.10.0/24 is the internal network and host only ip for ossim is 10.215.10.8
-
"putting interface ossim host only and with the same subnet that internal network of pfsense didnt make them all ping"
Why would they are not the same network, doesn't matter if you use the same IP ranges. Think of vmnet as switches.. If you have 2 switches that are not connected to each other.. Just because you put the same network IP range on them why would you think they could talk to each other.
Your ossim is going to want 2 interfaces, its managment interface and the interface it uses to monitor/sniff (this interface does not even need an IP)
Set it up as I drew and it will work.. You can use any actual network IP ranges you want, those were just examples showing that they are 3 different networks.
If your internal vmnet is not setup for promiscuous mode, then the ossim interface would only see broadcast traffic and traffic sent to its mac. You need this to be promiscuous so that that ossim will see all traffic on this network be it sent to its mac or not. So when vm1 talks to vm2 it will see these packets, when vm1 talks to pfsense it will see the traffic, etc. etc..
-
ok i understand now,one more thing to be sure how internal network should be i dont see it it in the options,my internal network as you whould say is vmnet1 host only
-
you can create multiple vmnets.. See the doc I linked too..
Here
https://www.virtualbox.org/manual/ch06.html#network_internal -
i am using vmware but still i will look for something like that in vmware and i will let you know how it will ends after applying just what you said,only one more question in my physical host what configuration should be made
-
Oh dude my bad, must of confused this with another thread.. I thought you were using virtual box.. DOH.. You can kick me ;)
vmware is the same principle to be sure. They call it custom. So same thing you have a bridged vmnet, and then a host only vmnet and then use a custom one for the pfsense lan, your other vms and your monitor interface for ossim.
Pretty sure the standard vmnets0 1 and 8 shouldn't be used for your custom vmnet.. Use one of the other ones.. If I recall 0 is bridged, 1 is host only and 8 is nat out of the box, these can be altered.. But just pick one of the other ones make sure its custom, and same thing your going to want promiscuous mode so that ossim can see all the traffic on this custom vmnet.
What version are you using 11?
-
no vmware workstation 12,so far when i put it in the same vmnet that is internal lan network for pfsense,now i receive logs from pfsense to ossim so that is good i think but not from the others vm that they are from same internal network,but still i am happy with that :) and i didnt figured out how management interface config should be in ossim i think that is the problem