How to cleanly get data to security onion?

happyrouter · Jul 6, 2021, 10:22 PM

Hi, so i made a huge mistake and i thought i could get a 'one box solution' by buying an over the top TLSense i7 6P - 6x Gigabit LAN, Intel i7 CPU, 128GB SSD, 16GB RAM with 6 x Intel I211-AT Gigabit NIC.

This is for a homelab setup that i use to learn about networking, try out new software, and ultimately replicate various configuration on client sites (i'm a sysadmin)

While it sounded good on paper, now that it's deployed i see immediately the packages on pfsense are a bit out of date, or just not avail (like the paid version of ntopng).

So, i guess my new approach is going to be moving data from the interfaces in promiscuous mode into a NUC running security onion, and do the analysis there.

Questions:
a) Am i right in this approach? What packages would still benefit from running on top of the pfsense box (since it's a monster, i might as well use it)

b) if i'm right , what woiuld be the 'best' way to move data from pfsense to the nuc/security onion?

c) am i missing anything? I'll admit i'm very new to this (today was my first install of pfsense) and i can use all the advice i can get... i'm into data analysis, security, bandwidth monitoring in real time, flow analysis, etc.

Note i'm happy to use paid version of software since i already made a big investment in the hardware running pfsense...

johnpoz · Jan 18, 2020, 12:06 PM

@happyrouter said in How to cleanly get data to security onion?:

moving data from the interfaces in promiscuous mode into a NUC running security onion

How exactly is that going to get your data to your NUC?

If you want your NUC to see data that is flowing over a port, this is normally done via your switching infrastructure with a port mirror or span port.

stephenw10 · Jun 3, 2022, 3:56 PM

You can do a span port on a bridge in pfSense to get all traffic to the NUC.

You can also use Snort in pfSense as sensor for Seciruty Onion by exporting logs to it.

I would be tempted to run vitualised on that hardware though to better use it's resources. Just run pfSense and Security Onion on there.

Steve

akuma1x · Jan 18, 2020, 5:13 PM

Exactly like @stephenw10 says. 1 VM running pfsense, another VM running whatever operating system Security Onion agrees with. Export from pfsense into Security Onion and do your analysis.

Jeff

happyrouter · Jan 18, 2020, 6:30 PM

Ok, thanks guys/gals! A span port it is!

vijay7 · Jul 6, 2021, 11:09 AM

@happyrouter
But SPAN port won't wont give the layer 7 application visibility, like the traffic belongs to facebook, netflix etc..

how to achieve this then ?

stephenw10 · Jul 6, 2021, 5:09 PM

Why do you think that?

A span port will give you visibility into everything from layer 2.

Steve

NollipfSense · Jul 6, 2021, 10:22 PM

@happyrouter Security Onion seems much software just to use Wireshark.

vijay7 · Jul 8, 2021, 2:32 PM

@stephenw10 incase of NtopNG, if you send span port traffic to it, it will give you great visibility into Layer7 traffic, why can be done with Security onion.

stephenw10 · Jul 8, 2021, 5:43 PM

Right, that's what I said, so what's the question here?

JonathanLee · Jun 3, 2022, 4:03 PM

@stephenw10

I am going to attempt this today with Security onion running as a VM inside Hyper-V I had it running before in Hyper-V to play around with, I could access it from any of the machines in my house. I am going to send my logs all to it. I hope that the machine running Hyper-V can data marshal what needs the logs however. I am learning that you can set up port mirroring so that the data sent from PfSense can be seen inside of the SEIM system.

JonathanLee · Jun 7, 2022, 4:32 PM

@jonathanlee

I got it to work only with Virtualbox only, Security Onion was accessible. I set up port forwarding. However I could not access it outside of of the guest machine. Many SSL errors. I have major issues now with Windows 10 running Hyper-V without it being enabled. I also had the blue screen of death. This was the reason for using virtualbox. Security Onion would not work correctly with Hyper-V for me. I also used a NIC mac to clone for data marshalling to test if it would clone my laptops IP and that worked.

This leaves me with questions like is there any container protected NICs security equipped network cards for high security systems like firewalls. My reason for the question is the data marshalling with a clone MAC, and how containers have no visibility with the antivirus on the physical machines. I have also been told during my cyber security classes that scanning for VM and containers are a current issue in the cyber security world. I stated to wonder if software could control a security chip built onto the NIC and take control of all NIC features with the physical host machine's software, and control approved container and virtual software access right on the card. Enough daydreaming for me. . .

If you want to check out more info on this adventure to try to get this to work in a virtual environment here is my aftermath issues, that really point out some current security issues with today's hardware.

More on Containers and Network Card Security Issues:
https://answers.microsoft.com/en-us/protect/forum/all/hyper-v-running-even-after-being-disabled/8d048265-d0d9-465d-b647-9e121ea059bf

VirtualBox Install of Security Onion:
https://docs.securityonion.net/en/2.3/virtualbox.html#:~:text=Click%20the%20icon%2C%20then%20select,%E2%80%9CAdvanced%E2%80%9D%20options%2C%20set%20%E2%80%9C

Port Forward with VirtualBox:
https://www.golinuxcloud.com/configure-nat-port-forwarding-virtualbox-cli/