-
Notifications
You must be signed in to change notification settings - Fork 521
NetworkConfiguration
If you're running Security Onion 14.04/16.04, all of this configuration will happen automatically if you choose "Yes, configure /etc/network/interfaces" in the Setup wizard.
NOTE! You may lose network connectivity during this process! Have a backup plan if attempting over SSH!
Stop Network Manager:
sudo /etc/init.d/network-manager stop
Prevent Network Manager from starting at next boot:
sudo mv /etc/init/network-manager.conf /etc/init/network-manager.conf.DISABLED
Next, configure your network interfaces in /etc/network/interfaces
.
You'll want a management interface (preferably connected to a dedicated management network) using either DHCP OR preferably static IP.
You'll want one or more interfaces dedicated to sniffing (no IP address). NIC offloading functions such as tso
, gso
, and gro
should be disabled to ensure that Snort/Suricata get an accurate view of the traffic (see http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html).
auto lo
iface lo inet loopback
# Management interface using DHCP (not recommended due to Bro issue described above)
auto eth0
iface eth0 inet dhcp
# OR
# Management interface using STATIC IP (instead of DHCP)
auto eth0
iface eth0 inet static
address 192.168.1.14
gateway 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
# If running Security Onion 14.04, you'll need to configure DNS here
dns-nameservers 192.168.1.1 192.168.1.2
# AND one or more of the following
# Connected to TAP or SPAN port for traffic monitoring
auto eth1
iface eth1 inet manual
up ifconfig $IFACE -arp up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
# If running Security Onion 14.04, you should also disable IPv6 as follows:
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
You may also want to set the RX buffer size in the post-up command like this:
post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
Note that 4096 is just an example and your NIC may have a different maximum rx size. To determine the maximum rx setting for your NIC:
ethtool -g ethX
If necessary, configure DNS in /etc/resolv.conf
:
http://en.wikipedia.org/wiki/Resolv.conf
http://www.cyberciti.biz/tips/howto-ubuntu-linux-convert-dhcp-network-configuration-to-static-ip-configuration.html
http://manpages.ubuntu.com/manpages/lucid/man5/resolver.5.html
Restart networking:
sudo /etc/init.d/networking restart
If you already had sensors running on these interfaces, you should restart them:
sudo so-sensor-restart
For more information on network configuration in Ubuntu, please see:
https://help.ubuntu.com/community/NetworkConfigurationCommandLine/Automatic
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs