Security Onion monitor interface in vmware - security

I am following the Security Onion docs and am using VMware. I created the second network adapter and set it to bridged for the monitor interface, ran the setup, selected evaluation mode, and set up the network interfaces.
My monitor interface does not see any traffic. I used Wireshark to test both interfaces: the management interface sees the traffic but the monitor interface does not. Has anyone else come across this issue?

It would be useful if you provided your host OS and the versions of the OS, VMware and Security Onion, to be clear from the start and helpful for any future requests.
On the assumption that you are using a Mac, I'd say it may be a known issue; see:
https://docs.vmware.com/en/VMware-Fusion/12/rn/VMware-Fusion-12-Release-Notes.html#knownissues
Here is a short excerpt from it:
"Users are unable to capture transfer packets in the same subnet of a virtual network inside a virtual machine.
Virtual machine's virtual interface doesn't report packet exchanges between other virtual machines in the same subnet on Big Sur hosts.
Workaround: Use the virtual interface on the host to capture traffic information in the subnet. For example, use the interface bridge100 on macOS host to capture the traffic in the subnet"
It was reported as a known issue in Fusion 12.0, but it isn't listed in the Resolved Issues for 12.1, so it is safe to assume that it is a known pending issue by now.

Related

Connection and/or config problems when running OVS (Open vSwitch) and ONOS (Open Network Operating System) in Azure

We are building a proof of concept piece that uses ONOS to update the flow tables on an OVS switch to either block or allow traffic connected to the OVS switch. We have got a piece working on a local machine using virtual machines on VirtualBox. We're trying to see if we can get it working using virtual machines in Azure. Here's the setup:
I have three Linux virtual machines running in Azure.
One virtual machine has ONOS installed on it. Let's call this ONOS-1.
The second virtual machine has OVS installed on it. Let's call this OVS-1.
And the third virtual machine is just a standard Linux virtual machine that is being used by a user. Let's call this HOST-1.
The OVS-1 has two network interface cards, one for management access and another used by OVS for bridging. In OVS there are multiple vPorts configured on the single NIC that is on the data network.
The idea is that ONOS-1 is connected to OVS-1, and OVS-1 is connected to HOST-1 via one of the OVS vPorts. ONOS-1 should be able to control OVS-1. Currently, ONOS-1 can see OVS-1, but any vPorts created on OVS-1 show as enabled=False in ONOS-1. What is the problem, or what are we missing? Any help, guidance, or direction would be greatly appreciated.
Network diagram
We've tried adding additional NIC for each OVS vPort. This did not work either.

Capturing packets on VMware machines

I have a Windows PC with VMware Workstation installed and Linux running on it. I want to be able to capture packets in Linux when Windows communicates with the Internet; how can I do that?
The VMware network is bridged, and I set eth0 using the command "ifconfig eth0 promisc".
The Linux IP is 192.168.0.103, the Windows IP is 192.168.0.102.
Running "tcpdump not host 192.168.0.103" gives no result.
Thank you for your time and please help me.
While I haven't used VMWare workstation before, I have used Oracle VirtualBox in a similar setup as you describe.
I suspect that the problem is that your network adaptor on the Linux VM is not actually accessing the physical network adaptor directly. You will be using one of the network mapping types described in http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006480 instead.
As such, you are not getting all the traffic that is going to your physical network adaptor. Instead you are getting the reduced set of traffic that VMWare is passing on to your guest.
The only way to get that is to do the snoop on your Windows host, using something like https://www.wireshark.org/
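Both this question and the Security Onion one above come down to the same check: is the guest's sniffing interface in promiscuous mode, and is its receive counter moving while the management interface's counter moves? The script below is an added example for this page, not code from Security Onion, VMware or any of the posters. It reads the sysfs counters that `ip -s link` reads, and the interface names ens33 (management) and ens34 (monitor), the flag values and the fake sysfs tree it builds are all constructed so the demo runs offline.

```python
"""Check whether a sniffing interface in a Linux guest is actually receiving frames.

Added example for this thread; not code from Security Onion, VMware or the
original posters. Interface names, counters and the fake sysfs tree below are
constructed assumptions so the demo runs without a hypervisor.
"""
import os
import tempfile

IFF_PROMISC = 0x100  # promiscuous-mode flag bit from <linux/if.h>


def iface_status(iface, sysfs_root="/sys/class/net"):
    """Return (promisc, rx_packets) for one interface from sysfs."""
    base = os.path.join(sysfs_root, iface)
    with open(os.path.join(base, "flags")) as f:
        flags = int(f.read().strip(), 16)  # file holds e.g. "0x1103"
    with open(os.path.join(base, "statistics", "rx_packets")) as f:
        rx_packets = int(f.read().strip())
    return bool(flags & IFF_PROMISC), rx_packets


def diagnose(before, after, mon, mgmt):
    """Verdict from two {iface: (promisc, rx_packets)} samples taken a few seconds apart."""
    promisc, mon0 = before[mon]
    mon_delta = after[mon][1] - mon0
    mgmt_delta = after[mgmt][1] - before[mgmt][1]
    if not promisc:
        return "monitor not in promiscuous mode"
    if mon_delta == 0 and mgmt_delta > 0:
        return "management sees traffic, monitor sees none: hypervisor is not forwarding frames"
    if mon_delta == 0:
        return "no traffic on either interface"
    return "monitor is receiving traffic"


def write_fake_sysfs(root, iface, flags, rx_packets):
    """Constructed stand-in for /sys/class/net/<iface> (demo and testing only)."""
    stats = os.path.join(root, iface, "statistics")
    os.makedirs(stats, exist_ok=True)
    with open(os.path.join(root, iface, "flags"), "w") as f:
        f.write(f"0x{flags:x}\n")
    with open(os.path.join(stats, "rx_packets"), "w") as f:
        f.write(f"{rx_packets}\n")


def demo():
    """Constructed scenario matching the threads: management busy, monitor silent."""
    with tempfile.TemporaryDirectory() as root:
        write_fake_sysfs(root, "ens33", 0x1003, 1000)  # UP|BROADCAST|MULTICAST
        write_fake_sysfs(root, "ens34", 0x1103, 40)    # same plus PROMISC
        before = {i: iface_status(i, root) for i in ("ens33", "ens34")}
        write_fake_sysfs(root, "ens33", 0x1003, 1500)  # management kept receiving
        write_fake_sysfs(root, "ens34", 0x1103, 40)    # monitor counter unchanged
        after = {i: iface_status(i, root) for i in ("ens33", "ens34")}
        return diagnose(before, after, mon="ens34", mgmt="ens33")


if __name__ == "__main__":
    # On a live guest: sample iface_status() twice with time.sleep(5) in between.
    print(demo())
```

A "management sees traffic, monitor sees none" verdict with promiscuous mode already on is exactly the situation both threads describe: the guest side is configured correctly and the frames are being withheld by the virtual switch, so the fix lives on the host (capturing on the host's bridge interface, as the Fusion release notes suggest) rather than in the guest.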

Get bandwidth statistics of network by ip from a linux terminal

I am connected to a local network through a linux system (Ubuntu 14.04).
Is it possible to get the bandwidth usage of other systems connected to the same network? All other systems are also using Ubuntu, however the versions are different on some.
Thanks
This would probably help you:
http://bandwidthd.sourceforge.net/
BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization.
What you can see on the network without having access to the machines depends on the network structure and where the monitoring system is placed.
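The per-host totals a tool like BandwidthD graphs are just byte counts from whatever capture point it sits on, which is why the placement caveat above matters. The script below is an added example for this page (not BandwidthD's code or the posters'); it accounts sent and received bytes per local host from lines in the style of `tcpdump -nn -q`. The sample lines are constructed, and the local subnet 192.168.0.0/24 is taken from the earlier question on this page as an assumption.

```python
"""Per-host byte accounting from a packet capture, the kind of totals BandwidthD graphs.

Added example for this thread; not BandwidthD's code or the original posters'.
The sample lines below are constructed in `tcpdump -nn -q` style, and the
"local" subnet is an assumption.
"""
import ipaddress
import re
from collections import defaultdict

# "<ts> IP <src>.<sport> > <dst>.<dport>: tcp <len>"  or  "...: UDP, length <len>"
# tcpdump -q reports the L4 payload length, so the totals are payload bytes, not wire bytes.
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"(?:tcp (?P<tcp>\d+)|UDP, length (?P<udp>\d+))"
)

# Constructed sample capture (assumption): two LAN hosts, one DNS server, one remote site.
SAMPLE = """\
13:02:11.000001 IP 192.168.0.102.51234 > 203.0.113.10.443: tcp 1200
13:02:11.000500 IP 203.0.113.10.443 > 192.168.0.102.51234: tcp 4000
13:02:12.000000 IP 192.168.0.103.40000 > 192.168.0.1.53: UDP, length 48
13:02:12.000200 IP 192.168.0.1.53 > 192.168.0.103.40000: UDP, length 120
13:02:13.000000 ARP, Request who-has 192.168.0.1 tell 192.168.0.103, length 28
13:02:14.000000 IP 192.168.0.103.40001 > 203.0.113.10.80: tcp 300
"""


def bytes_by_host(lines, local_net="192.168.0.0/24"):
    """Return {ip: {"sent": bytes, "recv": bytes}} for hosts inside local_net."""
    net = ipaddress.ip_network(local_net)
    totals = defaultdict(lambda: {"sent": 0, "recv": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ARP, IPv6, ICMP and so on are not counted by this parser
        size = int(m["tcp"] or m["udp"])
        src, dst = m["src"], m["dst"]
        if ipaddress.ip_address(src) in net:
            totals[src]["sent"] += size
        if ipaddress.ip_address(dst) in net:
            totals[dst]["recv"] += size
    return dict(totals)


def top_talkers(totals, n=3):
    """Local hosts ordered by total bytes, as [(ip, sent, recv), ...]."""
    ranked = sorted(totals.items(),
                    key=lambda kv: kv[1]["sent"] + kv[1]["recv"], reverse=True)
    return [(ip, t["sent"], t["recv"]) for ip, t in ranked[:n]]


if __name__ == "__main__":
    stats = bytes_by_host(SAMPLE.splitlines())
    for ip, sent, recv in top_talkers(stats):
        print(f"{ip:15} sent={sent:6} recv={recv:6}")
```

Only frames that actually reach the capturing interface are counted, which restates the answer's point in code: on a switched network a host sees its own traffic and broadcasts, so per-host totals for the whole subnet need the monitor placed on a mirror port or the gateway.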

Nested VPN over networked VMs -for the pros

I need help with this and hoping someone can answer with a valid suggestion.
Background: I live under potential threats from nefarious entities and need some help with security.
My setup is this (similar)
Internet dropping into a WinXP VM by NAT from the Win7 host (call the first VM "VM1"). Connecting within VM1 to a VPN. This TAP adapter internet connection is then shared with a local network of VMs (VM2 and VM3) connected by a network adapter #2 on a Lan Segment I created.
The other VMs are private. I work from them.
I connect another VPN from within them, tunneling through the VM1 effectively nesting them.
However-
Recently there have been some reasons for concern. I am very concerned now that someone with ill intent could be accessing my VM1 through either the host system's internet connection, or directly from the first VPN, and could be traversing my little LAN segment network and accessing the data on the LAN segment VM2 or VM3 directly, copying data off potentially into VM1 for removal, or other threats.
I recently have had my USB wifi adapter disconnect from the host and connect itself mysteriously directly to my deep VMs, 2 and 3. It's happened several times; I have now removed the USB controller from both of those internal VMs as a precaution. Apparently they wanted to bypass all of my security and just cause the internal deep VMs to connect directly to my wifi and report back the info.
So...
What I need help with is how to keep the LAN segment truly private, with ONLY the VPN internet traffic capable of going through the segment to my upper VM1.
For consideration:
Are there Windows services that should be stopped or removed from within VM2 or 3? Which in particular pose threats?
RDP off in the registry for example?
how to disable all communication between the deep VMs and VM1 except for the passing through of the internet connection and nested VPN?
Would I start in the TCP/IP stack, removing some of it? Do I need pfSense or another firewall VM in between the LAN segment and VM1?
Please help me secure my operating VMs from which I work. Let's call me a journalist under an oppressive regime, hypothetically; I am very concerned for my safety, but cannot abandon my moral obligations and work.
Great question, albeit a bit lengthy and panicked-sounding. I can't know your 'situation' but I'll try to help. First, relax. Second, put pfSense in between your deep VMs and where your internet drops into your machine. Keep your internet dropping into your VM if possible through the use of Xen and PCIe passthrough. Just pass the network card along into your first upper VM, so any attackers would have to escape that and into the host in order to infect it. Try and keep a clean host. Second, image your upper VM where the internet hits and reload it fresh every day. Just copy it over from a USB or such. Prevent persistent threats.
Next, keep an isolated network between your VM1 (upper) and a pfSense VM. Then connect another adapter to pfSense and an isolated network with your "deep VMs". Delete them regularly. Keeping things fresh is one of the keys to avoiding threats and malware etc.
Hope this helps, and best of luck wherever you may be.
**Use encryption in everything.

Virtual box based development for Embedded Linux

I am new to embedded Linux development. I have inherited a particular way of embedded Linux development from the previous developer.
I was just wondering if there is a more industry standard way of working.
This is how he was working,
There is an ARM embedded Linux board which is not on the corporate network and has a fixed IP address of 192.168.0.52. I have a VirtualBox based Linux host which is connected directly to this Linux board via an Ethernet cable. This host has an NFS share with the target for running the cross-compiled binaries. I have to set a fixed IP address for the host of 192.168.0.50. Then I can telnet to the target to run the compiled binaries on the NFS folder. Also, as the VM host is not connected to the corporate network, I cannot use the company-issued SVN for version control. So what I do is have a shared folder via VirtualBox between Windows and the Linux host, and I manually keep transferring the files which I have to commit/test.
What I would ideally like is both networks connected to the corporate network, so that I can update the OS and use version control. Is there a way by which the VM on Windows can access the corporate network and also be connected to the target? IT is not willing to give a static IP to the target. If we connect the target via DHCP, what is the best way to discover it on the network? Also IT is concerned about the traffic it will generate. Can I use a switch to create a subnetwork, so that the target can have a fixed address?
Another question is that they are open to a Linux based host as well. Is a VM based Linux any worse off than a Linux PC? The only problems I have been having are networking based issues, not really VirtualBox issues. But I am curious to know if there are any limitations at all.
In order to have the VM connected to the corporate network, you can setup the VM network adapter in bridge mode.
In order to discover the embedded device, you can use the arp command (for instance: arp -i eth0 -a).
If you have got two network interfaces you could also connect the remote device directly through this interface and setup a dhcp server in your VM.
Personally, I think that with the VM you can do everything that you need (cross-compiling the kernel and bootloader and creating the remote file system). I have been using a VM for embedded Linux development on an AT91SAM board without problems at all.
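The arp-based discovery in the answer amounts to scanning the neighbour table for the board's hardware address. The script below is an added example for this page, not the posters' code; it parses both `arp -a` and `ip neigh` output and picks out entries whose MAC begins with the board's prefix, optionally restricted to the interface cabled to the board. The sample output, the interface names and the MAC prefix 00:11:22 are constructed placeholders (assumptions), not a real vendor OUI.

```python
"""Find a DHCP-assigned embedded board in the neighbour (ARP) table by its MAC prefix.

Added example for this thread; not the original posters' code. Sample output,
interface names and the 00:11:22 prefix are constructed placeholders.
"""
import re

# `arp -a` line:  ? (192.168.0.52) at 00:11:22:aa:bb:cc [ether] on eth1
ARP_A = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) \[ether\] on (?P<dev>\S+)")
# `ip neigh` line: 192.168.0.52 dev eth1 lladdr 00:11:22:aa:bb:cc REACHABLE
IP_NEIGH = re.compile(r"^(?P<ip>[\d.]+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})")

# Constructed `arp -a` output (assumption): eth0 on the corporate LAN, eth1 cabled to the board.
SAMPLE_ARP_A = """\
? (192.168.0.52) at 00:11:22:aa:bb:cc [ether] on eth1
? (10.20.30.1) at 02:00:00:00:00:01 [ether] on eth0
? (10.20.30.77) at <incomplete> on eth0
"""

# The same neighbours as `ip neigh` would print them (constructed).
SAMPLE_IP_NEIGH = """\
192.168.0.52 dev eth1 lladdr 00:11:22:aa:bb:cc REACHABLE
10.20.30.1 dev eth0 lladdr 02:00:00:00:00:01 STALE
10.20.30.77 dev eth0 FAILED
"""


def parse_neighbours(text):
    """Yield (ip, mac, dev) from arp -a or ip neigh output; incomplete entries are skipped."""
    for line in text.splitlines():
        m = ARP_A.search(line) or IP_NEIGH.match(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["dev"]


def find_board(text, mac_prefix, dev=None):
    """IPs of neighbours whose MAC starts with mac_prefix, optionally only on interface dev."""
    prefix = mac_prefix.lower()
    return [ip for ip, mac, d in parse_neighbours(text)
            if mac.startswith(prefix) and (dev is None or d == dev)]


if __name__ == "__main__":
    # On a live host replace the sample with: subprocess.run(["ip", "neigh"], capture_output=True, text=True).stdout
    print(find_board(SAMPLE_ARP_A, "00:11:22", dev="eth1"))
```

The neighbour table only lists hosts the VM has recently exchanged frames with, so on a quiet link the board may not appear until some traffic has crossed the cable; with the answer's other option, a DHCP server on the VM's second interface, you already know the lease you handed out and need no lookup at all.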
