Newbie help?

[Prometheus8282]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

293G

Storage for /nsm

720G

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,
I'm trying to set up Security Onion for a small business, and trying to get 2 things out of it; traffic capture off of a SPAN port, and logs from a Cisco FTD firewall. This is my first real foray into this kind of thing, but a fair bit of experience in networks.

The SPAN port first; it works plugged into another device and wiresharked, so that part is fine. I have it bridged from a physical port to the SO VM in Proxmox, and the port exists in security onion and is part of bond0, I believe. I have not tried to give it an IP address. I rather assumed that traffic would just populate into security onion, but no dice there. Poking around has not come up with anything to allow/capture/view all that traffic pouring in. I even tried stopping firewalld and iptables, just for fun, but nothing there either. Ideas/help would be welcome.

Second, the Cisco device. There's an integration for it, but it appears to require an agent; I wouldn't even know how to install it on a Cisco FTD box, and probably wouldn't want to. I can set the SO box as a syslog server, but without an agent to finish the integration, it does not appear to even listen on the port that I specified. Am I barking up the wrong tree here?

Thank you very much for reading.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

For the proxmox you likely need some additional configuration of the bridge or pass-thru network interface https://docs.securityonion.net/en/2.4/proxmox.html#nic
While you're testing to see if the traffic is reaching your bond0 interface you can run tcpdump -i bond0 that will show you what traffic is getting to the bond0 (monitor) interface for Security Onion.

With the cisco device you can setup the integration and use the existing elastic agent on your standalone deployment and add your integration https://docs.securityonion.net/en/2.4/elastic-fleet.html#adding-an-integration

You can also setup your cisco device to send logs over syslog and point it at your Security Onion box. https://docs.securityonion.net/en/2.4/syslog.html#syslog

[Prometheus8282]

That got me a lot further. You, sir, are awesome.