Lab with Kali, CentOS, Windows, Security Onion

Hi Drizzit89,

Thank you again. What protocol could I use for the format of the snort rule? That's the part that I'm stuck on since Snort does not support the ARP protocol. Also, is there a setting for time when writing Snort rules?

Thank you and I value your help a lot.

Have a great day.
 


You can create rules around time. Take a look at this article as a starting point. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html
All SIEMs should have some means to do time-based rules to detect multiple logins and DoS attacks. You just have to figure out how to structure the rule and not make it too strict or too lenient.
The main thing I think you are missing for your successful Snort rule is the logging source.
What popular networking tool would you use to monitor or view captured network traffic on your PC?
What corresponding tool is included in Security Onion that performs a similar function?
What changes need to be made in that tool to forward appropriate info to Snort to process?
Attempt to answer the above questions in order and I believe you will come to your answer for your rule.
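As an added example (not from this thread or from Security Onion's own rule set), two Snort 2.x-style rules for the footprinting traffic the thread is about (bursts of DNS lookups and UDP traceroute probes from the Kali VM), using the detection_filter option for the time window. Assumptions: $HOME_NET includes the Kali VM, the sids are placeholders in the local 1000000+ range, the 20/60 and 5/30 thresholds are starting values to tune, and Snort's sniffing interface actually receives the VMs' traffic.

```snort
# Added example rules in local.rules style; sid values are placeholders (local range).
# Fires once a single internal host has sent 20 or more DNS queries within 60 seconds,
# e.g. a burst of nslookup runs from the Kali VM. Tune count/seconds to the lab's baseline.
alert udp $HOME_NET any -> any 53 ( \
    msg:"LOCAL DNS query burst from one host (possible footprinting)"; \
    detection_filter:track by_src, count 20, seconds 60; \
    classtype:attempted-recon; sid:1000001; rev:1; )

# Linux traceroute defaults to UDP probes to ports 33434-33534 with a low, increasing TTL.
# Fires once one host has sent 5 such low-TTL probes within 30 seconds.
alert udp $HOME_NET any -> $EXTERNAL_NET 33434:33534 ( \
    msg:"LOCAL UDP traceroute probes from one host"; \
    ttl:<6; \
    detection_filter:track by_src, count 5, seconds 30; \
    classtype:attempted-recon; sid:1000002; rev:1; )
```

If Sguil or Squert never shows these alerts even after a deliberate burst, check whether the sniffing interface sees the VM traffic at all before adjusting the thresholds.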
 
Hi Drizzit89,

Thank you for your advice and guidance. I have tried using Snort through the command prompt in Security Onion. I will take a look at the rule and will let you know.

Thank you again and have a nice day,

Jacob
 
Hi Drizzit89,

After reading through the link that you shared, I included the time settings into the Snort rule and I am now seeing alerts (the command prompt in Security Onion). Thank you again so much for your help. Without your help and suggestions, I wouldn't have been able to figure out the issue and wouldn't have known where to start.

Thank you and have a great day!

Jacob
 
Hello,

I am working with a penetration testing lab environment that uses Kali Linux 2018 VM (as an attacker), CentOS 7 (as a target), Windows Server 2016 (as a target), and Security Onion 2019 (as the Intrusion Detection system). All VMs are in VirtualBox and are on the same local network (I've attached a screenshot of the network to this message).

I am looking to test out some footprinting commands like "whois", "nslookup", and "traceroute". For example, I am using Kali to issue a command like "nslookup www.google.com" and "traceroute www.google.com". My goal is to receive alerts in Security Onion tools (like Sguil, Squert, Kibana) to detect those footprinting commands from Kali. I am not sure why I am unable to do that. I believe it is because Security Onion cannot see the commands being issued because they are gathering information from websites.

In VirtualBox, I am using a NAT adapter for both Kali and Security Onion. I am able to successfully perform the attacks in Kali but cannot detect them in Security Onion (attacks like nslookup and traceroute, just to name a couple of them).

I would appreciate any suggestions/help with this problem. I am stuck as to how to solve it.

Thank you in advance!

Jacob
Hey man, maybe we might be able to help each other. I'm trying to get Parrot Security on my Samsung S8. Do you know how I can do it?
 
Hi TheBigTank, I'd like to help but I'm not familiar with parrot security. What is it?
 
Hey TBT,
I'm not much of an Android fan, but I would check out one of the many videos on YouTube. I saw many comprehensive videos on installing Parrot OS on Android phones without needing to root the phone.
 