No data coming in.

[ToontjeM]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Eval

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

16

Storage for /

131Gb

Storage for /nsm

299Gb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Physical host.
2 NICs, one management, one capture. Connected to Netgear with port mirroring of all ports to the port with the capture interface.

No traffic coming in:

Inbound Monitor Traffic: 0.0 Mb/s
Dropped Monitor Traffic: 0.0 Mb/s
Inbound Mgmt Traffic: 0.0 Mb/s
Outbound Mgmt Traffic: 0.0 Mb/s

Everything i do on or with the onion host i see in the UI, however, i don't see any other traffic. For example, Host Overview and Connections seen by Zeek and Surikata dashboards are empty.

BTW, i do have traffic on this interface:

Output of sudo tcpdump -i enp0s20u2u3i5 -n: trace.log

No traffic on bond0 (might be expected, might not. Looking for feedback).

Tip

Output of ip link show:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 2c:60:0c:38:c8:a2 brd ff:ff:ff:ff:ff:ff
3: enp0s20u2u3i5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:e0:4c:68:e7:67 brd ff:ff:ff:ff:ff:ff
4: wlp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DORMANT group default qlen 1000
    link/ether 6a:31:8c:f9:95:b6 brd ff:ff:ff:ff:ff:ff permaddr d0:7e:35:9e:c0:c3
5: bond0: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 9000 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 26:c9:41:b4:fe:0e brd ff:ff:ff:ff:ff:ff
7: sobridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:8d:cd:4f:15 brd ff:ff:ff:ff:ff:ff
8: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:23:5d:ae:20 brd ff:ff:ff:ff:ff:ff

Output of cat /proc/net/bonding/bond0:

Ethernet Channel Bonding Driver: v5.15.0-302.167.6.1.el9uek.x86_64

Bonding Mode: load balancing (round-robin)
MII Status: down
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Peer Notification Delay (ms): 0

Output of sudo so-status

                       Security Onion Status                        
                         Container │ Status  │              Details 
───────────────────────────────────┼─────────┼──────────────────────
                 so-dockerregistry │ running │           Up 3 hours 
                     so-elastalert │ running │           Up 3 hours 
                  so-elastic-fleet │ running │           Up 3 hours 
 so-elastic-fleet-package-registry │ running │ Up 3 hours (healthy) 
                  so-elasticsearch │ running │           Up 3 hours 
                       so-idstools │ running │           Up 3 hours 
                       so-influxdb │ running │ Up 3 hours (healthy) 
                         so-kibana │ running │           Up 3 hours 
                         so-kratos │ running │           Up 3 hours 
                          so-nginx │ running │ Up 3 hours (healthy) 
                      so-sensoroni │ running │           Up 3 hours 
                            so-soc │ running │           Up 2 hours 
                so-strelka-backend │ running │           Up 3 hours 
            so-strelka-coordinator │ running │           Up 3 hours 
             so-strelka-filestream │ running │           Up 3 hours 
               so-strelka-frontend │ running │           Up 3 hours 
             so-strelka-gatekeeper │ running │           Up 3 hours 
                so-strelka-manager │ running │           Up 3 hours 
                       so-suricata │ running │           Up 3 hours 
                       so-telegraf │ running │           Up 3 hours 
                           so-zeek │ running │ Up 3 hours (healthy) 

 ✔ This onion is ready to make your adversaries cry!

Tip

Found this in the suricata stats:

capture.afpacket.polls                        | Total                     | 1202088
capture.afpacket.poll_signal                  | Total                     | 0
capture.afpacket.poll_timeout                 | Total                     | 1202088

Not sure what i forgot to configure. any ideas where to look?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

What does sudo nmcli con show return?

[ToontjeM]

NAME                       UUID                                  TYPE      DEVICE   
enp8s0                     6ae58f81-fb0c-44bd-b496-0bed65ca8b6a  ethernet  enp8s0   
bond0                      c68200a1-85f5-4c1b-a99e-69744658642c  bond      bond0    
docker0                    a4758b41-8c41-4441-91c7-cb83994eea94  bridge    docker0  
lo                         b71edcad-2f06-420a-9f98-9352d4dc54d2  loopback  lo       
sobridge                   b59be705-14a0-46cd-8201-4ee179b07be1  bridge    sobridge 
bond0-slave-enp0s20u2u3i5  e0ae1bcd-b0a0-4dd6-8f5f-9fd52a2d57fb  ethernet  --       
enp0s20u2u3i5              8e1caf07-0aba-4a94-9fd2-86c2f83807f2  ethernet  --       

[ToontjeM]

QQ: Why do i have a bond when i only have one slave?

[ToontjeM]

I think i found something here. When i look in the Administration/Configuration i see Strelka, Zeek and Suricata (and Stenographer) as Enabled: false. Defaults are also false. Is it supposed to be like that? Because https://onion/docs/architecture.html#architecture tells me that those components take care of the packet capture and decoding.

Maybe i have not gone through some post-installation configuration process?

[ToontjeM]

Went through sosetup.log and saw this as well:

│2024-11-26T14:00:50Z | INFO | Verifying setup                                                                                              │
│WARNING: Errors detected during setup.                                                                                                     │
│--------- ERRORS ---------                                                                                                                 │
│Error: Connection activation failed: Unknown error 

The journey continues.....

sudo journalctl -xe NM_CONNECTION=e0ae1bcd-b0a0-4dd6-8f5f-9fd52a2d57fb + NM_DEVICE=enp0s20u2u3i5

Nov 28 11:12:12 onion NetworkManager[826]: <info>  [1732792332.0242] device (enp0s20u2u3i5): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
Nov 28 11:12:12 onion NetworkManager[826]: <warn>  [1732792332.0261] device (enp0s20u2u3i5): mtu: failure to set MTU. Did you configure the MTU correctly?
Nov 28 11:12:12 onion NetworkManager[826]: <warn>  [1732792332.0261] device (enp0s20u2u3i5): Activation: connection 'bond0-slave-enp0s20u2u3i5' could not be attached as port
Nov 28 11:12:12 onion NetworkManager[826]: <warn>  [1732792332.0262] device (enp0s20u2u3i5): mtu: failure to set MTU. Did you configure the MTU correctly?

I start to think that, because enp0s20u2u3i5 is in monitor mode, it cannot be added to the bond. Am i wrong?
Two questions now:

• Does enp0s20u2u3i5 need to be in monitor mode?
• Do i need to mirror all my traffic to the probe port on my switch?

My thinking is that both answers needs to be a "yes", but i just want to be sure.

[ToontjeM]

SOLVED IT!!
(well, got it working)

bond0 was configured for an MTU of 9000 which my monitor interface cannot handle. Changed mtu=9000 to mtu=1500 in /etc/NetworkManager/system-connections/bond0.nmconnection, ran nmcli connection down bond0 and nmcli connection up bond0 and i see traffic in my dashboard now.