Help with Security Onion/Snorby

I have a small virtualized environment (about 10 servers) where I set up Security Onion. It's acting as a server and a sensor. This particular server has two NICs (one for management, one for monitoring). I went through the setup and installed all the updates. My event count in Snorby is sitting at zero. Can someone help me unearth what is going on? I've been a Windows guy for a long time and am just now stepping into the Ubuntu/Linux world. I've been trying to use the online Security Onion guide, but it hasn't been too helpful.
Rich Rumble (Security Samurai) commented:
Are you listening (monitoring) to the outside (the internet) or the inside (your LAN/network)? Listening on an external interface should reveal quite a bit of noise; on the inside you should see much less.
You typically want to listen on the inside; that way you can be sure the traffic you see is actually getting through and into your network.
I have a pcap you can use that contains nothing but traffic that should register as an alert. You can use tcpreplay or just Snort's command line to read the pcap.
I've not set up the Onion in a while, but does it come with any Snort rules by default? If not, download some from ET (Emerging Threats) and make sure you enable the rule sets in snort.conf. I prefer Suricata myself, but Snort is still the old stand-by. Suricata is multi-threaded and can take on a larger load than Snort can with its single thread.
./snort --pcap-single=emerging-threats-oct-15-2015
Pcap ->
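A concrete way to do what Rich describes above (feed the sensor a capture that must produce an alert, then read it with Snort's command line), as an added example that is not part of the thread and not Rich's pcap: the Python script below writes a small pcap containing a complete TCP session (3-way handshake plus one data segment) whose payload carries a marker string, and prints a matching local rule. Everything in it is constructed for the test: the marker, the rule text and its sid (1000001, in the range reserved for local rules), the 203.0.113.10 client and 192.168.1.20 server addresses, the MAC addresses and the timestamp.

```python
"""Build a small, self-contained pcap that a Snort/Suricata sensor should alert on.

Added example (not from the original thread): it writes a four-packet TCP
session, a full 3-way handshake plus one data segment carrying a marker
string, so `snort -r` has a complete stream to inspect.  The rule in
LOCAL_RULE, the sid, the addresses (RFC 5737 client, RFC 1918 server) and
the MAC addresses are all constructed for this test.
"""
import socket
import struct

MARKER = b"SNORT-ONION-TEST"

# Hypothetical local rule matching the marker; sid >= 1000000 is the range
# reserved for locally written rules.  The address variables mean it only
# fires when traffic crosses from EXTERNAL_NET into HOME_NET.
LOCAL_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"LOCAL test marker seen"; content:"SNORT-ONION-TEST"; '
    'classtype:misc-activity; sid:1000001; rev:1;)'
)

SYN, ACK, PSH = 0x02, 0x10, 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with valid IP and TCP checksums.

    Snort's stream tracking ignores segments with bad checksums by default,
    so a hand-built packet must carry correct ones.
    """
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags,
                      65535, 0, 0) + payload
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, tcp_len))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]

    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]

    # Constructed MAC addresses; Ethertype 0x0800 = IPv4.
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(packets, linktype=1):
    """Classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    base_ts = 1444867200  # constructed timestamp, 2015-10-15 UTC
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", base_ts, i * 1000, len(pkt), len(pkt)) + pkt
    return out


def packet_count(pcap: bytes) -> int:
    """Walk the record headers; used to sanity-check the writer."""
    off, n = 24, 0
    while off < len(pcap):
        (incl_len,) = struct.unpack_from("<I", pcap, off + 8)
        off += 16 + incl_len
        n += 1
    return n


def build_test_capture(client="203.0.113.10", server="192.168.1.20"):
    """Client outside HOME_NET talks to a server inside 192.168.0.0/16."""
    cseq, sseq = 1000, 5000
    pkts = [
        build_packet(client, server, 40000, 80, cseq, 0, SYN),
        build_packet(server, client, 80, 40000, sseq, cseq + 1, SYN | ACK),
        build_packet(client, server, 40000, 80, cseq + 1, sseq + 1, ACK),
        build_packet(client, server, 40000, 80, cseq + 1, sseq + 1, PSH | ACK,
                     b"GET /" + MARKER + b" HTTP/1.0\r\n\r\n"),
    ]
    return build_pcap(pkts)


if __name__ == "__main__":
    with open("snort-test.pcap", "wb") as fh:
        fh.write(build_test_capture())
    print("wrote snort-test.pcap; add this rule to local.rules and re-run the rule update:")
    print(LOCAL_RULE)
```

Put the printed rule into the sensor's local.rules, re-run the rule update, then read the file with `snort -r snort-test.pcap -c <path to your snort.conf> -A console`. If the "LOCAL test marker seen" alert appears on the console but never reaches Snorby, the sensor side is fine and the gap is downstream of the unified2 output (the spooler and database), which narrows the search considerably.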
nflynn85 (Author) commented:
I'm primarily using this to monitor the inside of a network, behind the firewall. I wanted to set this up for internal intrusion detection and network monitoring.

It does come with rules, and I ran the following to update the rules:

sudo -i

I figured I wouldn't be seeing many alerts but still should have been seeing SOME traffic/events (assuming I set up the monitoring interface correctly, but currently seeing zero).

I'm not sure how to use tcpreplay or Snort's command line to read the pcap (I'm new to all these tools, and to Linux).
Rich Rumble (Security Samurai) commented:
You won't see anything in Snort unless it's an alert, or you're running the verbose console on the command line. Snort will only log alerts; you can use tcpdump or Wireshark to make sure you're getting data, but Snort will only trigger if you've defined your HOME_NET (one of the 3 RFC 1918 ranges, typically) and you have to get exploits coming in :)
Copy the pcap to your Linux machine, maybe using a USB, and you can invoke Snort from the command line terminal. Change the path of the emerging-threats-oct-15-2015.pcap to your USB:
./snort --pcap-single=/media/usb/emerging-threats-oct-15-2015.pcap or
./snort --pcap-single=/dev/sdb1/emerging-threats-oct-15-2015.pcap (whatever the path to the USB is)
That pcap should get you something. I've not used Snorby as a front end, so maybe it knows how much traffic it sees with or without alerts; check using Wireshark or tcpdump that you're seeing traffic that can generate an alert.
Are you sure your monitoring (SPAN/mirror/tap) ports are working?
nflynn85 (Author) commented:
tcpdump shows a bunch of traffic, so I would assume my monitoring interface is working correctly, and there are no events because nothing is being compromised.

Thanks for the help, but I really need someone who has experience using Security Onion and knows their way around it. For now, I'll go back to reading and watching YouTube videos and maybe someone will jump in and assist. Thanks again!
Rich Rumble (Security Samurai) commented:
I know the Onion, but I don't use Snorby as a front-end. Have you tried the pcap to see if Snort will log to the unified2 log or your MySQL DB? I know Snort, but I like Suricata better; I still know Snort better (10 years of using it). Have you defined your HOME_NET?
nflynn85 (Author) commented:
You're speaking another language to me lol - no idea what you mean by defining my HOME_NET.

The guy who made the Onion has videos on YouTube that have been helpful and almost like a basic training - I've simulated traffic with some pcaps he has stock on the install.
Rich Rumble (Security Samurai) commented:
HOME_NET is typically an RFC 1918 subnet (10.x.x.x, 192.168.x.x, 172.16.x.x). Typically, that is; not everyone uses those as their internal network, and if yours is different then you might need to redefine the HOME_NET variable in snort.conf. If you are comfortable with Windows, I might suggest Suricata, or Snort on Windows, as opposed to using the Onion. There are binaries for both, and it's not too difficult to install WAMP or XAMPP and get MySQL and the front-end (Snorby, Sguil, Aanval etc.) set up.
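What "defining HOME_NET" means for whether a rule can fire, as an added example that is not part of the thread: most downloaded rules are written as `$EXTERNAL_NET any -> $HOME_NET any`, so Snort evaluates the source and destination of every packet against the `ipvar` definitions in snort.conf before it ever looks at the rule's content. The script below parses two constructed snort.conf fragments (one with the usual RFC 1918 ranges, one where HOME_NET misses the 192.168.x.x hosts being watched) and reports, for a handful of constructed flows, whether such a rule could match. The config text, the flows and the function names are all assumptions for illustration; the evaluator handles the address syntax commonly met in these variables (any, CIDR, $VAR, !negation, bracketed lists) and nothing more exotic.

```python
"""Check which flows a Snort rule written as `$EXTERNAL_NET -> $HOME_NET`
can actually match, given the ipvar lines in snort.conf.

Added example (not from the original thread).  The snort.conf fragments and
the flows below are constructed; the evaluator covers the address syntax a
practitioner meets in HOME_NET/EXTERNAL_NET definitions (any, CIDR, $VAR,
!negation and [bracketed lists]) and nothing more exotic.
"""
import ipaddress
import re

# Constructed snort.conf fragments, not from the page or from Security Onion.
SAMPLE_CONF = """\
# typical definition: all three RFC 1918 ranges are "home"
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar EXTERNAL_NET !$HOME_NET
"""

MISCONFIGURED_CONF = """\
# HOME_NET does not cover the 192.168.x.x hosts the sensor actually watches
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET
"""

# Constructed flows: (source, destination) as seen on the monitoring NIC.
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.168.1.20"),   # outside -> inside
    ("192.168.1.5", "192.168.1.20"),    # inside -> inside
    ("192.168.1.20", "93.184.216.34"),  # inside -> outside
]


def parse_ipvar(conf_text: str, name: str) -> str:
    """Return the raw value of `ipvar <name> ...` from a snort.conf body."""
    m = re.search(r"^\s*ipvar\s+%s\s+(.+?)\s*$" % re.escape(name), conf_text, re.M)
    if not m:
        raise KeyError("no ipvar %s in config" % name)
    return m.group(1)


def matches(ip: str, spec: str, variables: dict) -> bool:
    """Evaluate a Snort address spec against one IP address."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not matches(ip, spec[1:], variables)
    if spec.startswith("$"):
        return matches(ip, variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        items = [s.strip() for s in spec[1:-1].split(",") if s.strip()]
        # Snort semantics: a negated entry carves an exception out of the rest.
        if any(matches(ip, it[1:], variables) for it in items if it.startswith("!")):
            return False
        positives = [it for it in items if not it.startswith("!")]
        return not positives or any(matches(ip, it, variables) for it in positives)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def audit_flows(conf_text: str, flows):
    """For each flow, report whether an EXTERNAL_NET -> HOME_NET rule could fire."""
    variables = {name: parse_ipvar(conf_text, name)
                 for name in ("HOME_NET", "EXTERNAL_NET")}
    return [
        (src, dst, matches(src, "$EXTERNAL_NET", variables)
                   and matches(dst, "$HOME_NET", variables))
        for src, dst in flows
    ]


if __name__ == "__main__":
    for label, conf in (("typical", SAMPLE_CONF), ("misconfigured", MISCONFIGURED_CONF)):
        print(label)
        for src, dst, hit in audit_flows(conf, SAMPLE_FLOWS):
            print("  %-15s -> %-15s  rule can fire: %s" % (src, dst, hit))
```

Two things the output makes visible: with EXTERNAL_NET defined as `!$HOME_NET`, inside-to-inside traffic can never match an inbound rule, which is one reason a quiet internal segment shows few events even when the sensor is working; and with a HOME_NET that misses the watched subnet, inbound traffic to those hosts matches nothing at all, so "zero events" with plenty of traffic in tcpdump is exactly what a wrong HOME_NET looks like.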
nflynn85 (Author) commented:
Thanks for the info. We are using 192.168.x.x, so it doesn't seem to require redefinition.
Rich Rumble (Security Samurai) commented:
It should not :) Would you like to use Windows instead? It's not difficult, but there is no Onion for Windows. It might be best to learn on Win first.
nflynn85 (Author) commented:
I'm not opposed to learning how to use some Windows tools in addition to the Onion. The Onion seems to be working just fine, so I'd be interested to see what I can learn on the Windows side of things to help improve the overall security posture behind the firewall.
Rich Rumble (Security Samurai) commented:
I can help you with Snort on Windows; if you want Suricata, have a look at the guides I've contributed to here:
The PDF allows you to make Suricata from source if you want, or just download the binary.

Back to the Onion... What other help can we provide? If the pcap was run, it should have logged some alerts; are you seeing alerts now? You can run SQLMap or Nmap and other tools against a host you're monitoring and it should trigger as well, depending on your ruleset and/or settings in the snort.conf.
nflynn85 (Author) commented:
Excellent. I'll take a look at it and let you know if I have any questions.

As far as the Onion goes, I was able to generate alerts via the tutorials provided on youtube.

There just isn't a TON of traffic flowing in and out of my environment, and none of it is being identified as malicious. I'm not seeing any events being generated for the traffic.

My environment sits behind a firewall, and access to the server from outside IPs has to be whitelisted/have a firewall rule to allow access.
nflynn85 (Author) commented:
I was able to find the answers to my own questions by going through the YouTube training(s) that were available on the Security Onion website.

nflynn85 (Author) commented:
The technician that helped didn't really provide the answer I was looking for, and I was able to more or less figure it out myself with the help of YouTube videos.