No alerts from agents - Fresh SO v2.4.140 install - No traffic on bond0 (realtek rtl8125)

[ll3N1GmAll]

Version

2.4.140

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

6

RAM

32GB

Storage for /

292.97GB

Storage for /nsm

1.52TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Fresh ISO install of SO v2.4.130, updated via soup to 2.4.140.

Agents installed successfully to linux and windows hosts; yet they result in no alerts coming in. Dashboard shows events for each endpoint. Enrollment of all endpoints is successful. Still no alerts populate. All systems show healthy in console.

sudo salt-call state.highstate results in no errors.

so-status shows everything is healthy and running.

bond0 (monitoring) interface is a 2.5Gb RTL8125 NIC. MTU is set ,by default, to 9000. I followed the answer in #13983 to set the MTU to 1500, then brought the interface down, then back up as per the answer. This had no effect. Also, the MTU still shows as 9000 when I run ifconfig. The config file /etc/NetworkManager/system-connections/bond0.nmconnection shows the MTU for bond0 is set to 1500. Not sure why ifconfig shows it set to 9000 even after changing it in /etc/NetworkManager/system-connections/bond0.nmconnection, then running nmcli connection down bond0 and nmcli connection up bond0.

Ran packet capture on SPAN port on firewall to confirm SPAN port is mirroring traffic as expected. This is working correctly. Yet, there is no traffic being seen on bond0 when running tcpdump on bond0 from SO machine.

With agents installed, I would expect to see alerts even if the monitoring interface was not working properly. We have used SO in the past on version 2.3 without the use of a monitoring interface connected to a SPAN or TAP and gotten alerts generated from the array of agents that were installed on the older 2.3 platform. We also had a SO 2.4 standalone setup in a VM with 2 NICs; but the 2nd NIC was not connected to the SPAN port, and we got alerts coming in from our endpoints without issue.

The only other anomally is the following elastic_agent message in the dashboard under events: DNS lookup failure "<hostname>": lookup <hostname> on 127.0.0.53:53: server misbehaving. Not sure if this is relevant at all; but didn't want to leave it out as it's the only other thing I've noticed that is out of sorts.

Thanks to anyone who can assist or point me in the right direction. I finally got the hardware to dedicate to a non-VM SO solution and I'm confused as to why it's misbehaving so..

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

For your endpoints you may need to enable different detections. Are you receiving endpoint logs you expect to trigger an alert?
From SOC -> Detections you can enable different SIGMA rules to search your endpoint logs and raise alerts. https://docs.securityonion.net/en/2.4/sigma.html#sigma

If you aren't receiving any traffic on bond0

• Does bond0 show as up? ip a bond0 & the interface name associated with your 2.5Gb NIC should show as UP with MTU of 9000
• How are you collecting traffic ? TAP ? SPAN? If SPAN what does the SPAN configuration look like? Does it support viewing what data is being sent out the SPAN? Is that SPAN connection UP?

[ll3N1GmAll]

These endpoints were sending logs to the previous VM SO deployment and triggered alerts properly. The setup process was the same for this bare metal and the VM deployment. I verified the new agents from this bare metal deployment were installed successfully according to the agent installer's output after running the agent. We maually uninstalled the agents from the VM SO deployment before installing the new agent from the bare metal deployment's downloads page.

I have enabled some more SIGMA detections to check for alerts (there were numerous already enabled). The only alert I have present (and the only one I saw previously) is a SOC Login Failure from mistyping the password when I tried to login to SO. I will report back once the SIGMA rules have been enabled for a while.

The bond0 interface does show as down. When I issued the ``sudo nmcli connection up bond0'' command, I received the following output:

Connection successfully activated (controller waiting for ports) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)

I assumed it worked as the output suggested. However, when I run ip a, I see the interface is still down. The MTU shows as 9000. Should I set the /etc/NetworkManager/system-connections/bond0.nmconnection config file back to a MTU setting of 9000 instead of the 1500 I changed it to as a result of the answer in #13983? Even though the MTU setting in that config file is set to 1500, it still shows as 9000 when I run ip a.

I am sending traffic to bond0 via SPAN which is setup on a pfsense router. The SPAN configuration appears to be functioning correctly and is definitely up. I ran a packet capture on the SPAN interface and I am seeing the same traffic on it as I see on the LAN interface it is mirroring.

Thank you for your reply!

Main questions:

1. Any idea why this bond0 interface is, seemingly, showing me that bringing it up was successful in the command output; but is not actually coming up as a result? I could not find any issues with the RTL8125 NIC and SO when I searched before posting this issue.

2. Any idea why alerts are not coming in as expected when detections are enabled and endpoints are enrolled and sending events into SO (other than login failures to SO itself)?

[ll3N1GmAll]

Correction, bond0 is UP. The interface is just in a down state in the ip a output because it is not recognizing anything plugged into it. When I run ifconfig I get the following output that shows the interface is UP:

bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 9000
        ether <MAC ADDRESS>  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Also, I did test the ethernet cable and confirmed it is working on another machine as expected.

[ll3N1GmAll]

After allowing SO to run after enabling all of the SIGMA alerts, I am seeing one alert from only one endpoint coming into the Alerts console. This is Execution Of Non-Existing File. Nothing else is coming in and the bond0 interface still is not seeing any data coming in.