Integrating OPNsense Suricata into Security Onion 2.4.111 #14051
Unanswered. IllyaShoer asked this question in 2.4. Replies: 0 comments
Version: 2.4.111
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: airgap
Hardware Specs: Exceeds minimum requirements
CPU: 16
RAM: 32
Storage for /: 5 TB
Storage for /nsm: 5 TB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: Yes, there are salt failures (please provide detail below)
Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail
Hello, when setting up the integration with OPNsense version 24.7.11_2, there was a problem with loading rules from SO, namely a problem connecting to SO. I am attaching the log file from OPNsense.
2024-12-25T18:36:14 Error rule-updater.py download failed for https://secon.my.domain:7789//all.rules (HTTPSConnectionPool(host='secon.my.domain', port=7789): Max retries exceeded with url: /all.rules (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x161fefc5de90>, 'Connection to secon.my.domain timed out. (connect timeout=None)')))
The configuration of the onion.xml file looks like this
```xml
<?xml version="1.0"?>
<ruleset documentation_url="http://docs.opnsense.org/">
  <location url="https://secon.my.domain:7789/" prefix="SecurityOnion"/>
  <files>
    <file description="SecurityOnion rules">all.rules</file>
    <file description="SecurityOnion" url="inline::all.rules">all.rules</file>
  </files>
</ruleset>
```
I configured Security Onion according to the documentation, enabled nginx -> config -> external_suricata, and added the OPNsense IP address to the firewall, but when loading rules on the SO manager I observe the following in /var/log/messages:
Dec 25 17:27:09 secon kernel: IPTables-dropped: IN=ens33 OUT= MAC=00:50:54:33:8c:45:06:7b:d3:54:50:a5:07:04 SRC=opnsense.my.domain DST=secon.my.domain LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=15844 DPT=7789 WINDOW=65228 RES=0x00 SYN URGP=0
The output of the `ss -tulpn` command shows that port 7789 is not listening. Please help solve this problem.
Thanks in advance
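As an added triage example (the editor's, not code from the original post, from OPNsense or from Security Onion): a shell helper that reads the two artifacts quoted in the post, `ss -tulpn` output and the IPTables-dropped kernel lines from /var/log/messages, and tells the two failures apart. The function names, the verdict strings and the sample `ss` output are constructed for the example; the log lines mirror the one quoted above.

```shell
#!/usr/bin/env bash
# Added triage helper for the situation described in the post. Not part of the
# original post, OPNsense or Security Onion; function names, verdict strings and
# sample data below are the editor's own constructions. It separates two
# independent symptoms on the Security Onion manager:
#   1. no process bound to tcp/7789 (nginx never picked up external_suricata)
#   2. the manager's host firewall dropping OPNsense's SYN to tcp/7789
# On a real manager:
#   diagnose 7789 "$(sudo ss -tulpn)" "$(sudo grep IPTables-dropped /var/log/messages)"

# listener_present PORT   (reads `ss -tulpn` output on stdin)
# Exit 0 if any TCP socket is in LISTEN state on PORT, on any local address.
listener_present() {
  awk -v port="$1" '
    $1 == "tcp" && $2 == "LISTEN" {
      n = split($5, a, ":")          # "0.0.0.0:7789" or "[::]:7789": last field is the port
      if (a[n] == port) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# dropped_syns_to PORT   (reads kernel log lines on stdin)
# Print the unique SRC of every SYN to PORT that the IPTables-dropped rule logged;
# exit 1 if there were none.
dropped_syns_to() {
  hits=$(grep -E "IPTables-dropped:.* DPT=$1 .* SYN " || true)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u
}

# diagnose PORT SS_OUTPUT LOG_LINES
# Print one verdict line combining both checks, e.g. "no-listener,syn-dropped-by-iptables".
diagnose() {
  if printf '%s\n' "$2" | listener_present "$1"; then v=listener-ok; else v=no-listener; fi
  if printf '%s\n' "$3" | dropped_syns_to "$1" >/dev/null; then
    v="$v,syn-dropped-by-iptables"
  else
    v="$v,no-iptables-drop"
  fi
  printf '%s\n' "$v"
}

# Constructed sample: the manager as the post describes it (22 and 443 bound, nothing on 7789).
SAMPLE_SS_BROKEN='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=1000,fd=3))
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=2000,fd=6))
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*     users:(("syslog",pid=3000,fd=5))'

# Constructed sample: the same host once nginx has actually bound the external_suricata port.
SAMPLE_SS_FIXED=$(printf '%s\n%s' "$SAMPLE_SS_BROKEN" \
  'tcp   LISTEN 0      4096         0.0.0.0:7789       0.0.0.0:*     users:(("nginx",pid=2000,fd=7))')

# Kernel log lines: the first is the one quoted in the post, the second is a constructed retry.
SAMPLE_LOG='Dec 25 17:27:09 secon kernel: IPTables-dropped: IN=ens33 OUT= MAC=00:50:54:33:8c:45:06:7b:d3:54:50:a5:07:04 SRC=opnsense.my.domain DST=secon.my.domain LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=15844 DPT=7789 WINDOW=65228 RES=0x00 SYN URGP=0
Dec 25 17:27:12 secon kernel: IPTables-dropped: IN=ens33 OUT= MAC=00:50:54:33:8c:45:06:7b:d3:54:50:a5:07:04 SRC=opnsense.my.domain DST=secon.my.domain LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=15847 DPT=7789 WINDOW=65228 RES=0x00 SYN URGP=0'

printf 'as reported: %s\n' "$(diagnose 7789 "$SAMPLE_SS_BROKEN" "$SAMPLE_LOG")"
printf 'after fix:   %s\n' "$(diagnose 7789 "$SAMPLE_SS_FIXED" "")"
```

The two symptoms are independent and each needs its own fix: a SYN from the OPNsense address being dropped by iptables means the manager's firewall rule for that host was never applied, and no LISTEN socket on tcp/7789 means nginx is not serving the external_suricata ruleset at all. Security Onion applies both the host firewall and the nginx configuration through salt, so the salt failures reported in the form above are the first thing to resolve before retrying the rule download. The double slash in the failing URL (`7789//all.rules`) comes from the trailing slash on the `location url` being joined with the file name; nginx merges consecutive slashes by default (`merge_slashes on`), so it is unlikely to be the cause, but the TCP connection has to succeed before that matters.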