0

Setting a Static IP Monitoring Interface in Security Onion

It is HIGHLY recommended to try to find a way to use Security Onion as intended, with a passive (non-IP assigned) port for monitoring in a TAP configuration.

Even so, sometimes a simple passive or tap port is just not going to cut it. One example of this is when running in a virtual environment where a TAP isn’t possible to get to the edge of the network for monitoring. In that case, it might be necessary to redirect traffic to an IP.

In this case you will need to reconfigure the monitoring interface of Security Onion to actually use an IP.

To do this simply navigate to your interfaces file in /etc/network and edit it using your favorite editor, gedit, nano, pico, vim, vi, etc… I’d recommend anything with maybe the exception of ed; man were those days painful.

Find your monitoring interface portion of the configuration. It should be the section that contains the promisc flags like those below.

auto eth0
iface eth0 inet manual
  up ifconfig $IFACE -arp up
  up ip link set $IFACE promisc on
  down ip link set $IFACE promisc off
  down ifconfig $IFACE down
  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done

Now, simply change the top few lines to the following

auto eth0
iface eth0 inet static
  address YOURIPHERE
  netmask YOURNETMASKHERE
  up ifconfig $IFACE -arp up
...

After this change, just to make sure everything is clean, I would do a reboot. Once back online you should now be able to point your logs and other activity at the IP you specified in the configuration above.

Happy monitoring!

Torry Crass

Leave a Comment