Hyper-V VM Sensor not sensing any traffic

[kspringer-maf]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

12

Storage for /

200

Storage for /nsm

500

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

We have a Manager VM and Search VM installed in Proxmox host server. We're attempting to install Forward Sensor VM in a Hyper-V host server. We've configured the Hyper-V virtual switches to mirror their traffic to the SO Sensor VM interface as the destination. Sensor VM is installed successfully and everything shows healthy in Manager Gui. Salt-call state.highstate shows all good with 0 errors. But there is no Zeek or Suricata traffic being sensed by the Sensor. We've tested the Hyper-V virtual switch configuration with a Wireshark VM and we can see the mirrored traffic, but when we duplicate it for the SO VM we see 0 traffic. We've even built a second SO Sensor VM and had the same problem. We have no problems with ESXi or Proxmox Sensor VM's, only Hyper-V. The SO documentation is mysteriously missing Hyper-V instructions. Has anyone got this working? Is there some magic sauce we're overlooking? A Nic driver issue perhaps between Redhat and Hyper-V? Is there some extra step after installation that we need to perform?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[kspringer-maf]

Additional info: tcpdump shows lots of traffic on the Sensor's OS interface (eth1), presumably proving that it's not a virtual switch issue in Hyper-V, and also on the bonded interface (bond0). docker0 interface shows no traffic at all. sobridge interface show lots of traffic. All the veth interfaces show traffic as well.

There's nothing being collected by Zeek or Suricata docker containers. The Influxdb graphs show traffic spikes on the Zeek and Suricata 'Monitor Interface Traffic - Inbound' graphs, but show 'No Results' on the 'Container Traffic - Inbound' graphs. How would I go about resolving this apparent container issue? I've already rebuilt, rebooted, updated.

[kspringer-maf]

running 'so-test' on the Sensor succeeds without errors, but nothing shows up in the Manager gui

[kspringer-maf]

Additional Sensors on other Hyper-V hosts are working fine in a different network environments. We still don't know why this is happening on the host in question, but we're leaning towards a network issue between the Sensor VM and the Manager VM, even though the Sensor can talk to the Manager, and the Manager can talk to the Sensor.

[kspringer-maf]

This issue is resolved. It turns out that the ports required for the data to transfer from the Sensor to the Manger were not opened. Per this How-To https://docs.securityonion.net/en/2.4/firewall.html#firewall we only opened 443, 5000, 8086, 4505, 4506 through to the Manager. That made everything show Healthy, but no logs were sent from Sensor to Manager. When we allowed the rest of the ports all the traffic came in as expected.

I suggest the docs be updated to reflect the accurate list of required ports in the 'All nodes to Manager' list.

[dougburks]

What exactly were the ports that were missing from your firewall? Was it the ports listed under the Elastic Agent section?

From https://docs.securityonion.net/en/2.4/firewall.html#node-communication:

Elastic Agent:

TCP/8220 (All nodes to Manager, Fleet nodes) - Elastic Agent management

TCP/8443 (All nodes to Manager) - Elastic Agent binary updates

TCP/5055 (All nodes to Manager, Fleet nodes, Receiver nodes) - Elastic Agent data