SOSetup Doesn't Support Unique Interface Names

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Edit /etc/udev/rules.d/70-persistent-net.rules to include interfaces with 
unique names. E.g. ethL1 or igb1
2. Reboot
3. Run sudo sosetup
4. Only interfaces in format ethXX are included in the /etc/network/interfaces 
set up.

What is the expected output? What do you see instead?
All interfaces should show up regardless of name.

Are you using the new Security Onion 12.04?
Yes. Currently on Ubuntu 12.04 x64 Server

Did you install from the ISO image or did you install your own version of
Ubuntu and then add our PPA and packages?
The latter method.

Please provide any additional information below.
It's often very helpful to rename interfaces with something more descriptive, 
especially when the sniffer/server boxes have a large number of interfaces.

DM

Original issue reported on code.google.com by dylan.me...@gmail.com on 11 Mar 2013 at 9:14

[GoogleCodeExporter]

Hi Dylan,

Would you like to work adding support for this?

Thanks,
Doug

Original comment by doug.bu...@gmail.com on 12 Mar 2013 at 10:42

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Doug,

I'd be willing to take a crack at it. What do I need to get started? A git 
clone, make the changes, test, and commit to test?

I've also discovered another issue with this. The script gets confused when 
writing bro configs if two interfaces have the same string in them. This is 
probably caused by regex that isn't specific enough, such as missing an end 
line $.

Example:
eth1
eth10
eth100
eth11

If eth10 and eth100 are choosen as sensors, the bro node.cfg ends up like this:

[snortdb-eth10]
type=worker
host=192.168.1.1
interface=eth10
eth100
lb_method=pf_ring
lb_procs=6

[snortdb-eth100]
type=worker
host=192.168.1.1
interface=eth100
lb_method=pf_ring
lb_procs=6

Bro then fails to start because of the single, "eth100\n" line and causes a lot 
of other issues.

Original comment by dylan.me...@gmail.com on 13 Mar 2013 at 8:21

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

We're not using git (yet), so you can just start with the latest updates from 
our standard repo.  Once you've have something that's working, you can just 
submit it to me via this page or email.  Thanks!

Original comment by doug.bu...@gmail.com on 13 Mar 2013 at 8:25

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Did this particular issue ever get resolved ? 

Original comment by jwelt...@gmail.com on 15 Sep 2013 at 4:20

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

I haven't heard anything from Dylan.

Original comment by doug.bu...@gmail.com on 15 Sep 2013 at 5:05

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

I'll take care of this if no one else is working on it. Is anyone trying?

Original comment by jonsch...@gmail.com on 15 Dec 2013 at 7:52

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

I'm not aware of anyone working on this currently.

Go for it!

Original comment by doug.bu...@gmail.com on 16 Dec 2013 at 1:44

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

I'm testing a change for this now. This corrected the issue of interfaces other 
than "eth|br|wan", etc and also should correct the regex for finding interfaces.

Changes will need to be made for two scripts: /usr/bin/sosetup and 
/usr/bin/sosetup-network.

Luckily the change is minor (3 places in both sosetup and sosetup-network).

===CHANGE===
/usr/bin/sosetup
Lines 43, 194, 471
#INTERFACES=`cat "/proc/net/dev" | egrep 
"(eth|bond|wlan|br|ath|bge|mon|fe|em)[0-9]+" | awk '{print $1}' | cut -d\: -f1 
|sort`

INTERFACES=`grep -vP '(Inter\-\||^ face)' /proc/net/dev | awk '{print $1}'|cut 
-d\: -f1|sort`

/usr/bin/sosetup-network
Line 76
#MGMT_INTERFACE=`cat "/proc/net/dev" | egrep 
"(eth|bond|wlan|br|ath|bge|mon|fe|em)[0-9]+" |
#       awk '{print $1}' | cut -d\: -f1 | sort `

MGMT_INTERFACE=`grep -vP '(Inter\-\||^ face)' /proc/net/dev | awk '{print 
$1}'|cut -d\: -f1|sort `


94
#INPUT=`cat "/proc/net/dev" | egrep 
"(eth|bond|wlan|br|ath|bge|mon|fe|em)[0-9]+" | awk '{print $1}' | cut -d\: -f1 
| sort | while read INT; do echo -n "FALSE $INT "; done`

INPUT=`grep -vP '(Inter\-\||^ face)' /proc/net/dev | awk '{print $1}'|cut -d\: 
-f1| sort | while read INT; do echo -n "FALSE $INT "; done`


210
#MON_INTERFACES=`cat "/proc/net/dev" | egrep 
"(eth|bond|wlan|br|ath|bge|mon|fe|em)[0-9]+" |
#    awk '{print $1}' | cut -d\: -f1 | sort |sed "s|$MGMT_INTERFACE||g"`

MON_INTERFACES=`grep -vP '(Inter\-\||^ face)' /proc/net/dev | awk '{print 
$1}'|cut -d\: -f1| sort |sed "s|$MGMT_INTERFACE||g"`

===/CHANGE===

Explanation: 
/usr/bin/sosetup
Change the command output assigned to the variable "INTERFACES" in sosetup. New 
command uses PCRE grep to exclude lines "Inter-|" and lines beginning with " 
face" (these are the first two lines of /proc/net/dev, hopefully this won't be 
problematic). The output is piped to awk where the first field is printed and 
finally 'cut' delimiting the output on ":" and only printing the first field.

/usr/bin/sosetup-network
Change the command output assigned to the variables "MGMT_INTERFACE", "INPUT", 
and "MON_INTERFACES" with the same code described above.

Tested on:
Ubuntu 12.04.5 LTS
PPA Packages

The interfaces were accurately displayed and provisioned during setup. Sguil 
also shows the interfaces (sniffing not testing). Hope this helps others.

- Tim Whisnant, @heywiz

Original comment by timothyw...@gmail.com on 11 Dec 2014 at 4:50

• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

Guess it would help if I actually included the files (sometimes the obvious 
escapes me). 

tim@server:~$ md5sum *
dbd9a6dae493e17980e5ddf1f2089b4a *sosetup-network.EDIT
5070b0f6b8d4bdb6da1e1b63ef95447c *sosetup-network.ORIG
2d5a479472109f92f601083b5b073b6c *sosetup.EDIT
ebf33b3fda8f4bef4a2eecc3c04d3e61 *sosetup.ORIG

tim@server:~$ sha1sum *
fb76cad20da9a3ea0b234745962f79c2c362462c *sosetup-network.EDIT
b21b69b38af7407f6b2f13cb40579efdaf952254 *sosetup-network.ORIG
61d8de2746da495f557bc2857a3aae2419caf7ad *sosetup.EDIT
29a619e4c96d45d5d0624651efedef1527f8f371 *sosetup.ORIG

Original comment by timothyw...@gmail.com on 12 Dec 2014 at 4:12

• Added labels: ****
• Removed labels: ****

Attachments:

• sosetup.ORIG
• sosetup.EDIT
• sosetup-network.ORIG
• sosetup-network.EDIT

[dougburks]

commit:
Security-Onion-Solutions/securityonion-setup@45a23cb

[dougburks]

submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/bN-9Pgb19w8/discussion

[dougburks]

published:
http://blog.securityonion.net/2016/07/securityonion-setup-20120912.html