Shulou(Shulou.com)06/01 Report--

Matters needing attention in setting the Network Card in OSSIM

The book "Unix/Linux Network Log Analysis and Traffic Monitoring" tells you how to modify it through Alienvault-center. In addition, there are three issues that you need to pay attention to when setting up the network card in OSSIM:

1) Why do I manually modify the OSSIM CVM address and start other services after the eth0 Nic IP?

When OSSIM Server is installed, it is wrong to modify commands through the command line or configuration file

Because only the IP address of the network card is modified, but other processes are still listening on the previous address, the system will report an error.

For example, when installing the server, IP is configured to 10.0.2.20. After installation, it is found that IP is not appropriate, and the eth0 ip address is manually modified with ipconfig, but it is found that error cannot to launch remote network scan: Can't connect with frameworkd (10.0.2.20 ipconfig 40003) reports an error, which belongs to this reason.

2)。 Do you need to set a static IP address for a network card in mixed mode?

First of all, you need to know what the network card in hybrid mode (Promiscuous Mode) means. Hybrid mode (Promiscuous Mode) means that a machine can receive all data streams passing through it, regardless of whether its destination address is it or not, but in the era of the switch, there are new problems. When you get a switch and plug into this port of the network cable, you can't collect all the data by default. At this point, even if the network card is set to promiscuous mode, it will not be able to listen to all packets (only IP data and broadcast data are received).

Then one of the ways to realize data monitoring in the switching network is to set the SPAN of the switch. Coming back to our question, setting IP for mixed-mode NICs is like icing on the cake.

Check to see if the Nic supports promisc mode

# ifconfig eth0

Set to support promisc

# ifconfig eth0 promisc

The normal working mode of a working Nic is MULTICAST, and the hybrid mode is PROMISC MULTICAST.

Cancel the mixed binding mode of network card

# ifconfig eth0-promisc

3)。 At least how many network cards are needed to complete the OSSIM system installation and deployment test?

For this question, we need to have the basis of the above answer. In the case of a network card and the traffic is small (less than 50% of the standard capacity), you can simulate all ossim experiments. This network card specifies IP to facilitate management and log collection, and is set to promiscuous mode to monitor network packet traffic. If conditions permit, it is suggested that the management port and the monitoring port should be served by different network cards respectively.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.