Security Onion for the Home
Network Configuration
Quick note: you will need a SPAN (mirror) port or some sort of network tap to monitor your network properly, which is a feature most managed switches have. In my case I'm using a TL-SG108E switch which manages three separate VLANs: VLAN1 is for my network appliances, VLAN10 contains about 10 IoT devices and a WAP, and VLAN20 is for my personal workstations. VLANs work nicely in the SOC (Security Onion Console) since I can quickly identify assets by their subnet.
The Install
So this is a fairly straightforward post about my experience installing Security Onion on a Dell Optiplex 960 and hunting down my very first false positive! To start with, the Optiplex has fairly low specs: 2 cores and 8 GB of RAM (maxed out). Security Onion wants a dedicated sniffing interface alongside the management interface, so I installed a Gigabit PCIe Ethernet card; thankfully the PC already had one onboard, so I just needed one extra.
After I made a bootable USB with Etcher I just had to install it, which proved a little annoying: the Anaconda installer froze twice, and the first time it ran as intended it failed at the last step of installation after about 45 minutes. This probably has to do with the low specs.
The Hunt
Shortly after firing up Security Onion, running so-allow from the Security Onion console and adding my private IP to the analyst role, I was able to browse the SOC from my workstation in a separate VLAN, cool! Except I was quickly greeted with this log entry, which is a bit worrisome.
"???" is a seemingly random IP which geolocates to somewhere in Romania... crap.
I quickly regained composure and figured it was some sort of relay my VPN uses, so let's quickly verify this. The first thing I want to do is resolve this IP, so I fire up nslookup, switch its server to my Pi-hole (192.168.1.2), and enter the IP address in question, which gives this result.
A quick Google search for dataclub.info is pretty reassuring: it appears to be a hosting provider, which backs up my initial hypothesis that this is related to my VPN. We can further support this with tracert.
Sure enough, the first hop is in the same Class A private range (10.0.0.0/8) as my VPN network adapter, so the traffic is leaving through the VPN tunnel rather than straight out to my ISP. Mystery solved!