weslambert / DinoSOARLab

Security Onion + Automation + Response Lab including n8n and Velociraptor
GNU General Public License v3.0
105 stars 13 forks

Velociraptor and SOv2 Client Connection Issue #6

Closed ColeVan closed 3 years ago

ColeVan commented 3 years ago

Any suggestions or ideas why Velociraptor can't connect back to SOv2? Firewalls have been amended on both Windows and SOv2 to allow the connection.


weslambert commented 3 years ago

Have you confirmed traffic is actually hitting port 8000 on the Security Onion box (using PowerShell's Test-NetConnection, tcpdump, etc.)?

ColeVan commented 3 years ago

Here is what I captured. It seems to go out and then get dropped. Don't understand why, though?

ColeVan commented 3 years ago

Update: Not sure, but I think my lab boxes were not properly making it through my pfSense WAN on 192.168.1.154. I amended my SOv2 firewall rules to include 192.168.0.0/16, which should cover my 192.168.1.154 WAN IP. This was for testing. It worked. I should have known.
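As an added illustration of the two diagnostic steps in this thread (first confirm that the client's SYNs actually reach port 8000, then check whether the source address the Security Onion box sees after NAT is covered by its allow-list), here is a small Python script. It is not part of DinoSOARLab or of the original issue. The `tcpdump -n` lines and the 10.0.0.x addresses are constructed sample data; 192.168.1.154 is the pfSense WAN address mentioned above. `unanswered_syns`, `allowed_by`, and `diagnose` are hypothetical helper names chosen for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture (not from the issue): a client behind pfSense
# NAT retransmits SYNs from the WAN address and never gets a SYN-ACK, while
# a directly attached 10.0.0.7 client completes its handshake normally.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.1.154.51000 > 10.0.0.5.8000: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 192.168.1.154.51000 > 10.0.0.5.8000: Flags [S], seq 1, win 64240, length 0
12:00:04.000000 IP 192.168.1.154.51000 > 10.0.0.5.8000: Flags [S], seq 1, win 64240, length 0
12:00:05.000000 IP 10.0.0.7.52000 > 10.0.0.5.8000: Flags [S], seq 9, win 64240, length 0
12:00:05.000100 IP 10.0.0.5.8000 > 10.0.0.7.52000: Flags [S.], seq 100, ack 10, win 65160, length 0
12:00:05.000200 IP 10.0.0.7.52000 > 10.0.0.5.8000: Flags [.], ack 101, win 502, length 0
"""

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump -n line.
TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def parse_tcp(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, else None."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def unanswered_syns(capture, port=8000):
    """Map (client_ip, client_port) -> number of SYNs sent to `port`
    for flows that never received a SYN-ACK back from the server."""
    syns = Counter()
    answered = set()
    for line in capture.splitlines():
        parsed = parse_tcp(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        if dport == port and flags == "S":
            syns[(src, sport)] += 1
        elif sport == port and flags == "S.":
            answered.add((dst, dport))
    return {flow: n for flow, n in syns.items() if flow not in answered}


def allowed_by(ip, allow_list):
    """Return the first CIDR in allow_list that contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for cidr in allow_list:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def diagnose(capture, allow_list, port=8000):
    """One (ip, port, syn_count, verdict) tuple per unanswered client flow.
    The address checked is the one on the wire, i.e. the post-NAT source."""
    report = []
    for (ip, sport), n in sorted(unanswered_syns(capture, port).items()):
        cidr = allowed_by(ip, allow_list)
        if cidr is None:
            verdict = f"source {ip} not covered by the allow-list; add its network (NAT/WAN address?)"
        else:
            verdict = f"source {ip} is allowed via {cidr}; look past the host firewall (listener up? upstream drop?)"
        report.append((ip, sport, n, verdict))
    return report


if __name__ == "__main__":
    # Allow-list that only covers the LAN the client *thinks* it is on.
    for entry in diagnose(SAMPLE_CAPTURE, ["10.0.0.0/24"]):
        print(entry)
    # Widened the way the thread did: the WAN address is now covered.
    for entry in diagnose(SAMPLE_CAPTURE, ["10.0.0.0/24", "192.168.0.0/16"]):
        print(entry)
```

Repeated SYNs with no SYN-ACK in the server-side capture are the signature of the "goes out and then gets dropped" symptom; the script then tells you whether the fix is the allow-list (the source address on the wire is the NAT address, not the client's own) or something further along.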

weslambert commented 3 years ago

My next question was going to be if there was any NATing, etc 😃 . Glad to hear it's working!

ColeVan commented 3 years ago

So how do you unquarantine hosts?

weslambert commented 3 years ago

You can re-run the quarantine artifact, checking the RemovePolicy option. In newer versions, there is a button in the GUI.

ColeVan commented 3 years ago

That worked! Would love to try out the new v0.6.1 features. Since your repo seems a bit customized, how would we go about updating v0.6.0 to v0.6.1 in Security Onion 2?

weslambert commented 3 years ago

I've updated the latest Docker image to v0.6.1.

If you would like to update, the following should work:

(As root):

```bash
so-velociraptor-stop
docker rmi wlambert/so-velociraptor
so-velociraptor-start
```

Let me know if you have any issues. Thanks!