Security Onion does not get traffic from pfSense SPAN port

irdrgz · November 23, 2023, 3:07pm

Hello everyone,

I’m making my first networking project. It is a network that simulates an enterprise network on an ESXi host. The topology is as follows:

Everything is set up and working correctly. The pfSense works as a gateway for the three subnets and one of the ports facing the Security Onion server is a SPAN that redirects traffic from the WAN, LAN and DMZ. What I want to do now is to see the traffic of the subnets in the form of logs in Security Onion, but for now I can only see the traffic generated by the tcpreplay. In the configuration I have, what traffic should I see? Is it possible?

LTS_Tom · November 24, 2023, 11:51am

I am not clear on the goal, you want to see the traffic between host on a given subnet?

irdrgz · November 30, 2023, 5:22pm

I want Security Onion to get all traffic and show alerts for any possible dangerous activity occurring in the DMZ or LAN. It doesn’t matter where the traffic is coming from or going to.

LTS_Tom · November 30, 2023, 7:20pm

You would need a SPAN port for each physical interface.