JIB

  1. Hello,

     I am working with a penetration testing lab environment that uses Kali Linux 2018 VM (as an attacker), CentOS 7 (as a target), Windows Server 2016 (as a target), and Security Onion 2019 (as the intrusion detection system). All VMs are in VirtualBox and are on the same local network.

     I am looking to test out some footprinting commands like "whois", "nslookup", and "traceroute". For example, I am using Kali to issue a command like "nslookup www.google.com" and "traceroute www.google.com". My goal is to receive alerts in Security Onion tools (like Sguil, Squert, Kibana) to detect those footprinting commands from Kali. I am not sure why I am unable to do that. I believe it is because Security Onion cannot see the commands being issued because they are gathering information from websites. In VirtualBox, I am using a NAT adapter for both Kali and Security Onion. I am able to successfully perform the attacks in Kali but cannot detect them in Security Onion (attacks like nslookup and traceroute, just to name a couple of them).

     Another lab I'm doing involves using hping3 to conduct IP spoofing. The attack is tracked using Wireshark. But I'm having trouble detecting it in Security Onion. I have tried loading a snort rule into the "downloaded.rules" file in Sec. Onion (ran "rule-update" to do that). But each time I've tried, I don't see any alerts in Security Onion tools like Sguil or Squert. I thought that since all VMs are on the local network (and the lab does not rely on the Internet), there would be a greater chance to detect the IP spoofing (hping3) attack?

     I would appreciate any suggestions/help with these problems. I am stuck as to how to solve them.

     Thank you in advance!

     Jacob