Troubleshooting NSM Virtualization Problems with Linux and VirtualBox
I spent a chunk of the day troubleshooting a network security monitoring (NSM) problem. I thought I would share the problem and my investigation in the hopes that it might help others. The specifics are probably less important than the general approach. It began with ja3 . You may know ja3 as a set of Zeek scripts developed by the Salesforce engineering team to profile client and server TLS parameters. I was reviewing Zeek logs captured by my Corelight appliance and by one of my lab sensors running Security Onion. I had coverage of the same endpoint in both sensors. I noticed that the SO Zeek logs did not have ja3 hashes in the ssl.log entries. Both sensors did have ja3s hashes. My first thought was that SO was misconfigured somehow to not record ja3 hashes. I quickly dismissed that, because it made no sense. Besides, verifying that intution required me to start troubleshooting near the top of the software stack. I decided to start at the bottom, or close to the bottom. I ha