If you followed along with my previous exercise on creating a Snort IDS for your lab you will most likely love Security Onion as it takes far less effort to get things configured and setup. It’s an excellent Ubuntu based operating system designed solely for both Host Intrusion Detection (HID’s) and Network Intrusion Detection (NID’s) for your network environment and a great tool to use in a lab environment due to the lack of configuration and setup time involved compared to doing everything yourself manually. Why reinvent the wheel when someone has already invented it for you? (Well sometimes it’s needed to learn about something new)
There is a huge host of network related tools that are installed which includes Snort, Suricata, Bro, OSSEC (HID’s), Sguil, Squert, ELSA, Xplico, NetworkMiner, Tcpreplay, Wireshark, tcpdump and a lot more great tools too for analyzing your network traffic.
It’s very easy to configure and excellent for use in a Production or even lab environment for monitoring network traffic.
What you will need is the following:
1 – VirtualBox installed with guest additions downloaded
2 – Pfsense Configured
3 – The Security Onion ISO downloaded
4 – Snort subscription to the free account is perfectly fine (Oinkcode)
Once you have all of the above obtained you are ready to start the installation.
Let’s get to it!
Follow along with the Pfsense configuration guide from the initial lab setup and feel free to allocate more memory to the Security Onion setup, I find 4GB’s to be sufficient for memory allocation and a 30GB Hard Disk for this setup. Assign your NIC’s in a similar fashion except make NIC Adapter 1 & 2 internal and set the Promiscuous Mode option to “Allow VM’s” then make NIC Adapter 3 an internal adapter only so that you will have Internet access for updates, you will also use it as the management interface from within your lab environment. Optionally you could set NIC adapters 1 & 2 as internal with Promiscuous mode set for VM’s and NIC adapter 3 as NAT which will allow for Internet connectivity without having Pfsense setup and configured to allow Internet access. The choice is yours here and depends on what you want to do. For this guide though, we will use the following NIC configuration outlined below.
NIC Adapter 1:
NIC Adapter 2:
NIC Adapter 3:
Once you’re finished with the VirtualBox configuration settings make sure you have pfsense running if you’re using the internal adapters in this guide otherwise the NAT adapter will give internet connectivity if you chose not to configure Pfsense.
Power on your Virtual Security Onion system and follow along.
Select your language and select Continue
Select Download updates while installing and select Continue
Click Continue to erase the disk and install Security Onion
At the next prompt just hit continue to Format the disk and continue with the install
Select your country on the map and select Continue again
Select your keyboard layout and select Continue
Enter your name, computer name, username and a password and select Continue again and wait for a bit for it to install.
When finished click restart to continue
At the next prompt click Enter to continue with the reboot
Once the system has rebooted simply login with your username and password
Chances are there will be some further software updates once you login so select “Install Now” to proceed with the installation.
Once the update has completed select “Restart Now” to reboot the system again to complete the update process and then login again.
Now you will most likely want to have your system running in full screen to make playing with it easier so install VirtualBox Guest additions. You can follow along with the guide here at step 26 on how to do this as the process remains the same. After you have rebooted you should take a snapshot of the system so you can revert to this point and go back to a known good configuration if you break something while playing. It’s also handy for Malware analysis as you can revert back to the time before you were playing with it.
Now for the system configuration all you have to do is click on the Setup icon on the desktop, Enter your password and select “Yes, continue”
Next select “Yes, configure /etc/network/interfaces!”
Select eth2 as your management interface and select OK to continue
As this is in a Virtual environment with Pfsense providing DHCP already it’s fine to select DHCP to continue. Alternatively feel free to configure it manually as per your IP addressing scheme.
Select “Yes, configure monitor interfaces”
eth0 and eth1 should be already ticked to use as your monitoring interfaces so just click OK to continue
Yes you want to make your changes now so click on “Yes, make changes!”
Time to reboot again so select “Yes, reboot!” to continue
After the system has rebooted click on the setup icon on the desktop again and select “Yes, Continue” as you did before
This time though select “Yes, skip network configuration!” to continue
Select production mode to continue
Select Standalone as you are using the management and network sniffing interfaces on the same system
Select Best Practices to continue and select OK
Enter a username that you want to use for logging in to Squil, Squert and ELSA and select OK to continue
Next enter a password you would like to use for Squil, Squert and ELSA and confirm in the window that follows
Next select the Snort IDS and click OK to continue
Next select the option for Snort VRT ruleset and Emerging Threats NoGPL ruleset, this is why you obtained an Oink code from Snort.
Enter your Snort Oinkcode and click OK to continue
Keep the default PF_RING min_num_slots as 4096 and select OK to continue
eth0 and eth1 network interfaces should already be selected so just click on OK to continue
Congratulations you are nearly there just select “Yes, proceed with the changes!” to make the changes to your system permanent that you have just entered.
That’s it you’ve reached the end of the installation, just select OK for the next few windows and take note of any important directories like the ones shown in following screenshots in order to modify and make any changes to your configuration. Alternatively you can revert to your snapshot that you made earlier or just run the setup again from the desktop.
Sostat commands for checking detailed information about your service status, get a guided tour and share redacted network information with other sources.
Snort rule modification and sensor directories for making manual changes to these after you have things configured.
UFW Firewall rule modification if you need to change any of the firewall rules.
Take another snapshot of your system as you have everything configured now and you can revert back to it when needed.
That’s it for now, we will be using Security Onion in some upcoming tutorials so it will be handy to have it configured for when you are following along.