Loading and setting up SecurityOnion
This tutorial is intended mostly for beginners, or anyone who wants to set up their first network monitoring device with some pre-configured tools to try out, but anyone is free to use it.

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. As part of this demonstration, we're going to turn it into an IDS sensor. Later, we'll gather logs from a host using a HIDS, OSSEC.

First, we're going to load the ISO into our VM emulator. I'm using VMware Player and SecurityOnion for this demonstration because OSSEC is already installed, but you can use any distro as long as you're willing to install OSSEC from its website. After clicking on "create a new virtual machine," select "installer disk image" and browse to the location where you saved your downloaded ISO.

Next, you'll be prompted to configure the VM before creation is complete. We're going to need to add a second network adapter: SecurityOnion will use the first for management and the second for sniffing and capturing traffic in promiscuous mode. I recommend giving this machine a little more memory and CPU power for speed, but that's mostly preference.

After this is done we can begin the installation of Security Onion. Choose "install", pick your language, and then allow SO to download the third-party software so we get the full usage out of our evaluation copy. Clear the disk with the first option. Don't worry: this is the virtual hard disk we created with the VM that will be erased, not your personal hard drive!

Once that's complete you'll be prompted to choose a location and keyboard layout. Select as applicable, and afterward you'll create an account. When that's finished, feel free to grab a snack and wait for the install.
After you reboot, select the first option and you'll be met with a login terminal. Upon logging in you should see some icons on the desktop. Click on Setup and select "yes" for the following prompts. This will automatically establish a few values for you, making things a little easier in the long run.

Select DHCP for networking for now. Since we are only going to use SO in evaluation mode this isn't a worry, but normally you'd want to set this up with static IP settings. Afterward, you'll be prompted to choose the interface you'll be sniffing traffic on: select eth1. Finally, select evaluation mode and you'll be prompted to set up more accounts. After that's complete you'll be asked to reboot, and then we're finished! The rest of the setup will give you information about how to check on running services (which can then be disabled or administered as you like).

If there is any interest in this topic I will go over specific tools I've used after completing the OSSEC tutorial next. Thanks for reading, and feel free to leave comments and constructive criticism below.
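Once the wizard has rebooted the sensor, it is worth confirming that the second adapter is really set up for capture: a sniffing interface should be UP, in promiscuous mode, and have no IPv4 address of its own, so the sensor has no presence on the segment it watches. The script below is an added example and not part of Security Onion or this post; it assumes eth1 is the capture interface chosen in the wizard and that the iproute2 `ip` command is available. The check functions parse the text `ip` prints, so they are exercised here against constructed sample lines and only touch the live interface when you pass its name as an argument.

```shell
#!/bin/sh
# Added example: sanity-check a Security Onion capture interface.
# Assumes eth1 (or whatever name is passed in) is the sniffing adapter.

# Return 0 when the flags field of an 'ip -o link show dev <if>' line
# contains both UP and PROMISC, 1 otherwise.
sniff_iface_ok() {
    line="$1"
    flags=$(printf '%s\n' "$line" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,UP,*) ;;
        *) return 1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the output of 'ip -o -4 addr show dev <if>' carries no
# 'inet' entry, i.e. the interface has no IPv4 address bound to it.
sniff_iface_has_no_ip() {
    addr_out="$1"
    printf '%s\n' "$addr_out" | grep -q 'inet ' && return 1
    return 0
}

# Constructed sample lines in the format 'ip -o link show' prints.
SAMPLE_GOOD='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000'
SAMPLE_BAD='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000'

# Live check, only when an interface name is given: ./check_sniff.sh eth1
if [ -n "${1:-}" ]; then
    iface="$1"
    link=$(ip -o link show dev "$iface" 2>/dev/null) || { echo "no such interface: $iface"; exit 1; }
    if sniff_iface_ok "$link"; then
        echo "$iface: UP and PROMISC"
    else
        echo "$iface: not sniffing (missing UP or PROMISC)"
    fi
    if sniff_iface_has_no_ip "$(ip -o -4 addr show dev "$iface")"; then
        echo "$iface: no IPv4 address (expected for a capture interface)"
    else
        echo "$iface: has an IPv4 address; check the wizard's interface choice"
    fi
fi
```

Run it as `sh check_sniff.sh eth1` on the sensor after setup. If PROMISC is missing, the second adapter was probably not the one selected as the sniffing interface, and the IDS will only ever see traffic addressed to the sensor itself.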
You can download/install SecurityOnion from sourceforge.net, or search for it somewhere else.