This post is going to be about setting up a complete installation and configuration of the Open-Source Security Onion Linux distribution. We’ll start with a simple lab containing SO, Kali virtual machines turning on VirtualBox, and our Host. So, let’s get started !!
What Is Security Onion: SO is a Linux distribution designed for intrusion detection, network security monitoring, and log management. Its original author is Doug Burks.
SO contains most of the security tools needed by security analysts (other roles too for that matter), including Elastic Stack, Snort/Suricata, Sguil, Elastalert, and many others. Despite being a full NSM collection, detection, and analysis suite, it features a very simplistic setup process, that makes its deployment phase less painful.
Hardware Configuration
SO has its own set of hardware requirements (more here). The amount of resources to allocate depends on the services you’ll be using. If you’re going to use Elast Stack (we’ll talk about it in a later post), give it at least 4 CPU cores and 8GB RAM. The table below gives the configuration used in our lab :
| VM | #cpu | ram | NIC adapter | NIC type |
|---|---|---|---|---|
| kali | 1 | 4Gb | eth0 | Host-Only Adapter |
| SO | 2 | 8Gb | eth0 OR enp0s3 | Host-Only Adapter (promiscuous mode set to “Allow All”) |
| eth1 OR enp0s8 | NAT - DHCP enabled |
Sniffing Traffic
For an intrusion detection mechanism to be able to do its job, it should have access to network data over all the interesting network segments. In reality, this is done through the use of either SPAN ports, or Network Taps. Some enterprise grade switches can mirror traffic from one or of all its ports to a specific SPAN port. A tap is a passive hardware device that mirrors traffic between two endpoints to another monitoring port.
Both images are taken from ANSMbook.
In our development environment, VirtualBox promiscuous mode enables us to mirror all traffic in a network to a specific network card. Setting eth0 (Network Adapter 1 in SO) in promiscuous mode will enable it to see all the traffic between virtual machines as well as the host.
We have chosen “Host-Only Adapter” mode to isolate the testing environment from the outside world as well as have access to the host. In the future, we’ll be working with “Internal Networking” mode once we start playing with real-world malware and attacks. If you find yourself struggling to understand the differences between networking types, read this article.
Setup
Let’s start the actual installation and configuration of Security Onion. Follow these steps :
- Create a new virtual machine with the specs from the table above. Then, download SO ISO, and boot the image. Make sure to verify the ISO signature.
- Click the “Install SO” icon on the desktop. Don’t choose the option to
encrypt home folder, neither the option toenable automatic update, and go through with the installation while choosing the defaults. - Even if you have just downloaded the ISO image, chances there are already updates for some SO packages.
sudo apt update && sudo apt dist-upgrade -y --force-yes -
Running NSM services setup
- Click the Setup icon on the desktop.
- Select eth1 (or enp0s8, the NATed one with IP address
10.0.3.15) to be the management interface : The interface you will use to access the system and all the services hosted on it. By default, ufw (the Uncomplicated Firewall) is configured to block all access to SO except 22/tcp. Run so-allow-view script to pick into UFW rules.
Default UFW Rules
To be able to reach services, kibana for example, some ports must be allowed. so-allow is a script that will guide you through allowing certain ports as needed. Run the command with root privileges, and choose the analysts group. Set the IP address to the host’s NAT ip 10.0.3.2.
UFW rules after modification
Since our management interface is behind a NAT, we must do port forwarding first on the NAT interface.
Example of port forwarding for Kibana.
Successfully loading kibana from localhost on the Host.
- eth0 (or enp0s3) will be used as the monitoring interface since all Host-Only Adapter network traffic go in its direction.
- Reboot.
- Click Setup icon again, and skip network interfaces configuration this time. Select the evaluation mode option. Set eth0 as the monitoring interface. This interface will be used by all the tools that need to sniff traffic (i.e Bro/Snort/Suricata …).
- Enter a username/password for use by various NSM services. I set it to an easy to remember combination
analyst/analyst. - Confirm the configuration changes.
- The location of several important log and configuration files will be displayed next. I recommend saving this information, as it will for sure come in handy in the near future.
Testing Security Onion Installation
To verify the success of SO configuration, we force Snort to generate an alert from one of its rules. But first, let’s update its ruleset. sudo rule-update is the command you want to execute. This command will launch the PulledPork utility, which is in my opinion a great addition to SO toolset as it, among other things, makes the ruleset up to date by periodically synchronizing it from Emerging Threats source, then restart Snort accordingly so that the new rules are taken into consideration.
Note: Be careful when you want to add/delete/modify an existing rule, as all your modifications will be overwritten the next time PulledPork is run. Instead, go through it to make any changes. Read more here.
Inside Security Onion, click the Sguil icon on the desktop, use analyst/analyst for credentials.
The scenario I’ve chosen to simulate an attack, is to scan for open ports on the host, using nmap. So, quickly fire up your Kali machine, and run this command in a terminal :
nmap -v -n -Pn -sV --reason --open --defeat-rst-ratelimit -T4 192.168.56.1 # IP address of the host in the Host-Only Network.
Then back in sguil, if you see some alerts surfaced, then you have successfully installed the great Security Onion Linux distribution. CONGRATS!!.
Nmap port scan detected by Snort and shown in Sguil.
Conclusion
To sum up with, Security Onion installation is a fairly simple task, one only need to pay attention to the configuration of network interfaces and their role assignments. Also, one should be careful when directly modifying Snort/Suricata rules as PulledPork will overwrite them. Finally, trying to access the different services from outside Security Onion must be first allowed through UFW using so-allow script.