How to Install Security Onion 14.04

Do you know Security Onion? It is a Linux distribution specialized in network security monitoring and intrusion prevention. It simplifies the whole network monitoring job with an Ubuntu-based distro that you can start using in just a few steps, and it comes with many valuable security tools to monitor your network in real time or to analyze pcap files and system logs.

Today I will walk you through the installation process step by step. At the end of this article you will have it installed on your machine and will be able to start monitoring your network traffic and host activity with its tools.

Here are the tools you will find on Security Onion:

Reassembler, tcpdump, OSSEC, hunt, Squert, Xplico, tshark, Bro, dsniff, ELSA, tcpxtract, ngrep, Snort, sslsniff, Snorby, tcpstat, Wireshark, Suricata, mergecap, sguil, tcpslice, ssldump, barnyard2, driftnet, p0f, tcpreplay, NetworkMiner, u2boat, netsniff-ng, Sniffit, scapy, Argus, u2spewfoo, tcpick, chaosreader, Daemonlogger, netsed, labrea, hping

Download Security Onion

Download the Security Onion ISO from GitHub. Security Onion can also be installed on top of an existing Ubuntu-based distro, but that is not covered here (see: how to install Security Onion on Ubuntu).

Boot

When you boot the system from the Security Onion media you will be presented with the following screen; just choose the install option.

Boot screen

Install Security Onion

Once you select the install option the system boots and then shows the setup screen.

Part I - Operating System

The first thing to set is the operating system language.

Select language

Now decide whether or not to install third-party software, such as the Flash player or MP3 codecs.

Third party software

Select how the system will be installed on your hard disk. The disk encryption and LVM setups did not work out of the box, so if you are not familiar with them just click Install and then Continue when asked.

Setup HD install

Now select your location; this sets the locale and date/time options. Click on your country, then Continue.

set location

Select your keyboard layout, use the detection tool if in doubt.

Keyboard layout

Then set your credentials; you will have to fill in the following:

  • Your name
  • Computer name
  • Username
  • Password
  • Confirm password
  • Whether to ask for a password at login

Your credentials

Note: Do not select the "encrypt my home folder" option; I did not try it myself, but people complain about it on forums.

At the end of this process, restart the system and boot from the hard disk.

Part II - Network

Once the system restarts, run the setup script from the desktop and enter the password you set in the previous step when asked. It then asks whether you want to set up your network interfaces; choose Yes.

Setup network interfaces

Choose the network configuration method to use; we are going to use static configuration.

Network configuration mode

Set the IP address of this machine.

Set IP address

Set the network mask.

Set network mask

Set the IP address of the gateway.

Set gateway

Set the IP addresses of the DNS servers.

Set DNS servers

Set the local domain.

Set local domain

Set any special network settings if needed, then reboot the system again.

Reboot
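
The static settings entered above end up as a stanza in /etc/network/interfaces on Ubuntu 14.04. The following is an added example, not the setup script's own code: it validates such values and renders both a management-interface stanza and a typical sniffing-interface stanza (the sniffing lines are an assumed form, not copied from the setup script; the interface names and addresses are constructed).

```shell
#!/bin/sh
# Added example, not from the article or the Security Onion setup script:
# validate a static management-interface configuration like the one entered
# above and render it as the ifupdown stanza it corresponds to in
# /etc/network/interfaces on Ubuntu 14.04. Addresses below are constructed.

# Succeeds if $1 is a dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# Succeeds if $1 is a contiguous netmask: all one-bits before all zero-bits.
valid_netmask() {
    valid_ipv4 "$1" || return 1
    printf '%s\n' "$1" | awk -F. '{
        bits = ""
        for (i = 1; i <= 4; i++) {           # octet -> 8-character bit string
            o = $i + 0; b = ""
            for (j = 0; j < 8; j++) { b = (o % 2) b; o = int(o / 2) }
            bits = bits b
        }
        if (bits !~ /^1+0*$/) exit 1
    }'
}

# Management interface: the values the dialogs above ask for, validated first.
# Usage: static_stanza IFACE ADDRESS NETMASK GATEWAY "DNS1 DNS2" DOMAIN
static_stanza() {
    valid_ipv4 "$2" && valid_netmask "$3" && valid_ipv4 "$4" || return 1
    for ns in $5; do valid_ipv4 "$ns" || return 1; done
    printf 'auto %s\niface %s inet static\n' "$1" "$1"
    printf '    address %s\n    netmask %s\n    gateway %s\n' "$2" "$3" "$4"
    printf '    dns-nameservers %s\n    dns-search %s\n' "$5" "$6"
}

# Sniffing interface: no IP address, promiscuous, ARP and NIC offloading off
# so the sensor sees every frame intact. Assumed form, not copied from setup.
sniff_stanza() {
    printf 'auto %s\niface %s inet manual\n' "$1" "$1"
    printf '    up ip link set $IFACE promisc on arp off up\n'
    printf '    down ip link set $IFACE promisc off down\n'
    printf '    post-up for i in rx tx sg tso gso gro lro; do ethtool -K $IFACE $i off; done\n'
}

static_stanza eth0 192.0.2.10 255.255.255.0 192.0.2.1 "192.0.2.53 192.0.2.54" example.lan
sniff_stanza eth1
```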

Part III - Sensors and servers

When the system restarts, run the setup script from the desktop again and follow the next steps.

First, choose which mode of the install script to run. We are going to run Production mode here to show you the details.

Setup mode

Select in which mode Sguil will be installed:

  • sensor - Install the agents that do the monitoring.
  • server - Install the services that manage the monitoring.
  • standalone - Install both sensor and server; this is the one we are going to use.

Sguil mode

Set a username for the Sguil, ELSA and Squert interfaces.

Sguil username

Define a password and confirm it.

Sguil password

Set how many days to keep the logs.

Days to keep

Set the number of days to repair MySQL tables.

Days to repair

Select the IDS engine to use, either Snort or Suricata.

Select IDS engine

Select the IDS ruleset to use.

Select IDS ruleset

Set the minimum number of PF_RING slots.

pfring slots

Enable the IDS engine.

Enable IDS engine

Enable the Bro network analysis framework.

Enable Bro

Enable Bro's executable file extraction feature. It helps a lot in identifying malware.

Enable exe extraction

Disable Bro's http_agent to save resources if you are going to use ELSA.

Disable http_agent

Enable Argus session management.

Enable Argus

Disable Prads asset management, as we are using Bro's conn.log instead.

Disable Prads

Enable full packet capture; this is strongly recommended unless disk limitations prevent it.

Enable full packet capture

Specify the maximum pcap file size in megabytes. This depends on your needs and available disk space, but something between 150 and 1500 should do the trick for most setups.

Set pcap file size

Enable mmap I/O for pcap files in netsniff-ng for the best performance if you have a reasonable amount of memory.

Enable mmap on netsniff-ng

Set the minimum free disk space at which to start purging pcap files.

Disk free space
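
To put the pcap file size and the purge threshold above into perspective, here is a small sizing helper. It is an added example, not from the article or from Security Onion; it assumes decimal units (GB = 10^9 bytes, Mbps = 10^6 bits per second) and an average traffic rate you measure yourself, and the 20 Mbps and 1 TB figures are constructed.

```shell
#!/bin/sh
# Added example, not from the article or Security Onion: sizing arithmetic
# for the full packet capture settings chosen above (pcap file size and the
# free-space threshold at which old pcaps are purged). Assumes decimal units
# (GB = 10^9 bytes, Mbps = 10^6 bits/s); traffic figures are constructed.

# Seconds until netsniff-ng rotates one pcap file of PCAP_MB megabytes at
# an average AVG_MBPS of monitored traffic.
# Usage: pcap_rotation_seconds PCAP_MB AVG_MBPS
pcap_rotation_seconds() {
    awk -v mb="$1" -v mbps="$2" 'BEGIN { printf "%.0f\n", mb / (mbps / 8) }'
}

# Days of capture retained before purging starts, for a DISK_GB partition
# holding the pcaps that purges when free space drops below FREE_PCT percent.
# Usage: pcap_retention_days DISK_GB FREE_PCT AVG_MBPS
pcap_retention_days() {
    awk -v gb="$1" -v pct="$2" -v mbps="$3" 'BEGIN {
        usable_mb  = gb * 1000 * (100 - pct) / 100   # space before the threshold
        mb_per_day = mbps / 8 * 86400                # megabits/s -> MB/day
        printf "%.1f\n", usable_mb / mb_per_day
    }'
}

# Disk needed (GB) to keep DAYS days of pcaps with the same purge threshold.
# Usage: disk_gb_for_days DAYS FREE_PCT AVG_MBPS
disk_gb_for_days() {
    awk -v days="$1" -v pct="$2" -v mbps="$3" 'BEGIN {
        mb_needed = days * mbps / 8 * 86400
        printf "%.0f\n", mb_needed / 1000 * 100 / (100 - pct)
    }'
}

# Constructed scenario: 20 Mbps average, 1 TB disk, purge at 10% free.
echo "rotation at 150 MB:   $(pcap_rotation_seconds 150 20) s"
echo "rotation at 1500 MB:  $(pcap_rotation_seconds 1500 20) s"
echo "retention on 1000 GB: $(pcap_retention_days 1000 10 20) days"
echo "disk for 30 days:     $(disk_gb_for_days 30 10 20) GB"
```

A 20 Mbps average link fills a 150 MB pcap every minute and a 1 TB disk in a little over four days, which is why the file size matters less than the disk budget behind the purge threshold.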

Disable the Salt configuration management system unless you are going to run more nodes.

Disable Salt

Enable the ELSA log framework.

Enable ELSA

Conclusion

You are done; Security Onion should be working at this point. You can start using the tools to inspect your environment now. Here are some screenshots.

Sguil showing an alert generated by a request to testmyids.com, with the session detailed in NetworkMiner.

Sguil and NetworkMiner

Squert's view of the same event.

Squert GPL attack

ELSA search related to the event.

ELSA GPL attack event

The event above can be analyzed in many other ways with the different Security Onion tools; we can go from a simple alert all the way down to the instructions inside a piece of malware, depending on the incident. That is not the case here; in posts to come we may dig deeper into malware forensics or other uses of the Security Onion tools.

That's all for now, thanks for reading!

About Carlos Alberto

Carlos is a technology professional and enthusiast. In his spare time he likes skateboarding and playing guitar.
