Security Onion

I’ve been meaning to try this out for a while but I get carried away with Red Team fun that I neglect my Blue Team skills! I heard alot about about Security Onion so I  set about setting up a server.

To get full functionality out of it you will need to setup a mirrored port on your switch or router to ensure you are seeing all the network traffic, but that won’t be covered here. The Security Onion Machine needs 2 adapters, one for remote connection to administer it and also to enable you to download updates frommthe internet etc, and the second is the monitoring adapter which connects to your mirrored port.

Initially I wanted to run Security Onion in HyperV however after hours of banging my head against a brick wall I gave up and installed on a physical machine.

The main issue is the way that HyperV uses it’s virtual switches in 2008R2 it seems impossible to be able to run one in full promiscuous mode. I tried numerous powershell scripts but when checking Wireshark there was still traffic missing. Virtualbox allows a real bridged connection to a NIC and is simple to configure for network monitoring, the fact the fact you can’t do this in HyperV infuriates me! If anyone knows how to do it please let me know, but in the end I got bored fighting HyperV and installed on a physical machine.

The official guide is here:

I use Ubuntu quite a bit so wanted to install the Security Onion tools on one of my templated server images rather than download the ISO.

On an Ubuntu Server we Clear the apt repository, and then update:

sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update

Then we add the stable repos, (Also found here) and update again.

sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update

You then need to configure MySql to NOT prompt for root password.

echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections

Now we can use apt to install the Security Onion Package.

sudo apt-get -y install securityonion-all syslog-ng-core

Before running setup we should have both network adapters connected.

Run setup for the first time

sudo sosetup

Follow the prompts and make sure you choose the correct interface when asked which one will be monitored.

Now restart

Before completing setup we need to check we are seeing all trafiic, fire up wireshark

sudo wireshark

Run a simple test like sending pings between machines on your network and make sure you acn see them in Wireshark, if all good then we can continue.

Now if you haven’t already got one go to snort.org and get an ‘oinkcode’

sudo sosetup

This time we can skip network configuration and select:

  1. Production Mode
  2. Standalone
  3. Custom
  4. Create a username and password
  5. Retain Logs ’30’
  6. Re-run database repair ‘7’
  7. IDS engine ‘Suricata’
  8. Select ‘Snort VRT Ruleset and Emerging Threats NoGPL Ruleset’ then paste in your oinkcode.
  9. PF_RING_slots ‘65534’
  10. Make sure the correct interface is selected for monitoring
  11. Enable the IDS engine ‘yes’
  12. If you are only monitoring one interface select ‘2’
  13. Add your internal network IP range/s
  14. Enable Bro ‘yes’
  15. Enable exe extraction ‘no’ (If you want to do this you can, I will test this further before implementing)
  16. Enable http_agent ‘no’ (As we will be using Bro’s http.log via ELSA)
  17. Disable Argus
  18. Disable Prads
  19. Enable full packet capture ‘yes’
  20. Pcap file size ‘150’
  21. PF_RING buffer size ‘512’
  22. The log purge threshold hold will purge your logs once this threshold is reached, so you need to choose this based on how long you want to retain logs for and how much storage you have available. I went with the default 90%.
  23. Enable ELSA ‘yes’
  24. ELSA storage, I left at default.
  25. Confirm your changes.

BOOM! after another restart you will be up and running, use the new shortcuts on the desktop to login to ELSA, Sqert, and sguil and be prepared to be scared shitless by what you find!

If you want to enable remote access you need to run

sudo so-allow

This will run a script to help you setup remote access to the Security Server if you so wish.

You can also download and install OSSEC if you wish from here:

Check out the installation requirements for system. In my case I needed to run:

apt-get install build-essential

Then download the latest tar from the ossec github

Then to extract the tar.gz

tar -zxvf ossec-hids-*.tar.gz

Then go to the directory you unzipped it to. Im my case

cd Downloads/ossec-hids-*.tar.gz

Then run the install

sudo ./install.sh

If you receive no errors then to start OSSEC run

sudo /var/ossec/bin/ossec-control start

Now start digging into all the flags on your network and look at how you can resolve them! I’ll be blogging my findings in the coming weeks. It’s scary shit if you have something important your trying to protect rather than just a witty Cyber-blog! Good luck, you’re gonna need it.