I’ve been meaning to try this out for a while, but I get so carried away with Red Team fun that I neglect my Blue Team skills! I heard a lot about Security Onion, so I set about setting up a server.
To get full functionality out of it you will need to set up a mirrored port on your switch or router so that the sensor sees all the network traffic, but that won’t be covered here. The Security Onion machine needs two adapters: one for remote administration (and for downloading updates from the internet), and a second monitoring adapter which connects to your mirrored port.
Initially I wanted to run Security Onion in Hyper-V; however, after hours of banging my head against a brick wall I gave up and installed it on a physical machine.
The main issue is the way that Hyper-V uses its virtual switches in 2008 R2: it seems impossible to run one in full promiscuous mode. I tried numerous PowerShell scripts, but when checking Wireshark there was still traffic missing. VirtualBox allows a real bridged connection to a NIC and is simple to configure for network monitoring; the fact that you can’t do this in Hyper-V infuriates me! If anyone knows how to do it please let me know, but in the end I got bored fighting Hyper-V and installed on a physical machine.
I use Ubuntu quite a bit, so I wanted to install the Security Onion tools on one of my templated server images rather than download the ISO.
On the Ubuntu server we first clear the cached apt package lists, then update:
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update
Then we add the stable Security Onion repository and update again:
sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update
You then need to configure MySQL to NOT prompt for a root password:
echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
Now we can use apt to install the Security Onion package:
sudo apt-get -y install securityonion-all syslog-ng-core
Before running setup, both network adapters should be connected.
Run setup for the first time.
Follow the prompts, and make sure you choose the correct interface when asked which one will be monitored.
Before completing setup we need to check that we are seeing all traffic, so fire up Wireshark
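The Wireshark check above is about one thing: does the monitoring adapter see frames that are neither to nor from this box? Here is an added, hypothetical helper (not part of Security Onion or this post) that does the same check from the command line on Linux: it sniffs the monitor NIC for a few seconds and buckets frames as local, broadcast/multicast or foreign. A mirrored port that is working produces plenty of foreign frames; zero foreign frames is the symptom of a mirror or promiscuous-mode problem like the Hyper-V one described earlier. The interface name and local MAC are assumed command-line arguments.

```python
"""Hypothetical mirror-port sanity check (added example, not a Security Onion tool).
Sniffs raw frames on the monitor NIC and counts how many are unicast between two
*other* hosts; zero such frames means the mirror or promiscuous mode is not working."""
import socket
import struct
import sys
import time

ETH_P_ALL = 0x0003  # Linux: receive frames of every protocol


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst.hex(":"), src.hex(":"), ethertype


def classify(frames, local_mac):
    """Bucket frames as local (to/from this host), broadcast/multicast or foreign."""
    counts = {"local": 0, "broadcast": 0, "foreign": 0}
    local_mac = local_mac.lower()
    for frame in frames:
        dst, src, _ = parse_ethernet(frame)
        if local_mac in (dst, src):
            counts["local"] += 1
        elif int(dst[:2], 16) & 1:  # group bit set: broadcast or multicast
            counts["broadcast"] += 1
        else:
            counts["foreign"] += 1
    return counts


def capture(iface, seconds):
    """Yield raw frames from iface for N seconds (Linux AF_PACKET, needs root).
    Assumes the NIC is already promiscuous, which Security Onion's setup arranges."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    sock.settimeout(1.0)
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            yield sock.recv(65535)
        except socket.timeout:
            continue


if __name__ == "__main__":
    iface, local_mac = sys.argv[1], sys.argv[2]  # e.g. eth1 00:11:22:33:44:55
    result = classify(capture(iface, 10), local_mac)
    print(result)
    if result["foreign"] == 0:
        sys.exit("no foreign frames seen: check the mirror port / promiscuous mode")
```

Run it as root against the monitoring adapter while other hosts on the mirrored segment are talking; a healthy result shows foreign frames outnumbering local ones.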