Snorby
Posted in Security by Aamir Lakhani on Sunday, October 13th, 2013. No comments.
Security Onion is a Linux distribution for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. Security Onion is a platform that allows you to monitor your network for security alerts. It's simple enough to run in small environments without many issues and allows advanced users to deploy distributed systems that can be used in enterprise network environments.
In this guide we will walk you through how to download, install, and configure Security Onion. We will configure Snort to monitor our network and use Sguil to manage and view our alerts. In my lab I am using a Mac Mini, and I am running Security Onion in a virtual machine using VMware Fusion. These instructions can be modified to work on similar systems. Additionally, I have two network cards: one for management and one for monitoring. My monitoring interface is connected to a SPAN (network mirroring) port on my switch.
Part I: Installing Security Onion
1. Download Security Onion from http://securityonion.blogspot.com/. I used the direct download link from SourceForge.
2. I used VMware Fusion to install Security Onion. Security Onion is based on 64-bit Ubuntu, so I chose this when VMware asked what type of OS you are installing. Ensuring you are selecting a 64-bit architecture is important.
3. When the system boots for the first time, select option 1 for Live System. This way we can play around with the system first. We can also install it directly to our hard drive (or virtual hard drive) when the system boots.
4. When you are ready to install the system, select the install script on the desktop. The install script will walk you through a series of steps on installing the system permanently.
5. The installer will prompt you on how you would like to partition the hard drive. Since this is a virtual machine, I will let the installer format my virtual disk and use it in its entirety.
6. Remember the username you chose when installing the system. The system does not cache your username on reboots. I also selected the option to encrypt my home folder (it's a security platform). I received some feedback that the installer would not complete if this option was selected. I could not recreate this issue, but you may want to keep this in mind.
7. Security Onion will attempt to put a network interface in monitoring mode so it can monitor security events. In some cases, you may be prompted by your native OS to authenticate this process.
8. When the installation is complete you will be prompted to reboot your system.
Part II: Updating the Security Onion
When the installation is complete and the system reboots, you will need to update the Ubuntu OS components as well as the Security Onion components.
1. On the menu bar, select Check for updates. When the process is complete, go back to the menu bar and select Install all updates.
It is not uncommon to need to perform this step several times before all updates are downloaded and installed.
When all updates have finished installing, restart the system.
Part III: Installing VMware Tools (Optional)
I personally prefer to install VMware Tools on my system. Installing VMware Tools on Security Onion is no different than installing VMware Tools on any other Linux guest OS. Detailed instructions can be found here: http://www.vmware.com/support/ws5/doc/ws_newguest_tools_linux.html
You may need to reboot your system after you install VMware Tools.
NOTE: I used the sudo -i command to gain root privileges on the system. You will need to ensure you are root from this point forward.
Part IV: Updating Security Onion
1. Now we will update the Security Onion components. This will update the latest scripts and security tools used inside the Security Onion platform.
Since all of the packages are in a standard Ubuntu Launchpad PPA, you can use standard Ubuntu package management tools to update ALL packages (Ubuntu and Security Onion). However, there are some caveats to be aware of:
MySQL: if you've already run Setup, please see the recommended procedure for updating the MySQL packages.
PF_RING and new kernel packages
You may be prompted to update your kernel packages and PF_RING at the same time. If you do so, the PF_RING kernel module will get built for your current kernel and not for the newly installed kernel, and upon reboot services will fail. To avoid this, you should install just the PF_RING kernel module by itself and then install the kernel and any other remaining package updates. Here's a one-liner that will do that:
sudo apt-get update; sudo apt-get install securityonion-pfring-module; sudo apt-get dist-upgrade
If you accidentally install both the kernel and PF_RING packages at the same time, then reboot and find out that PF_RING services (Snort and Suricata) are failing, you can reinstall the securityonion-pfring-module package:
sudo apt-get install --reinstall securityonion-pfring-module
The update procedure will take a few minutes.
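As an added example (not from the original post or the Security Onion project), the script below wraps the update order from the PF_RING caveat above in a function and adds a check that the installed pf_ring module was actually built for the kernel that is now running. The function names and the sample vermagic string in the comments are my own; the package name, apt-get commands, modinfo and uname are real.

```shell
#!/bin/sh
# Added example, not part of the original post: update in the order the PF_RING
# caveat requires, then verify pf_ring matches the running kernel after reboot.
# Function names are constructed for this example.

# Return the kernel release a module was built for, given its vermagic string.
# vermagic looks like "3.2.0-55-generic SMP mod_unload modversions" (constructed
# sample); the first field is the kernel release.
kernel_from_vermagic() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Exit 0 when the module's build kernel equals the running kernel, 1 otherwise.
# Arguments: <vermagic string> <running kernel release>
pfring_matches_kernel() {
    [ "$(kernel_from_vermagic "$1")" = "$2" ]
}

# Live check on a Security Onion box: read vermagic from the pf_ring module
# installed for the running kernel and compare. A missing module means it was
# never built for this kernel (the failure mode described above).
check_pfring() {
    running=$(uname -r)
    vermagic=$(modinfo -F vermagic pf_ring 2>/dev/null) || {
        echo "no pf_ring module for $running; reinstall securityonion-pfring-module"
        return 1
    }
    if pfring_matches_kernel "$vermagic" "$running"; then
        echo "pf_ring built for $running: OK"
    else
        echo "pf_ring built for $(kernel_from_vermagic "$vermagic"), running $running"
        return 1
    fi
}

# Safe update order: PF_RING module first, kernel and everything else after.
# && (rather than ;) stops the sequence if an earlier step fails.
safe_update() {
    sudo apt-get update \
      && sudo apt-get install -y securityonion-pfring-module \
      && sudo apt-get dist-upgrade -y
}

# Only touch the system when explicitly asked; sourcing the file runs nothing.
case "${1:-}" in
    update) safe_update && echo "Reboot, then run: $0 check" ;;
    check)  check_pfring ;;
esac
```

Run it as `sh pfring-update.sh update`, reboot, then `sh pfring-update.sh check`; a non-zero exit from the check is the cue to run the reinstall command given above.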
Part V: Setting up Security Onion
1. Double-click on the install script on the desktop.
2. Enter your root password.
3. You will be prompted to configure network interfaces. Select Yes.
4. You will be asked to choose your management interface. This is the interface that will have an IP address and be used to manage the system.
5. You will be asked to configure the interface for static IP settings or DHCP. In most cases you will want to configure static IP addresses. However, in my lab environment I configured DHCP.
6. You will be asked to configure a monitoring interface. This is the interface the security tools will use to monitor network traffic.
7. The system will prompt you to reboot when complete.
8. When the system reboots, click on the setup icon on the desktop again.
9. You may skip the network setup since it is already completed.
10. You will need to select whether to install Security Onion as a distributed system or choose the Quick Setup option. We will select the Quick Setup option.
11. You will be asked to select which interface is the monitored (non-management) interface. Select the appropriate interface.
12. You will need to create a username that will be used to log into and use the Sguil, Squert, and ELSA tools.
13. You will be asked for an email address. This is the username you will use to log into Snorby. Snorby is going to be one of the primary interfaces we will use to monitor Snort.
14. You will be asked to create a password. The system only accepts alphanumeric passwords, so you cannot use special characters.
15. Enable ELSA.
16. The system will finish configuring the Security Onion tools.
Note the location of the local rules; we will show you how to tune the rules in a future article.
Although the rules will update automatically, it is a good idea to update them manually after installation. We will update the rules manually later in this article.
Congratulations, you have installed Security Onion.
Part VI: Using Security Onion
The first thing we will want to do is update the Snort rules in Security Onion. Open up a terminal window and ensure you have root privileges. We used the sudo -i command to change over to root.
The command /usr/bin/rule-update will update the rules.
Next, we will launch Snorby. You can simply double-click on the Snorby icon on the desktop. You will use the email address and password you created during the setup script in Part V to log in.
You may not have many alerts at this point; however, if you navigate to the Events menu bar, you should start seeing some traffic (assuming your monitoring interface is set up correctly).
The alerts are based on Snort rules. The rules can be modified or disabled. Security incidents can be created based on rules (or multiple events). In this scenario you can see we have Dropbox and BitTorrent traffic. In some cases we may want to disable a rule or change the alert threshold.
Congratulations, you have successfully set up Security Onion, configured Snort to monitor your data, and are using Snorby to view alerts.
In the future, I will write a detailed guide on how to tune Snort in Security Onion and how to use some of the other tools within the platform.
Learn how to fine-tune rules in Security Onion using Snort. Check out our guide: Fine-tuning Snort rules in Security Onion.
Aamir Lakhani
@aamirlakhani
Doctor Chaos Security Blog
Tags: Security Onion, Snort