
Ultimate Guide to Installing Security Onion with Snort and Snorby
Posted in Security by Aamir Lakhani on Sunday, October 13th, 2013

Security Onion is a Linux distribution for intrusion detection, network security monitoring, and log management. It is based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. Security Onion is a platform that allows you to monitor your network for security alerts. It is simple enough to run in small environments without many issues and allows advanced users to deploy distributed systems that can be used in enterprise network environments.

In this guide we will walk you through how to download, install, and configure Security Onion. We will configure Snort to monitor our network and use Sguil to manage and view our alerts. In my lab I am using a Mac Mini, and I am running Security Onion in a virtual machine using VMware Fusion. These instructions can be modified to work on similar systems. Additionally, I have two network cards: one for management, and one for monitoring. My monitoring interface is connected to a SPAN (network mirroring) port on my switch.
Part I: Installing Security Onion

1. Download Security Onion from http://securityonion.blogspot.com/. I used the direct download link from SourceForge.

2. I used VMware Fusion to install Security Onion. Security Onion is based on Ubuntu 64-bit, so I chose this when VMware asked what type of OS you are installing. Ensuring you are selecting a 64-bit architecture is important.

3. When the system boots for the first time, select option 1 for Live System. This way we can play around with the system first. We can also install it directly to our hard drive (or virtual hard drive) when the system boots.

4. When you are ready to install the system, select the install script on the desktop. The install script will walk you through a series of steps to install the system permanently.

5. The installer will prompt you on how you would like to partition the hard drive. Since this is a virtual machine, I will let the installer format my virtual disk and use it in its entirety.

6. Remember the username you chose when installing the system. The system does not cache your username on reboots. I also selected the option to encrypt my home folder (it is a security platform). I received some feedback that the installer would not complete if this option was selected. I could not recreate this issue, but you may want to keep this in mind.

7. Security Onion will attempt to put a network interface in monitoring mode so it can monitor security events. In some cases, you may be prompted by your native OS to authenticate this process.

8. When the installation is complete you will be prompted to reboot your system.

Part II: Updating the Security Onion

When the installation is complete and the system reboots, you will need to update the Ubuntu OS components as well as the Security Onion components.

1. On the menu bar, select Check for updates. When the process is complete, go back to the menu bar and select Install all updates. It is not uncommon that you may need to perform this step several times before all updates are downloaded and installed. When all updates have finished installing, restart the system.

Part III: Installing VMware Tools (Optional)

I personally prefer to install VMware Tools on my system. Installing VMware Tools on Security Onion is no different than installing VMware Tools on any other Linux guest OS. Detailed instructions can be found here: http://www.vmware.com/support/ws5/doc/ws_newguest_tools_linux.html

You may need to reboot your system after you install VMware Tools.

NOTE: I used the sudo -i command to gain root privileges on the system. You will need to ensure you are root from this point forward.
Part IV: Updating Security Onion

1. Now we will update the Security Onion components. This will update the latest scripts and security tools used inside the Security Onion platform.

Since all of the packages are in a standard Ubuntu Launchpad PPA, you can use standard Ubuntu package management tools to update ALL packages (Ubuntu and Security Onion). However, there are some caveats to be aware of:

MySQL: if you have already run Setup, please see the recommended procedure for updating the MySQL packages.

PF_RING and new kernel packages: You may be prompted to update your kernel packages and PF_RING at the same time. If you do so, the PF_RING kernel module will get built for your current kernel and not for the newly installed kernel, and upon reboot services will fail. To avoid this, you should install just the PF_RING kernel module by itself and then install the kernel and any other remaining package updates. Here is a one-liner that will do that:

sudo apt-get update; sudo apt-get install securityonion-pfring-module; sudo apt-get dist-upgrade

If you accidentally install both the kernel and PF_RING packages at the same time and then reboot and find out that PF_RING services (Snort and Suricata) are failing, you can reinstall the securityonion-pfring-module package:

sudo apt-get install --reinstall securityonion-pfring-module
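The ordering problem above is easy to catch before it happens: apt can print its upgrade plan without applying it (apt-get -s is a dry run), and the plan can be checked for a kernel image and the PF_RING module landing in the same run. The script below is an added example, not part of the original post or of the Security Onion project. It assumes apt's dry-run lines have the form "Inst <package> [old-version] (new-version ...)" and that the kernel image packages are named linux-image-*; the sample plan it runs against is constructed for illustration.

```shell
#!/bin/sh
# check_plan: read the output of `apt-get -s dist-upgrade` (a dry run) on
# stdin and fail if the plan installs a new kernel image and the
# securityonion-pfring-module package in the same run. That combination
# leaves the PF_RING module built against the old kernel, so Snort and
# Suricata fail after the reboot. Assumes apt's "Inst <pkg> ..." dry-run
# line format.
check_plan() {
    plan=$(cat)
    # `grep -c` exits 1 when the count is 0; `|| true` keeps the "0" output.
    kernels=$(printf '%s\n' "$plan" | grep -c '^Inst linux-image-' || true)
    pfring=$(printf '%s\n' "$plan" | grep -c '^Inst securityonion-pfring-module' || true)
    if [ "$kernels" -gt 0 ] && [ "$pfring" -gt 0 ]; then
        echo "unsafe: a new kernel and the PF_RING module would be installed together" >&2
        echo "run: apt-get install securityonion-pfring-module, then apt-get dist-upgrade" >&2
        return 1
    fi
    echo "ok: no kernel/PF_RING ordering conflict in this plan"
    return 0
}

# Constructed sample plan (placeholder versions, not real apt output)
# showing the risky case: module and kernel in one dist-upgrade.
SAMPLE_PLAN='Inst securityonion-pfring-module [1.0-1] (1.0-2 SecurityOnion [amd64])
Inst linux-image-generic [1.0.0] (1.0.1 Ubuntu [amd64])'

# On a live system you would pipe the real dry run instead:
#   sudo apt-get -s dist-upgrade | check_plan
if ! printf '%s\n' "$SAMPLE_PLAN" | check_plan; then
    echo "reorder the upgrade as shown above before continuing"
fi
```

A plan that contains only the PF_RING module, or only a kernel, passes; the check only refuses the combination the page warns about.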

The update procedure will take a few minutes.

Part V: Setting up Security Onion

1. Double-click on the install script on the desktop.

2. Enter your root password.

3. You will be prompted to configure network interfaces. Select yes.

4. You will be asked to choose your management interface. This is the interface that will have an IP address and be used to manage the system.

5. You will be asked to configure the interface for static IP settings or DHCP. In most cases you will want to configure static IP addresses. However, in my lab environment I configured DHCP.

6. You will be asked to configure a monitoring interface. This is the interface the security tools will use to monitor network traffic.

7. The system will prompt you to reboot when complete.

8. When the system reboots, click on the setup icon on the desktop again.

9. You may skip the network setup since it is already completed.

10. You will need to select whether to install Security Onion as a distributed system or choose the Quick Setup option. We will select the Quick Setup option.

11. You will be asked to select which interface is the monitored (non-management) interface. Select the appropriate interface.

12. You will need to create a username that will be used to log in to and use the Sguil, Squert, and ELSA tools.

13. You will be asked for an email address. This is the username you will use to log in to Snorby. Snorby is going to be one of the primary interfaces we will use to monitor Snort.

14. You will be asked to create a password. The system only accepts alphanumeric passwords, so you cannot use special characters.

15. Enable ELSA.

16. The system will finish configuring the Security Onion tools.

Note the location of the local rules; we will show you how to tune the rules in a future article. Although the rules will update automatically, it is a good idea to update them manually after installation. We will update the rules manually later in this article.

Congratulations, you have installed Security Onion.

Part VI: Using Security Onion

The first thing we will want to do is update the Snort rules in Security Onion. Open up a terminal window and ensure you have root privileges. We used the sudo -i command to change over to root.

The command /usr/bin/rule-update will update the rules.

Next, we will launch Snorby. You can simply double-click on the Snorby icon on the desktop. You will use the email address and password you created during the setup script in Part V to log in.

You may not have many alerts at this point; however, if you navigate to the Events menu bar, you should start seeing some traffic (assuming your monitoring interface is set up correctly).
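If Snorby stays empty, the usual cause is a monitoring interface that is not actually sniffing. The script below is an added example, not part of the original post or of the Security Onion project: it reads the output of `ip addr show <iface>` and checks the three properties a sniffing interface attached to a SPAN port normally has, namely link UP, the PROMISC flag set, and no IPv4 address assigned (the management interface, not the monitor, should carry the IP). The `ip` output lines it parses are constructed samples in the standard iproute2 layout.

```shell
#!/bin/sh
# check_monitor_iface: read `ip addr show <iface>` output on stdin and
# verify it looks like a sniffing interface: UP, PROMISC, and no IPv4
# address. Prints each problem found and returns non-zero if any exists.
check_monitor_iface() {
    out=$(cat)
    # The first line looks like "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu ...";
    # pull the comma-separated flag list out of the angle brackets.
    flags=$(printf '%s\n' "$out" | sed -n '1s/.*<\([^>]*\)>.*/\1/p')
    status=0
    case ",$flags," in
        *,UP,*) ;;
        *) echo "link is not UP" >&2; status=1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "PROMISC flag is not set; the interface will not see mirrored traffic" >&2; status=1 ;;
    esac
    # "inet " (with a space) matches IPv4 lines only, not "inet6".
    if printf '%s\n' "$out" | grep -q '^ *inet '; then
        echo "interface carries an IPv4 address; the monitor interface should not" >&2
        status=1
    fi
    return $status
}

# Constructed sample: a correctly configured sniffing interface.
GOOD_IFACE='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff'

# Constructed sample: the management interface by mistake (no PROMISC, has an IP).
BAD_IFACE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:00:5e:00:53:00 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

# On a live sensor you would run: ip addr show eth1 | check_monitor_iface
printf '%s\n' "$GOOD_IFACE" | check_monitor_iface && echo "eth1 looks like a monitor interface"
if ! printf '%s\n' "$BAD_IFACE" | check_monitor_iface; then
    echo "eth0 is not a usable monitor interface"
fi
```

Run it against the interface you picked in step 11 of Part V; if PROMISC is missing, the setup script did not get to configure that interface and it is worth re-running the network setup.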

The alerts are based on Snort rules. The rules can be modified or disabled. Security incidents can be created based on rules (or multiple events). In this scenario you can see we have Dropbox and BitTorrent traffic. In some cases we may want to disable a rule, or change the alert threshold.

Congratulations, you have successfully set up Security Onion, configured Snort to monitor your data, and are using Snorby to view alerts.

In the future, I will write a detailed guide on how to tune Snort in Security Onion and how to use some of the other tools within the platform.

Learn how to fine-tune rules in Security Onion using Snort: see our guide, Fine-tuning Snort rules in Security Onion.

Aamir Lakhani
@aamirlakhani
DoctorChaos Security Blog
Tags: Security Onion, Snort
