Security Onion — (Part 1) Installation on VMware

Danny Vargas
8 min read · Jul 20, 2023


Security Onion Grub Bootloader

securityonionsolutions.com describes Security Onion as, “Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Security Onion includes a native web interface with built-in tools analysts use to respond to alerts, hunt for evil, catalog evidence into cases, monitor grid performance, and much more. Additionally, third-party tools, such as Elasticsearch, Logstash, Kibana, Suricata, Zeek (formerly known as Bro), Wazuh, Stenographer, CyberChef, NetworkMiner, and many more are included.”

As of this writing, I have installed the latest version of Security Onion (2.3.260) on VMware Workstation Player (17.0.2).

Security Onion Use Cases

NIDS (Network Based Intrusion Detection System)

Collect network events from Zeek, Suricata, and other tools for complete coverage of your network. Cast a wide net to catch the bad guys quickly and easily.

HIDS (Host-Based Intrusion Detection System)

Security Onion supports several host-based event collection agents including Wazuh, Beats, and osquery.

Static Analysis

Packet capture files can be imported for a quick static analysis and case studies. Includes support for Windows Event logs.

SOC Workstation

A workstation install option is also available for SOC analysts to use local Linux tools to perform analysis of network and host events. No need to install extra tools, we bundle all the apps you might need.

Virtual Lab Environment

  • 32 GB RAM
  • 1 TB HDD
  • Intel Core i7 @ 2.90GHz
  • Virtualization Enabled
  • 2 Network Interface Cards

Note: Security Onion can be installed on a lab host with 16 GB of RAM, assuming no other VMs are running at the same time. This tutorial assumes VMware is already installed.

Download Security Onion Installation ISO File

Navigate to the downloads page and grab the current release (2.3.260-20230620 as of this writing) of the Security Onion installation ISO.

The ISO file is about 7.3 GB.

You can download the ISO with the wget command or through the web browser:

$ wget -c https://download.securityonion.net/file/securityonion/securityonion-2.3.260-20230620.iso
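Before booting any installer ISO, check it against the digest the project publishes; a corrupted or tampered image is cheapest to catch here. The helper below is an added example, not part of Security Onion: it compares a file's SHA-256 with an expected value and returns non-zero on mismatch. The digest you pass in must come from the Security Onion download page for your release (the placeholder in the usage comment is not a real digest). Security Onion also publishes a detached GPG signature for the ISO, which is the stronger check and is not covered by this script.

```shell
#!/usr/bin/env bash
# verify_iso.sh: refuse to proceed unless the downloaded ISO matches the
# published SHA-256 digest. Added example, not part of Security Onion.
#
# Usage: ./verify_iso.sh securityonion-2.3.260-20230620.iso <published-sha256>
# The digest must be copied from the project's download page; do not take
# it from the same untrusted mirror as the ISO.

# verify_sha256 FILE EXPECTED_HEX
#   returns 0 on match, 1 on mismatch, 2 if the file cannot be read
verify_sha256() {
  local file="$1" expected="$2" actual
  [ -r "$file" ] || { printf 'cannot read %s\n' "$file" >&2; return 2; }
  # normalise case so a digest pasted in upper case still compares equal
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$actual" = "$expected" ]; then
    printf 'OK       %s\n' "$file"
    return 0
  fi
  printf 'MISMATCH %s\n  expected %s\n  actual   %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# Act only when run as a script with two arguments; sourcing the file
# just defines the function.
if [ "$#" -eq 2 ]; then
  verify_sha256 "$1" "$2"
  exit $?
fi
```

Run it before creating the VM and stop if it prints MISMATCH; `wget -c` resumes partial downloads, which is exactly the case where a truncated image can otherwise go unnoticed until the installer fails.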

Configuring VMware Player

Select Player from the menu bar, hover over File, and click New Virtual Machine.

At “Install from:”, select “Installer disc image file (iso)”, locate the securityonion-2.3.260-20230620.iso file, and press the Next button.

For the guest operating system, select Linux. For Version, select CentOS 7 64-bit from the drop-down list.

Name the virtual machine “Security Onion”. If you want a different Location, change it; otherwise leave the default and press the Next button.

Set the maximum disk size to 200 GB and press the Next button.

Before clicking Finish, the VM needs to be customized. Click the Customize Hardware button.

Now update the amount of memory. Select Memory from the Device list. If your system can spare 12 GB of RAM, use it; otherwise 8 GB. If 8 GB is not an option, 4 GB will work, but be aware that 4 GB makes the installation take much longer.

Now update the number of processor cores. Select Processors from the Device list and choose 4 from the drop-down list.

Select Bridged for the Network connection of the first adapter. Next, add a second network adapter by clicking the “Add…” button.

Select “Network Adapter” from the hardware types and click the Finish button.

Select NAT for the Network connection of the new adapter, then click the Close button. Two adapters are needed because setup dedicates one to management (the web interface) and the other to sniffing. Whichever adapter ends up as the sniffing interface only sees traffic addressed to the VM unless it runs in promiscuous mode; on a Linux host VMware will only allow that if the matching /dev/vmnet* device is writable by the user running VMware Player.

Review the virtual machine settings and click the Finish button to return to the main screen. Click the Start button to power on the virtual machine.
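The wizard steps above end up as key/value lines in the VM's .vmx file (under the Location chosen earlier). The script below is an added example, not VMware's or Security Onion's code: it reads that file and warns when the sizing or adapter layout differs from what this walkthrough uses, which is a quicker check than clicking back through Customize Hardware. The key names (guestOS, memsize, numvcpus, ethernetN.connectionType) are standard VMX keys; the thresholds are this article's recommendations rather than VMware or Security Onion requirements, and the sample file in the usage comment is constructed.

```shell
#!/usr/bin/env bash
# check_vmx.sh: compare a VMware .vmx against the layout used in this article
# (CentOS 7 guest, 4 vCPUs, 12 GB RAM recommended / 4 GB minimum,
# ethernet0 bridged, ethernet1 NAT). Added example, not VMware or Security
# Onion code. Key names are standard VMX keys; thresholds are the article's.
#
# Usage: ./check_vmx.sh "/path/to/Security Onion.vmx"
# A matching file contains lines such as:
#   guestOS = "centos7-64"
#   memsize = "12288"
#   numvcpus = "4"
#   ethernet0.connectionType = "bridged"
#   ethernet1.connectionType = "nat"

# vmx_get FILE KEY: print KEY's value with quotes, whitespace and any CR
# removed, or nothing if the key is absent.
vmx_get() {
  awk -v key="$2" -F '=' '
    {
      k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k != key) next
      v = substr($0, index($0, "=") + 1)   # keep "=" inside values intact
      sub(/\r$/, "", v)                    # tolerate CRLF files
      sub(/^[ \t]*"?/, "", v); sub(/"?[ \t]*$/, "", v)
      print v; exit
    }' "$1"
}

# check_vmx FILE: print one line per finding; return the number of hard
# failures (0 means the layout matches), 99 if FILE cannot be read.
check_vmx() {
  local f="$1" fails=0 os mem cpus nic0 nic1
  [ -r "$f" ] || { printf 'cannot read %s\n' "$f" >&2; return 99; }
  os=$(vmx_get "$f" guestOS)
  mem=$(vmx_get "$f" memsize)
  cpus=$(vmx_get "$f" numvcpus)
  nic0=$(vmx_get "$f" ethernet0.connectionType)
  nic1=$(vmx_get "$f" ethernet1.connectionType)

  [ "$os" = "centos7-64" ] ||
    echo "WARN guestOS='$os' (wizard choice Linux / CentOS 7 64-bit writes centos7-64)"
  case "$mem" in
    ''|*[!0-9]*) echo "FAIL memsize missing or not numeric"; fails=$((fails+1)) ;;
    *) if [ "$mem" -lt 4096 ]; then
         echo "FAIL memsize=$mem MB is below the 4 GB minimum"; fails=$((fails+1))
       elif [ "$mem" -lt 12288 ]; then
         echo "WARN memsize=$mem MB; 12 GB recommended, install will be slow"
       fi ;;
  esac
  case "$cpus" in
    ''|*[!0-9]*) echo "FAIL numvcpus missing or not numeric"; fails=$((fails+1)) ;;
    *) [ "$cpus" -ge 4 ] || echo "WARN numvcpus=$cpus; the article uses 4" ;;
  esac
  [ "$nic0" = "bridged" ] ||
    { echo "FAIL ethernet0.connectionType='$nic0' (expected bridged)"; fails=$((fails+1)); }
  [ "$nic1" = "nat" ] ||
    { echo "FAIL ethernet1.connectionType='$nic1' (expected nat; setup needs a second NIC to sniff on)"; fails=$((fails+1)); }
  [ "$fails" -eq 0 ] && echo "OK $f: layout matches the walkthrough"
  return "$fails"
}

# Act only when run as a script with one argument.
if [ "$#" -eq 1 ]; then
  check_vmx "$1"
  exit $?
fi
```

Run it with the VM powered off (VMware rewrites the .vmx on shutdown); a FAIL on ethernet1 is the one to fix before starting setup, since the wizard refuses to continue with a single NIC.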

so-setup-network install

I have CentOS 7 pre-installed on the virtual machine, so I am going to use the GitHub repo instead. The installation process is similar, but it skips the networking wizard since I already have networking configured.

On the install type, choose EVAL. The differences between EVAL and STANDALONE are:

EVAL

  • Evaluation Mode is recommended for first-time users or standalone VMs.
  • Ideal for quickly evaluating Security Onion
  • Will automatically configure most details of your system
  • Configures the NIDS tools (Suricata and Zeek in 2.3; the older wizard text said Snort and Bro) to monitor one network interface
  • NOT intended for a production deployment

STANDALONE

  • Production Mode is recommended for production deployments as it gives you more control over the details of your system and allows you to build a distributed deployment.
  • Build a new manager (called the master server in older releases) or connect to an existing one
  • Enable or disable network sensor services
  • Store logs locally or forward them to the manager

Type agree to proceed with the installation.

Select Yes. If the VM has more than 12 GB of RAM, you will not see this warning.

Enter a hostname. You can choose any hostname; I left it as securityonion.

Since this VM has only two NICs and one of them is already used for management (the web interface), the wizard only lets you select the remaining unused NIC as the monitor interface. Press the space bar to select it. Note: eth0 is the name of my NIC; yours may differ.

Select Automatic.

If your network uses a different CIDR, enter it here. My network is 192.168.0.0/24.

These are optional services, but I enabled them. They will run with 4 GB of RAM, but the system will take longer to load.

Select Yes.

Enter an email address. This is the account you will use to log in to the web interface.

Choose a password; you need to enter it twice to confirm it.

Choose IP from the option list. The IP option works well if the virtual machine has a static IP address rather than a DHCP lease; if the address keeps changing, you will need to rerun so-allow on the CLI to keep the web interface reachable. A static address or a DHCP reservation on your router avoids this.

Select Yes.

For our lab environment, enter the subnet in CIDR notation (for example 192.168.0.0/24). If you prefer, enter just the IP address of the remote machine that will access the web interface. A whole subnet is convenient in a home lab, but it lets every device on that subnet reach the login page; allowing only the analyst host is the tighter choice.

Review the information and, if everything is correct, select Yes. The installation will now start. Depending on your hardware and RAM configuration, it can take from about an hour to several hours.

Post Install

After the installation finishes, reboot the virtual machine and, once it comes back up, log in.

If the web interface is not reachable, you may need to run the following command:

$ sudo so-allow
Allowing ports 80 & 443

Choose the role [a] Analyst (80/tcp, 443/tcp).
For the single IP address or range, type the subnet your analyst machine is on (for example 192.168.0.0/24, which is my network).

so-allow configuration results.

To check the status of all services, run the following command:

$ sudo so-status
so-status results.

Depending on your system, some services might still be waiting to start; rerun so-status after a few minutes before assuming something is wrong.

Browse to the web interface address (for example https://192.168.0.254/) and log in with the email address and password you chose during installation. Security Onion ships with a self-signed certificate, so expect a browser warning on the first visit.

Security Onion Login Page
Security Onion — Overview Page

In part 2, I will go over the features of Security Onion and how to use them.

Challenges:

  • Installing Security Onion on a VM with 4 GB of RAM can be done, but the installation will take hours to finish. I fully recommend using at least 12 GB of RAM.
  • At the verification stage of the installation wizard, setup generated an error message, but Security Onion started with no errors after rebooting the virtual machine.
