As a cyber security analyst dedicated to improving digital resilience, I'm excited to join you on this trip, leading you through the complex process of installing, configuring, and monitoring Security Onion. In this article, I'll walk you through the installation of Security Onion, a comprehensive solution that includes crucial technologies such as Grafana, Kibana, and playbooks. We'll look at the complexities of creating a strong security environment, setting up a home lab to simulate real-world settings, and mastering remote access and control using Ubuntu Desktop.
But, before we get into the details of installation and configuration, let's take a moment to recognize the importance of Security Onion. This sophisticated platform is more than simply another cyber security tool; it is a game changer. Security Onion's arsenal of integrated tools and comprehensive capabilities enables enterprises to detect, evaluate, and respond to security threats with unparalleled precision and agility. From network traffic analysis to host-level monitoring, Security Onion provides a comprehensive set of capabilities to strengthen your defenses and improve your security posture. So, buckle up as we embark on this exciting trip toward a more robust and secure digital landscape.
What is Security Onion?
Security Onion acts as a virtual watchdog for your computer network. It's a free and open-source software program that can help you detect suspicious behavior on your network. It's a Linux distribution meant to give you visibility into the security of your network infrastructure and applications.
What Does It Do?
It monitors network traffic to detect potential cyber threats or attacks. It can identify illegal access, malware, or strange behavior that may suggest a security risk.
Its Use in an Industry or Home Lab
In an industrial setting, Security Onion is critical for improving cyber security. It aids in the detection and response to possible threats, hence preventing data breaches. It's an excellent tool for home labs to learn about cyber security and safeguard their equipment from online threats. Furthermore, it is free and can be utilized by both experts and enthusiasts.
Requirements
Step-by-Step Guide
Begin the installation procedure by installing VirtualBox. After successfully installing VirtualBox, proceed to install Security Onion using the procedures below:
Launch VirtualBox and build a new virtual machine by clicking 'New' or using Ctrl+N.
In the dialog box that appears, name the virtual machine 'secOnion'.
Find the downloaded Security Onion ISO file and import it into the ISO image area of the virtual machine settings.
To go to the next step, click the 'Next' button.
Next, start the setup process by creating a username and password and entering your domain name.
Proceed with the configuration by inputting the username and password for the domain "cyberhorror.com," which was previously configured in my Active Directory home lab. If you haven't already, have a look at the setup to get a better understanding.
Now, let's look at the important features of memory and CPU allocation for our Security Onion setup:
Security Onion's RAM and CPU needs are determined by your individual use case, the volume of network traffic for analysis, and the characteristics of your host machine.
As a general rule, designate at least 12GB of RAM for a Security Onion installation. Given that my host system only has 16GB of RAM, allocating half of that (8GB) to the Security Onion virtual machine strikes a decent balance.
When it comes to CPU allocation, Security Onion performs better with several cores, especially when dealing with large amounts of network traffic. With my Intel Core i5 processor, which normally has four cores (and up to eight threads with Hyper-Threading), I recommend allocating a significant portion of the available cores, two CPU cores in my case, to the Security Onion virtual machine.
A good starting point is to allocate 2 to 4 CPU cores to the Security Onion VM. This allocation enables Security Onion to efficiently process and analyze network traffic, resulting in optimal performance.
Note: To minimize performance deterioration, ensure that the total number of CPU cores allocated across all your virtual machines does not exceed the physical core count of your host processor.
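The note above asks you to keep the sum of cores assigned to all VMs at or below the host's physical core count. The following shell snippet is an added example (not part of the original article) that automates that check by summing the `cpus=` lines that `VBoxManage showvminfo --machinereadable` prints for each VM. The sample output embedded below is constructed for offline use; `live_check` is the version that queries VirtualBox on a real host.

```shell
#!/bin/sh
# Added example: add up the CPU cores assigned to every VirtualBox VM and
# compare the total with the host's core count (VBoxManage is assumed to be
# on PATH for live_check; the sample output below is constructed).

# Sum the "cpus=N" lines of showvminfo --machinereadable output read from
# stdin and print the total (0 when there are none).
sum_vm_cpus() {
    awk -F= '/^cpus=/ { total += $2 } END { print total + 0 }'
}

# Print "ok" if the allocation fits the host core count, otherwise "over".
check_allocation() {
    allocated="$1"
    host_cores="$2"
    if [ "$allocated" -gt "$host_cores" ]; then
        echo "over"
    else
        echo "ok"
    fi
}

# Gather the live figures from VirtualBox. The host core count is taken
# from the first argument; `nproc` reports logical CPUs, so pass the
# physical core count explicitly on a Hyper-Threading host.
live_check() {
    host_cores="${1:-$(nproc)}"
    total=$(VBoxManage list vms | sed 's/.*{\(.*\)}/\1/' | while read -r uuid; do
        VBoxManage showvminfo "$uuid" --machinereadable
    done | sum_vm_cpus)
    echo "allocated=$total host=$host_cores status=$(check_allocation "$total" "$host_cores")"
}

# Constructed sample: three VMs (the secOnion VM plus two lab machines),
# trimmed to the lines showvminfo --machinereadable would print.
SAMPLE_VMINFO='name="secOnion"
cpus=2
memory=8192
name="ubuntu-desktop"
cpus=2
memory=4096
name="dc01"
cpus=1
memory=2048'
```

Run `live_check 4` on a four-core host to see whether the current VirtualBox inventory already exceeds the physical core budget; on the constructed sample the three VMs add up to five cores, which a four-core host would flag as "over".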
After completing the previous steps, click "Next" to allocate a virtual hard disk. Given the nature of the data and traffic involved, I recommend allocating at least 200GB of virtual hard drive space. Click "Next" to continue with the allocation.
Once you've finished all of the steps, click the "Finish" button. You will be returned to the main page of Oracle VM Virtual.
Now, as you prepare to launch your VM, let's make some final tweaks to the parameters.
Remember that in the beginning, we weren't allowed to define the type of operating system or version, which were set to Linux and Red Hat (64-bit) by default. To enhance compatibility, go to the VM settings and make the following changes:
Go to the "Settings" menu, specifically the "General" section, and change the OS type to "CentOS 7 (64-bit)". If CentOS isn't on the list, select "Other Linux (64-bit)" instead. This guarantees that your VM is properly configured.
Next, go to the "Network" section of your settings and turn on the second and third adapters. Connect them to the internal network and give it a name like "LAN" or something else you can remember.
Click "OK" to begin the machine startup process.
Press "Enter" at the first prompt to begin the installation process.
At the next box, type "yes" and then press "Enter". Then, create an administrative login and password.
Once the installation is complete, press "Enter" to start the reboot. After the system restarts, you will be prompted to log in with the previously configured credentials.

When the setup wizard displays, select "Yes" and hit "Enter" to begin. In the following screen, select "OK" to continue with the regular installation process. To proceed, use the EVAL option by pressing "Enter," entering "AGREE," and then selecting "OK".

Following this step, a warning will pop up advising that the initial configuration requires at least four cores. Despite this, proceed with only two cores by choosing "Yes."

In addition, a warning notice will display regarding the allocated RAM, suggesting a minimum requirement of 12GB, but you can go with 8GB by selecting "Yes."
The hostname should be "seconion," and the description should be "Security Onion Virtual Machine."
To set the first interface as your management NIC, highlight it using the space bar and then press "Enter" to confirm your selection.
I chose DHCP for the management interface settings. Despite the DHCP warning, go ahead and click "OK" to start networking.
To ensure best functioning, make sure your Security Onion has internet access.
I opted for a direct internet connection.
Choose the monitor interface to configure.
Set the OS Patch schedule to automatic.
Proceed to the default setting and click "OK."
Note: Utilizing additional services will raise the RAM requirements.
Set a password and enter the email address for your internet connection (you can use an invalid address, such as pep@cyberhorror.com).
Choose to access the web interface using an IP address. Confirm by pressing "Enter."
Select "Yes" to configure the NTP servers and use the default parameters.
Avoid running 'so-allow' at this point; it will be configured later from the command prompt.
Examine all of the set options. To proceed with the installation, press the "Tab" key and select "Yes".
After a few minutes, the Security Onion installation is complete. Click "OK" to start the reboot.
Security Onion Management
After installing Security Onion, access to the web interface is established from an external Ubuntu Desktop, imitating a SOC/Security Analyst accessing a SIEM or any other application from their device.
To enable this, you must configure an Ubuntu Desktop. Please note that the Ubuntu installation process is a prerequisite and won’t be covered in this guide, assuming it’s already completed.
Install Ubuntu Desktop and then log in.
To install net-tools, open the Terminal and type this command: "sudo apt install net-tools". The "net-tools" package contains a collection of command-line utilities for network-related operations on Linux systems. These programs support basic network diagnosis, configuration, and monitoring. Now that we have installed "net-tools", we can run the command "ifconfig" to check our MAC and IP address.
We will use the highlighted IP address soon in our security onion.
Now navigate to your Security onion and log in with the credentials you created.
We'll use the command 'sudo so-allow' to set a firewall rule on Security Onion that allows connections from our Ubuntu machine. Enter your password and type "a" to associate your Ubuntu IP with the analyst role. In my case, the IP address is 192.168.1.9.
Note: To address the issue of VM machines having the same IP address owing to NAT, I've switched to using NAT Network as an alternative, altering the settings for all impacted devices and therefore changing all my IP addresses. I set up a NAT network by going to File > Tools > Network Manager, which allows you to resolve IP address problems among your NAT-enabled Virtual Machines.

The new IP addresses for my Security Onion and Ubuntu are "10.0.2.15" and "10.0.2.4," respectively. Return to Ubuntu's Firefox browser and try to reach the Security Onion using its current IP address, "10.0.2.15".
Note: Since "10.0.2.15" is a private IP address, consider unplugging your host machine from the internet to verify adequate access to Security Onion before reconnecting.
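The NAT-versus-NAT-Network detour above boils down to two conditions: the analyst IP you hand to 'so-allow' must be a private address, and the Ubuntu and Security Onion VMs must sit on the same network so the firewall rule actually matches the source address the browser connects from. The shell snippet below is an added example (not from the original article or from Security Onion itself) that encodes those pre-flight checks and, on a live host, tests whether the web interface answers on TCP 443. It assumes the default VirtualBox NAT Network of 10.0.2.0/24 and that `nc` is installed on the Ubuntu Desktop; the addresses used in the comments are the ones from this article.

```shell
#!/bin/sh
# Added example: pre-flight checks before running `sudo so-allow` on
# Security Onion. Assumes the VirtualBox NAT Network default subnet
# (10.0.2.0/24) and an installed `nc` for the live reachability test.

# Return 0 if the dotted-quad address is in an RFC 1918 private range.
is_private_ip() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Return 0 if two addresses share the same /24. The article's Security
# Onion (10.0.2.15) and Ubuntu (10.0.2.4) VMs do; the earlier NAT-mode
# address 192.168.1.9 would not, which is why so-allow never matched.
same_slash24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Print a one-line verdict for an analyst/Security Onion address pair.
preflight() {
    analyst="$1"
    onion="$2"
    if ! is_private_ip "$analyst"; then
        echo "reject: analyst address $analyst is not private"
        return 1
    fi
    if ! same_slash24 "$analyst" "$onion"; then
        echo "reject: $analyst and $onion are on different /24 networks"
        return 1
    fi
    echo "ok: allow analyst $analyst on $onion"
    return 0
}

# Live check (needs the lab network, so it is not part of the offline
# test): does the Security Onion web interface accept connections on 443?
web_ui_reachable() {
    nc -z -w 3 "$1" 443
}
```

Run `preflight 10.0.2.4 10.0.2.15 && web_ui_reachable 10.0.2.15` from the Ubuntu Desktop after 'so-allow' has been applied; a failed `nc` probe with a passing pre-flight usually means the firewall rule was added for a stale address.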
Once logged in, you may access your alerts through the Security Onion interface.
Dashboards provide a consolidated interface for real-time insight into network events, security warnings, and incident response. They deliver network traffic pattern visualizations, security tool alerts, and log analysis to help identify potential attacks quickly.

Hunt allows us to proactively search for potential dangers within our network. It includes tools for creating custom queries, visualizing data, and doing time-based analysis, allowing analysts to uncover abnormalities and hidden risks that automated systems may miss. The Hunt feature improves the overall threat detection capabilities.

The Cases section often depicts unique events or conditions that security analysts wish to monitor in their network. These could involve detecting specific types of attacks, recognizing suspicious behavior, or responding to specific situations.

PCAP (Packet Capture) is essential for recording network traffic. It enables intrusion detection, incident investigation, and forensic analysis by capturing and storing comprehensive network packets from a variety of sources, including network interfaces. PCAP files are used by analysts to discover threats, conduct proactive hunting, and understand the whole context of network activities. The incorporation of tools such as Suricata, Snort, and Wireshark improves the platform's capabilities for effective security monitoring.
The user section displays all of the accessible users, which in my situation is simply one user.
Kibana is a web interface for seeing and studying data stored in ElasticSearch. It supports real-time monitoring, custom dashboard building, and search/query capabilities, allowing for efficient analysis of network events and security-related data.
Grafana has also been integrated into Security Onion, and it has a lot of fascinating things to explore.

As we conclude this complete tutorial on installing, configuring, and using Security Onion, I'd like to express my heartfelt gratitude to you, dear reader, for accompanying me on this enlightening voyage. We've gone into the complexities of strengthening our digital defenses, leveraging the capabilities of Security Onion to take our cyber security posture to new heights.

As you move forward with your acquired information and skills, I encourage you to continue investigating and expanding your cyber security knowledge. The quest to protect our digital assets is an ongoing one, distinguished by constant learning and change. Whether you're safeguarding a modest home network or defending a large enterprise infrastructure, remember that every step you take to improve security contributes to a better digital ecosystem for everyone.
Thank you again for joining me on this step-by-step journey. May your cyber security efforts be successful, and may the insights obtained from this handbook serve as a light of empowerment in your pursuit of digital resilience.
Stay Informed, Stay Safe!