The objective of Security Onion is to provide a comprehensive, open-source Linux distribution for network security monitoring (NSM), intrusion detection, and log management. It integrates security tools such as Suricata, Zeek, and the Elastic Stack to help organizations detect, analyze, and respond to threats. Security Onion aims to offer a unified platform for threat hunting, incident response, and security monitoring, making it easier for security teams to identify and mitigate risks in real time.
- Network Traffic Analysis: Monitoring and analyzing network traffic using tools like Zeek and Suricata.
- Intrusion Detection: Setting up and configuring intrusion detection systems (IDS) to identify security threats.
- Log Management: Collecting, parsing, and managing logs for effective threat hunting and incident response.
- Security Incident Response: Investigating and responding to security incidents using Security Onion's dashboards and tools.
- Data Correlation: Correlating data from multiple sources (network, host, and logs) for comprehensive threat analysis.
- Threat Hunting: Using Elastic Stack for searching and identifying anomalies or malicious activity.
- Alert Tuning: Customizing and fine-tuning alerts to reduce false positives and enhance detection accuracy.
- Elastic Stack Management: Working with Elasticsearch, Kibana, and Logstash for data visualization and analysis.
First, I navigated to Security Onion's website to find the documentation and the ISO file. For this setup, I will be installing it from the standalone ISO. You could also install it in AWS, Azure, etc.; just refer to the documentation.
Next, I went ahead and downloaded the ISO.
Next, I validated the hash published on the site against the file I downloaded.
Here is the hash of the downloaded file.
The hash from Security Onion is B087A0D12FC2CA3CCD02BD52E52421F4F60DC09BF826337A057E05A04D114CCE (64 hex characters, so this is a SHA-256), and I created a script to compare the two hashes to make sure they match. From the script's results, they do.
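Here is the kind of check that script performs, as an added example written for this page (not the author's script). It computes the SHA-256 of the downloaded file, normalises the case of the published hash (download pages often print it in upper case, as above), and refuses to report success unless the two match. The ISO file name in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): compare a downloaded ISO's
# SHA-256 with the hash published on the download page.
# Usage: sh verify_iso.sh <iso-file> <expected-sha256>

# verify_iso FILE EXPECTED_HEX
# Returns 0 when the computed SHA-256 equals EXPECTED_HEX, 1 otherwise.
verify_iso() {
  file="$1"
  # Published hashes are often upper-case; normalise to lower-case so a
  # case difference is not mistaken for a tampered file.
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"

  if [ ! -f "$file" ]; then
    echo "ERROR: no such file: $file" >&2
    return 1
  fi

  # sha256sum is standard on Linux; fall back to shasum on macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
  else
    actual="$(shasum -a 256 "$file" | cut -d' ' -f1)"
  fi

  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA-256"
    return 0
  fi
  echo "MISMATCH: do not use $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Run directly with two arguments, e.g. (file name is a placeholder):
#   sh verify_iso.sh securityonion.iso B087A0D12FC2CA3CCD02BD52E52421F4F60DC09BF826337A057E05A04D114CCE
if [ "$#" -eq 2 ]; then
  verify_iso "$1" "$2"
fi
```

The script exits non-zero on a mismatch, so it can be used as a gate in a download step rather than relying on eyeballing two 64-character strings.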
Now that the hashes match, I know the ISO I downloaded is the file Security Onion published and was not corrupted or swapped in transit. Note that this check only goes as far as the website itself: if the site were compromised, an attacker could replace both the ISO and the posted hash, so the stronger check is to also verify the detached signature that Security Onion publishes, as described in its download documentation. I will continue with the installation by turning this ISO into a bootable drive using Balena Etcher.
From here, you just select the ISO, select the USB drive, and flash it. After this step it would be hard to take screenshots, so I will continue on a VM for the screenshots, but the process is the same when you are in front of the physical machine.
I pre-loaded all the requirements into VMware and am now ready to go. Please watch the reference video (see References) if you need to see the small steps taken.
When you start, you will be prompted with this UI.
Everything is getting set up and will look like this, so give it some time. Get some water and hydrate!
Once everything is complete, you should see this screen now. We will go ahead and type in yes to proceed.
You will now create an admin account to be able to access the system. Make sure you keep track of this password; put it in your password manager, such as Keeper or 1Password.
Once you have created your admin account, the download will start. This process takes a few minutes as well, so get some more water while you wait.
While we wait for the download, we can multitask and make sure our network switch is configured to mirror traffic to the port the Security Onion monitoring NIC is plugged into. I call this the TAP port below; strictly speaking it is a SPAN (port-mirror) destination, not a passive network TAP.
Now, you do need a switch that supports many-to-one port mirroring (SPAN). I have the UniFi Pro 48 switch in my lab, so I will be using it. If you would like another recommendation, I suggest the Dell PowerConnect 7048P (https://hardwarestorm.com/dell-powerconnect-7048p-network-switch.html)
The UniFi UI only exposes one-to-one mirroring. To get around this, we need to SSH into the switch and configure it from the backend CLI, which allows multiple source ports. First, I use PuTTY to SSH into the switch.
Next, from that SSH session I run the command "telnet localhost". This connects, from inside the switch, to its built-in Cisco-style CLI.
Next, I type "en" and then "config" to enter configuration mode.
Next, I type the command "show monitor session all". Mine is already set up, but yours will be blank like the other sessions.
From here, all we need to do is tell the switch which ports are the source ports and which one is the mirror destination (the TAP port). A good reference video I like to credit is https://www.youtube.com/watch?v=VwVyM_wZTps
Since mine is already configured, I will not run the commands again, but here they are. Before you proceed, note that this configuration is not persistent: if the switch reboots for an update, or the controller re-provisions it, the session is erased and you have to configure it again. You also need to pick a session number. It does not matter which one, since these sessions are not exposed in the UniFi UI, so this example sticks with session 1. Finally, pick the port that the Security Onion monitoring NIC is actually cabled to; I use port 42, but any port works. In the CLI, type:

    monitor session 1 destination interface 0/42
    monitor session 1 source interface 0/2
    monitor session 1 mode

The first command makes port 42 the mirror destination (TAP port). The second adds a source port; 0/2 is just an example, so repeat that command once for each port you want to monitor. The last command enables the session, and Security Onion will start seeing traffic from the specified ports. One caveat: a SPAN destination is not a passive TAP. Traffic from every source port is copied onto one destination port, so if the combined mirrored traffic exceeds that port's link speed the switch drops the excess and the sensor silently misses packets. Keep that in mind when deciding how many busy ports to mirror to a single port.
Here is a view of my switch. I have all ports on the bottom row activated with my different network devices. Port 42 is the TAP port and the others are the source ports that I point to the TAP port.
Now that the switch has been configured, let's head back over to Security Onion.
It looks like the download is done and I need to reboot, so let me go ahead and do that.
The server has rebooted and now it's time to log in and configure it.
I click Yes to proceed to the next step and then click Install.
Next, we select the EVAL node type, since this is just an example setup. EVAL is meant for evaluation on a single machine rather than production use; for my home lab I have the standalone version installed.
I type in AGREE to proceed.
Then I select Standard. Note that you could choose Airgap if you don't want Security Onion to communicate with the internet.
Then you can rename the server whatever you would like to call it; for this example we will just keep the default name.
Next, we choose the NIC that will be used for management, i.e. to reach the web interface. We will leave this as the default as well.
You can pick DHCP or Static for the IP. In this example, we will use DHCP.
Next, we select the monitoring NIC. There is only going to be one option, so just select the remaining NIC.
Next, we need to enter an email address to log in to the web interface. This is just the username for the web login; it does not need to be a real mailbox, so we will use a simple one.
Then we need to enter a password.
Next, you will be prompted to select how you would like to access the interface. I will select the IP option.
Select yes for this step.
Now we need to enter the IP address or subnet that is allowed to reach the web interface; the installer adds it to the host firewall. Keep this as narrow as you can (your admin workstation or management subnet rather than a whole network), and get it right: if you enter the wrong range, you will not be able to connect to the Security Onion web interface from your machine, although it can still be corrected later from the server console.
I select No for this step, but feel free to select yes if you would like.
This is the final check Security Onion gives you to review everything you entered. If it all looks good, go ahead and select yes.
Now security onion will apply those changes and update the server with the config. This will take a couple of minutes, so grab a bite to eat if you want.
Okay, the settings have been configured and this is the screen you should now see.
Let's navigate to the web interface at the IP shown.
Here you can see that we can successfully reach the web interface of Security Onion.
We have logged in and are now met with the overview page of Security Onion.
Going straight to Alerts, it looks like we already have one alert that was triggered by our host machine.
Let's test the TAP (monitoring) NIC to make sure it can receive more alerts. Navigate to "Grid", scroll down to the node, and click the 2nd icon. This replays sample packet captures through the monitoring interface so the sensor generates alerts without waiting for real traffic to arrive.
Now give it about 5 minutes to actually send the alerts.
After waiting, we navigate to the Alerts section and click refresh, and you can see we now receive more traffic and different alerts, which is exactly what we want.
From here, the rest of the setup is waiting for alerts and tuning them to remove as many false positives as possible.
For example, let's say we want to stop my host VM from triggering the "ET INFO Spotify P2P Client" alert. Click on the alert and select "Tune Detection".
Something I think is cool is that Security Onion tells you more about the alert and what it really means: just navigate to the Overview tab to see more information on the rule.
If you think the alert is completely useless, simply turn the rule off entirely, as I just did.
Now, let's say you want this rule enabled, but want a certain group or individual devices not to alert because their activity is legitimate.
Well, let's navigate to the Tuning tab.
Click the plus icon
Next we want Suppress, by src IP, then the IP address itself.
Once the information has been entered, click "Create" at the bottom.
After a few seconds you will see the suppression has been applied.
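As an added illustration that is not part of the original post: this is the Suricata threshold.conf syntax that a suppression like the one above corresponds to underneath Security Onion's tuning UI. The sid (1000001) and the addresses are placeholders made up for the example; the real sid is in the rule text on the detection's Overview tab. The third entry goes a step beyond the text and shows the alternative to suppressing, a rate limit that keeps the rule alive.

```conf
# Added example (not from the original post). Placeholders: sid 1000001,
# host 10.0.0.25, subnet 10.0.0.0/24. gen_id 1 is the Suricata rules engine.

# Suppress: never alert on this rule when the source is the listed host.
# This is what "Suppress, by src IP" in the tuning tab expresses.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.0.0.25

# Suppress for a whole subnet instead of one device (CIDR is accepted).
# Use by_dst instead of by_src when the trusted host is the destination.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.0.0.0/24

# Threshold instead of suppress: keep the rule, but raise at most one alert
# per source per hour, so a chatty but legitimate client does not flood the
# Alerts page while a new host triggering the rule is still visible.
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 3600
```

The difference matters for detection coverage: a suppression makes the rule blind to that address entirely, while a limit threshold still tells you the first time it fires. Prefer the narrowest scope (one host, one sid) over broad suppressions that can hide a later compromise of the "trusted" device.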
To get the alerts out of your dashboard, first acknowledge the alert and then escalate it to a case.
Click the bell icon to acknowledge the alert. That assigns it to you and saves the rest of your team from looking at it and wasting time.
After you click on the bell icon, navigate to the top of the page and click the drop-down arrow
From here, select the acknowledged slider
After you select that, all your acknowledgements will show up. Select the one you want to turn into a case by selecting the triangle icon.
Select "Escalate to new case"
Once you escalate the case, navigate to the cases tab on the left.
Once you are here, click on the binoculars icon
This is where you can add attachments, information from another case, etc.
Since we just excluded our host machine from triggering this alert again, we will add a quick note. Also assign the case to yourself.
Now that we have added a note to the case and assigned it to us, let's close it out.
Simply go to the "Status" section under Summary over on the right side and set the case to close.
After you close the case, it will be out of your dashboard, marked as reviewed by you.
There is much more you can do on this server, such as adding more IPs to the firewall, adding users with different roles, deploying Elastic Agents to collect Windows event logs, and much more. Play around with it and discover what this tool can do.
References
https://www.youtube.com/watch?v=Jb_sb_vLrB0&list=PLljFlTO9rB17E0hOetV_R4Lc0WbEy8q_Y&index=2 ------ Security Onion setup
https://www.youtube.com/watch?v=VwVyM_wZTps ------ Unifi Switch config