Saturday, January 21, 2012

Security Onion

Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring).  It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, argus, Xplico, tcpreplay, scapy, hping, and many other security tools.  The main web site for the project is http://securityonion.blogspot.com/.

The screen captures below were taken from installing the distribution within a VMware Workstation environment.  After the initial installation has completed, access a terminal window and execute the following command as root to update the OS:

apt-get update; apt-get dist-upgrade

securityonion_1

This process may take some time to download.  Once completed, the components of the Security Onion will need to be updated.  On the web site, a link is present concerning updates.

securityonion_2

The page should have a command that you can copy and paste into a terminal window.

securityonion_3

securityonion_4

securityonion_5

Once all components are updated, a icon should be present on the desktop called Setup.  This should launch a configuration wizard.

securityonion_6

securityonion_7

An advanced or quick setup option should be available.

securityonion_8

Below are some of the screens of the setup wizard.

securityonion_9

securityonion_10

securityonion_11

securityonion_12

securityonion_13

securityonion_14

securityonion_15

A summary screen should eventually appear.

securityonion_16

securityonion_17

Back on the desktop, access the Snorby icon.

securityonion_18

Log into the web interface of the application.

securityonion_19

To view alerts, click on the Events menu option.

securityonion_20

In reviewing the details of an alert, a button is available to display the rule that generated the entry.

securityonion_21

securityonion_22

More options are available via the main menu.

securityonion_23

The /etc/snort/snort.conf file may need to be modified to include the IP range on the network in question.

securityonion_24

The FAQ section on the web site includes more configuration hints.

securityonion_25

No comments:

Post a Comment