Please read the following before downloading!
What's the recommended procedure for installing Security Onion?
- If you just want to quickly evaluate Security Onion, the short answer is:
  - Hardware requirements: you'll need at least 1GB RAM for each monitored network interface. Be aware that full packet capture may fill your disk quickly, so size your storage appropriately.
  - Download the ISO image, verify its checksum, and boot from it.
  - Run through the Xubuntu installer.
  - Reboot into your new installation and double-click the Setup shortcut. Follow the prompts.
  - Analyze alerts using Sguil, Squert, or Snorby.
- If you're going to be deploying Security Onion in production, the longer answer is as follows:
  - Before you start, make sure your sensor(s) are capable. Check the Hardware page.
  - Download the most recent Security Onion ISO image from here (you may have to scroll to the bottom of the page).
  - Verify the MD5 and/or SHA1 checksums of the downloaded ISO image. There is an accompanying .md5 file, or you can use the MD5/SHA1 checksums that SourceForge displays when you click the Information (view details) button to the right of the ISO image (it's a circle with an "i").
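The checksum step above, as an added example that is not part of the Security Onion project: a small POSIX sh function that checks the ISO against the accompanying .md5 file with md5sum -c and, when you paste in the SHA1 value shown on the download page, against that too. It assumes the .md5 file sits beside the ISO and is in md5sum's own "<hash>  <filename>" format; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Security Onion project: verify a downloaded
# ISO against the accompanying .md5 file and, optionally, against a SHA1 value
# copied from the download page. Assumes the .md5 file is in md5sum's own
# "<hash>  <filename>" format and sits beside the ISO.

# verify_iso ISO [EXPECTED_SHA1]
# Returns 0 only if every available checksum matches.
verify_iso() {
    iso="$1"
    # Normalise a pasted SHA1 to lowercase so case differences don't cause a false mismatch.
    expected_sha1=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    [ -f "$iso" ] || { echo "missing file: $iso" >&2; return 1; }
    [ -f "$iso.md5" ] || { echo "missing checksum file: $iso.md5" >&2; return 1; }

    # md5sum -c reads the filename out of the .md5 file, so run it from the
    # ISO's directory in case the file lists a bare name rather than a path.
    ( cd "$(dirname "$iso")" && md5sum -c "$(basename "$iso").md5" >/dev/null 2>&1 ) \
        || { echo "MD5 mismatch for $iso" >&2; return 1; }

    # SHA1 is only checked when the caller supplies the published value.
    if [ -n "$expected_sha1" ]; then
        actual_sha1=$(sha1sum "$iso" | cut -d' ' -f1)
        [ "$actual_sha1" = "$expected_sha1" ] \
            || { echo "SHA1 mismatch for $iso" >&2; return 1; }
    fi

    echo "checksums OK for $iso"
    return 0
}

# Usage (placeholder names): verify_iso ~/Downloads/securityonion.iso <sha1 from the download page>
```

A non-zero exit from verify_iso means the image should be re-downloaded rather than booted; treating the check as a hard gate is the point of doing it before the installer ever runs.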
  - (If deploying a master server and one or more slave sensors, you'll need to perform the remaining steps on the server and all sensors, but make sure you install/configure the master first.)
  - Boot the ISO and select Install (either from the boot menu or from the Live desktop).
  - Follow the prompts in the installer. When asked about partitioning, there are a few things to keep in mind:
    - If you have more than 2TB of disk space, you will probably want to create a dedicated /boot partition at the beginning of the disk to ensure that you don't have any GRUB booting issues.
    - The Sguil database can grow fairly large (100GB or more for decent-size networks) and is stored at /var/lib/mysql/, so you may want to put /var on a dedicated partition/disk and assign a good amount of disk space to it. Also see the DAYSTOKEEP instructions near the end of this procedure.
    - Sensors store full packet captures at /nsm/sensor_data/, so you may want to put /nsm on a dedicated partition/disk and assign as much disk space as possible (1TB or more).
  - Reboot into your new installation and log in with the credentials you specified in the installer.
  - Configure networking.
  - If you're behind a proxy, configure your proxy settings.
  - If your machine has more than 4GB of RAM, install the PAE kernel.
  - Install Ubuntu updates using the Update Manager in the upper right corner and reboot if necessary. tcl/tk updates are on hold and you should NOT attempt to manually install any tcl/tk updates! You may want to configure Ubuntu to automatically install updates.
  - Install Security Onion updates.
  - Double-click the Setup shortcut on the Desktop and follow the prompts. If this is a sensor that will report to a master server, then Setup will prompt you for an SSH account on the master server that has sudo privileges. Consider creating a separate SSH account on the master server for each sensor so that if a sensor is ever compromised, its individual account can be disabled without affecting the other sensors.
  - If you're monitoring IP address ranges other than the private RFC1918 address space (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12), you should update your sensor configuration with the correct IP ranges. Sensor configuration files can be found in /etc/nsm/HOSTNAME-INTERFACE/. Modify either snort.conf or suricata.yaml (depending on which IDS engine you chose during Setup) and update the HOME_NET variable. Also update sancp.conf and pads.conf. Then update Bro's network configuration in /usr/local/etc/networks.cfg. Finally, restart the sensor processes:
    sudo nsm_sensor_ps-restart
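Keeping HOME_NET consistent across snort.conf, suricata.yaml and networks.cfg is the error-prone part of the step above, so here is an added example (not Security Onion's own code) that validates each CIDR first and only then rewrites the three files from one list. The line formats it edits are assumptions: "ipvar HOME_NET [...]" in snort.conf, "HOME_NET: \"[...]\"" in suricata.yaml, and one "cidr<TAB>description" per line in networks.cfg; sancp.conf and pads.conf still need to be edited by hand. The sensor directory and networks.cfg path are parameters so you can try it on copies before touching /etc/nsm.

```shell
#!/bin/sh
# Added example, not part of the Security Onion project: push one HOME_NET
# definition into the per-sensor snort.conf and suricata.yaml and into Bro's
# networks.cfg, after validating every CIDR. Assumed file formats:
#   snort.conf     ipvar HOME_NET [a.b.c.d/n,...]
#   suricata.yaml  HOME_NET: "[a.b.c.d/n,...]"   (under vars/address-groups)
#   networks.cfg   one "cidr<TAB>description" per line
# sancp.conf and pads.conf are not touched here.

# valid_cidr A.B.C.D/N -> 0 if a well-formed IPv4 CIDR, 1 otherwise
valid_cidr() {
    printf '%s\n' "$1" \
        | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    ip=${1%/*}
    vc_ifs=$IFS; IFS=.
    for octet in $ip; do
        [ "$octet" -le 255 ] || { IFS=$vc_ifs; return 1; }
    done
    IFS=$vc_ifs
    return 0
}

# rewrite_file FILE SED_EXPR: edit in place without relying on GNU sed -i
rewrite_file() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# set_home_net SENSOR_DIR NETWORKS_CFG CIDR[,CIDR...]
# SENSOR_DIR is normally /etc/nsm/HOSTNAME-INTERFACE and NETWORKS_CFG is
# normally /usr/local/etc/networks.cfg; both are parameters so the function
# can be exercised on copies first.
set_home_net() {
    dir="$1"; networks_cfg="$2"; nets="$3"

    # Reject the whole request before editing anything if any CIDR is bad.
    oldifs=$IFS; IFS=,
    for cidr in $nets; do
        valid_cidr "$cidr" || { IFS=$oldifs; echo "rejecting bad CIDR: $cidr" >&2; return 1; }
    done
    IFS=$oldifs

    # Only the HOME_NET line changes; EXTERNAL_NET and the rest are left alone.
    [ -f "$dir/snort.conf" ] \
        && rewrite_file "$dir/snort.conf" "s|^ipvar HOME_NET .*|ipvar HOME_NET [$nets]|"
    [ -f "$dir/suricata.yaml" ] \
        && rewrite_file "$dir/suricata.yaml" "s|^\([[:space:]]*HOME_NET:\).*|\1 \"[$nets]\"|"

    # Bro gets one network per line with a description column.
    {
        echo "# generated by set_home_net: monitored networks"
        IFS=,
        for cidr in $nets; do printf '%s\tMonitored network\n' "$cidr"; done
        IFS=$oldifs
    } > "$networks_cfg"
}

# Usage on a real sensor (placeholder directory name), then restart the sensor processes:
#   set_home_net /etc/nsm/HOSTNAME-INTERFACE /usr/local/etc/networks.cfg "10.0.0.0/8,203.0.113.0/24"
#   sudo nsm_sensor_ps-restart
```

Validating before writing matters because a malformed HOME_NET silently widens or narrows what the IDS treats as "home", which shows up later as missing or mis-directed alerts rather than as an error at edit time.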
  - If you have Internet access, create an IDS alert by typing the following at a terminal:
    curl http://testmyids.com
  - Full-time analysts should run Security Onion in a VM on their workstation, then launch the Sguil client and connect to the IP/hostname of their production Sguil sensor. This allows you to investigate pcaps without fear of impacting your production server/sensors. To change the resolution of your Security Onion VM, install the Virtual Tools for your virtualization solution or use xrandr. For a list of available screen resolutions, simply execute "xrandr". To set the screen resolution (replace W and H with the actual Width and Height desired):
    xrandr -s WxH
  - Log in to Sguil, Squert (https://server/squert/), or Snorby (https://server:3000) and review your IDS alerts. Use the additional NSM data types in Sguil and Bro logs (/nsm/bro/logs/) for in-depth analysis.
  - Run the following to see how your sensor is coping with the load. You should check this on a daily basis to make sure your sensor is not dropping packets. Consider adding it to a cronjob and having it emailed to you (see the "configure email" link below).
    sudo sostat | less
  - Please note that any IDS/NSM system needs to be tuned for the network it's monitoring. Please see ManagingAlerts. You should only run the signatures you really care about.
  - Also note that you should be looking at and categorizing events every day, with the goal being to categorize all events every day. Even if you don't use the Sguil console for your primary analysis, you need to log into it periodically and F8 old events to keep the RealTime queue from getting too big. Neglecting to do so may result in database/Sguil issues as the number of uncategorized events continues to increase on a daily basis.
  - On the server running the Sguil database, set the DAYSTOKEEP variable in /etc/nsm/securityonion.conf to however many days you want to keep in your archive. The default is 365, but you may need to adjust it based on your organization's detection/response policy and your available disk space.
  - Optional: Exclude unnecessary traffic from your monitoring using BPF.
  - Optional: add new Sguil user accounts with the following:
    sudo /usr/local/sbin/nsm_server_user-add
  - Optional: configure email for alerting and reporting.
  - Optional: Need "remote desktop" access to your Security Onion sensor? Install FreeNX.
  - Read more about the tools contained in Security Onion: Tools