
Deploying Security Onion


Building Up Our Home Lab

Welcome!

I almost didn’t make it in time to write this week’s blog post; I seem to have caught the flu from hell (yes, yes, I know flu season ended 2 months ago). I was totally out for the week, which was unfortunate, because I took this week off as a reset and was hoping to push out some good builds for this home lab build series. Alas, here we are. The next step in this series is going to be deploying Security Onion as a SIEM, or Security Information and Event Manager, pronounced “sim” (my friend the Doc would have called me out for not putting that one in there…lol). Fair warning, this is going to be a LONG ONE. Let’s strap in and go!

Why Security Onion?

Once again, I don’t believe in reinventing the wheel. CISA (The Cybersecurity & Infrastructure Security Agency) lists Security Onion on their site as:

Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise. Security Onion includes Elasticsearch, Logstash, Kibana, Suricata, Zeek (formerly known as Bro), Wazuh, Stenographer, CyberChef, NetworkMiner, and many other security tools.

The big key here is the fact that Security Onion is FOSS (Free and Open Source Software) and that is going to give you as a “home labber” and possibly a new user the opportunity to practice with tools that aren’t going to break the bank, yet still emulate what you are going to find in the industry. On top of all that, telling an employer you build stuff like this in your free time always looks great.

Prerequisites/Assumptions

Security Onion has some hardware recommendations for you depending on the type of install. Mind you, these are bare minimums; I am basing this lab on the “standalone” option here.

Our Minimums:

I am setting this up on the home lab that I have been building up throughout my blog. If you need any references to that here are the links:

Let’s Get It Installed!

1. I am using Proxmox for this installation, so I went ahead and uploaded the ISO to my server (you can also use VMWare, the settings should generally be the same, I just have Proxmox screenshots)

2. I created a new VM in Proxmox and just set my name to “SO”

3. Set my ISO to the Security Onion ISO downloaded in the prerequisites.

4. I opted for a Disk Size of 300 GB

5. I set CPU settings to 6 cores and I changed the type to “host” by recommendation of Security Onion here. The VMWare considerations can be found here (spoiler alert: it gives an abbreviated setup for VMware).

6. I set my RAM to 16384, which is 16 GB

7. I am currently just giving it one NIC (network interface card) for setup purposes.

8. This is the summary page for my VM settings: After I clicked finish I went over to my hardware and added another NIC. We are going to be using one for our management and one for our monitoring on Security Onion. In my case, my internal NIC or network is going to be using “NAT”, just for now. Once we start doing anything sketchy I will

9. Go ahead and start your VM and select “Install Security Onion x.x.xx Desktop”

10. It asks you to type “yes” to ensure you understand you are wiping the entire disk you are using. Then it will go on to ask you to set a username and password to use the server.

11. Finally, watch some text go up the screen while the installation continues; now is a good time to grab a cup of coffee or tea while we wait. I am currently coming off non-stop tea from being sick, but had a good cup of this single origin Mexican coffee from Costco. Highly recommend!

12. I had enough time to get a cup of iced coffee, back to work! While I was gone, I came back to this glorious screen! Go ahead and press Enter.

13. You should boot up into the following page:

14. Go ahead and set a hostname, then choose “use anyway” to continue

15. In case you missed it, during step 8 above I talked about setting up another NIC. One for management and the other for monitoring. Here I am going to select the NIC connected to my local domain for management, this will allow me to access the web interface from my computer.

16. This is the first Security Onion server on this network, so I am clicking “No” here and setting the graphical interface to load at boot.

17. Now go ahead and reboot. You can just type “reboot” and Enter

18. Now at the graphical login screen go ahead and select your account and log in

19. I was having some issues getting the setup to continue, so if you are in the same boat go ahead and head up to Applications on the top right corner, then open Terminal. In terminal type:

sudo SecurityOnion/setup/so-setup iso

20. Go ahead and select “Yes” to continue setup and then “Install”, then type “agree” if you agree with the Elastic license

21. I selected “standard” for my type of node. I am not going to reconfigure my management interface, and I am going to connect directly to the internet.

22. I am keeping the default docker IP range and I am selecting my available NIC as my monitor interface

23. Now, I am selecting my available interface as my monitoring interface; this is going to pull logs for us. Then it is going to ask for an email address and password, which is how we are going to log in to the interface for SO.

24. I am going to set the web interface so I can access it from an IP. I am NOT going to allow setup to be available over the web interface and I am going to allow telemetry to be sent.

25. Finally, we should be done with our install. You are getting a review of your installation here, then you just need to wait for the system to set up your containers and you are good to go.

26. Now you have a Security Onion instance running on your home lab! Although, at this point I ran into an issue. You need to jump into your box and on the top left corner click “Applications” and then under “Internet” open “Chromium” and head over to:

https://127.0.0.1

27. Go ahead and log in using the creds you created during setup; they should have been listed on the screen pictured in the screenshot above for your account. Then scroll down to “Administration” and click “Configuration”. Scroll down to firewall > hostgroups > analyst and under current grid value you can either put the IP address of a workstation or, like me, put a range of addresses.
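The analyst hostgroup in step 27 is what exposes the web interface beyond the box itself, so it is worth sanity-checking the entries before saving them. The following is an added example (not part of the original post or of Security Onion itself) that parses the IPs/CIDRs you would type into that grid value, confirms your workstation falls inside them, and flags ranges wider than an assumed /16 policy threshold; the sample entries are constructed.

```python
import ipaddress
from typing import Iterable, List

# Constructed example of what an analyst hostgroup might contain:
# one workstation plus a home-lab subnet (both made up for this example).
SAMPLE_ANALYST_ENTRIES = ["192.168.50.10", "192.168.50.0/24"]

# Anything with a prefix shorter than this is reported as too permissive.
# This threshold is an assumed local policy, not a Security Onion setting.
MAX_PREFIX_BREADTH = 16


def parse_hostgroup(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn hostgroup lines (bare IPs or CIDRs) into network objects.

    Bare IPs become /32 (or /128) networks. A malformed entry raises
    ValueError so a typo is caught before it silently locks you out.
    """
    networks = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        # strict=False tolerates host bits set, e.g. 192.168.50.10/24
        networks.append(ipaddress.ip_network(raw, strict=False))
    return networks


def too_broad(networks: Iterable[ipaddress._BaseNetwork]) -> List[str]:
    """Return entries that would open the web UI wider than the threshold."""
    return [str(n) for n in networks if n.prefixlen < MAX_PREFIX_BREADTH]


def workstation_allowed(entries: Iterable[str], workstation_ip: str) -> bool:
    """True if the workstation address falls inside any analyst entry."""
    addr = ipaddress.ip_address(workstation_ip)
    # Membership across address families (v4 vs v6) is simply False.
    return any(addr in net for net in parse_hostgroup(entries))


if __name__ == "__main__":
    nets = parse_hostgroup(SAMPLE_ANALYST_ENTRIES)
    print("parsed:", [str(n) for n in nets])
    print("too broad:", too_broad(nets))
    print("workstation allowed:", workstation_allowed(SAMPLE_ANALYST_ENTRIES, "192.168.50.77"))
```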

Now you should be able to access it from another machine on the same network with the IP address that was listed under “Management IP” in step 25. We will come back to set up log forwarding, traffic capture and other great things soon. Thanks for reading this far!