The Deep Impact Blog: Random news related to Information Assurance, Security and Technology, Penetration Testing, and more!

posted Jul 17, 2014, 4:41 PM by Adrian Daucourt   [ updated Sep 14, 2016, 6:55 AM ]

Splunk and Free Open-Source Threat Intelligence Feeds

This is a write-up for integrating some readily available free and open-source threat intelligence feeds and block lists into Splunk.

Threat Feeds

The following threat feeds/block lists can be used for many other use cases/applications, so I have listed them below for convenience:

Emerging Threats
AlienVault - Appears to require a login now to visit this page but the script still works fine
SSLBL
ZeuS Tracker
Palevo Tracker
SpyEye Tracker
Malc0de

Creating A Script

After my initial idea to integrate some threat feeds into Splunk, I began to do some research and luckily ran into someone who was thinking along the same lines I was. His name is Keith and his blog can be found here. I used Keith's experience as a starting point to create a small bash script which grabs the threat feeds/block lists and parses them in order to prepare some Splunk-ready input files.

I am by no means an expert, nor do I possess much programming experience, which was the greatest motivation to continue using bash. This video by Lee Baird at Hack3rcon 3 on Adrian's website Irongeek was very helpful. Lee also has some BackTrack and Kali Linux scripts which automate various tasks with bash here, with a related SkyDogCon 2 video here if you are interested.

I have included my script below and I welcome any input or suggestions for improving it. Feel free to modify it for your particular use case or application as needed. You can also download it from here. Please keep in mind that if you copy and paste from the blog entry it will not have the correct line endings/wrapping. I should also mention that I utilized prips, which prints the IP addresses in a given range, in the script. Since some of the feeds provide addresses in CIDR notation it was necessary to expand them to individual addresses for my particular use case. So if you plan on using the script make sure you install prips with the following command:

sudo apt-get install prips

I like to place the scripts I use for Splunk in the directory: /opt/splunk/bin/scripts

Updated script to include SSLBL from abuse.ch 07/17/14
Updated script to include Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed 02/10/15

#!/bin/bash
#Script that downloads the Emerging Threats - Shadowserver C&C List, Spamhaus
#DROP Nets, Dshield Top Attackers, Known RBN Nets and IPs, Compromised IP List,
#RBN Malvertisers IP List; AlienVault - IP Reputation Database; ZeuS Tracker -
#IP Block List; SpyEye Tracker - IP Block List; Palevo Tracker - IP Block List;
#SSLBL - SSL Blacklist; Malc0de Blacklist; Binary Defense Systems Artillery
#Threat Intelligence Feed and Banlist Feed, and then strips any junk/formatting
#that can't be used and creates Splunk-ready inputs.
#
#Each output file starts with a "# Generated: <date>" header followed by one
#"<ip> <source label>" line per indicator.
#
#Feel free to use and modify as needed
#
#Author: Adrian Daucourt based on work from Keith
#(http://sysadminnygoodness.blogspot.com)
#
#==============================================================================
#Fix error when calling script from Splunk
#==============================================================================

unset LD_LIBRARY_PATH

#==============================================================================
#Emerging Threats - Shadowserver C&C List, Spamhaus DROP Nets, Dshield Top
#Attackers
#==============================================================================

wget http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt -O /tmp/emerging-Block-IPs.txt --no-check-certificate -N

echo "# Generated: `date`" > /home/ubuntu/downloads/emerging_threats_shadowserver_ips.txt

#Keep the lines between the section header and the next comment line, keep only
#the lines that start with a digit, and tag each one with its source
cat /tmp/emerging-Block-IPs.txt | sed -e '1,/# Shadowserver C&C List/d' -e '/#/,$d' | sed -n '/^[0-9]/p' | sed 's/$/ Shadowserver IP/' >> /home/ubuntu/downloads/emerging_threats_shadowserver_ips.txt

echo "# Generated: `date`" > /home/ubuntu/downloads/emerging_threats_spamhaus_drop_ips.txt

#These sections are in CIDR notation, so prips expands each net to single IPs
cat /tmp/emerging-Block-IPs.txt | sed -e '1,/#Spamhaus DROP Nets/d' -e '/#/,$d' | xargs -n 1 prips | sed -n '/^[0-9]/p' | sed 's/$/ Spamhaus IP/' >> /home/ubuntu/downloads/emerging_threats_spamhaus_drop_ips.txt

echo "# Generated: `date`" > /home/ubuntu/downloads/emerging_threats_dshield_ips.txt

cat /tmp/emerging-Block-IPs.txt | sed -e '1,/#Dshield Top Attackers/d' -e '/#/,$d' | xargs -n 1 prips | sed -n '/^[0-9]/p' | sed 's/$/ Dshield IP/' >> /home/ubuntu/downloads/emerging_threats_dshield_ips.txt

rm /tmp/emerging-Block-IPs.txt

#==============================================================================
#Emerging Threats - Compromised IP List
#==============================================================================

wget http://rules.emergingthreats.net/blockrules/compromised-ips.txt -O /tmp/compromised-ips.txt --no-check-certificate -N

echo "# Generated: `date`" > /home/ubuntu/downloads/emerging_threats_compromised_ips.txt

cat /tmp/compromised-ips.txt | sed -n '/^[0-9]/p' | sed 's/$/ Compromised IP/' >> /home/ubuntu/downloads/emerging_threats_compromised_ips.txt

rm /tmp/compromised-ips.txt

#==============================================================================
#Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed
#==============================================================================

wget http://www.binarydefense.com/banlist.txt -O /tmp/binary_defense_ips.txt --no-check-certificate -N

echo "# Generated: `date`" > /home/ubuntu/downloads/binary_defense_ban_list.txt

cat /tmp/binary_defense_ips.txt | sed -n '/^[0-9]/p' | sed 's/$/ Binary Defense IP/' >> /home/ubuntu/downloads/binary_defense_ban_list.txt

rm /tmp/binary_defense_ips.txt

#==============================================================================
#AlienVault - IP Reputation Database
#==============================================================================

wget https://reputation.alienvault.com/reputation.snort.gz -P /tmp --no-check-certificate -N

#-f overwrites a leftover /tmp/reputation.snort instead of prompting
gzip -df /tmp/reputation.snort.gz

echo "# Generated: `date`" > /home/ubuntu/downloads/av_ip_rep_list.txt

#The reputation file already carries a description after "# "; strip the
#comment marker so the line becomes "<ip> <description>"
cat /tmp/reputation.snort | sed -n '/^[0-9]/p' | sed "s/# //" >> /home/ubuntu/downloads/av_ip_rep_list.txt

rm /tmp/reputation.snort

#==============================================================================
#SSLBL - SSL Blacklist
#==============================================================================

wget https://sslbl.abuse.ch/blacklist/sslipblacklist.csv -O /tmp/sslipblacklist.csv --no-check-certificate -N

echo "# Generated: `date`" > /home/ubuntu/downloads/sslipblacklist.txt

#Keep the IP (field 1) and the malware/reason (field 3) from the CSV
cat /tmp/sslipblacklist.csv | sed -n '/^[0-9]/p' | cut -d',' -f1,3 | sed "s/,/ /" | sed 's/$/ SSLBL IP/' >> /home/ubuntu/downloads/sslipblacklist.txt

rm /tmp/sslipblacklist.csv

#==============================================================================
#ZeuS Tracker - IP Block List
#==============================================================================

wget "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" -O /tmp/zeustracker.txt --no-check-certificate -N

echo "# Generated: `date`" > /home/ubuntu/downloads/zeus_ip_block_list.txt

cat /tmp/zeustracker.txt | sed -n '/^[0-9]/p' | sed 's/$/ Zeus IP/' >> /home/ubuntu/downloads/zeus_ip_block_list.txt

rm /tmp/zeustracker.txt

#==============================================================================
#SpyEye Tracker - IP Block List
#==============================================================================

wget "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist" -O /tmp/spyeyetracker.txt --no-check-certificate -N

echo "# Generated: `date`" > /home/ubuntu/downloads/spyeye_ip_block_list.txt

cat /tmp/spyeyetracker.txt | sed -n '/^[0-9]/p' | sed 's/$/ Spyeye IP/' >> /home/ubuntu/downloads/spyeye_ip_block_list.txt

rm /tmp/spyeyetracker.txt

#==============================================================================
#Palevo Tracker - IP Block List
#==============================================================================

wget "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist" -O /tmp/palevotracker.txt --no-check-certificate -N

echo "# Generated: `date`" > /home/ubuntu/downloads/palevo_ip_block_list.txt

cat /tmp/palevotracker.txt | sed -n '/^[0-9]/p' | sed 's/$/ Palevo IP/' >> /home/ubuntu/downloads/palevo_ip_block_list.txt

rm /tmp/palevotracker.txt

#==============================================================================
#Malc0de - Malc0de Blacklist
#==============================================================================

wget http://malc0de.com/bl/IP_Blacklist.txt -O /tmp/IP_Blacklist.txt --no-check-certificate -N

echo "# Generated: `date`" > /home/ubuntu/downloads/malc0de_black_list.txt

cat /tmp/IP_Blacklist.txt | sed -n '/^[0-9]/p' | sed 's/$/ Malc0de IP/' >> /home/ubuntu/downloads/malc0de_black_list.txt

rm /tmp/IP_Blacklist.txt
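The following is an added Python example of my own, not the script above or anything from the feed providers: it reproduces what the sed/prips pipeline does (cut one section out of the Emerging Threats block list, expand CIDR entries, tag every address with its source) on a constructed sample of the feed, and then matches constructed IDS log lines against the resulting indicators, which is the same inner join on src that the Splunk search under Searching and Visualizations performs. The sample feed, the log line format and all function names are assumptions.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the layout of emerging-Block-IPs.txt (not real feed
# data): a comment header opens each section, the next '#' line closes it,
# and entries are single IPs or CIDR nets.
SAMPLE_FEED = """\
# Emerging Threats fwrules (constructed sample)
#
# Shadowserver C&C List
192.0.2.10
192.0.2.11
#
#Spamhaus DROP Nets
198.51.100.0/30
#
#Dshield Top Attackers
203.0.113.0/31
#
# End of list
"""

# Section header -> label the script appends to every indicator line
SECTIONS = {
    "# Shadowserver C&C List": "Shadowserver IP",
    "#Spamhaus DROP Nets": "Spamhaus IP",
    "#Dshield Top Attackers": "Dshield IP",
}


def section_entries(feed_text: str, header: str) -> List[str]:
    """Return the entries between `header` and the next comment line.

    Same selection as the script's sed -e '1,/HEADER/d' -e '/#/,$d'.
    """
    entries: List[str] = []
    in_section = False
    for line in feed_text.splitlines():
        if not in_section:
            in_section = line.strip() == header
            continue
        if line.startswith("#"):
            break  # the next comment line ends the section
        if line.strip():
            entries.append(line.strip())
    return entries


def expand(entry: str) -> List[str]:
    """Expand one IP or CIDR entry to its individual addresses, as prips does.

    A /30 yields all four addresses; a bare IP yields just itself.
    """
    return [str(addr) for addr in ipaddress.ip_network(entry, strict=False)]


def splunk_lines(feed_text: str) -> List[str]:
    """Build the '<ip> <label>' lines the script writes for Splunk to index."""
    lines: List[str] = []
    for header, label in SECTIONS.items():
        for entry in section_entries(feed_text, header):
            lines.extend(f"{ip} {label}" for ip in expand(entry))
    return lines


def load_indicators(lines: Iterable[str]) -> Dict[str, str]:
    """Read '<ip> <label>' lines back, skipping the '# Generated' header."""
    indicators: Dict[str, str] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ip, label = line.split(" ", 1)
        indicators[ip] = label
    return indicators


# Constructed IDS log lines in a hypothetical format; only src= is used here
SAMPLE_IDS_LOGS = [
    "2014-07-17T10:01:02 ids[1] sig=1:2000 src=192.0.2.11 dst=10.0.0.5 action=drop",
    "2014-07-17T10:01:05 ids[1] sig=1:2001 src=198.51.100.2 dst=10.0.0.5 action=drop",
    "2014-07-17T10:01:09 ids[1] sig=1:2002 src=10.0.0.9 dst=10.0.0.5 action=allow",
]
SRC_RE = re.compile(r"\bsrc=(\d+\.\d+\.\d+\.\d+)\b")


def correlate(log_lines: Iterable[str],
              indicators: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (src, label) for each log line whose source is a known threat IP.

    This is the inner join on src that the Splunk search performs against
    index=threat.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        match = SRC_RE.search(line)
        if match and match.group(1) in indicators:
            hits.append((match.group(1), indicators[match.group(1)]))
    return hits
```

Spamhaus DROP entries are often /16 or larger, so expanding them the way prips does produces tens of thousands of lines per net; if that becomes a problem, keep the nets unexpanded and test membership with ipaddress instead.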

Creating Indexes

In Splunk I started by creating an index that I named "threat". If you are not familiar with creating Splunk indexes, more information can be found here.


Scripted Inputs

I then created a Splunk scripted input to run the script every four hours (14400 seconds), set the destination index for this source to "threat", and set the sourcetype to "threat" as well. Keep in mind that some of these threat feeds or block lists are updated every time you query the list, some every few hours, and some daily or even less often, so don't be abusive in your queries. More information on Splunk scripted inputs can be found here and here.


File Monitoring

Next, tell Splunk to continuously collect data from the files created by the script and index it as it comes in. Information on file and directory inputs can be found here. Remember you would have to do this for all the files created by the script:

/home/ubuntu/downloads/av_ip_rep_list.txt
/home/ubuntu/downloads/binary_defense_ban_list.txt
/home/ubuntu/downloads/emerging_threats_compromised_ips.txt
/home/ubuntu/downloads/emerging_threats_dshield_ips.txt
/home/ubuntu/downloads/emerging_threats_rbn_ips.txt
/home/ubuntu/downloads/emerging_threats_rbn_malvertisers_ips.txt
/home/ubuntu/downloads/emerging_threats_shadowserver_ips.txt
/home/ubuntu/downloads/emerging_threats_spamhaus_drop_ips.txt
/home/ubuntu/downloads/palevo_ip_block_list.txt
/home/ubuntu/downloads/spyeye_ip_block_list.txt
/home/ubuntu/downloads/zeus_ip_block_list.txt
/home/ubuntu/downloads/malc0de_black_list.txt



After you complete the configuration above you should begin to see data in the Splunk Summary Dashboard when the script runs and begins to create the input files.


Searching and Visualizations

I also use Splunk to gather Intrusion Prevention and Detection System (IPS/IDS) logs. This is where the really interesting part starts. I can now use this new threat feed information and begin to correlate attacks on my IPS/IDS with known threat sources. I can use some readily available free apps for Splunk like the Google Maps for Splunk app and start plotting geolocation information from attacking IPs on a map using the sample search below:

your search here | join type=inner max=0 src [search index=threat] | stats count as _geo_count by src | geoip src | search _geo=* | stats sum(_geo_count) as _geo_count by _geo

You can then get some really cool map visualizations like this:



Answering Questions

You can start answering all kinds of questions about your infrastructure using this simple method:
  • What countries/cities are accessing my web server or a specific directory on that server the most?
  • What country/city has the most dropped/blocked traffic on my firewall or IPS?
  • What country/city is bruteforcing SSH on my WordPress site?
  • What country/city is attempting SQL injection (SQLi) on my web app?
You can create some dashboard panels like the one below that answer questions like:
  • What are the top 20 known threat source IPs, what is their threat type, and how many occurrences were there in the last 30 days?



You are only limited by your creativity! If you have any questions, improvements, or ideas please feel free to comment.

I would like to thank @EmergingThreats, @abuse_ch, @alienvault, @Shadowserver, @malc0de, @binary_defense and all the volunteers who provide us with these great feeds and of course @splunk for making it all possible.


Happy Splunking!

posted Feb 25, 2014, 6:38 PM by Adrian Daucourt   [ updated Jul 18, 2014, 8:44 PM ]

Creating Splunk App for Enterprise Security Technology Add-Ons

This is a write-up for creating Technology Add-ons for the Splunk App For Enterprise Security.

This idea and blog post were born of the need to populate dashboards in the Splunk App for Enterprise Security with data from the Web Application Firewall solution named AppWall and the DDoS Protection and Attack Mitigation solution named DefensePro, both offered by Radware.

Several methods exist for sending security events from the Radware platforms but in this example I chose to utilize syslog via UDP for ease of demonstration.

Creating Indexes

First I created an index for Radware events in Splunk. To keep things simple I chose "radware" for the index name. More information for creating indexes can be found here on the Splunk website.

Creating Network Inputs

I created the inputs UDP 514 for DefensePro and UDP 614 for AppWall. For the DefensePro I created radware_dp sourcetype to easily filter searches later. I did the same for AppWall using the radware_aw sourcetype. More information for creating inputs from network ports can be found here on the Splunk website.

Activate Syslog on Radware Devices

I configured the DefensePro and AppWall to send security events via syslog as their respective user guides indicate. The guides can be downloaded from Radware's website. I used this guide from Radware to identify the fields needed to extract the data via regular expressions for the DefensePro. Similar regular expressions were used for AppWall.

Creating Splunk Add-Ons

To create a Splunk Technology Add-on for Splunk I chose to create a barebones app from the Splunk App builder. It is important you use the prefix TA for your app name. This is an example: TA-YourAppNameHere. Believe me... It will require less modification to Splunk if you follow this naming convention. More information on the Splunk App builder can be found here.

I created TA-radware_dp and TA-radware_aw, which gives you a basic framework to place your configuration files in. The two Technology Add-ons that I created are very basic and contain an eventtypes.conf, inputs.conf, props.conf, and a tags.conf file located in the $SPLUNK_HOME/etc/apps/TA-radware_dp/local path. I have included the file contents of each below as well as a link to download the complete Technology Add-ons here. When creating Technology Add-ons make sure to normalize your data using the Common Information Model.
TA-radware_dp
eventtypes.conf
[radware_dp]
search = sourcetype=radware_dp
tags = network communicate ids

[radware_dp_attack]
search = sourcetype=radware_dp
tags = attack

inputs.conf
[udp://514]
connection_host = ip
index = radware
sourcetype = radware_dp

props.conf
[radware_dp]
TIME_PREFIX = :\s
TIME_FORMAT = %d-%m-%Y %H:%M:%S
pulldown_type = 1
EVAL-ids_type = "network"
EVAL-vendor = "Radware"
EVAL-product = "DefensePro"
EXTRACT-attack_dst_ip = (?i)^(?:[^\.]*\.){6}\d+\s+\d+\s+(?P<dest>[^ ]+)
EXTRACT-attack_source_ip = (?i)^(?:[^"]*"){2}\s+\w+\s+(?P<src>[^ ]+)
EXTRACT-action = (?i)^(?:[^/]*/){2}\w+\s+\w+\s+(?P<action>[^ ]+)
EXTRACT-attack_dst_pt = (?i)^(?:[^\.]*\.){9}\d+\s+(?P<dest_port>[^ ]+)
EXTRACT-attack_name = (?i)^[^"]*"(?P<signature>[^"]+)
EXTRACT-attack_src_pt = (?i)^(?:[^\.]*\.){6}\d+\s+(?P<src_port>[^ ]+)
EXTRACT-attack_status = (?i)^(?:[^"]*"){4}\s+(?P<attack_status>[^ ]+)
EXTRACT-context = (?i)^(?:[^\.]*\.){9}\d+\s+\d+\s+\d+\s+(?P<context>[^ ]+)
EXTRACT-phys_pt = (?i)^(?:[^\.]*\.){9}\d+\s+\d+\s+(?P<phys_pt>[^ ]+)
EXTRACT-policy_name = (?i) Regular "(?P<policy_name>[^"]+)
EXTRACT-protocol = (?i) .*?" (?P<protocol>\w+)(?= )
EXTRACT-radware_id = (?i) WARNING (?P<signature_id>[^ ]+)
EXTRACT-unique_id = (?i) drop (?P<unique_id>.+)
EXTRACT-bandwidth = (?i)^(?:[^"]*"){4}\s+\w+\s+\d+\s+(?P<bandwidth>[^ ]+)
EXTRACT-category = (?i) WARNING \d+\s(?P<category>[a-zA-Z_-]+)
EXTRACT-packet_count = (?i) ongoing (?P<packet_count>[^ ]+)
SEDCMD-radware_dp_risk = s/info/informational/g
EXTRACT-severity = \s(?<severity>high|medium|informational|low)\s


tags.conf
[eventtype=radware_dp]
network = enabled
communicate = enabled
ids = enabled

[eventtype=radware_dp_attack]
attack = enabled

TA-radware_aw
eventtypes.conf
[radware_aw]
search = sourcetype=radware_aw NOT Resource=Sub-System NOT Resource=Tunnel
tags = application ids

[radware_aw_attack]
search = sourcetype=radware_aw IsPassive=False NOT Resource=Sub-System NOT Resource=Tunnel
tags = attack

inputs.conf
[udp://614]
connection_host = ip
index = radware
sourcetype = radware_aw

props.conf
[radware_aw]
FIELDALIAS-radware_aw = Object AS category Priority AS severity SourceIP AS src Title AS signature WebUser AS user SourcePort AS src_port
SEDCMD-radware_aw_risk = s/High/high/g s/Medium/medium/g s/Low/low/g
pulldown_type = 1
EVAL-vendor = "Radware"
EVAL-product = "AppWall"
EVAL-ids_type = "application"
EXTRACT-dest = (?i)^[^\!]*\!\s+\w+\s+\w+\s+\[(?P<dest>[^,]+)
EXTRACT-dest_port = (?i)^[^\!]*\!\s+\w+\s+\w+\s+\[\d+\.\d+\.\d+\.\d+,(?P<dest_port>[^\]]+)


tags.conf
[eventtype=radware_aw]
application = enabled
ids = enabled

[eventtype=radware_aw_attack]
attack = enabled

The End Results

If everything goes as planned after installing the TAs your Intrusion Center dashboard should look something like this:



Happy Splunking!

posted Oct 12, 2013, 3:47 PM by Adrian Daucourt   [ updated Jul 18, 2014, 8:44 PM ]

Installing SecurityOnion on VirtualBox

This is a write-up for installing SecurityOnion on VirtualBox for a lab/test environment.

Download and check the ISO

Download the SecurityOnion ISO image from Sourceforge and verify the checksum using the checksums on the Sourceforge page.

To verify the checksum previously suggested you can run the following command from within the download directory where you saved the ISO image:



md5sum should then print out a single line after calculating the hash which you can compare to the hash provided on the Sourceforge page:



Create VM on VirtualBox

To install SecurityOnion on VirtualBox we must first create a new virtual machine by selecting the blue "New" icon, which the mouse pointer highlights in the screenshot below.


After selecting "New" in the previous step we will be required to name our virtual machine (VM). For easy identification I use the distribution name, in this case "SecurityOnion". We will also need to specify the "Type" and "Version" which would be "Linux" and "Ubuntu (64bit)" respectively. We then proceed to click the "Next" button.


The hardware requirements listed on the SecurityOnion site for a lab environment are the following:

"...at least 1GB RAM for each monitored network interface and a minimum of 2GB RAM total, 4GB RAM recommended. Be aware that full packet capture may fill your disk quickly, so size your storage appropriately."

If you have more than 4GB of RAM to allocate, go ahead and add all you can spare. I usually allocate 8GB (8192MB), 4 processors, and 250GB of hard disk space. This is usually overkill for lab/testing, but it isn't a bad idea if you want a better feel for how a production box would behave.


Then you need to "Create a virtual hard drive now" by selecting the radio button on the Hard drive page.


You must then select the Hard drive file type. I suggest you keep the default setting "VDI (VirtualBox Disk Image)".


You can select either "Dynamically allocated" or "Fixed size" on the Storage on physical hard drive page.


Then adjust the File location and size to your requirements by using the slider or simply typing in the size of your hard drive in GB.


Adjust Network Adapter Settings

An important thing to remember on VirtualBox is to manually set "Promiscuous Mode" in the network adapter settings of the interface you will use to monitor/sniff traffic from the SPAN/port-mirroring interface on your tap/switch/router. This is done by selecting the "Settings" button from the main window illustrated below:


You would then need to navigate to the "Network" menu and select the interface you will use for packet capture; in my particular case it is eth0. Click on the small blue drop-down arrow labeled "Advanced" and set "Promiscuous Mode" to "Allow All". In most cases I choose to operate in Bridged Adapter mode, and I would recommend you do the same. I have provided the following illustration for convenience. Remember that the packet capture interface should be a physical Ethernet port, and another interface is required for management of SecurityOnion.


Then you can finally start your new VM by pressing the Start button illustrated below:


On the first run you need to indicate where the SecurityOnion ISO is located to start the boot process. This can be done by selecting the "Choose a virtual optical disk file..." icon shown below and indicating the path to the ISO you previously downloaded.


You will be greeted with the following screen if you have done things correctly. You can either allow the clock to run down and automatically boot into live mode ("live - boot the Live System") or select "install - start the installer directly". In this case I have chosen "install - start the installer directly". In all reality I believe both of the previously mentioned options give you the same result.


Installing SecurityOnion

You will then need to double-click the "Install SecurityOnion 12.04" icon on the desktop to start the installer.


The instructions on the SecurityOnion web site indicate to:

 "Follow the prompts in the Xubuntu installer. If prompted with an "encrypt home folder" option, DO NOT enable this feature. If asked about automatic updates, DO NOT enable automatic updates. Reboot into your new installation. Login using the username/password you specified during installation."

I will walk you through those steps. The first prompt is for selecting the language of the Xubuntu install and I will choose "English" and then press "Continue".



On the next step, "Preparing to install SecurityOnion", I leave the default values and then press "Continue". Some people may suggest selecting both checkboxes, but I prefer to install what I need once I have finished the base install. Remember Doug's instructions also say:

"If asked about automatic updates, DO NOT enable automatic updates."


Choose your "Installation type" by selecting "Erase disk and install SecurityOnion" and then press "Continue".


Confirm your settings on the following page and then press "Install Now".


You will then need to choose your timezone for the Xubuntu system (most of your tools will be adjusted later to reflect UTC time) and then press "Continue".


Select your keyboard layout and then press "Continue".


You will then need to name the user for SecurityOnion and provide a name for your SecurityOnion computer and finally provide a password and then press "Continue".

Remember not to encrypt your home folder:

"If prompted with an "encrypt home folder" option, DO NOT enable this feature."


If everything works as it should, you will see one of these boxes when the install completes, and you can now safely choose "Restart Now".



After the reboot you will be greeted by this screen where you can login and complete the SecurityOnion setup.


Xubuntu Updates

At this point it would be a good idea to update Xubuntu by running the following command before continuing with the SecurityOnion setup:



When you have finished applying the updates reboot your system by using your preferred method.


SecurityOnion Setup

Double-click the Setup icon on the desktop after logging in. As per Doug's instructions:

"The Setup wizard will walk you through configuring /etc/network/interfaces and will then reboot."

I will walk you through this process.



After clicking the Setup icon you will need to click "Yes, Continue".


Then select "Yes, configure /etc/network/interfaces!" in order to continue.


We then need to select the management interface that will be used to access, administer, and monitor your SecurityOnion platform. In our particular case we will use eth0 for our management interface, since it is a wireless adapter and would not be ideal for monitoring/capture, and then press "OK".



Select "static" and then press "OK" to easily connect to your SecurityOnion platform by IP after initial configuration has completed.



Assign an IP address and then press "OK". We used "10.0.0.254" just as an example.


Assign the subnet mask and then press "OK". We used "255.255.255.0" just as an example.


Assign the default gateway's IP and then press "OK". We used "10.0.0.1" just as an example.


Assign the DNS server(s) and then press "OK". We used "10.0.0.1" and "8.8.8.8" just as an example. Remember to separate DNS servers with a space between addresses.


Assign the domain and then press "OK". We used "local" just as an example.


When prompted, please choose "Yes, make changes and reboot!"



After rebooting, log back in and start the Setup wizard again. It will detect that you have already configured /etc/network/interfaces and will walk you through the rest of the configuration.



Since we previously configured the management interface, Setup will detect this configuration. To move forward with the setup simply click "Yes, skip network configuration!" so we can set up the capture interface.


Once you have configured the management interface we will need to configure the capture/monitoring interface. To do this press "Yes, configure monitor interfaces".

You’ll then be prompted to select any additional interfaces that will be used for sniffing/monitoring network traffic. We will mark the checkbox eth1 and then press "OK".


We will then proceed with the Advanced Setup by selecting the "Advanced Setup" radio button and then by pressing "OK".


"Choose whether the host being configured will be Standalone, Server, or Sensor." In this example we will be configuring a Standalone which configures a Server and a Sensor on a single machine. Please select the "Standalone" radio button and press "OK".


"You will then be prompted for user account information for Sguil, Squert, ELSA and Snorby." We have utilized securityonion for our username and then pressed "OK" to continue.


You will be required to create a Snorby account by entering an email address of your choosing. We have used user@deepimpact.io and then selected "OK".


Create a password for Sguil, Squert, Snorby, and ELSA and then press "OK" to move forward with the configuration.


Confirm your password and press "OK".


"You will be prompted to specify which IDS Engine (Snort or Suricata) you would like to use." We will choose the "Snort" radio button and then press "OK".


"You’ll be asked which IDS ruleset you would like to use." Since we will use a free version we are obligated to select "Emerging Threats GPL"; if you own a subscription, this is where you would select one of the corresponding rulesets. Then click "OK".


Select the interface(s) to be monitored. We have selected the "eth1" checkbox since it is a wired interface and then we pressed "OK" to continue.


We are then required to enable the Snort IDS we previously selected simply by pressing "Yes, enable the IDS Engine!".


If you have multiple CPU cores available, you will be prompted to designate how many IDS processes you would like to run. We will be using 2 cores in our example which you can observe since we selected the "2" radio button and then we will press "OK". This will run one IDS process per core.


In order to activate Bro we will need to select "Yes, enable Bro!" I highly recommend you activate Bro in order to have complete functionality.



You will be prompted to designate how many Bro processes you would like to run, similar to that of the IDS processes we selected in our previous steps. We will be using 2 cores in our example which you can observe since we selected the "2" radio button and then we will press "OK". This will run one Bro process per core.


In order to activate Argus we will need to select "Yes, enable Argus!" I highly recommend you activate Argus in order to have complete functionality.


In order to activate Prads we will need to select "Yes, enable Prads!" I highly recommend you activate Prads in order to have complete functionality.


This step is essential and we need to select "Yes, enable full packet capture!"


We will select the default value of 150MB for our pcap files. This will simply split the captures we are making into 150MB segments/files.


We will also select the default value of 90% to begin purging old logs from the system. This means when we reach 90% of disk capacity the oldest logs will be purged/deleted automatically from the system.


Since we are configuring a Standalone server it isn't necessary to enable Salt. When you utilize a Server and Sensor environment with multiple capture devices dispersed throughout your network, Salt facilitates the distribution of configurations, easing the administration overhead. We selected "No, disable Salt", but you are free to enable it if you wish.



"You’ll be asked whether you want to enable ELSA." We did in fact select "Yes, enable ELSA!". ELSA is as close as you can get to an open source version of Splunk. It is a very powerful data analysis tool and most definitely should be enabled if you do not intend to utilize some other data analysis or SIEM platform.



"You’ll be prompted to proceed with making the changes to setup Security Onion." You will need to review the list to be sure it matches your requirements selected in the previous steps and then press "Yes, proceed with the changes!" We are almost finished with the initial setup.


Several screens will appear indicating the installation progress and when it is complete you will see the following notice. Press "OK" and you should have a fully functional SecurityOnion install in a Standalone environment.


Once you've completed the Setup wizard, use the Desktop icons to login to Sguil, Squert, Snorby, or ELSA with the username and password you created in the beginning of the setup process.


Additional Resources

I suggest you utilize the SecurityOnion Wiki for any information required in regards to the platform. You can also contact the creator of SecurityOnion, his name is Doug Burks and his Twitter handle is @dougburks, you can also follow @securityonion for the latest SecurityOnion announcements. Doug's YouTube channel has some great videos that walk you through some basic functions. If you are interested in Network Security Monitoring commonly known as NSM I highly recommend you read through Richard Bejtlich's latest book, The Practice Of Network Security Monitoring. Richard's previous books can be found here and his Twitter handle is @taosecurity. Later this year Applied Network Security Monitoring will be released which was written by Chris Sanders, his Twitter handle is @chrissanders88.


Happy Hunting!
