Installing SecurityOnion on VirtualBox

This is a write-up for installing SecurityOnion on VirtualBox for a lab/test environment.

Download and check the ISO

Download the SecurityOnion ISO image from Sourceforge and verify the checksum using the checksums on the Sourceforge page.

To verify the checksum as suggested above, run the following command from within the directory where you saved the ISO image:



md5sum will then print a single line containing the computed hash, which you can compare against the hash provided on the Sourceforge page:
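Comparing a hash by eye is error-prone, so here is a small shell function that does the comparison for you. It is an added example, not part of the original write-up: it picks md5sum or sha256sum from the length of the hash you paste in (Sourceforge publishes both), normalises case, and returns non-zero on a mismatch so it can gate the rest of a scripted download. The sample file and hashes at the bottom are constructed stand-ins for the real ISO.

```shell
#!/bin/sh
# verify_image FILE EXPECTED_HASH
# Recompute the digest of FILE and compare it with the published hash.
# Returns 0 on match, 1 on mismatch, 2 on a usage problem.
verify_image() {
    file=$1
    # Published hashes are sometimes shown in upper case; compare in lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Choose the digest tool from the hash length (32 hex = MD5, 64 hex = SHA-256).
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised hash length ${#expected}" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # The tool prints "<hash>  <filename>"; keep only the hash column.
    actual=$("$tool" "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches published $tool"
        return 0
    fi
    echo "MISMATCH: $file (refuse to install from this image)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed sample input standing in for the downloaded ISO and the
# hash copied from the download page (this is the MD5 of "hello\n").
sample=$(mktemp)
printf 'hello\n' > "$sample"
verify_image "$sample" b1946ac92492d2347c6235b4d2611184                # OK
verify_image "$sample" 00000000000000000000000000000000 || true        # MISMATCH
rm -f "$sample"
```

MD5 is still what many download pages publish, but it is no longer collision resistant; when a SHA-256 value is offered as well, paste that one and the same function uses it.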



Create VM on VirtualBox

To install SecurityOnion on VirtualBox we must first create a new virtual machine by clicking the blue "New" icon, shown under the mouse pointer below.


After selecting "New" in the previous step we are asked to name our virtual machine (VM). For easy identification I use the distribution name, in this case "SecurityOnion". We also need to specify the "Type" and "Version", which are "Linux" and "Ubuntu (64bit)" respectively. Then click "Next".


The hardware requirements listed on the SecurityOnion site for a lab environment are the following:

"...at least 1GB RAM for each monitored network interface and a minimum of 2GB RAM total, 4GB RAM recommended. Be aware that full packet capture may fill your disk quickly, so size your storage appropriately."

If you have more than 4GB of RAM to allocate, go ahead and add all you can spare. I usually allocate 8GB (8192MB), 4 processors, and 250GB of hard disk space. This is usually overkill for lab/testing, but it gives you a better feel for how a production box would behave.


Then you need to "Create a virtual hard drive now" by selecting the radio button on the Hard drive page.


You must then select the Hard drive file type. I suggest you keep the default setting "VDI (VirtualBox Disk Image)".


You can select either "Dynamically allocated" or "Fixed size" on the Storage on physical hard drive page.


Then adjust the File location and size to your requirements by using the slider or simply typing in the size of your hard drive in GB.


Adjust Network Adapter Settings

An important thing to remember on VirtualBox is to manually set "Promiscuous Mode" on the network adapter you will use to monitor/sniff traffic from the SPAN/port-mirroring port on your tap/switch/router; without it the guest only receives frames addressed to its own MAC. This is done by selecting the "Settings" button from the main window illustrated below:


You then need to navigate to the "Network" menu and select the adapter you will use for packet capture; in my particular case it is eth0. Click the small blue drop-down arrow labeled "Advanced" and set "Promiscuous Mode" to "Allow All". In most cases I choose to operate in Bridged Adapter mode, and I recommend you do the same. I have provided the following illustration for convenience. Remember that the packet capture interface should be a physical Ethernet port, and that a second interface is required for management of SecurityOnion.


Then you can finally start your new VM by pressing the Start button illustrated below:


On the first run you need to indicate where the SecurityOnion ISO is located to start the boot process. This is done by selecting the "Choose a virtual optical disk file..." icon shown below and pointing it at the ISO you previously downloaded.


You will be greeted with the following screen if you have done things correctly. You can either allow the clock to run down and automatically boot into live mode ("live - boot the Live System") or select "install - start the installer directly". In this case I have chosen "install - start the installer directly". I believe both options give you the same result.


Installing SecurityOnion

You will then need to double-click the "Install SecurityOnion 12.04" icon on the desktop to start the installer.


The instructions on the SecurityOnion web site indicate to:

"Follow the prompts in the Xubuntu installer. If prompted with an "encrypt home folder" option, DO NOT enable this feature. If asked about automatic updates, DO NOT enable automatic updates. Reboot into your new installation. Login using the username/password you specified during installation."

I will walk you through those steps. The first prompt is for selecting the language of the Xubuntu install; I choose "English" and then press "Continue".



On the next step, "Preparing to install SecurityOnion", I leave the default values and then press "Continue". Some people may suggest selecting both checkboxes, but I prefer to install what I need once the base install is finished. Remember that Doug's instructions also say:

"If asked about automatic updates, DO NOT enable automatic updates."


Choose your "Installation type" by selecting "Erase disk and install SecurityOnion" and then press "Continue".


Confirm your settings on the following page and then press "Install Now".


You will then need to choose the timezone for the Xubuntu system and press "Continue". Most of the SecurityOnion tools will later be adjusted to use UTC, so this choice mainly affects the desktop itself.


Select your keyboard layout and then press "Continue".


You will then need to name the user for SecurityOnion, provide a name for your SecurityOnion computer, and finally provide a password, and then press "Continue".

Remember not to encrypt your home folder:

"If prompted with an "encrypt home folder" option, DO NOT enable this feature."


If everything has gone as it should, you will see one of these dialogs when the installer completes, and you can safely choose "Restart Now".



After the reboot you will be greeted by this screen where you can login and complete the SecurityOnion setup.


Xubuntu Updates

At this point it is a good idea to update Xubuntu by running the following command before continuing with the SecurityOnion setup:



When you have finished applying the updates reboot your system by using your preferred method.


SecurityOnion Setup

Double-click the Setup icon on the desktop after logging in. As per Doug's instructions:

"The Setup wizard will walk you through configuring /etc/network/interfaces and will then reboot."

I will walk you through this process.



After clicking the Setup icon you will need to click "Yes, Continue".


Then select "Yes, configure /etc/network/interfaces!" in order to continue.


We then need to select the management interface that will be used to access, administer, and monitor your SecurityOnion platform. In our particular case we will use eth0 for our management interface, since this is a wireless adapter and would not be ideal for monitoring/capture, and then press "OK".



Select "static" and then press "OK"; a fixed address makes it easy to reach your SecurityOnion platform by IP once the initial configuration has completed.



Assign an IP address and then press "OK". We used "10.0.0.254" just as an example.


Assign the subnet mask and then press "OK". We used "255.255.255.0" just as an example.


Assign the default gateway's IP and then press "OK". We used "10.0.0.1" just as an example.


Assign the DNS server(s) and then press "OK". We used "10.0.0.1" and "8.8.8.8" just as an example. Remember to separate DNS servers with a space between addresses.


Assign the domain and then press "OK". We used "local" just as an example.


When prompted, please choose "Yes, make changes and reboot!".
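For reference, here is what the network configuration chosen in the steps above looks like written out in /etc/network/interfaces syntax, using the example values from this post. This is an illustration added here, not a copy of the file Setup writes; in particular, the eth1 stanza shows the conventional way to bring up a passive sniffing interface (no address, ARP off, promiscuous mode on) and is an assumption about how the monitoring interface ends up configured, not something quoted from Setup.

```text
# Management interface: fixed address so the box is reachable after reboot.
auto eth0
iface eth0 inet static
    address 10.0.0.254
    netmask 255.255.255.0
    gateway 10.0.0.1
    dns-nameservers 10.0.0.1 8.8.8.8
    dns-domain local

# Monitoring interface: no IP address and ARP disabled, so it never answers
# on the mirrored segment; promiscuous mode so it receives frames that are
# not addressed to it. The VirtualBox adapter must also be set to
# "Promiscuous Mode: Allow All" or the guest will still only see its own traffic.
auto eth1
iface eth1 inet manual
    up ip link set $IFACE arp off
    up ip link set $IFACE promisc on
    up ip link set $IFACE up
    down ip link set $IFACE promisc off
    down ip link set $IFACE down
```

The dns-nameservers and dns-domain lines rely on the resolvconf package that Xubuntu ships with; on a system without it they are ignored.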



After rebooting, log back in and start the Setup wizard again. It will detect that you have already configured /etc/network/interfaces and will walk you through the rest of the configuration.



Since we previously configured the management interface, Setup will detect this configuration. To move forward, simply click "Yes, skip network configuration!" so we can set up the capture interface.


With the management interface configured, we now need to configure the capture/monitoring interface. To do this press "Yes, configure monitor interfaces".


You will then be prompted to select any additional interfaces that will be used for sniffing/monitoring network traffic. We check the eth1 box and then press "OK".


We will then proceed with the Advanced Setup by selecting the "Advanced Setup" radio button and then by pressing "OK".


"Choose whether the host being configured will be Standalone, Server, or Sensor." In this example we will be configuring a Standalone which configures a Server and a Sensor on a single machine. Please select the "Standalone" radio button and press "OK".


"You will then be prompted for user account information for Sguil, Squert, ELSA and Snorby." We used securityonion for our username and then pressed "OK" to continue.


You will be required to create a Snorby account by entering an email address of your choosing. We have used user@deepimpact.io and then selected "OK".


Create a password for Sguil, Squert, Snorby, and ELSA and then press "OK" to move forward with the configuration.


Confirm your password and press "OK".


"You will be prompted to specify which IDS Engine (Snort or Suricata) you would like to use." We will choose the "Snort" radio button and then press "OK".


"You'll be asked which IDS ruleset you would like to use." Since we are using the free version we must select "Emerging Threats GPL". If you own a subscription, this is where you would select the corresponding ruleset. Then click "OK".


Select the interface(s) to be monitored. We selected the "eth1" checkbox, since it is a wired interface, and then pressed "OK" to continue.


We then enable the Snort IDS we previously selected by pressing "Yes, enable the IDS Engine!".


If you have multiple CPU cores available, you will be prompted to designate how many IDS processes you would like to run. We use 2 cores in our example, so we select the "2" radio button and then press "OK". This will run one IDS process per core.


To activate Bro, select "Yes, enable Bro!". I highly recommend you activate Bro in order to have complete functionality.



You will be prompted to designate how many Bro processes you would like to run, just as for the IDS processes in the previous steps. We use 2 cores in our example, so we select the "2" radio button and then press "OK". This will run one Bro process per core.


To activate Argus, select "Yes, enable Argus!". I highly recommend you activate Argus in order to have complete functionality.


To activate Prads, select "Yes, enable Prads!". I highly recommend you activate Prads in order to have complete functionality.


This step is essential: select "Yes, enable full packet capture!".


We select the default value of 150MB for our pcap files. This simply splits the captures into 150MB segments/files.


We also select the default value of 90% for purging old logs. This means that when the disk reaches 90% of capacity the oldest logs are purged/deleted automatically.


Since we are configuring a Standalone server it isn't necessary to enable Salt. When you run a Server and Sensor environment with multiple capture devices dispersed throughout your network, Salt distributes configuration to them and eases the administration overhead. We selected "No, disable Salt", but you are free to enable it if you wish.



"You'll be asked whether you want to enable ELSA." We did select "Yes, enable ELSA!". ELSA is as close as you can get to an open source version of Splunk. It is a very powerful data analysis tool and should definitely be enabled unless you intend to use some other data analysis or SIEM platform.



"You'll be prompted to proceed with making the changes to setup Security Onion." Review the list to be sure it matches the choices you made in the previous steps, then press "Yes, proceed with the changes!". We are almost finished with the initial setup.


Several screens will appear indicating the installation progress, and when it is complete you will see the following notice. Press "OK" and you should have a fully functional Standalone SecurityOnion install.


Once you've completed the Setup wizard, use the desktop icons to log in to Sguil, Squert, Snorby, or ELSA with the username and password you created at the beginning of the setup process.


Additional Resources

I suggest you use the SecurityOnion Wiki for any information you need about the platform. You can also contact the creator of SecurityOnion, Doug Burks, on Twitter at @dougburks, and follow @securityonion for the latest SecurityOnion announcements. Doug's YouTube channel has some great videos that walk you through basic functions. If you are interested in Network Security Monitoring, commonly known as NSM, I highly recommend you read Richard Bejtlich's latest book, The Practice Of Network Security Monitoring. Richard's previous books can be found here, and his Twitter handle is @taosecurity. Later this year Applied Network Security Monitoring, written by Chris Sanders (@chrissanders88), will be released.


Happy Hunting!