
Security Onion Lab Setup with VirtualBox

A free video tutorial from Jesse K, M.S., OSCP, CEH, Security+, Linux+, Network+, CISSP
Senior Penetration Tester and Technical Trainer
Bonus Lab 1: Security Onion Lab Setup with VirtualBox


Hands-on Penetration Testing Labs 1.0

Comprehensive walkthroughs of penetration testing labs

04:26:45 of on-demand video • Updated April 2020

Enumerate/scan systems with Netdiscover, Nmap, Dirb, Nikto, etc.
Perform remote exploitation of systems
Escalate local privileges to root level
Utilize a variety of industry standard penetration testing tools within the Kali Linux distro
Build buffer overflows manually
This lab will show you how to set up and configure Security Onion using VirtualBox. First off, I'll briefly explain Security Onion. Security Onion is the leading open source operating system for network security monitoring, intrusion detection, log management and threat hunting. Some of the most important tools that we'll be using throughout these lectures are the Snort IDS and the useful visualization tool Squert, which will show you all of the Snort alerts that are triggered as a result of specific network traffic. For more information about Security Onion, search for Security Onion on the web, as there is an abundance of public information related to the project. Please note that the version of Security Onion utilized in this course is the most recent one available as of November 2018. That being said, Security Onion is continuously evolving, so some of the commands or underlying technology may be slightly different than what is shown here. However, I update these courses as needed if sizable changes occur. If you're having issues with Security Onion, please feel free to reach out to me directly via messaging or the Q&A system.

The first step is to download and install VirtualBox. Instructions to do this won't be included due to its simplicity. You can download the most recent version from virtualbox.org. After you have downloaded and installed VirtualBox, download Security Onion from securityonion.net. Click the download link, then click to download the ISO image. Once the download of the Security Onion ISO is complete, open VirtualBox Manager. We're going to be installing Security Onion now. Click New. Name your VM; I'm naming mine Security Onion 2018. Change the type to Linux. Keep the version as Ubuntu (64-bit). Click Next. I'm going to be raising my RAM to about 16 gigs. If you don't have that much RAM, raise it as high as you can, because Security Onion is a bit resource intensive. Click Next. Select Create a virtual hard disk now, then click Create.
Keep it as VDI (VirtualBox Disk Image). Click Next. Keep it as dynamically allocated storage, which will only fill up the hard disk as needed and is more efficient. Click Next. I'm going to raise the storage to about 20 gigs. Click Create.

Now let's make sure that we have a host-only network set up, because this will be important for the lab work. Host-only is a form of networking that is completely isolated within the host computer, having no internet connectivity. We need this so that our VMs can communicate with one another. Click File, then Host Network Manager. As you see here, one is already set up, but if you do not have one, you'll have to create one, which is pretty simple. To do this, you can click Create. Make sure to enable the DHCP server. Click Properties. Select Configure Adapter Automatically. Go to the DHCP Server tab. Everything is okay; the server is enabled. Click Apply.

Now we're going to change some of the settings for the Security Onion VM. Right click the Security Onion VM and click Settings. First, under the General tab, click Advanced. For Shared Clipboard, change it to Bidirectional. This is going to enable the shared clipboard for convenient copying and pasting of commands. Next, we'll go to the System tab, then the Processor tab. I'm going to increase the number of processors to four for increased performance. Next is the Storage tab. Click the Empty disk under Controller: IDE. Now we're going to select the ISO that we downloaded in the beginning. This should be in the Downloads folder by default. To do this, click the disc icon here. I have mine already saved in memory. Next, go to the Network tab. Click Adapter 2. Enable Network Adapter and attach it to Host-only Adapter. Make sure you have selected a name for your VirtualBox Host-Only Ethernet Adapter. Click Advanced. Under Promiscuous Mode, change it from Deny to Allow VMs. Now let's begin the installation. Please note that you will need internet connectivity. Highlight Security Onion 2018 and click Start.
Press Enter or wait to boot Security Onion. Once Security Onion has booted, double click Install Security Onion. Now select a language; I'm going to leave it as English. Click Continue. Do not select Download updates while installing Security Onion, as this may cause complications. There's a special command used to update Security Onion which I'll go over soon. Click Continue. Select Erase disk and install Security Onion and click Continue. Enter your location for the time zone and click Continue. Choose a keyboard layout; I'm leaving it as English. Choose a username and password and click Continue. Once the installation is complete, click Restart Now. It says to remove the installation medium, but this happens automatically, so just hit Enter. When prompted, enter the username and password that you set during the installation and click Log In.

The first thing we'll want to do as a best practice when using VMs is to create a snapshot. This will allow us to revert our VM to this point in time if anything goes wrong with Security Onion going forward. To do this, click Machine, then Take Snapshot. I'm going to name it Fresh Installation. Click OK. Now, for the shared clipboard to work, we'll need to install Guest Additions. To do this, go to Devices and click Insert Guest Additions CD image. Click Run. Enter your password and click Authenticate. Once the installation has run its course, press Enter to close the window. Now we're going to reboot, so just right click the desktop, click Open Terminal, type in sudo reboot and enter your password. Now copy and paste should work bidirectionally to and from the host and Security Onion. To test this, you can copy any text from your host and paste it anywhere that accepts text in Security Onion. For example, I have "test" here in Notepad on my host. I'm going to highlight that and copy it. Now on Security Onion, I'm going to right click the desktop, open a terminal and paste it. Here we go. Now I know that copy and paste works and we can move on to Setup. Double click Setup on the desktop.
Enter your password and click OK. Yes, Continue. Select Yes, configure network interfaces; this will allow Security Onion to automatically configure them. The management interface should be your native interface, which in this case will be enp0s3. Keep in mind that enp0s8 is the host-only interface, which will be the interface Security Onion will monitor with Snort, Bro, ELK and full packet capture. This is also called a sniffing interface. The management interface will have internet connectivity. Click OK. Select DHCP for simplicity, due to this being an isolated lab environment. Click OK. Yes, configure sniffing interfaces, as this will be a standalone installation. As explained before, enp0s8 is the host-only interface. Click OK. Yes, make changes to go forward. Yes, reboot.

After rebooting, double click Setup again. Enter your password. Yes, Continue. Yes, skip network configuration, because we just did that. For our lab setup, we're going to choose Evaluation Mode. This will give us everything needed for completing the labs within this course but use less computational resources. If you have a lot of RAM and processing power, you can also use Production Mode, but I recommend using Evaluation Mode if this is your first time using Security Onion. Click OK. Again, the network interface to be monitored should be enp0s8, which is the host-only sniffing interface. Click OK. Now we're creating a user account that will allow us to authenticate into Kibana, Squert and Sguil, which are the visualization tools used in Security Onion to view logs and alerts. I'm going to name mine Jesse. Click OK. Now choose a password for the aforementioned account and confirm it. Yes, proceed with the changes. I'm going to click through the dialog boxes, but I suggest you read through them thoroughly, as there's some useful information.

Now let's make the terminal accessible from the desktop. Right click the desktop and click Open Terminal. Type cd Desktop, then type in gedit Terminal.desktop.
Now I'm going to copy and paste this desktop entry. It's going to be named Terminal, and here's the file path to the binary. This is just going to allow us to have a link to the terminal emulator. Save that. This code here is going to be included in a text file with this lecture. Close gedit. Type in sudo chmod +x Terminal.desktop and enter your password. Now you can double click to start the terminal from the desktop going forward. Let's change the profile. To do this, click Edit, then Profile Preferences. I'm going to name mine Jesse. Click Custom Font. I'm going to raise mine to 17. Click Select, then click Close.

Now let's update Security Onion. To do this, type sudo soup. This will utilize a script that downloads only the necessary packages for Security Onion and is the only way you should be updating it. Enter your password and press Enter. Please keep in mind that in this video we will be using all of the default configurations, so when prompted, just press Enter. Once updates are complete, press Enter to reboot.

Now let's go over an extremely important command for troubleshooting, which is sudo sostat. This script will perform service checks and display the results to the terminal. If anything within Security Onion is not working, such as Squert not showing alerts, this should be your first step to troubleshoot your issue. If any services show as failing, it can help you narrow down the problem at hand. For example, if you include a bad custom Snort rule with incorrect syntax, the Snort engine will fail. As always, if you have trouble with Security Onion or anything else related to this course, please feel free to reach out to me with a detailed and specific problem, including any errors and all information possible. Now on to the command. Open a terminal and type in sudo sostat, and I'm going to pipe it to less. This is just going to make it easier to view. Enter your password. Now, the most important thing to look at here is the Service Status section at the top.
If any of these services are showing as FAIL, we need to run the restart command for our sensor, which I'll go over shortly. As you see here, all of the services are showing as OK. This is good, and it indicates that there are no problems with any of our services. So let's close out of less by typing q on the keyboard. Let's go over the command to restart our sensor if we have any issues such as service failures. To do this, type in sudo nsm_sensor_ps-restart. This will restart all of the Security Onion services. Hit Enter. Pay attention to the right: if it says OK, then your service has restarted successfully. If it says FAIL, then you have some problems. As you can see here, all of our services are OK.

The most common issue I see my students run into is that Squert is not showing Snort alerts. Again, Squert is a visualization tool to show logs and Snort alerts. The previous troubleshooting steps should always be run to ensure that services are running properly. If your issue persists, it is prudent to reboot Security Onion and perform those troubleshooting steps again. The most common causes for Squert not showing Snort alerts are bad custom rules, the Sguil service failing, or the sniffing interface failing to process packets.

Now let's run a quick function test to make sure that Squert will show Snort alerts. We're going to replay a pcap with malicious traffic on it that comes with Security Onion, using tcpreplay. This will simply replay the packets as if they were occurring live over the wire. To locate the pcap we'll be using, type in locate zeus and hit Enter. Now type in sudo tcpreplay -l 20, which will loop the replay 20 times; -i enp0s8, which is the host-only interface; -t for top speed; and finally the full path to the pcap. Now press Enter. Please disregard the error messages, as the tcpreplay command will still function properly. Now double click Squert on the desktop.
Enter the username and password that you created during Setup and click Log In. Now you should see alerts here indicating Zeus Trojan activity. If you are not seeing these alerts, something went wrong and troubleshooting is required at this point. If everything is good with the services and with Squert, the Security Onion setup is good to go and we can move on to the following labs. Again, please let me know if you run into any issues and I'll do my best to help.
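The troubleshooting and function test steps above, as an added shell example that is not part of the original lecture: it pulls the FAIL lines out of sudo sostat output, restarts the sensor only when something is failing, and replays the bundled Zeus pcap on the host-only interface. It assumes sostat prints one service per line ending in [  OK  ] or [FAIL] (the format of the nsm_* status scripts), and the embedded status report is constructed for an offline dry run.

```shell
#!/bin/sh
# Added example, not from the lecture: wraps the troubleshooting commands
# (sudo sostat, sudo nsm_sensor_ps-restart) and the tcpreplay function test.
# Assumption: sostat lists one service per line, ending in "[  OK  ]" or
# "[FAIL]" (the output format of the nsm_* status scripts).

SNIFF_IFACE="${SNIFF_IFACE:-enp0s8}"   # host-only sniffing interface

# Read sostat output on stdin and print the name of every service marked FAIL.
failed_services() {
    grep '\[FAIL\]' | sed -e 's/^[ *]*//' -e 's/[[:space:]]*\[FAIL\].*$//'
}

# Constructed sample of a Service Status section with two failing services
# (what you would see after loading a Snort rule with broken syntax).
SAMPLE_STATUS='Service Status:
Status: securityonion
  * sguil server                                  [  OK  ]
Status: securityonion-enp0s8
  * netsniff-ng (full packet data)                [  OK  ]
  * pcap_agent (sguil)                            [  OK  ]
  * snort_agent-1 (sguil)                         [FAIL]
  * snort-1 (alert data)                          [FAIL]
  * barnyard2-1 (spooler, unified2 format)        [  OK  ]'

# Offline dry run against the constructed sample: prints the two FAIL entries.
check_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | failed_services
}

# Live check: restart the sensor services only if sostat reports a failure.
check_live() {
    failing=$(sudo sostat 2>/dev/null | failed_services)
    if [ -n "$failing" ]; then
        printf 'Failed services:\n%s\n' "$failing"
        sudo nsm_sensor_ps-restart
    else
        echo "All services OK"
    fi
}

# Function test from the lecture: replay the bundled Zeus pcap 20 times at
# top speed on the sniffing interface, then check Squert for Zeus alerts.
replay_zeus() {
    pcap=$(locate -i zeus | grep -i '\.pcap$' | head -n 1)
    [ -n "$pcap" ] || { echo "no zeus pcap found" >&2; return 1; }
    sudo tcpreplay -l 20 -i "$SNIFF_IFACE" -t "$pcap"
}
```

Run check_sample to see the parser work without touching the sensor; check_live and replay_zeus need sudo on the Security Onion VM itself.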