
Security Onion 2.4 - Single-Node Setup (Debian VM)

YouTube video

Documentation


Network Overview

  Interface   Function
  eth0        Management (HTTPS) -> <SECURITY_ONION_IP>
  eth1        Monitoring (SPAN/TAP) <- Mirrored traffic from switch/router

Requirements

  • Minimum: 8 CPU cores, 16 GB RAM, 200 GB disk
  • Two network interfaces:
    • eth0 - management
    • eth1 - monitoring (connected to SPAN/TAP mirror port)

If you do not yet have SPAN/TAP, you can temporarily feed logs via Syslog or NetFlow.


Installation

Step 1: Download the ISO

Go to the Security Onion 2.4 Download page and download the latest ISO.

Step 2: Create a Virtual Machine

In your hypervisor (Proxmox, VirtualBox, or VMware), create a new VM with the following resources:

  • 8 CPU cores
  • 16 GB RAM
  • 200 GB disk (SSD recommended)
  • Two network interfaces:
    • eth0 - management (connected to your LAN)
    • eth1 - monitoring (connected to SPAN/TAP mirror port)

Attach the downloaded ISO as a virtual CD/DVD and boot the VM from it.

Step 3: Install Security Onion

  1. Choose Install Security Onion at the boot menu.
  2. Follow the guided installer to complete the base OS installation.
  3. After installation, reboot when requested.

Initial Setup

After reboot, log in and follow the configuration wizard.

Select the following options:

  • Action: Install
  • Node type: Standalone
  • Installation type: Standard
  • Hostname: <HOSTNAME>
  • Management interface: eth0
  • Management IP: DHCP or Static
  • Set all other options as needed for your environment
  • Monitoring interface: eth1 (connected to SPAN/TAP mirror port for live traffic capture)
  • Admin credentials: set email and password

Accessing the Web Interface

Once setup completes, open https://<SECURITY_ONION_IP> in a browser.

Log in with the admin credentials created during setup.
You will see the Security Onion Console (SOC).
Zeek and Suricata will now analyze mirrored traffic from the monitoring port automatically.


Post-Installation Tasks

Once the setup is complete and you can access the Security Onion Console (SOC), perform these initial steps to validate and explore the environment.

1. Verify Services

Check the status of all Security Onion components:

Go to the Grid tab and expand your node.

All services under Container Status should show as running.

2. Generate Network Activity

Create a few types of traffic so you can see alerts appear in the SOC:

ping -c 4 8.8.8.8
curl http://example.com

Then, open SOC -> Alerts and SOC -> Hunt to review Zeek and Suricata events.

3. Explore Dashboards

In the Security Onion Console:

  • Alerts tab -> See triggered IDS/IPS events.
  • Hunt tab -> Search and filter network activity.
  • Grid tab -> Review node health.
  • PCAP tab -> Replay and inspect captured packets.

4. Understanding Alerts and Hunt

Alerts display events generated by Suricata (IDS/IPS) and Zeek (network metadata). Each alert corresponds to a signature or heuristic that detected suspicious or noteworthy network activity.

Examples of alerts you might see:

  • ET SCAN * - triggered when a network scan is detected.
  • ET INFO GNU/Linux APT User-Agent Outbound likely related to package management - triggered by APT package-manager activity.

To trigger test alerts:

sudo apt install curl nmap
nmap -Pn -F <IP>
curl testmynids.org/uid/index.html

Then open SOC -> Alerts, filter by your host IP, and click on each event to expand details such as source/destination IP, timestamp, and signature ID.

Analyzing alerts:

  • Use the Guided Analysis option to see context and suggested next steps for the alert.
  • Review the associated Zeek connection logs and Suricata metadata.
  • Apply filters like src.ip: or dest.port: to narrow down the scope.
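The alert fields and filters described above (source/destination IP, timestamp, signature ID, and filters such as src.ip: or dest.port:) come from Suricata's eve.json records that Security Onion ingests. The following is an added example, not part of this guide or the Security Onion project, that parses a few constructed EVE JSON lines and applies the same kind of field:value filter offline; the signature IDs and IPs are made up.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON lines (not real captures). The layout follows
# the eve.json "alert" records Security Onion ingests; sids and IPs are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"192.168.1.50",'
    '"src_port":44321,"dest_ip":"192.168.1.10","dest_port":22,"proto":"TCP",'
    '"alert":{"signature_id":9000001,"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"192.168.1.50",'
    '"src_port":44322,"dest_ip":"192.168.1.10","dest_port":22,"proto":"TCP",'
    '"alert":{"signature_id":9000001,"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.1.50",'
    '"src_port":50112,"dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":9000002,"signature":"ET INFO GNU/Linux APT User-Agent Outbound '
    'likely related to package management","severity":3}}',
    # A flow record and a junk line: both must be ignored by the parser.
    '{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"flow","src_ip":"192.168.1.50",'
    '"src_port":50113,"dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP"}',
    'this line is not json',
]

# SOC-style filter keys used in this guide mapped onto EVE JSON field names.
FIELD_MAP = {"src.ip": "src_ip", "src.port": "src_port",
             "dest.ip": "dest_ip", "dest.port": "dest_port"}


def parse_eve(lines):
    """Return only well-formed alert records; skip flows, stats and malformed lines."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            alerts.append(event)
    return alerts


def filter_alerts(alerts, query):
    """Apply a space-separated field:value query, e.g. 'src.ip:192.168.1.50 dest.port:22'."""
    terms = []
    for token in query.split():
        key, _, value = token.partition(":")
        terms.append((FIELD_MAP.get(key, key), value))
    return [a for a in alerts if all(str(a.get(field)) == value for field, value in terms)]


def summarize(alerts):
    """Count hits per (signature_id, signature), the view you pivot from in SOC -> Alerts."""
    return Counter((a["alert"]["signature_id"], a["alert"]["signature"]) for a in alerts)
```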

5. The Hunt Tab

The Hunt tab lets you perform ad-hoc searches across network metadata.

You can combine multiple filters and time ranges to correlate events. Hunt is ideal for investigating:

  • Brute-force attempts.
  • Suspicious DNS queries.
  • Unusual HTTP requests.

After executing a search, you can:

  • Export results.
  • Perform actions; e.g., create a Case directly from Hunt for further investigation.

6. Cases and Dashboards

Cases

The Cases feature allows you to group related alerts, notes, and hunts into one investigation.

Example workflow:

  1. From an alert, click Add to Case.
  2. Name your case, e.g., SSH Brute Force Investigation.
  3. Add related Hunt queries and notes.
  4. Assign the case to yourself or a teammate.

This provides an audit trail and context for incident response.

Dashboards

The Dashboards section visualizes your data for quick situational awareness.
Common built-in dashboards:

  • Overview: General system health and alert summary.
  • Connections seen by Suricata and Zeek: Connection breakdown (src, dst, port).
  • Many more.

7. Example Workflow

  1. Trigger an alert (e.g., apt install).
  2. Open Alerts.
  3. Pivot to Hunt, search for correlated connections by IP.
  4. Identify related flows or anomalies.
  5. Create a Case, document findings.

This workflow gives you end-to-end visibility from detection -> investigation -> documentation directly within Security Onion.


Notes

  • Use the SOC dashboard for log correlation and search.
  • Enroll agents.
  • Configure email alerts.