What if you want an IDS system that monitors malicious activities and provides you with logs (Network Security Monitoring) and graphs to help protect your network? And what if you want an easy setup that provides you with information that will help you – something with a GUI interface? Security Onion can provide you with the defacto IDS system – Snort, Squert and a ton of other tools to help you. While there are options, Security Onion offers the choice of Snort (http://snort.org/) or Suricata (http://suricata-ids.org/).
The setup below shows a test system using VMWare with 2 processors and 2 Gb of RAM if you want to try it out. While the bare minimum is suggested to be 3 Gb, a production environment should have 8- 128 Gb of RAM, a ton of hard drive space for logs and two network cards. One network card for management and one to sniff.
Here’s a simple setup I did at home to try out Security Onion. Using VMware’s Player (non-commercial use). If you plan on trying Security Onion or deploying it in a production environment, you should use the commercial version or have a system that supports the minimum requirements.
Once you restart, you’ll need to run setup again to enter an email address for squert and setup a password. Once this is done, you can open the shortcuts on the desktop or use your host computer to login. Once this is complete, login to Snorby’s url.
While snort is running, Snorby will present a dashboard. You may be surprised to see no threats once you login. You can expedite this process by running NMap (Zenmap against the virtual machine) if you want to see threats.
What is Snorby? “ Snorby is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses.” more information.
Once you run NMap, click on More Options in the right corner and update the Cache
Give Security Onion just a few seconds and refresh the screen. You’ll see the events logged. This will visually show you not only how many threats were ‘ seen’ on the network but will categorize and graph them.
Logging in to Squert allows you to see threats along with maps and information from threats.
ELSA – allows you to query and look for information.
What does NMap show when Security Onion is scanned?