Security Onion- IDS, NSM, and log management

What if you want an IDS that monitors for malicious activity and provides you with logs (Network Security Monitoring) and graphs to help protect your network? And what if you want an easy setup that presents that information through a GUI? Security Onion provides the de facto IDS, Snort, along with Squert and a ton of other tools to help you. Security Onion offers the choice of Snort (http://snort.org/) or Suricata (http://suricata-ids.org/).

The setup below shows a test system using VMware with 2 processors and 2 Gb of RAM if you want to try it out. While the bare minimum is suggested to be 3 Gb, a production environment should have 8-128 Gb of RAM, a ton of hard drive space for logs and two network cards: one for management and one to sniff. Security Onion's ISO can be downloaded from SourceForge. While there are a ton of how-tos on the internet about Security Onion, there is a great deal of information on their blog (linked at the end of this post).

Here's a simple setup I did at home to try out Security Onion, using VMware Player (non-commercial use). If you plan on deploying Security Onion in a production environment, you should use the commercial version or have a system that supports the minimum requirements.

[Installation screenshots: boot menu, install, live session running, installing, drive selection, erase drive, installing files, time zone, keyboard, finished.]

Once you restart, you'll need to run Setup again to enter an email address for Squert and set up a password. Once this is done, you can open the shortcuts on the desktop or use your host computer to log in. Then log in to Snorby's URL. While Snort is running, Snorby will present a dashboard. You may be surprised to see no threats once you log in. You can expedite this by running Nmap (Zenmap) against the virtual machine if you want to see threats.

What is Snorby?

"Snorby is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses." (more information)

[Screenshot: Snorby dashboard]

Once you run Nmap, click on More Options in the right corner and update the cache.

[Screenshot: cache update]

Give Security Onion just a few seconds and refresh the screen. You'll see the events logged. This will visually show you not only how many threats were 'seen' on the network but will categorize and graph them.

[Screenshots: Snorby events, severity]

Clicking on the events will show each event and give you the option to categorize unknown threats or to reclassify threats.

[Screenshot: Nmap test events]

Logging in to Squert allows you to see threats along with maps and information from threats.

[Screenshots: Squert, Squert map]

ELSA allows you to query and look for information.

[Screenshot: ELSA]

What does Nmap show when Security Onion is scanned?

[Screenshot: is it logging?]

Introduction to Security Onion
Security Onion Blog

http://www.drchaos.com/ultimate-guide-to-installing-security-onion-with-snort-and-snorby/
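The Snorby reports described above (most active signatures, top source and destination IPs, counts by priority) are aggregations over the alerts Snort or Suricata write out. The script below is an added example, not code from the original post or from the Security Onion, Snorby, Snort or Suricata projects: it parses alert lines in Snort's "fast" alert format and builds the same kind of summary. The alert lines are constructed samples, not captured from a real sensor, and the signature names, SIDs and addresses in them are made up for the illustration. Addresses are handled as IPv4 only.

```python
"""Summarize Snort/Suricata fast-format alert lines the way Snorby's dashboard does.

Added example; not part of the original post or of Security Onion/Snorby.
"""
import re
from collections import Counter

# Constructed sample alerts (made-up SIDs, messages and addresses), including one
# malformed line to show that unparseable input is counted and skipped, not crashed on.
SAMPLE_ALERTS = """\
03/14-10:02:11.123456  [**] [1:1000001:1] TEST SCAN Nmap TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.1:51234 -> 192.168.56.101:22
03/14-10:02:11.223456  [**] [1:1000001:1] TEST SCAN Nmap TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.1:51235 -> 192.168.56.101:80
03/14-10:02:11.323456  [**] [1:1000001:1] TEST SCAN Nmap TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.1:51236 -> 192.168.56.101:443
03/14-10:02:12.000001  [**] [1:1000002:1] TEST ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.56.1 -> 192.168.56.101
03/14-10:03:01.500000  [**] [1:1000003:2] TEST WEB Suspicious User-Agent [**] [Priority: 1] {TCP} 10.0.0.7:40000 -> 192.168.56.101:80
this is not an alert line
"""

# Snort alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
# The Classification block is optional because rules without a classtype omit it.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_endpoint(endpoint, proto):
    """Return (ip, port). TCP/UDP endpoints carry ':port'; ICMP and others do not. IPv4 only."""
    if proto in ("TCP", "UDP") and ":" in endpoint:
        ip, port = endpoint.rsplit(":", 1)
        return ip, int(port)
    return endpoint, None


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_ip, src_port = split_endpoint(d["src"], d["proto"])
    dst_ip, dst_port = split_endpoint(d["dst"], d["proto"])
    return {
        "timestamp": d["ts"],
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "classification": d["classification"] or "unclassified",
        "priority": int(d["priority"]),
        "proto": d["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize(lines, top=5):
    """Aggregate alerts: most active signatures, top source/destination IPs, alerts per priority."""
    signatures, sources, destinations, priorities = Counter(), Counter(), Counter(), Counter()
    parsed = skipped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            if line.strip():          # blank lines are ignored silently; garbage is counted
                skipped += 1
            continue
        parsed += 1
        signatures[alert["msg"]] += 1
        sources[alert["src_ip"]] += 1
        destinations[alert["dst_ip"]] += 1
        priorities[alert["priority"]] += 1
    return {
        "parsed": parsed,
        "skipped": skipped,
        "signatures": signatures.most_common(top),
        "sources": sources.most_common(top),
        "destinations": destinations.most_common(top),
        "priorities": dict(priorities),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS.splitlines())
    print(f"parsed {report['parsed']} alerts, skipped {report['skipped']} unparseable lines")
    for section in ("signatures", "sources", "destinations"):
        print(f"top {section}:")
        for key, count in report[section]:
            print(f"  {count:4d}  {key}")
    print("alerts per priority:", report["priorities"])
```

On a real sensor you would feed it the contents of Snort's fast alert file instead of SAMPLE_ALERTS; a high count for one source against many destination ports, as in the sample, is the same pattern the Nmap test in the post produces on the Snorby dashboard.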

About TCAT Shelbyville IT Department

The Tennessee College of Applied Technology - is one of 46 institutions in the Tennessee Board of Regents System, the seventh largest system of higher education in the nation. This system comprises six universities, fourteen community colleges, and twenty-six Applied Technology Colleges.
