I’ve been hearing great things about the Security Onion project. It bundles up a whole bunch of great tools that can be used for Network Security Monitoring (NSM) so I thought I would give it a try on my home network. After all, next time the fiancé gets malware, it could be helpful to know what happened…
- 16GB OS disk (ext4)
- 300GB data disk mounted at /nsm (ext4, noatime set). Size this disk according to the traffic on your network and how long you want to keep data.
- 2 NICs: one for management on my standard home VLAN, the other on a dedicated monitoring VLAN built as described below.
Network Configuration – DD-WRT port mirroring and ESXi config
The management interface for the VM is on my standard DHCP subnet that serves my house. It will be used for management and to access all the tools on it. Nothing special there.
The special configuration comes into play because we need a port mirror off the router to get a full packet capture of all traffic going through the WAN interface. DD-WRT can’t do a true mirror. A true mirror (a SPAN port) is a physical switch port designated to receive a copy of all traffic; the receiving port typically carries no IP address. DD-WRT can’t do that, but some iptables trickery can copy every packet to a particular IP address. Strictly speaking, that means I did not need a second NIC in the VM: I could have used one and had iptables send all the copies to its single IP address. I chose a second NIC to keep the mirrored traffic off my main VLAN. Two side effects of this approach are worth knowing: each copy is re-sent to the sensor’s MAC address, so the original Ethernet headers are lost, and the monitoring interface is a live IP host on the router’s network rather than a passive tap. In a production environment where real forensics could be required, this fake mirror would probably not be sufficient, and you should invest in a proper switch with a mirror port.
So to accomplish this configuration, I installed a second NIC in my ESXi server, created another virtual switch, and added a NIC on that switch to my VM:
Next, let’s set up DD-WRT.
- Choose a port on your router to create a new VLAN. I chose port 4.
- In the Setup -> VLANs tab of your router, assign your chosen port to a different VLAN number than the others. The next available for me was 3. Do not assign the port to a bridge. Apply the settings.
- Under the Setup -> Networking tab, find the Port Setup section and set vlan3 to Unbridged. Set Masquerade/NAT to Disabled (we’re not going to be sending any traffic out to the internet from that VLAN), and choose a subnet for your private monitoring LAN. I am going to go with 10.0.0.0/24 and give the router interface the IP 10.0.0.254. Apply the settings.
- Lastly, choose an IP on that subnet to assign your Security Onion monitoring interface. I’m going to go with 10.0.0.1. Under Administration -> Commands, paste these iptables commands, modified to specify the IP address you chose:
iptables -A PREROUTING -t mangle -j ROUTE --gw 10.0.0.1 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 10.0.0.1 --tee
- Click the Save Firewall button to apply the iptables rules. You might want to reboot the router for good measure. The ROUTE target is a DD-WRT extension rather than part of stock iptables; --tee sends a copy of each matching packet to the given gateway and lets the original continue on its way. Because both rules match every packet the router handles, a packet forwarded from the LAN to the WAN is copied twice, once in PREROUTING on the way in and once in POSTROUTING on the way out, so expect duplicates in the capture. If you only want a single WAN-side copy of each packet, restrict the PREROUTING rule with -i and the POSTROUTING rule with -o to your WAN interface.
Installing the Security Onion
Security Onion on Ubuntu 12.04 has just been released! I largely followed the official install instructions located here: http://code.google.com/p/security-onion/wiki/Installation
- Download their ISO image, which is based on Xubuntu 12.04 64-bit, and boot from it into Live mode. When you get to the desktop, double-click the Install SecurityOnion 12.04 icon. You get pretty much the standard Ubuntu installer wizard. Walk through it, selecting Download Updates While Installing so you start fully up to date.
- When it comes to partitioning, do it manually and specify a 15GB ext4 root partition and a 1GB swap on the OS disk. On the data disk, create a new partition taking up the entire device and set its mount point to /nsm. /nsm is where the Security Onion will store all the data, so we should start with a big mount point before doing the software installation.
- Once the OS is installed, update it and install build-essential and linux-headers which will be needed to install VMware Tools:
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get install build-essential linux-headers-`uname -r` -y && sudo reboot
- Install VMware Tools. This is important, if for nothing else, the network card drivers. If you’re running ESXi 5, see my post here on how to successfully install tools on 12.04 if you get an error during compilation.
- If you are SSHed into the server, make sure your display is X-forwarded for the next setup steps, since the wizard uses graphical dialog boxes; otherwise, run the same command from a terminal on the desktop. To start the setup wizard, run sudo sosetup.
- Walk through the wizard. Allow it to configure /etc/network/interfaces for you. To determine which interface is management and which is for monitoring, run ifconfig and see which one has a DHCP address; that one is your management interface (eth0 on my VM). Then select eth1 as the monitoring interface and let it do the install.
- After reboot, run setup again with sudo sosetup and skip network configuration.
- Choose Advanced.
- Choose Standalone.
- My preference is Snort – try Suricata if you’d like. Select eth1 as the interface to be monitored.
- Choose 2 CPUs and 2 Bro instances.
- I’m using the Emerging Threats GPL Snort list.
- Setup the usernames and password.
- I chose to enable ELSA. It is a fantastic tool! This will be the first time I’m monitoring Bro logs, so we’ll see what we get.
- Let it work its magic and then you’re installed. It may take a little while for your VM to settle down and for all the processes to initialize.
- Since DD-WRT needs an IP address to mirror the traffic to, we need to configure one on the monitoring interface. Edit /etc/network/interfaces and change the line ‘iface eth1 inet manual’ to ‘iface eth1 inet static’, then add the address and netmask chosen earlier immediately below it (address 10.0.0.1 and netmask 255.255.255.0 for the 10.0.0.0/24 monitoring VLAN used here).
Then comment out all the other commands below that line, except for the last one, which disables IPv6 (it ends in ‘disable_ipv6’). Those commands set the interface up as a passive sniffing port, which does not suit an interface that has to answer the router’s ARP requests for 10.0.0.1.
- Now reboot for good measure. Once you log back in, try pinging 10.0.0.254. If that works, run tcpdump on your monitoring interface and make sure you see a whole bunch of packets that are not destined for your IP. If you see them, you’re capturing!
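The capture check in the last step, written out as a small shell script. This is an added example, not part of the original post or of Security Onion: it pings the router on the monitoring VLAN, takes a short tcpdump sample on the monitoring interface, and counts how many packets involve neither endpoint of the sensor itself, which is the only way they can have arrived. The sensor address 10.0.0.1, the router address 10.0.0.254 and the interface name eth1 are the values used above and can be overridden through the environment; the tcpdump lines embedded in the script are constructed for offline testing, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post or from Security Onion):
# sanity-check the iptables "mirror" from the Security Onion VM.
# Defaults are the addresses chosen above; override via the environment.
SENSOR_IP="${SENSOR_IP:-10.0.0.1}"     # monitoring interface of the VM
ROUTER_IP="${ROUTER_IP:-10.0.0.254}"   # DD-WRT's vlan3 address
MON_IF="${MON_IF:-eth1}"               # interface on the monitoring VLAN

# Read plain "tcpdump -nn" lines on stdin and print "<mirrored> <local>":
#   mirrored = IPv4 packets where neither endpoint is $1 (they can only
#              have reached this interface as copies made by ROUTE --tee)
#   local    = packets to or from $1 itself (ARP lines are skipped)
classify_capture() {
    awk -v me="$1" '
        # Turn "a.b.c.d.port" or "a.b.c.d:" into "a.b.c.d". Comparing whole
        # addresses (not substrings) keeps 10.0.0.10 from matching 10.0.0.1.
        function host(f,    n, p) {
            sub(/:$/, "", f)
            n = split(f, p, ".")
            if (n == 5) f = p[1] "." p[2] "." p[3] "." p[4]
            return f
        }
        $2 == "IP" && $4 == ">" {
            if (host($3) == me || host($5) == me) local++
            else                                  mirrored++
        }
        END { printf "%d %d\n", mirrored + 0, local + 0 }'
}

# Live check: run as root on the VM, e.g.  sudo sh mirror-check.sh run 200
check_mirror() {
    n="${1:-200}"
    # The router must be able to reach (and ARP for) the sensor address,
    # otherwise the teed copies have nowhere to go.
    if ! ping -c 1 -W 2 "$ROUTER_IP" >/dev/null 2>&1; then
        echo "cannot reach $ROUTER_IP on $MON_IF; check the vlan3 setup" >&2
        return 1
    fi
    # Sample n packets and classify them. Expect mirrored > 0 when the
    # DD-WRT rules are active; with both PREROUTING and POSTROUTING teeing,
    # forwarded packets show up twice, so the counts are not unique flows.
    set -- $(tcpdump -nn -i "$MON_IF" -c "$n" 2>/dev/null | classify_capture "$SENSOR_IP")
    echo "$1 mirrored packets, $2 to/from $SENSOR_IP, out of $n captured on $MON_IF"
    [ "${1:-0}" -gt 0 ]
}

# Constructed sample of tcpdump -nn output (not a real capture) for
# exercising classify_capture without a network: 3 mirrored, 2 local.
SAMPLE_CAPTURE='12:00:00.000001 IP 192.168.1.20.51234 > 93.184.216.34.443: Flags [S], seq 0, win 64240, length 0
12:00:00.000002 IP 93.184.216.34.443 > 192.168.1.20.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:00.000003 IP 10.0.0.254 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
12:00:00.000004 IP 10.0.0.1 > 10.0.0.254: ICMP echo reply, id 1, seq 1, length 64
12:00:00.000005 ARP, Request who-has 10.0.0.1 tell 10.0.0.254, length 28
12:00:00.000006 IP 10.0.0.10.22 > 192.168.1.5.50000: Flags [P.], seq 1:2, ack 1, win 100, length 1'

# Classify the constructed sample with the default sensor address.
classify_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture "$SENSOR_IP"
}

if [ "${1:-}" = "run" ]; then
    check_mirror "${2:-200}"
fi
```

Run it as root with the run argument to take a live sample; without arguments it only defines the functions. A result of zero mirrored packets with a reachable router usually means the firewall commands were not saved on the DD-WRT side, or the sensor’s eth1 is not on vlan3.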
Next, visit https://your_server_name and you’ll get the Onion’s splash page, which contains links to Squert, Snorby and ELSA.
Happy network security monitoring!
Things from the post install dialog boxes for reference:
Security Onion Setup is now complete!
Setup log can be found here: /var/log/nsm/sosetup.log
You may view IDS alerts using Sguil, Squert, Snorby, or ELSA (if enabled).
Bro logs can be found in ELSA (if enabled) and the following location: /nsm/bro/
Rules downloaded by Pulledpork are stored in: /etc/nsm/rules/downloaded.rules
Local rules can be added to: /etc/nsm/rules/local.rules
You can have PulledPork modify the downloaded rules by modifying the files in: /etc/nsm/pulledpork/
Rules will be updated every day at 7:01 AM UTC.
You can manually update them by running: /usr/bin/rule-update
Sensors can be tuned by modifying the files in: /etc/nsm/NAME-OF-SENSOR/