Security Onion

After reading some more sans security documents I was pointed toward Security Onion as my go-to for IDS/IPS. I had been using snorby TKL by smooth-sec (Bailey.st), but it wasn’t doing a great job and the documentation was lacking. Security onion is more of a resource hog but offers quite a few awesome tools. Here is my basic setup to get Security Onion working properly:

Download ISO, burn, Install on a server (Dell PE1850, 2x 2.8GHz Xeon, 16GB RAM, Mirror 300GB SCSI)

Added Root User – I still dislike all this “sudo this” and “sudo that”
sudo passwd root

Update Operating system
apt-get update
apt-get upgrade

Update Onion
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Turn off sensor for Eth1 (assuming Eth0 is mirror port and Eth1 is LAN)
nsm_sensor_ps-stop --sensor-name=YOURSERVERNAME-eth1
nano /etc/nsm/sensortab
Comment out the Interface to disable

Reboot
reboot

Remove SIDs/Block Addresses (*OLD*)
Block SIDs will stop snort from even reporting the issue – by default ALL rules are enabled
nano /etc/pulledpork/disablesid.conf

1:1411-1:1419,1:OTHERRULES,1:ETC

/usr/local/bin/pulledpork_update.sh
nsm_sensor_ps-stop
nsm_sensor_ps-start

Remove SIDs/Block Addresses (*NEW*)
Block SIDs will stop snort from even reporting the issue – by default ALL rules are enabled
nano /etc/nsm/pulledpork/disablesid.conf

1:1411-1:1419,1:OTHERRULES,1:ETC

/usr/bin/rule-update
nsm_sensor_ps-stop
nsm_sensor_ps-start

Blocking IPs will stop snort from worrying about certain hosts – by default ALL hosts are worried
nano /etc/nsm/YOURSERVERNAME-eth1/bpf.conf

Add the following template:

#Nothing from src host to dst port
!(src host xxx.xxx.xxx.xxx && dst port 161) &&
#Nothing from src host to dst host and dst port
!(src host xxx.xxx.xxx.xxx && dst host xxx.xxx.xxx.xxx && dst port 80) &&
#Nothing to or from:
!(host xxx.xxx.xxx.xxx) &&
#Last entry has no final &&
!(host xxx.xxx.xxx.xxx)

nsm_sensor_ps-restart

One thought on “Security Onion”

  1. Security onion 12:
    /etc/nsm/name-network/bpf.conf
    /etc/nsm/name-network/sensor.conf
    /opt/bro/etc/node.cfg
    /etc/nsm/pulledpork/disablesid.conf
    /opt/snorby/config/initializers/mail_config.rb
    nsm_sensor_ps-restart

Leave a Reply

Your email address will not be published. Required fields are marked *