Here’s part 2 of @webbreacher‘s post on setting up a home Internet security monitoring system. In this article he discusses setting up SecurityOnion and getting it on your network. You can find the original version that webbreacher is maintaining here.
If you’ve read my last post, then your home network is configured for monitoring.
CAVEAT – I’m not an expert in IDS alerts, Snort/Suricata rule-writing, network traffic analysis, making waffles from scratch or SecurityOnion and the projects that are implemented within SecurityOnion. I’m just a guy that has put this up at home and found it to be very helpful.
Let’s start with the SecurityOnion project. I’ve been extremely impressed with how simple it was to install, configure and implement this system. There is AMPLE documentation, videos, screenshots and tutorials available on their site. I truly encourage you to visit and read further there. In general though, stuff, well, just worked!

To put it simply, SecurityOnion is a group of software pieces that all pertain to monitoring and analyzing traffic on a network, what is now referred to as Network Security Monitoring (NSM). What makes SecurityOnion a great tool is that it takes the pain out of installing each package separately and trying to get an entire system working. The installation and configuration of all these NSM pieces was simple. For details, you have to visit the official web site of the project here. For my installation, I visited the ISO page and followed the instructions there. The installer on the ISO walks you through what each of the pieces of the system are and asks for your input when appropriate (e.g., “Would you like to use Snort or Suricata?”). To be honest, I installed what I thought I needed. Then after using it for a bit I decided I needed to start over, so I reran the setup script (located on the system’s desktop) and made my changes. The system reconfigured itself and everything, again, just worked.
For my install, I chose Suricata for my IDS and opted for Full Packet Capture, Passive OS fingerprinting, Bro, Argus, PADS and more. I’ll show you some of the traffic from those products in later posts.
One thing to think about is how you’ll use the SecurityOnion system. I installed it onto an old laptop and it worked great. I plugged the laptop’s Ethernet port into the mirrored port on my switch and VOILA! I saw things! That would have been the end of it if I wanted to always monitor/manage the system from the laptop, but I kinda just wanted to put the laptop in a closet and access it remotely. To do this, I needed another network interface. I chose this USB to Ethernet adapter. To my great relief, SecurityOnion found it and allowed me to configure the network adapter with no driver issues. I configured the built-in adapter to remain on the mirrored port and configured the USB to Ethernet adapter to have a static IP address on my internal home network. This gave me the capability to log into the SecurityOnion system via SSH or HTTPS to monitor and manage the system.

One more piece of hardware you’ll want is a fan to blow across your system. My laptop didn’t have the best cooling system, so I added a cheap fan to blow against the underside of the laptop. If you are using a better-cooled (more appropriate?) box, this may not be an issue.
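For readers who want to see what the two-interface layout above looks like on disk, here is an added example of a Debian/Ubuntu-style `/etc/network/interfaces` for that setup. It is not from the original post and not the file SecurityOnion’s Setup writes for you (Setup normally generates this when you pick a management and a monitor interface); it assumes `eth0` is the built-in adapter on the mirrored port, `eth1` is the USB adapter on a home LAN of `192.168.1.0/24` with the sensor at `.50` and the router at `.1`. All of those names and addresses are placeholders to replace with your own.

```conf
# Management interface (hypothetical USB-to-Ethernet adapter eth1):
# gets a static address on the home LAN so SSH/HTTPS reach the box in the closet.
auto eth1
iface eth1 inet static
    address 192.168.1.50
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1

# Monitor interface (hypothetical built-in adapter eth0) plugged into the mirror port:
# no IP address and ARP off, so the sensor never transmits on the mirrored segment;
# promiscuous mode so it captures frames not addressed to it.
auto eth0
iface eth0 inet manual
    up ifconfig $IFACE -arp up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
    # Turn off NIC offloading so the IDS and packet capture see packets as they
    # were on the wire, not oversized segments reassembled by the card.
    post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
    # Keep the sniffing interface from chattering on IPv6 (router solicitations etc.).
    post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
```

After `sudo ifup eth0`, `ip link show eth0` should list `PROMISC` in the flags and `ip addr show eth0` should show no `inet` address; if the management address is missing from `ip addr show eth1`, nothing is wrong with SecurityOnion, the file simply did not apply. The offload loop is the piece people most often forget: with it left on, full packet capture records segments larger than the MTU and some IDS rules silently stop matching.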
So, before we dive into the NSM features of SecurityOnion, I’ll tell you another neat thing it does. It has a syslog server for collecting logs from other devices on your network. It will aggregate and alert on these logs if desired. FINALLY I can see my network attached storage (NAS/home file server) logs in the same place as my router logs. We’ll dive deeper into this later when we get to ELSA, but I really liked this feature!
HTTPS Front Page
As I mentioned above, you can access SecurityOnion from the device you install it on if it has a keyboard, mouse and monitor (or is a laptop, in my case), via SSH or via HTTPS. I’m going to show you the HTTPS method and what the tools look like. I use the SSH method to connect to the system, modify rules and perform maintenance (such as installing operating system patches).
The main HTTPS web page looks like the above screenshot. It has a list of the other applications that you can visit on the web server. I’m going to cover the first three links: Squert, Snorby and ELSA.
Next blog post I’ll show off some of ELSA’s abilities. Stay tuned!
Special thanks to Webbreacher again for allowing us to repost!