Comprehensive Guide to Enterprise Security Monitoring Using Security Onion

1. Introduction to Security Onion

Security Onion is a comprehensive open-source platform for enterprise security monitoring. It is designed to facilitate network security by providing tools for intrusion detection, network monitoring, and log management. Security Onion integrates various tools to help enterprises effectively detect, analyze, and respond to security threats, ensuring robust enterprise security monitoring capabilities.

Security Onion is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. Security Onion is an essential tool for network security monitoring and for traffic analysts.

Community website: https://securityonion.net

Company website: https://securityonionsolutions.com

GitHub website: https://github.com/Security-Onion-Solutions/

2. Installation Environment Requirements

1. Deployment Methods: Security Onion offers several deployment methods: lab deployment (a single machine), standalone production server deployment, and distributed production server deployment. This document covers single-machine deployment in a virtual machine.

2. Hardware Requirements: Security Onion supports only the x86-64 architecture (standard Intel/AMD 64-bit processors). The recommended configuration is 8GB of memory, a 4-core CPU, and more than 100GB of disk, preferably SSD.

3. Image Selection: Security Onion can be installed in two ways: either directly from the Security Onion 16.04 ISO image, or from an Ubuntu image with the HWE stack (such as Ubuntu Server) with the Security Onion PPA and packages added afterwards. Note that the PPA and packages are only compatible with Ubuntu 16.04.

Note: This document chooses the Security Onion 16.04 ISO image for installation.

Download link:

https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

Note: Downloading this image is extremely slow domestically; if necessary, request it from the IRT team.
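Whichever way the ISO is obtained, it should be checked against the SHA256 value published in Verify_ISO.md before it is installed, so that a corrupted or tampered image is not used as the base of the monitoring platform. The following script is an added example and is not code from the Security Onion project; the file name and the checksum in the usage line are placeholders to be replaced with the real ones from Verify_ISO.md.

```shell
#!/bin/sh
# Added example (not from the Security Onion project): verify a downloaded ISO
# against a published SHA256 checksum before installing it.
# The ISO name and the expected hash used in the usage line at the bottom are
# placeholders; take the real values from Verify_ISO.md.

# verify_iso_sha256 FILE EXPECTED_HEX
# Returns 0 when the computed SHA256 of FILE equals EXPECTED_HEX,
# 1 on a mismatch, 2 when the file cannot be read.
verify_iso_sha256() {
    file="$1"
    expected="$2"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    # sha256sum on GNU/Linux; shasum -a 256 as a fallback on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    # Published hashes vary in case, so compare in lowercase.
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected SHA256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage with placeholder values (replace both with the real ISO and hash):
#   sh verify_iso.sh SecurityOnion.iso <sha256 from Verify_ISO.md>
if [ "$#" -eq 2 ]; then
    verify_iso_sha256 "$1" "$2"
fi
```

A mismatch is a reason to discard the download and fetch the image again from the project, not to proceed with installation.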

3. Installation

1. Creating VM

Follow these steps to install the Security Onion ISO image in VMware:

1) In VMware, select File >> New Virtual Machine.

2) Select Typical Installation >> Click Next.

3) Choose "Installer disc image file", browse to the Security Onion ISO, then click Next.

4) Select Linux, Ubuntu 64-bit, then click Next.

5) Specify the virtual machine name, then click Next.

6) Specify the disk size, choose to store the virtual disk as a single file, then click Next.

7) Click Customize Hardware and set the following:

8) Memory – 8GB or more

9) Processor – 4 or more CPU cores

10) Network Adapter (NAT) – Management Interface.

11) Add >> Network Adapter (Bridged) – Monitoring Interface.

12) Click Close.

13) Click Finish.

14) Power on the virtual machine, select the default boot menu option to start the system.


2. Start Installing Security Onion

1) After the desktop appears, double-click the icon Install SecurityOnion.


2) Follow the prompts in the installer. If the installer offers to encrypt the home folder or to encrypt the partition, do not enable either option. If asked about automatic updates, do not enable them.

Select Chinese, click "Continue"

Do not select updates at this stage, click "Continue"

Select "Erase disk and install Security Onion", click "Continue"

Create a username and password for system login

Start the installation, wait for it to complete

Installation complete, reboot

3) After the installation is complete, restart and log in with the username and password specified during installation.

Enter the account password set during installation to log in

4) Double-click the Setup icon to start the installer (follow the screenshots).

Select management interface

Configure monitoring interface

5) After the reboot, double-click the Setup icon again to continue the installer.

Set username and password to log in to Security Onion

Installation complete; take a moment to note the paths shown on the final screen.

4. Post-Installation Check and Update

1. Verify Installation Success

1) Verify that services are running:

sudo so-status

2) If the services are not running, start them with the following command:

sudo so-start
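The two commands above are what an operator runs by hand. The script below is an added example, not part of Security Onion, that wraps the same check so it can be run from cron or a configuration-management tool: it parses so-status output, lists any service whose status bracket is not "[  OK  ]", and runs so-start only when something is down. It assumes so-status prints one line per service ending in a bracketed status such as "[  OK  ]" or "[FAIL]"; the sample output embedded in the script is constructed for demonstration and should be replaced by the real command output on a live host.

```shell
#!/bin/sh
# Added example (not part of Security Onion): summarise `so-status` output,
# list services that are not OK, and start them with `so-start` if needed.
# Assumption: each service line ends with a bracketed status like "[  OK  ]"
# or "[FAIL]". Adjust the patterns below if your version prints differently.

# failed_services: read so-status output on stdin, print the name of every
# service whose status bracket is not "[  OK  ]", one per line.
failed_services() {
    while IFS= read -r line; do
        case "$line" in
            *'['*']'*)
                case "$line" in
                    *'[  OK  ]'*) ;;   # healthy, nothing to report
                    *)
                        # strip the leading "  * " marker and the trailing status bracket
                        printf '%s\n' "$line" | sed 's/^[[:space:]]*\*[[:space:]]*//; s/[[:space:]]*\[[^]]*\][[:space:]]*$//'
                        ;;
                esac
                ;;
        esac
    done
}

# count_failed_services: number of non-OK service lines on stdin.
count_failed_services() {
    failed_services | wc -l | tr -d ' '
}

# check_and_start: run the real so-status and call so-start when anything is down.
# Returns 0 when all services were already OK, 2 when so-status is not installed,
# otherwise the exit status of so-start.
check_and_start() {
    if ! command -v so-status >/dev/null 2>&1; then
        echo "so-status not found; is this a Security Onion host?" >&2
        return 2
    fi
    status=$(sudo so-status)
    n=$(printf '%s\n' "$status" | count_failed_services)
    if [ "$n" -eq 0 ]; then
        echo "all services OK"
        return 0
    fi
    echo "$n service(s) not OK:"
    printf '%s\n' "$status" | failed_services
    echo "starting services with so-start"
    sudo so-start
}

# Constructed sample of so-status output for demonstration; not real output.
SAMPLE_STATUS='Status: securityonion
  * sguil server                                        [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                 [  OK  ]
Status: Suricata (alert data)
  * suricata                                            [FAIL]
Status: Bro
  * bro                                                 [  OK  ]'

# Demonstration on the sample (works on any host); on a real sensor run check_and_start.
echo "non-OK services in the sample:"
printf '%s\n' "$SAMPLE_STATUS" | failed_services
```

On the constructed sample the script reports only "suricata". On a real sensor, calling check_and_start from a scheduled job gives a simple liveness check for the monitoring stack; a sensor whose IDS engine has silently stopped produces no alerts, which is exactly the gap such a check is meant to catch.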

2. Update rules

sudo apt-get update && sudo apt-get dist-upgrade