Security Onion is a free and open-source Linux distribution designed for threat hunting, enterprise security monitoring, and log management. It includes a setup wizard to help users configure and deploy the system efficiently.
An easy-to-use setup wizard lets you stand up a distributed sensor grid for your enterprise within minutes. Security Onion ships with a native web interface and built-in tools that let analysts respond to alerts, hunt for threats, compile evidence into cases, monitor grid performance, and more.
I. Prepare the Server Environment
Current environment:
1. CentOS 7.9, 32 GB RAM, 8 CPU cores, 300 GB disk, with two network cards.
2. Prepare a Docker image acceleration tool. Running the installation and pulling the images without acceleration will fail. After enabling the acceleration tool, you must exclude the hostname, 127.0.0.1, and localhost from it; otherwise writes to the ES container fail and the container cannot start.
II. Start Installation
First configure the accelerator.
1. Enable the accelerator. I am using the following tool; if you use another one, you will need to set it up yourself. Enter the accelerator directory, configure the config.json file, and start the Docker image accelerator.
2. Verify the accelerator port and configure the local acceleration environment variables. Private network addresses and the local hostname do not need to go through the accelerator.
[root@220-220 v2ray]# netstat -lntup
tcp 0 0 127.0.0.1:10808 0.0.0.0:* LISTEN 4426/
tcp 0 0 127.0.0.1:10809 0.0.0.0:* LISTEN 4426/
[root@220-220 v2ray]# vim /etc/profile
no_proxy_192=$(echo 192.168.220.{1..255} | sed 's/ /,/g')   # Addresses that do not need acceleration; must include the local addresses, adjust to your environment
export no_proxy="220-220,${no_proxy_192}"   # Effective non-acceleration list: the 220-220 hostname plus the private network addresses above
export https_proxy=127.0.0.1:10809   # HTTPS accelerated through local port 10809
export http_proxy=127.0.0.1:10809    # HTTP accelerated through local port 10809
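The /etc/profile block above relies on bash brace expansion and lists only the hostname and the private /24. As an added example (not part of the original post), the POSIX sh functions below build the same no_proxy value and additionally verify that the hostname, localhost and 127.0.0.1 are present, since the preparation notes require those to bypass the accelerator or the ES container fails to start. The hostname 220-220, the 192.168.220.0/24 prefix and port 10809 are taken from the post; any other values are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build and validate the no_proxy
# list that keeps local and private-network traffic away from the accelerator.

# build_no_proxy HOSTNAME PREFIX
# PREFIX is the first three octets of the private /24 (e.g. 192.168.220).
# Prints a comma-separated list: hostname, localhost, 127.0.0.1, then .1-.255.
build_no_proxy() {
    host="$1"
    prefix="$2"
    list="${host},localhost,127.0.0.1"
    i=1
    while [ "$i" -le 255 ]; do      # no brace expansion in POSIX sh, loop instead
        list="${list},${prefix}.${i}"
        i=$((i + 1))
    done
    printf '%s\n' "$list"
}

# check_no_proxy VALUE HOSTNAME
# Returns 0 when the hostname, localhost and 127.0.0.1 are all present,
# otherwise names the first missing entry on stderr and returns 1.
check_no_proxy() {
    value=",$1,"                    # pad so every entry is delimited on both sides
    for needle in "$2" localhost 127.0.0.1; do
        case "$value" in
            *",${needle},"*) ;;
            *) echo "no_proxy is missing: $needle" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage mirroring the post's /etc/profile block (hostname and prefix from the post,
# the accelerator port 10809 from the netstat output).
no_proxy=$(build_no_proxy 220-220 192.168.220)
export no_proxy
export http_proxy=127.0.0.1:10809
export https_proxy=127.0.0.1:10809
check_no_proxy "$no_proxy" 220-220 \
    && echo "no_proxy covers the hostname, localhost, loopback and 192.168.220.0/24"
```

Source this file (or paste the export lines into /etc/profile) before running so-setup-network so that the image pulls go through the accelerator while Docker's own traffic to the host stays local.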
3. Clone the project with git
[root@220-220 ~]# git clone https://github.com/Security-Onion-Solutions/securityonion
4. Install Security Onion
[root@220-220 v2ray]# cd /root/securityonion/
[root@220-220 securityonion]# ./so-setup-network
Select YES
Select EVAL
Enter AGREE
Enter hostname
Select YES
Select Ok
Select the traffic mirroring interface network card, Ok
Select automatic updates
Enter the address
Select the plugins to install
Keep the Docker container IP default
Enter the administrator email address
Enter the administrator password twice
Use the IP to access the web page
Select YES
Enter the address to be accessed, 0.0.0.0/0 allows access from all addresses
Confirm the entered information
Wait for the installation
[root@220-220 ~]# tailf sosetup.log   # Follow the installation log

[root@220-220 ~]# while sleep 3; do docker images | grep ghcr.io | wc -l; done   # Check how many images have been pulled so far
5
[root@220-220 ~]# docker images | grep -v 220-220 | wc -l   # A total of 32 images need to be downloaded
32
[root@220-220 ~]# docker ps | grep -v ID | wc -l   # A total of 30 containers have been started
30
[root@220-224 ~]# so-allow # Open ports
Choose the role for the IP or Range you would like to allow
[a] - Analyst - 80/tcp, 443/tcp
[b] - Logstash Beat - 5044/tcp
[e] - Elasticsearch REST API - 9200/tcp
[f] - Strelka frontend - 57314/tcp
[o] - Osquery endpoint - 8090/tcp
[s] - Syslog device - 514/tcp/udp
[w] - Wazuh agent - 1514/tcp/udp
[p] - Wazuh API - 55000/tcp
[r] - Wazuh registration service - 1515/tcp
Please enter your selection: a # a = analyst role, ports 80/443
Enter a single IP address or range to allow (ex: 10.10.10.10 or 10.10.0.0/16): 192.168.28.0/24 # Address range allowed to access the web interface
Adding 192.168.28.0/24 to the analyst role. This can take a few seconds...
[root@220-220 ~]# so-status # Check the status of each component
Checking Docker status
Docker ----------------------------------------------------------------------------------------------------------------- [ OK ]
Checking container statuses
so-aptcacherng --------------------------------------------------------------------------------------------------------- [ OK ]
so-curator ------------------------------------------------------------------------------------------------------------- [ OK ]
so-dockerregistry ------------------------------------------------------------------------------------------------------ [ OK ]
so-elastalert ---------------------------------------------------------------------------------------------------------- [ OK ]
so-elasticsearch ------------------------------------------------------------------------------------------------------- [ OK ]
so-filebeat ------------------------------------------------------------------------------------------------------------ [ OK ]
so-fleet --------------------------------------------------------------------------------------------------------------- [ OK ]
so-grafana ------------------------------------------------------------------------------------------------------------- [ OK ]
so-idstools ------------------------------------------------------------------------------------------------------------ [ OK ]
so-influxdb ------------------------------------------------------------------------------------------------------------ [ OK ]
so-kibana -------------------------------------------------------------------------------------------------------------- [ OK ]
so-kratos -------------------------------------------------------------------------------------------------------------- [ OK ]
so-mysql --------------------------------------------------------------------------------------------------------------- [ OK ]
so-nginx --------------------------------------------------------------------------------------------------------------- [ OK ]
so-playbook ------------------------------------------------------------------------------------------------------------ [ OK ]
so-redis --------------------------------------------------------------------------------------------------------------- [ OK ]
so-sensoroni ----------------------------------------------------------------------------------------------------------- [ OK ]
so-soc ----------------------------------------------------------------------------------------------------------------- [ OK ]
so-soctopus ------------------------------------------------------------------------------------------------------------ [ OK ]
so-steno --------------------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-backend ----------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-coordinator ------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-filestream -------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-frontend ---------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-gatekeeper -------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-manager ----------------------------------------------------------------------------------------------------- [ OK ]
so-suricata ------------------------------------------------------------------------------------------------------------ [ OK ]
so-telegraf ------------------------------------------------------------------------------------------------------------ [ OK ]
so-wazuh --------------------------------------------------------------------------------------------------------------- [ OK ]
so-zeek ---------------------------------------------------------------------------------------------------------------- [ OK ]
5. Page Display
Login page

Issue record: while the setup wizard runs, the installation process clears the contents of registry-mirrors in the daemon.json configuration file. Security Onion needs to push images to its local private registry, and when the private registry address cannot be found Docker fails to restart.
[root@120-221 ~]# cat /etc/docker/daemon.json
{
"registry-mirrors":["https://:5000"],
"bip":"172.17.0.1/24",
"default-address-pools":[{"base":"172.17.0.0/24", "size":24}]
}
Solution: after starting the installation command, manually add the local IP address to the private registry address in registry-mirrors, as shown in the example below:
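The symptom above is a mirror entry whose host part has been blanked ("https://:5000"), which is also easy to catch automatically while the wizard is still running. The following added example (not part of the original post) is a small sh check that lists every mirror URL with an empty host and a helper that writes a corrected copy with the node's IP filled in. The daemon.json content is a constructed copy of the one shown in the post; the IP 192.168.220.220 and the file paths are assumptions, so substitute your own node address.

```shell
#!/bin/sh
# Added example, not from the original post: detect and repair a daemon.json
# whose registry-mirrors host was cleared by the installer.

# list_empty_host_mirrors FILE
# Prints every http(s) URL in FILE whose host is empty (scheme://:port).
# Returns 1 if at least one such URL was found, 0 otherwise.
list_empty_host_mirrors() {
    found=0
    # Extract quoted http/https URLs; tr at the end keeps the pipeline's status 0.
    for url in $(grep -o '"http[s]*://[^"]*"' "$1" | tr -d '"'); do
        case "$url" in
            *"://:"*) echo "$url"; found=1 ;;
        esac
    done
    return $found
}

# fix_mirror_host SRC DST IP
# Copies SRC to DST, inserting IP into every URL of the form scheme://:port.
fix_mirror_host() {
    sed "s#://:\([0-9][0-9]*\)#://$3:\1#g" "$1" > "$2"
}

# Constructed copy of the broken daemon.json from the post (assumed path under $TMPDIR).
BROKEN=${TMPDIR:-/tmp}/daemon.json.broken
cat > "$BROKEN" <<'EOF'
{
"registry-mirrors":["https://:5000"],
"bip":"172.17.0.1/24",
"default-address-pools":[{"base":"172.17.0.0/24", "size":24}]
}
EOF

# Usage: report the blanked entry, then write a repaired copy for review.
# 192.168.220.220 is an assumed node address; use the real IP of your node.
if ! list_empty_host_mirrors "$BROKEN"; then
    fix_mirror_host "$BROKEN" "$BROKEN.fixed" 192.168.220.220
    echo "repaired entry:"
    grep registry-mirrors "$BROKEN.fixed"
fi
```

Run the check in a loop (for example alongside the tailf of sosetup.log) and, once it reports a blanked entry, copy the repaired file over /etc/docker/daemon.json before Docker is restarted; the functions only read and write the paths you pass them, so nothing on the host changes until you do that copy yourself.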
