Update 2025: For my NALA project and for use in the homelab, we will use this NUC for the installation, but I will keep sending logs to the Security Onion instance on Proxmox that I had already configured.
Intel NUC - Network Security Monitoring Device
Peel Back the Layers of Your Network Security!
Security Onion is an open-source Linux distribution for network security monitoring, intrusion detection, and log management. It integrates a variety of free tools to provide a robust defense system, helping organizations detect and respond to cyber threats effectively.
Back in 2022, during the state competition in Chicago, I was in charge of the web server and the Security Onion IDS. That was the first time I learned what it was, and I began writing a script to speed up its installation throughout the CCDC network. It was a 2-day competition in which the red team attacked our machines intensely. Now I have decided to deploy it on my own network.
1. Download the ISO in Proxmox

wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS -O - | gpg --import -
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.90-20240729.iso
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.90-20240729.iso.sig
gpg --verbose --verify securityonion-2.4.90-20240729.iso.sig securityonion-2.4.90-20240729.iso
gpg: Signature made Thu 25 Jul 2024 01:51:11 PM HDT
gpg:                using RSA key C804A93D36BE0C733EA196447C1060B7FE507013
gpg: using pgp trust model
gpg: Good signature from "Security Onion Solutions, LLC" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
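As an added example (not from the original post), a small shell helper that pins the signing key's fingerprint when checking the ISO signature, so the decision does not rest on gpg's "Good signature" line alone (gpg itself reports the key as [unknown]). The status-line samples are constructed, and the ISO and .sig paths are assumed to be the files downloaded above.

```shell
#!/bin/sh
# Added example, not part of the original post: pin the primary key fingerprint
# printed by gpg above and accept the ISO only if the signature was made by it.
EXPECTED_FPR="C804A93D36BE0C733EA196447C1060B7FE507013"

# Parse gpg's machine-readable status lines (from `gpg --status-fd 1 --verify`).
# $1 = file holding the status output, $2 = expected primary key fingerprint.
# Returns 0 only if a VALIDSIG line names $2 as the primary key.
check_sig_status() {
    status_file="$1"; want="$2"
    # VALIDSIG <sig fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hashalgo> <class> <primary fpr>
    # The last field is the primary key fingerprint; that is the value we pin.
    got=$(awk '$2 == "VALIDSIG" { print $NF }' "$status_file" | head -n 1)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Real-world wrapper: assumes the .sig and .iso are already in the current
# directory (file names are assumptions taken from the download step above).
verify_iso() {
    iso="$1"; sig="$2"
    tmp=$(mktemp)
    gpg --status-fd 1 --verify "$sig" "$iso" > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    check_sig_status "$tmp" "$EXPECTED_FPR"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample status output (not captured from gpg): a signature by the
# pinned key, and one by some other key that a "Good signature" alone would pass.
GOOD_STATUS=$(mktemp); BAD_STATUS=$(mktemp)
cat > "$GOOD_STATUS" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7C1060B7FE507013 Security Onion Solutions, LLC
[GNUPG:] VALIDSIG C804A93D36BE0C733EA196447C1060B7FE507013 2024-07-25 1721951471 0 4 0 1 8 00 C804A93D36BE0C733EA196447C1060B7FE507013
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
cat > "$BAD_STATUS" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2024-07-25 1721951471 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF
EOF

# Stand-alone demonstration on the constructed samples.
check_sig_status "$GOOD_STATUS" "$EXPECTED_FPR" && echo "pinned key matched"
check_sig_status "$BAD_STATUS" "$EXPECTED_FPR" || echo "other key rejected"
```

For the real download, call `verify_iso securityonion-2.4.90-20240729.iso securityonion-2.4.90-20240729.iso.sig` after importing the KEYS file as above.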
2. Pass through the Ethernet port used for the mirror

❯ ip link show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp113s0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether f4:6b:8c:c3:b4:6b brd ff:ff:ff:ff:ff:ff
3: eno1: mtu 1500 qdisc pfifo_fast master vmbr0 state UP mode DEFAULT group default qlen 1000
    link/ether f4:6b:8c:c3:b4:6a brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
❯ ip link set enp113s0 down
❯ # I need to find the PCI bus-info (this is 71:00)
❯ ethtool -i enp113s0
driver: igb
version: 6.8.8-3-pve
firmware-version: 3.25, 0x800005d0
expansion-rom-version:
bus-info: 0000:71:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes
3. Create a VM with the PCI device passed through
4. Start the VM and install it. Just follow the installation steps.
5. Configure mirror mode on the switch
6. Access the web console
7. Add management networks

Firewall settings: allow web browsers to log in to the Security Onion Console.
8. Download the agents and allow them in the firewall
9. Install the agents

❯ chmod +x so-elastic-agent_linux_amd64
❯ sudo ./so-elastic-agent_linux_amd64
Installation initiated, view install log for further details.
❯ cat SO-Elastic-Agent_Installer.log
"}\nSuccessfully enrolled the Elastic Agent.\nElastic Agent has been successfully installed.\n"
timestamp=2024-07-31T14:43:50.229338557-10:00 level=info message="Installation Progress" Status="Elastic Agent installation completed"
10. Ready

Ready, enjoy.