Setting up Security Onion at home

Using the web console associated with the switch, I'm able to set up Port 8 as my SPAN port. A SPAN (mirror) port receives a copy of the traffic on the ports you select as sources, so the machine that ends up running Security Onion needs its sniffing NIC plugged into port 8, and nothing else should be on that port. It is worth confirming the mirror works before going further: a packet capture on the sniffing NIC should show conversations between other hosts, not just broadcasts.

Dedicated Computer Solution

For a dedicated computer solution you're going to want to start with downloading the Security Onion ISO. Verify the download against the checksum Security Onion publishes before flashing it. Once this is complete we're going to flash the image to our HDD/SSD. I used Etcher to accomplish this.

Your device name will probably be different. Once everything is selected, hit the Flash button.

ESXi Server Solution

Like the dedicated computer solution, first we need to change what our computer boots into. We're going to boot into ESXi, which can be downloaded here. You'll have to register for an account (it's free) and then you can download an ISO. They'll also give you a free license key! There are some limitations, but they more than likely won't affect you. Unlike our dedicated computer installation, the ISO you download will be an installer. I would use a USB drive for this process, especially if you only have one HDD/SSD installed on the designated computer, since the installer will overwrite its target disk.

Here is our virtual switch, created just for the SPAN uplink, with promiscuous mode allowed. Promiscuous mode lets a vNIC on this vSwitch receive every frame the switch sees, which is what allows the Security Onion VM's sniffing interface to pick up the mirrored traffic arriving from the physical SPAN port.
Our port group is assigned to the SPAN vSwitch and specifically allows promiscuous mode. Keep this vSwitch separate from the one carrying management traffic and give it no VMkernel port, so the sniffing interface only ever sees mirrored traffic and has no address of its own.
My datastore for ISOs and VMs
These exact settings aren’t needed. Just ensure your SPAN and Datastore ISO are selected.

Setting up Security Onion

Now that we've got everything up to this point, the next step is to install the operating system and run Security Onion's setup. There should be a Setup icon on the desktop that just needs to be double-clicked; it walks through the prompts captured below.

This is the management interface, the one you'll use to reach the web console; the other NIC is dedicated to sniffing the SPAN traffic.
Now we're going to skip the network configuration.
Feel free to create whatever username you wish.
We grant access to the web console by running the so-allow command and entering the IP of the machine we'll browse from.
At the end, you should see something like this.

But wait! There’s more!

We can take this a step further and forward our Windows event logs to our Security Onion machine automagically! This can be done with a combination of Sysmon and Winlogbeat. We're going to install both on every Windows machine on our network that we wish to monitor.

Sysmon all the things

For our Sysmon setup, we're going to go with the configuration maintained by InfoSec Taylor Swift (SwiftOnSecurity) in their sysmon-config repository on GitHub. We just need to drop sysmonconfig-export.xml into our Sysmon folder like so and point Sysmon at it when installing. Read through the config before deploying it: it is tuned to filter out known-benign noise, and anything your environment does differently will need its own include or exclude rules. Here's a great article on how to install Sysmon!

Here’s what your folder should look like

Winlogbeat for the win!

Now that we have Sysmon set up, we need to configure Winlogbeat to send our data off to our Security Onion. We can also add in different event logs to forward. Here is a sample of what the winlogbeat.yml should look like. You should be able to copy and paste this over your existing file, change the hosts entry under output.logstash to your own Security Onion management IP, and be good to go. Two things to watch: the script processor for the Sysmon module is nested under the Microsoft-Windows-Sysmon/Operational entry so that it only runs on Sysmon events (a top-level processors key there would collide with the one defined lower in the file), and with the ssl.* options left commented out the events travel to port 5044 in cleartext, which is acceptable on an isolated home LAN but not across anything you don't trust. Here's a great article on how to install Winlogbeat!

```yaml
###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: Security

  - name: System

  - name: Windows PowerShell

  - name: Internet Explorer

  - name: OpenSSH/Operational

  - name: OpenSSH/Admin

  - name: Microsoft-Windows-Winlogon/Operational

  - name: Microsoft-Windows-Windows Defender/WHC

  - name: Microsoft-Windows-Windows Defender/Operational

  - name: Microsoft-Windows-PowerShell/Operational

  - name: Microsoft-Windows-PowerShell/Admin

  - name: Microsoft-Windows-LSA/Operational

  - name: AMSI/Operational

  # The script processor belongs to this entry: it runs the Sysmon module's
  # JavaScript so that Sysmon events are parsed into structured fields.
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
#setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "192.168.1.125:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

  # Enable ilm (beta) to use index lifecycle management instead of daily indices.
  #ilm.enabled: false

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.1.125:5044"]
  #loadbalance: true

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== Xpack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:
```

Last step!

Now we just need to head back to our Security Onion and run the so-allow command again, this time selecting option b to allow Logstash Beat (port 5044/tcp) through the firewall. so-allow prompts for the address of the host to allow, so enter the IP of the Windows machine running Winlogbeat, and repeat for each Windows host you set up. It should look something like this.

Allowing Logstash Beat
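Pulling the Windows-side steps together, the following PowerShell script is an added example, not something from the original post: it installs Sysmon with the SwiftOnSecurity configuration, registers Winlogbeat as a service, and then checks the pipeline from the Windows host, which is the quickest way to tell a YAML mistake from a firewall problem once so-allow has been run. It assumes Sysmon64.exe and sysmonconfig-export.xml were downloaded to C:\Tools\Sysmon, Winlogbeat was unzipped to C:\Program Files\Winlogbeat with the winlogbeat.yml above already in place, and Security Onion sits at 192.168.1.125 as in the post; those paths and the service names are assumptions to adjust.

```powershell
# Added example (not from the original post): install Sysmon + Winlogbeat on a
# Windows host and verify it can reach Security Onion. Run from an elevated
# PowerShell. The paths, service names and Security Onion IP below are
# assumptions; adjust them to your environment.

$ErrorActionPreference = 'Stop'
$SysmonDir    = 'C:\Tools\Sysmon'              # assumed: Sysmon64.exe + sysmonconfig-export.xml live here
$BeatDir      = 'C:\Program Files\Winlogbeat'  # assumed: unzipped Winlogbeat with winlogbeat.yml in place
$OnionIp      = '192.168.1.125'                # Security Onion management IP from the post
$LogstashPort = 5044                           # Logstash Beats input opened by so-allow option b

# ---- Sysmon ---------------------------------------------------------------
$sysmonExe = Join-Path $SysmonDir 'Sysmon64.exe'
$sysmonCfg = Join-Path $SysmonDir 'sysmonconfig-export.xml'
foreach ($f in @($sysmonExe, $sysmonCfg)) {
    if (-not (Test-Path $f)) { throw "Missing $f" }
}

# The service name follows the executable name, so Sysmon64.exe installs 'Sysmon64'.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmonExe -accepteula -c $sysmonCfg     # already installed: reload the config
} else {
    & $sysmonExe -accepteula -i $sysmonCfg     # fresh install with the config
}

# Confirm the driver is running and the channel is actually producing events.
# Loading a config writes a "config state changed" event, so this should not be empty.
"Sysmon64 service: $((Get-Service -Name 'Sysmon64').Status)"
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 3 |
    Select-Object TimeCreated, Id, ProviderName

# ---- Winlogbeat -----------------------------------------------------------
Set-Location $BeatDir
if (-not (Get-Service -Name 'winlogbeat' -ErrorAction SilentlyContinue)) {
    # Elastic ships this script in the zip; it is unsigned, so bypass the
    # execution policy for this one invocation instead of relaxing it globally.
    PowerShell.exe -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1
}

# Syntax-check the YAML, then attempt a real connection to Logstash.
# 'test output' keeps failing until so-allow has opened 5044/tcp for this host.
& .\winlogbeat.exe test config -c .\winlogbeat.yml -e
& .\winlogbeat.exe test output -c .\winlogbeat.yml -e

Start-Service -Name 'winlogbeat'
"winlogbeat service: $((Get-Service -Name 'winlogbeat').Status)"

# ---- Network sanity check -------------------------------------------------
# TcpTestSucceeded = False means Security Onion's firewall is still blocking
# this host (or so-allow was given a different IP than this machine actually uses).
Test-NetConnection -ComputerName $OnionIp -Port $LogstashPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If `test config` passes but `test output` and the final `Test-NetConnection` both fail, the YAML is fine and the problem is on the Security Onion side: either so-allow was not run with option b for this host's address, or the Windows machine's IP is not the one you typed in. If `test output` fails while the TCP check succeeds, look at the `hosts` entry under `output.logstash` instead.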
