“Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!”

I virtualized this under my Xenserver all-in-one host.  This host has the resources to host a vm like this.  It also contains my virtual pfSense firewall performing inter-VLAN routing and numerous virtual machines, so the Open vSwitch bridge is seeing nearly all the packets bouncing around my home network.

I gave the vm 2 CPUs, 8GB RAM, two NICs (attaching the first to VLAN1 and the second to VLAN100) and two disks (10GB boot and 40GB data). Using the bootable .iso I installed it to the 10GB disk. After boot I followed this wiki page using method 2 to add the data disk (after formatting it as ext4), and also moved the MySQL database to that drive. In the future I might try to mount /nsm via NFS from my NAS.

With Security Onion now installed, I still need to configure the product. I did not select “download updates” during install, so first I dropped to the command line and ran “# sudo soup”, as they advise to NEVER use apt-get directly. Using the sosetup installer via the GUI console, I selected “Evaluation Mode” for simplicity and told it to use eth0 for management and eth1 as the sensor. I then followed this page to modify the HOME_NET and EXTERNAL_NET variables, allow syslog events from my various network devices via so-allow, and configure email alerts.

The final hurdle is to get the eth1 port to see ALL traffic, not just broadcast on the WAN. This magic has to happen on the Xenserver bridge like I posted here. The trick is to find out which Xenserver vif matches the nic inside the vm. Since I know the device number of my monitoring nic, I can retrieve the domid (which changes each time the vm is started) and pass it to the ovs-vsctl command:

#!/bin/bash
# Run the mirror setup on the Xenserver host over SSH. The heredoc delimiter
# is quoted, so the variables below are expanded on the host, not locally.
ssh -i ~/.ssh/key root@xenserver <<-'ENDSSH'
VMNAME="ids"
DEVICE="1"    # device index of the monitoring NIC inside the vm (eth1)
# dom-id changes on every vm start, so look it up each time
DOMID=$(xe vm-list name-label="$VMNAME" params=dom-id | cut -d':' -f2 | grep '[0-9]' | cut -d' ' -f2)
[ -n "$DOMID" ] || { echo "vm $VMNAME is not running" >&2; exit 1; }
BRIDGE="xapi1"
PORT="vif$DOMID.$DEVICE"
# Replace any existing mirror with one that copies every packet on the
# bridge to the vm's vif
ovs-vsctl clear bridge "$BRIDGE" mirrors
ovs-vsctl \
-- --id=@p get port "$PORT" \
-- --id=@m create mirror name=mirror0 select-all=true output-port=@p \
-- set bridge "$BRIDGE" mirrors=@m
ENDSSH

Now I need to enable all this magic to happen automatically as the vm boots, so I add a cron job inside the vm. This script uses SSH to run the command on the Xenserver host.

@reboot /path/to/script.sh > /dev/null 2>&1
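As an added example (not the author's script or any XenServer tooling), here is a small POSIX shell helper that validates the two things the @reboot job depends on, the current dom-id and the presence of the matching vif on the bridge, from the text those commands print, so a stale dom-id cannot leave the bridge with its mirror cleared and nothing in its place. The sample xe and ovs-vsctl outputs are constructed and the function names are mine.

```shell
#!/bin/sh
# Added example, not the author's script or XenServer's own tooling: check the
# two things the cron job depends on before touching the bridge.  The sample
# command outputs further down are constructed, so this runs without a host.
# On a real host the inputs come from:
#   xe vm-list name-label="$VMNAME" params=dom-id
#   ovs-vsctl list-ports "$BRIDGE"

# Print the dom-id from an xe "dom-id ( RO)    : 7" line read on stdin.
# Prints nothing and returns 1 when the VM is halted (xe prints no such line).
domid_from_xe() {
    sed -n 's/^dom-id *( *RO) *: *\([0-9][0-9]*\).*$/\1/p' | head -n 1 | grep .
}

# vif<domid>.<device>: the host-side name of the VM's NIC (device 0 = eth0).
vif_name() {
    printf 'vif%s.%s\n' "$1" "$2"
}

# Succeed only if port name $2 is an exact line of the list-ports output $1.
port_on_bridge() {
    printf '%s\n' "$1" | grep -Fqx "$2"
}

# Print the vif to mirror to, or fail if the VM is not running or its vif is
# not on the bridge.  Failing here means the old mirror is left in place,
# rather than cleared and replaced with one pointing at a missing port.
mirror_target() {
    xe_out=$1; ports_out=$2; device=$3
    domid=$(printf '%s\n' "$xe_out" | domid_from_xe) || return 1
    port=$(vif_name "$domid" "$device")
    port_on_bridge "$ports_out" "$port" || return 1
    printf '%s\n' "$port"
}

# --- constructed sample outputs, as xe and ovs-vsctl would print them ---
SAMPLE_XE='dom-id ( RO)    : 7'
SAMPLE_PORTS='eth1
vif7.0
vif7.1
vif12.0'

if target=$(mirror_target "$SAMPLE_XE" "$SAMPLE_PORTS" 1); then
    echo "safe to mirror bridge traffic to $target"     # vif7.1
else
    echo "VM not running or vif missing; leaving bridge mirrors alone" >&2
fi
```

In the real cron script, the `ovs-vsctl clear bridge` and `create mirror` commands would run only when mirror_target succeeds.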

References:

https://securityonion.net/
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
http://opensecgeek.blogspot.com/2013/07/enterprise-logging-with-elsa.html