
Sunday 26 October 2014

Security Onion - Server + Sensor Setup

This post follows from the context of "How I setup an IDS Lab"

In this article we’ll see how to create and test an IDS Sensor-Server setup using Security Onion and VMware Workstation. I have divided the setup into 6 steps:
1. Pre-installation
2. Installation
3. Cloning (optional)
4. Server Setup
5. Sensor Setup
6. Post-Setup

PRE-INSTALLATION


So let's get started! In the pre-installation there are 3 simple steps –

  1. Download the ISO from sourceforge.net.

  2. Configure the hardware details and the ISO to be used for your VM.

  3. Boot into the Live system first. From there we will install the OS to disk in the next step.


INSTALLATION


The installation is simply point-and-click. You need to double-click on the "Install Security Onion…" CD icon on the desktop and the OS installation gets started. If you have done a Windows installation then this is very similar to that – next, next and finish!

After the installation, Security Onion asks for a restart. Please do the restart and then set up the basic networking. Here I am using DHCP instead of a static IP because I didn't want to go experimenting with gateways, DNS servers and domain names. In fact I don't even want this setup to connect to the internet :)


CLONING


The pre-installation and installation steps take about an hour. And let's say if I botch up the configuration in any of the next steps I will have to restart from the beginning (yaawwwnn..). In order to avoid this I am taking a snapshot. I didn't want to mention this as a separate step so I just added it under cloning :)

And, the rationale for cloning goes like this - in this setup we are going to need a Server and a Sensor. The setup of both these systems is the same till the above step. So I thought it would be easier to take a clone of the VM and use the clone as a Sensor. The cloning hardly takes a few minutes whereas installing the OS for the Sensor machine will take another 1 hour. Hmm… same logic again…

However, if you are using VMware Player and you don't have support for cloning then you can install the sensor again as a separate machine. In this case, you don't have to change the hostname and delete the "server" user when setting up the Sensor machine.


SERVER SETUP


When the cloning completes we have two VMs. For now we will allow the cloned VM to rest and focus our attention on the original VM we created. In this step I am going to install the required software on the Server machine. I wish to keep this install as minimalistic as the installer allows. I say this because the installer doesn't ask me whether I want to disable Snorby; it is installed by default. So wherever I get a chance to disable something – like Salt and ELSA – I am going to do it.

After the setup is completed, I verify it using "sudo sostat | less". This is a very useful command to check the status of the services that you have installed in your machine. In case you want to restart the services you can run "sudo service nsm restart".

I then create a new user called "sensoragent". This user is required by the Sensor machine (which I have not yet started to configure) to send data to the Server. And of course better user names can be chosen :) The user must also be able to run commands using "sudo" and to enable this I use the visudo command. The command just opens up the GNU nano editor on the sudoers file. Add a line for the sensoragent user in the file, save the file (Ctrl+o) and exit (Ctrl+x).




SENSOR SETUP


As you will remember, the Sensor machine was created as a clone of the Server machine. So the first thing I am going to do after logging into the Sensor machine is to change its name from SERVER SO to SENSOR SO. For this I need to edit two files: /etc/hosts and /etc/hostname. After that I have to create a new user called "sensor" and add it to the sudoers file (using visudo).

I can then log out, log in as the sensor user, delete the "server" user (to avoid confusion) and then continue the sensor setup. I guess the sensor setup should be fairly self-explanatory. If you did not understand earlier why I created the "sensoragent" user then you will likely understand it now.
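The two manual edits above (the sudoers line for "sensoragent" on the Server, and the /etc/hosts + /etc/hostname rename on the cloned Sensor) as a small script, added here as an example and not taken from the original post. It assumes the host names are written SERVER-SO and SENSOR-SO (a hostname cannot contain a space), and it takes the file paths as parameters so each step can be tried on copies of the files before being run against /etc; the visudo syntax check runs only as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Renames a cloned Security
# Onion VM and gives the sensor's service account sudo rights. Host names
# SERVER-SO / SENSOR-SO and the user "sensoragent" follow the post; paths are
# parameters so the functions can be exercised on copies before touching /etc.

# rename_host OLD NEW HOSTNAME_FILE HOSTS_FILE
# Writes NEW to HOSTNAME_FILE and swaps whole-field matches of OLD in HOSTS_FILE,
# so OLD is left alone inside a longer name; a .bak copy of the hosts file is kept.
rename_host() {
    old=$1; new=$2; hostname_file=$3; hosts_file=$4
    printf '%s\n' "$new" > "$hostname_file" || return 1
    cp "$hosts_file" "$hosts_file.bak" || return 1
    awk -v old="$old" -v new="$new" 'BEGIN { OFS = "\t" }
        { for (i = 1; i <= NF; i++) if ($i == old) $i = new; print }' \
        "$hosts_file.bak" > "$hosts_file"
}

# host_rename_ok NEW HOSTNAME_FILE HOSTS_FILE
# Succeeds when HOSTNAME_FILE holds NEW and HOSTS_FILE maps 127.0.1.1 (Ubuntu's
# convention for the machine's own name) to NEW. Run it before rebooting: if the
# two files disagree, every sudo call complains "unable to resolve host".
host_rename_ok() {
    new=$1; hostname_file=$2; hosts_file=$3
    [ "$(cat "$hostname_file")" = "$new" ] || return 1
    awk -v new="$new" '$1 == "127.0.1.1" { for (i = 2; i <= NF; i++) if ($i == new) found = 1 }
        END { exit found ? 0 : 1 }' "$hosts_file"
}

# grant_sudo USER SUDOERS_DIR
# Writes "USER ALL=(ALL) ALL" to SUDOERS_DIR/USER with mode 0440, the drop-in
# equivalent of the line the post adds through visudo. As root with visudo
# available the fragment is syntax-checked and removed on failure, so a typo
# cannot leave the box without a working sudo.
grant_sudo() {
    user=$1; file="$2/$user"
    printf '%s ALL=(ALL) ALL\n' "$user" > "$file" || return 1
    chmod 0440 "$file" || return 1
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null || { rm -f "$file"; return 1; }
    fi
}

# sudo_grant_ok USER SUDOERS_DIR: the entry is present and the file is mode 0440.
sudo_grant_ok() {
    file="$2/$1"
    grep -qx "$1 ALL=(ALL) ALL" "$file" || return 1
    [ "$(ls -l "$file" | cut -c1-10)" = "-r--r-----" ]
}
```

On the real box the calls are `rename_host SERVER-SO SENSOR-SO /etc/hostname /etc/hosts` and `grant_sudo sensoragent /etc/sudoers.d`, both run as root.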




POST-SETUP


Now you have the Server and the Sensor machines up and running successfully. It is time to test. At this point you might also want to take individual snapshots of the Server and the Sensor machines (who knows how the testing might turn out?).
