Installing Security Onion w/ BRO


What is Security Onion?

Security Onion (SO) is a Linux distribution for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools.

DefenseStorm encourages our customers to use Bro, one of the applications contained in the SO distribution for network monitoring, providing an additional layer of instrumentation and greatly enhancing the ability to detect malicious behavior.

Security Onion is a network monitoring platform that scans your network for security related events. Traffic seen by Security Onion is captured and stored for analysis.  Your entire network is scanned for possible threats. It also offers both network and host-based intrusion detection (NIDS/HIDS) to help analyze the traffic that has been captured and stored. In addition to NIDS/HIDS, Security Onion offers the following analysis tools Squil, Squert, and Enterprise log search and archive (ELSA). Click the link for additional information on Security Onion

What is Bro and why should I enable it with Security Onion?

Bro is an open-source network analyzer. It benefits your network security to have it enabled when installing Security Onion because it assists with analysis of the traffic captured from your network. Click the link for additional information on Bro.


Installing Security Onion

The following steps walk you through how to install Security Onion, enable Bro, and make sure syslog data is being sent to the DefenseStorm Virtual Machine.

  1. Obtain distribution for Security Onion, by downloading the .iso file  here
  2. Login to ESXi
    1. Go to Storage > datastore browser > upload > select ISO file > open
    2. After upload completes, close window.
  3. Select Virtual Machines from the Navigator pane.
  4. Create/Register VM
    1. Create New. Click Next. 
  5. Name and OS Window
    1. Name it - example, Security Onion
    2. Guest OS - Linux
    3.  Guest OS Version - Ubuntu Linux (64-bit). Click Next.
  6. Select Storage. Click Next. Keep Default.
  7. Customize Settings Window
    1. Memory - minimum is 8 gb
    2. CPU - minimum is 2
    3. cd/dvd drive 1 - datastore ISO file. Opens datastore browser.
      1. ISO > click select
    4. Click Next.
  8. Finish.
  9. Click the checkbox next to the name in the Virtual Machine list.
  10. Click Power On
  11. Click window to open console session
    1. Wait 10  seconds for Security Onion to boot. Text displays on the screen.
  12. Double-click install Security Onion version number
  13. For English, click Continue
  14. Check the checkbox for downloading updates while installing Security Onion.
  15. DO NOT check  install 3rd party software
    1. continue
  16. Installation type. Leave default settings. Click Continue.
  17. Write the changes to disks? Window, Click Continue.
  18. Chose timezone. Continue.
  19. Leave keyboard options default. Click Continue.
  20. Who are you?
    1.  Your name - Companyname
    2. Computer name - Companyname-SO
    3. Username - Companyname
    4. password - create secure password
    5. Continue. Installation completes. This may take a few minutes. 
  21.  Installation complete. Hit Restart Now. This may also take a few minutes. 
  22. Select the top line option, hit Enter
  23. Login with the username and password previously created.



The following steps walk you through the configuration settings that need to be made after SecurityOnion has been installed.

  1. Within your Security Onion VM, double click 'Setup'.
  2. Enter your password, click 'Ok'.
  3. Yes, Continue
  4. Yes, Configure network
    1. eth0 management interface
    2.  set to Static – Need to select an available IP address on the network
    3.  select default gateway to network 
    4.  select DNS 
    5.  select domain      
    6. eth1 sniffing interface
  5. Reboot
  6. Log back in to continue setup.
  7. Security Onion Setup Window. Click 'Yes, Continue!'
  8. Chose 'Production Mode'. Click 'Ok'.
    1. Check 'New', then hit 'Ok'
    2. Create a user account (can use the same credentials as before)
  9. Best Practices or custom?
    1. Chose 'Custom', then hit 'Ok'
    2. Days of data to keep? Keep default 30 days. 'Ok'.
    3. Days of data to repair? Keep default 7 days. 'Ok'.
  10. Enable Network Sensor Services. 'Ok'.
  11. PF_RING, leave default 4096.  'Ok'.
  12. Yes, enable IDS Engine.
  13. Configure Home Net
  14. Yes, Enable Bro
  15.  Yes, Enable File Extraction
  16. Yes, Enable full packet capture
  17. Leave 150 default pcap files. 'Ok'
  18. Yes, Enable mmap I/O
  19. Leave 64 default PCAP_RING buffer
  20. Leave 90 default disk usage
  21. No, disable Salt
  22. Yes, Enable the Elastic Stack
  23. Yes, Store logs locally
  24. Leave default size for elastic search to store logs
  25. Yes, Proceed with the changes. Wait, this may take a few minutes.

Post Setup

Post-Setup for Security Onion

To ensure that your box has the most up to date information, perform the following steps:

  1. To pull up the command line: Ctrl-Alt-T
  2. To install any updates: $ sudo soup 
  3. To shutdown the system after the installation of updated: $ sudo shutdown -h now 

For Security Onion 16.04 or Higher, use the following:

This version of Bro writes events in JSON format. DefenseStorm currently supports the older Bro format in TSV (tab separated variable format). To modify Bro to use TSV output type the following command line exactly, do not copy and paste.

Option 1
sudo sed -i ‘s|@load json-logs|#@load json-logs|g’ /opt/bro/share/bro/site/local.bro

Then restart Bro:
sudo so-bro-restart

Option 2 - Manually comment out JSON

sudo vi /opt/bro/share/bro/site/local.bro

Find @load Json-logs and comment-out with #

Then restart BRO:   
sudo so-bro-restart

Once you have completed either option 1 or option 2 from above, complete the following steps to point Security Onion to the DVM. Finalize the configuration to log to DVM as a syslog receiver. 

  1. Change directory to /etc/syslog-ng/
  2. Use an editor to modify the configuration file
    1. sudo vi /etc/syslog-ng/syslog-ng.conf
    2. Modify the configuration file as per this example:
      Below the Sources section of the file add this destination:
      destination d_dvm { network("DVM IP Address" transport (tcp) port(514) flags("syslog-protocol") ); };
      (Replace <DVM IP ADDRESS> with the IP address of the DVM and leave in the quotes):
    3. Under Log section of the file add the following line:
      log { destination(d_dvm); };
    4. Write your changes to the file
      $ sudo service syslog-ng restart

For Security Onion 14.04 or Lower, use the following:

Finalize the configuration to log to the DVM as a syslog receiver.

  1. Change directory to /etc/syslog-ng/
  2. Use an editor to modify the configuration file.
    1. sudo vi /etc/syslog-ng/syslog-ng.conf
  3. Modify the configuration file to comment out the configuration lines using the # sign for ELSA and remove the comment from the syslog configuration lines as per this example:
    1. Under Log section of the file comment out the following lines (4 total):
# rewrite(r_host);
# rewrite(r_from_pipes);
# rewrite(r_pipes);
# log { destination(d_elsa); };

3.2 In the same Log section. directly under the line you just commented, add the following line:

 log { destination(d_dvm); };

3.3 Under destinations section of file (right below the line that begins with destination d_elsa) (Replace <DVM IP ADDRESS> with the IP of the DVM and leave in the quotes):

destination d_dvm { network("<DVM IP ADDRESS>" transport (tcp) port(514) flags("syslog-protocol") ); };


destination d_dvm { network("" transport (tcp) port(514) flags("syslog-protocol") ); }; 

4. Write your changes to the file.

5. Then, run the following: 

$ sudo service syslog-ng restart



Verify that SecurityOnion is working on the Network

The followings steps are necessary to verify and test the Security Onion server on the customer network.

  1. Assign a static IP Address for Eth0 for management of SO server.
  2. Set up span/mirror ports on your switching infrastructure for Eth1 to perform its packet capture and analysis function. (Recommended no more than 600 Mbps sustained packet rate due to hardware limitations.)*
  3. Verify functionally of Bro packet capture and analysis engine:
    1. Change directory to   /nsm/bro/logs/current
    2. Run the following:   tail –f conn.log
  4. Result: Log data rolling through the conn.log