Installing Security Onion with Bro


What is Security Onion?

Security Onion (SO) is a Linux distribution for intrusion detection, network security monitoring, and log management. It is based on Ubuntu and bundles Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools.

DefenseStorm encourages our customers to enable Bro, one of the applications contained in the SO distribution, for network monitoring. Bro adds a layer of instrumentation (protocol-level transaction logs for every connection the sensor sees) that greatly enhances the ability to detect malicious behavior.

Security Onion is a network monitoring platform that passively watches a copy of your network traffic, delivered to a sniffing interface from a SPAN/mirror port, for security-related events. Traffic seen by Security Onion is captured and stored for analysis, so the whole monitored segment is inspected for possible threats. It offers both network- and host-based intrusion detection (NIDS via Snort or Suricata, HIDS via OSSEC) to analyze the traffic that has been captured and stored. In addition to NIDS/HIDS, Security Onion provides the analysis tools Sguil, Squert, and Enterprise Log Search and Archive (ELSA). See the Security Onion project documentation for additional information.

What is Bro and why should I enable it with Security Onion?

Bro is an open-source network analysis framework. Rather than matching signatures, it turns the traffic it sees into structured transaction logs (conn.log, dns.log, http.log and others) that record who talked to whom, over which protocol, and what was transferred. Enabling it when installing Security Onion adds this context to the captured traffic; these are the logs that the syslog steps later in this guide forward to DefenseStorm. See the Bro project documentation for additional information.


Installing Security Onion

The following steps walk you through how to install Security Onion, enable Bro, and make sure syslog data, including the Bro logs, is sent to the DefenseStorm Virtual Machine (DVM).

  1. Obtain the Security Onion installation ISO from the Security Onion project and verify its checksum/signature against the values the project publishes before writing it to media
  2. Boot from the installation media and select English
  3. Preparing to install Security Onion – Continue
  4. Select Download updates while installing
    1. DO NOT install third-party software
  5. Select Erase disk and install Security Onion
  6. Click Install Now
  7. Timezone: any value is fine; Security Onion setup resets the system clock to UTC later
  8. Keyboard: use the default
  9. Who are you?
    1. Your Name: 
    2. Your computer's name: defensestorm_onion (underscores are not valid in DNS hostnames; if the installer rejects the name, use defensestorm-onion)
    3. Pick a username: 
    4. Pick a password: a strong, unique password; this account has sudo on the sensor
  10. Reboot
  11. Log in



The following steps walk you through the configuration that needs to be made after Security Onion has been installed. Setup runs in two passes: the first configures the network interfaces and reboots, the second configures the sensor services.

  1. Run Setup and choose to configure the network interfaces
  2. eth0: management interface
  3. Set to Static; choose an unused IP address on the management network
  4. Enter the default gateway
  5. Enter the DNS server(s)
  6. Enter the DNS domain
  7. eth1: sniffing interface (it gets no IP address; it receives the SPAN/mirror traffic)
  8. Reboot
  9. Run Setup again and choose to continue
  10. Production Mode
  11. Standalone
  12. Custom
  13. Sguil username: DefenseStorm
  14. Sguil password: choose a strong password; do not reuse the system account's password
  15. Days of data to keep: 30 (default)
  16. Days of data to repair: 7 (default)
  17. IDS engine: Snort
  18. Ruleset: Emerging Threats GPL
  19. PF_RING min_num_slots: 4096 (default)
  20. Interface to be monitored: eth1
  21. Yes, enable the IDS engine
  22. IDS engine processes to run: 1
  23. Enable Bro: Yes; assign 3 cores to Bro
  24. Enable file extraction: Yes
  25. Disable http_agent (it only copies Bro's http.log into Sguil; Bro still writes the log)
  26. Disable Argus
  27. Disable Prads
  28. Enable full packet capture
  29. pcap file size: 150 MB (default)
  30. Enable mmap I/O: Yes
  31. PCAP ring buffer: 64 MB (default)
  32. Purge old data at 90% disk usage (default)
  33. Enable Salt: No
  34. Enable ELSA: Yes
  35. Disk space for ELSA: 237 GB (default; setup calculates this from the disk in the box, so your value will differ)
  36. Yes, make changes

Post-Setup for Security Onion

To ensure that your box has the most up-to-date software and rules, perform the following steps:

  1. Open a terminal: Ctrl-Alt-T
  2. Install any updates: $ sudo soup 
  3. Shut down the system once the updates have installed: $ sudo shutdown -h now 

For Security Onion 16.04 or higher, use the following:

This version of Bro writes its logs in JSON format. DefenseStorm currently supports only the older Bro TSV (tab-separated values) format. To switch Bro back to TSV output, comment out the json-logs script in Bro's local.bro with the following command. The quotes must be plain ASCII single quotes: if your browser or document viewer has turned them into curly quotes, sed will reject the script, so retype them if copy and paste fails.

sudo sed -i 's|@load json-logs|#@load json-logs|g' /opt/bro/share/bro/site/local.bro

Then restart Bro:
sudo so-bro-restart

Alternatively, comment out the JSON script by hand:

sudo vi /opt/bro/share/bro/site/local.bro

Find the line @load json-logs and comment it out with a leading #.

Then restart Bro:
sudo so-bro-restart
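As an added example (not part of the DefenseStorm guide or the Security Onion tooling), the following shell functions make the same change idempotently and verify it before Bro is restarted, which avoids both the curly-quote problem and a silent no-op when the line was already commented. They assume the local.bro path shown above and that so-bro-restart exists on the sensor; run the script with --apply on the sensor to make the change, or source it and call the functions on any file.

```shell
#!/bin/sh
# Added example (not Security Onion or DefenseStorm code): switch Bro from
# JSON to TSV logging idempotently and verify the result.
# Assumes Bro's site policy lives at LOCAL_BRO (the Security Onion default
# path from the guide) and that so-bro-restart exists on the sensor.

LOCAL_BRO="${LOCAL_BRO:-/opt/bro/share/bro/site/local.bro}"

# Return 0 if the file still has an active (uncommented) '@load json-logs'.
bro_json_logs_enabled() {
    grep -Eq '^[[:space:]]*@load[[:space:]]+json-logs' "$1"
}

# Comment out every active '@load json-logs' line, preserving indentation.
# Already-commented lines and unrelated lines are left alone, so running
# this twice is safe. Returns non-zero if the line is still active afterwards.
disable_bro_json_logs() {
    f="$1"
    [ -w "$f" ] || { echo "cannot write $f" >&2; return 1; }
    # Plain ASCII quotes: curly quotes copied from a document break the sed script.
    sed -i -E 's/^([[:space:]]*)(@load[[:space:]]+json-logs)/\1#\2/' "$f"
    if bro_json_logs_enabled "$f"; then
        echo "json-logs is still enabled in $f" >&2
        return 1
    fi
    return 0
}

# Count json-logs references (active or commented). A count of 0 means this
# local.bro never loaded json-logs, which is different from a fixed file.
count_json_logs_refs() {
    grep -Ec '@load[[:space:]]+json-logs' "$1" || true
}

# Usage on the sensor: sudo sh ./bro-tsv.sh --apply
if [ "${1:-}" = "--apply" ]; then
    disable_bro_json_logs "$LOCAL_BRO" && so-bro-restart
fi
```

The sed expression keeps the leading whitespace of the original line and inserts the # in front of @load, so the file stays readable and a second run finds nothing left to change.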

Finally, configure syslog-ng to forward logs to the DVM as a syslog receiver. This is plain TCP on port 514 with no encryption, so the DVM should only be reachable over a trusted management network.

  1. Change directory to /etc/syslog-ng/
  2. Use an editor to modify the configuration file
    1. sudo vi /etc/syslog-ng/syslog-ng.conf
    2. Modify the configuration file as per this example:
      Below the sources section of the file add this destination (replace <DVM IP ADDRESS> with the IP address of the DVM and keep the quotes):
      destination d_dvm { network("<DVM IP ADDRESS>" transport("tcp") port(514) flags(syslog-protocol)); };
    3. In the log section of the file, add the following line inside the existing log statement, alongside the destination(s) already there, so that it inherits that statement's sources (a top-level log { } with no source() matches nothing):
      log { destination(d_dvm); };
    4. Write your changes to the file, check the syntax with syslog-ng's --syntax-only option if you want to catch typos first, and restart syslog-ng:
      $ sudo service syslog-ng restart

For Security Onion 14.04 or lower, use the following:

Finally, configure syslog-ng to forward logs to the DVM as a syslog receiver. As above, this is unencrypted TCP on port 514, so the DVM should only be reachable over a trusted management network.

  1. Change directory to /etc/syslog-ng/
  2. Use an editor to modify the configuration file.
    1. sudo vi /etc/syslog-ng/syslog-ng.conf
  3. Modify the configuration file: comment out the ELSA lines with a # and add the DVM lines, as per this example:
    1. In the log section of the file, comment out the following lines (4 total). Note that commenting out destination(d_elsa) stops this log stream from being written to the local ELSA instance:
      # rewrite(r_host);
      # rewrite(r_from_pipes);
      # rewrite(r_pipes);
      # log { destination(d_elsa); };
    2. In the same log section, directly under the lines you just commented out (inside the enclosing log statement, so that it keeps the same sources), add the following line:
      log { destination(d_dvm); };
    3. In the destinations section of the file (right below the line that begins with destination d_elsa), add the DVM destination (replace <DVM IP ADDRESS> with the IP of the DVM and keep the quotes):
      destination d_dvm { network("<DVM IP ADDRESS>" transport("tcp") port(514) flags(syslog-protocol)); };
  4. Write your changes to the file.
  5. Then run the following:
    $ sudo service syslog-ng restart



Verify that Security Onion is working on the network

The following steps verify and test the Security Onion server on the customer network.

  1. Assign a static IP address to eth0 for management of the SO server.
  2. Set up SPAN/mirror ports on your switching infrastructure so that eth1 receives a copy of the traffic it is to capture and analyze. (Recommended: no more than 600 Mbps sustained due to hardware limitations.) eth1 has no IP address of its own; setup puts it in promiscuous mode for sniffing.
  3. Verify that the Bro packet capture and analysis engine is working:
    1. Change directory to /nsm/bro/logs/current
    2. Run the following: tail -f conn.log
  4. Result: log data rolling through conn.log. In TSV mode each log file begins with header lines such as #separator and #fields, followed by tab-separated records. If the lines you see are JSON objects starting with {, the json-logs change above was not applied; if conn.log is missing or stays empty, check that eth1 is actually receiving mirrored traffic.
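As an added example (not from the guide or from Security Onion), the following shell functions check which format conn.log is in and summarise a TSV conn.log by looking columns up through the #fields header rather than by position, which is what makes the TSV format robust across Bro versions. The sample conn.log written by write_sample_conn_log is constructed for illustration, with an abbreviated field list; the default path /nsm/bro/logs/current/conn.log is the one from the guide.

```shell
#!/bin/sh
# Added example (not Security Onion or DefenseStorm code): sanity-check a Bro
# conn.log and summarise it without hard-coding column positions.
# Bro's TSV logs start with '#' header lines; '#fields' names each column and
# the order can differ between versions, so columns are looked up by name.

# Write a small constructed conn.log (abbreviated field list) for offline use.
write_sample_conn_log() {
    {
        printf '#separator \\x09\n'
        printf '#set_separator\t,\n'
        printf '#empty_field\t(empty)\n'
        printf '#unset_field\t-\n'
        printf '#path\tconn\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n'
        printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n'
        printf '1462217411.012345\tCXWv6p3arKYeMETxOg\t10.0.0.5\t49152\t93.184.216.34\t80\ttcp\thttp\t0.250\t312\t5320\tSF\n'
        printf '1462217412.223344\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t49153\t10.0.0.53\t53\tudp\tdns\t0.012\t60\t120\tSF\n'
        printf '1462217413.334455\tCUM0KZ3MLUfNB0cl11\t10.0.0.7\t49154\t203.0.113.9\t443\ttcp\tssl\t4200.5\t9000\t1200\tS1\n'
        printf '1462217414.445566\tCmES5u32sYpV7JYN\t10.0.0.9\t49155\t203.0.113.9\t443\ttcp\t-\t-\t0\t0\tS0\n'
        printf '#close\t2016-05-02-20-15-00\n'
    } > "$1"
}

# Print "tsv", "json" or "unknown" based on the first non-empty line.
bro_log_format() {
    first=$(grep -v '^[[:space:]]*$' "$1" | head -n 1)
    case "$first" in
        "#separator"*) echo tsv ;;
        "{"*)          echo json ;;
        *)             echo unknown ;;
    esac
}

# Count connections per responder port (id.resp_p), most frequent first.
# Output: "<count> <port>" per line. TSV logs only.
conn_top_resp_ports() {
    awk -F'\t' '
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }                         # other header and footer lines
        { n[$(col["id.resp_p"])]++ }
        END { for (p in n) printf "%d %s\n", n[p], p }
    ' "$1" | sort -rn
}

# List connections longer than $2 seconds as "orig_h resp_h:resp_p duration".
# Bro writes "-" when duration is unset (e.g. S0, no reply); those are skipped.
conn_long_lived() {
    awk -F'\t' -v min="$2" '
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        {
            d = $(col["duration"])
            if (d != "-" && d + 0 > min + 0)
                printf "%s %s:%s %s\n", $(col["id.orig_h"]), $(col["id.resp_h"]), $(col["id.resp_p"]), d
        }
    ' "$1"
}

# Usage on the sensor: sh ./conn-check.sh /nsm/bro/logs/current/conn.log
if [ -n "${1:-}" ]; then
    echo "format: $(bro_log_format "$1")"
    conn_top_resp_ports "$1" | head -n 10
    conn_long_lived "$1" 3600
fi
```

Because the column indices come from the #fields line of the file being read, the same functions work on a conn.log with Bro's full field list; the abbreviated sample only keeps the block short.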