Installing Security Onion w/ BRO

What is Security Onion?

Security Onion (SO) is a Linux distribution for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools.

DefenseStorm encourages its customers to enable Bro, one of the network monitoring applications contained in the SO distribution; it provides an additional layer of instrumentation and greatly enhances the ability to detect malicious behavior.

Security Onion is a network monitoring platform that scans your network for security-related events. Traffic seen by Security Onion is captured and stored for analysis, and your entire network is scanned for possible threats. It also offers both network- and host-based intrusion detection (NIDS/HIDS) to help analyze the traffic that has been captured and stored. In addition to NIDS/HIDS, Security Onion offers the following analysis tools: Sguil, Squert, and Enterprise Log Search and Archive (ELSA). Click the link for additional information on Security Onion.

What is Bro and why should I enable it with Security Onion?

Bro is an open-source network analyzer. It benefits your network security to have it enabled when installing Security Onion because it assists with analysis of the traffic captured from your network. Click the link for additional information on Bro.

Installing Security Onion

The following steps walk you through how to install Security Onion, enable Bro, and make sure syslog data is being sent to the DefenseStorm Virtual Machine (DVM).

Install

  1. Obtain the Security Onion distribution by following the steps outlined here

  2. Boot CD, select English

  3. Preparing to install Security Onion – Continue

  4. Select Download updates while installing

    1. DO NOT install 3rd party software

  5. Select Erase disk and install Security Onion

  6. Click - Install Now

  7. Timezone doesn’t matter - going to reset to UTC later

  8. Keyboard - use default

  9. Who are you?

    1. Your Name: 

    2. Your computer's name: defensestorm_onion

    3. Pick a username: 

    4. Pick a password: 

  10. Reboot

  11. Login


Setup

  1. Configure network interfaces

  2. eth0 management interface

    1.  set to Static – Need to select an available IP address on the network

    2.  select default gateway to network 

    3.  select DNS 

    4.  select domain      

  3. eth1 sniffing interface

  4. Reboot

  5. Continue Setup

  6. Production Mode

  7. Standalone

  8. Custom

  9. Sguil username: DefenseStorm

  10. Sguil password: Same as System Username

  11. Days of data to keep: 30 (default)

  12. Days of data to repair: 7 (default)

  13. Select Snort

  14. Select "Emerging Threats GPL"

  15. PF_RING: 4096 (default)

  16. Interface to be monitored: eth1

  17. Yes, enable IDS engine

  18. IDS engine processes to run: 1

  19. Enable Bro: Yes – Select 3 cores for Bro

  20. Enable File Extraction: Yes

  21. Disable http_agent

  22. Disable Argus

  23. Disable Prads

  24. Enable full capture

  25. pcap file size: 150 (default)

  26. Enable mmap i/o: Yes

  27. PCAP ring buffer: 64 (default)

  28. Purge Logs: 90 (default)

  29. Enable Salt: No

  30. Enable ELSA: Yes

  31. Disk space for ELSA: 237 (default)

  32. Yes, make changes


Post-Setup for Security Onion

To ensure that your box has the most up to date information, perform the following steps:

  1. To pull up the command line: Ctrl-Alt-T

  2. To install any updates: $ sudo soup 

  3. To shut down the system after the installation of updates: $ sudo shutdown -h now

For Security Onion 16.04 or Higher, use the following:

This version of Bro writes events in JSON format. DefenseStorm currently supports the older Bro format, TSV (tab-separated values). To switch Bro to TSV output, run the following command:

sudo sed -i 's|@load json-logs|#@load json-logs|g' /opt/bro/share/bro/site/local.bro

Then restart Bro:
sudo so-bro-restart

Finalize the configuration to log to DVM as a syslog receiver. 

  1. Change directory to /etc/syslog-ng/
  2. Use an editor to modify the configuration file
    1. sudo vi /etc/syslog-ng/syslog-ng.conf
    2. Modify the configuration file as per this example:
      Below the Sources section of the file, add this destination (replace <DVM IP ADDRESS> with the IP address of the DVM and leave in the quotes):
      destination d_dvm { network("<DVM IP ADDRESS>" transport (tcp) port(514) flags("syslog-protocol") ); };
    3. Under the Log section of the file, add the following line:
       log { destination(d_dvm); };
    4. Write your changes to the file
  3. $ sudo service syslog-ng restart


For Security Onion 14.04 or Lower, use the following:

Finalize the configuration to log to the DVM as a syslog receiver.

  1. Change directory to /etc/syslog-ng/

  2. Use an editor to modify the configuration file.

    1. sudo vi /etc/syslog-ng/syslog-ng.conf

    2. Modify the configuration file: comment out the ELSA configuration lines using the # sign and uncomment the syslog configuration lines, as per this example:

Under Log section of the file comment out the following lines (4 total):

# rewrite(r_host);
# rewrite(r_from_pipes);
# rewrite(r_pipes);
# log { destination(d_elsa); };

In the same Log section, directly under the line you just commented, add the following line:

 log { destination(d_dvm); };

Under the destinations section of the file (right below the line that begins with destination d_elsa), add the following (replace <DVM IP ADDRESS> with the IP of the DVM and leave in the quotes):

destination d_dvm { network("<DVM IP ADDRESS>" transport (tcp) port(514) flags("syslog-protocol") ); };

Example:

destination d_dvm { network("172.16.10.119" transport (tcp) port(514) flags("syslog-protocol") ); }; 

Write your changes to the file.

Then:

$ sudo service syslog-ng restart
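The syslog-ng edit in both the 16.04 and 14.04 procedures above is easy to get wrong by hand: the log line must sit inside the existing nested log block (a top-level log { destination(d_dvm); }; with no source receives nothing), and the destination name in the log line must match the one defined. The following POSIX shell script is an added example, not part of the DefenseStorm guide or the Security Onion project; it inserts the two lines from the guide in one idempotent step and validates the IP address first. It assumes the syslog-ng.conf still contains the ELSA-era `destination d_elsa` line and a `destination(d_elsa)` log line, which it uses as anchors; if they are missing it stops without changing the file and tells you to place the lines by hand.

```shell
#!/bin/sh
# Added example, not from the DefenseStorm guide: add the DVM syslog-ng
# destination and its nested log statement in one idempotent step.
# Assumption (not from the page): the config carries the ELSA-era
# "destination d_elsa" and "destination(d_elsa)" lines, used as anchors.
# The two inserted lines are the exact text from the guide.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.) return 1 ;;    # bad chars, empty, leading/trailing dot
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1                              # split on dots into positional params
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Insert the DVM destination right after "destination d_elsa ..." and the
# log statement right after the line referencing destination(d_elsa),
# copying that line's indentation so it stays inside the nested log block.
# Usage: configure_dvm_syslog /etc/syslog-ng/syslog-ng.conf <DVM IP ADDRESS>
configure_dvm_syslog() {
    _conf=$1
    _dvm=$2
    [ -f "$_conf" ] || { echo "config not found: $_conf" >&2; return 2; }
    valid_ipv4 "$_dvm" || { echo "not an IPv4 address: $_dvm" >&2; return 3; }
    if grep -q '^destination d_dvm ' "$_conf"; then
        echo "d_dvm already present in $_conf, nothing to do" >&2
        return 0
    fi
    grep -q '^destination d_elsa ' "$_conf" ||
        { echo "no 'destination d_elsa' anchor in $_conf; add the lines by hand" >&2; return 4; }
    grep -q 'destination(d_elsa)' "$_conf" ||
        { echo "no 'destination(d_elsa)' log line in $_conf; add the lines by hand" >&2; return 4; }
    _dest="destination d_dvm { network(\"$_dvm\" transport (tcp) port(514) flags(\"syslog-protocol\") ); };"
    _log='log { destination(d_dvm); };'
    cp "$_conf" "$_conf.bak"               # keep a copy to revert to
    _tmp=$(mktemp)
    awk -v dest="$_dest" -v logline="$_log" '
        { print }
        /^destination d_elsa / && !seen_dest { print dest; seen_dest = 1 }
        /destination\(d_elsa\)/ && !seen_log {
            match($0, /^[ \t]*/)           # indentation of the anchor line
            print substr($0, 1, RLENGTH) logline
            seen_log = 1
        }
    ' "$_conf" > "$_tmp" || { rm -f "$_tmp"; return 5; }
    cat "$_tmp" > "$_conf"                 # overwrite in place; keeps owner and mode
    rm -f "$_tmp"
}

# Ask syslog-ng itself to parse the file (syntax only, no restart).
check_syslog_ng_conf() {
    command -v syslog-ng >/dev/null 2>&1 || { echo "syslog-ng not installed" >&2; return 1; }
    syslog-ng -s -f "$1"
}
```

Run it as root on the sensor, for example configure_dvm_syslog /etc/syslog-ng/syslog-ng.conf 172.16.10.119, then check_syslog_ng_conf /etc/syslog-ng/syslog-ng.conf, and finally sudo service syslog-ng restart as the guide describes. The original file is left at /etc/syslog-ng/syslog-ng.conf.bak. Running the script a second time is harmless: it sees the existing d_dvm destination and exits without touching the file.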

  

Verify that SecurityOnion is working on the Network

The following steps are necessary to verify and test the Security Onion server on the customer network.

  1. Assign a static IP address to eth0 for management of the SO server.

  2. Set up span/mirror ports on your switching infrastructure so that eth1 can perform its packet capture and analysis function. (Recommended no more than 600 Mbps sustained packet rate due to hardware limitations.)*

  3. Verify functionality of the Bro packet capture and analysis engine:

    1. Change directory to /nsm/bro/logs/current

    2. tail -f conn.log

    3. Result: Log data rolling through the conn.log