Security Onion Set Up Part 3: Configuration of Version 14.04

Before we begin configuring Security Onion, it’s a good idea to get an Oinkcode from snort.org if you’re going to use Snort.

Snort can also use the Emerging Threats rulesets, which don’t require an Oinkcode.

There are three Snort rule offerings; any registered snort.org account is issued an Oinkcode.

  1. Registered – the same rules as the subscription, released 30 days after subscribers receive them, no support – FREE
  2. Personal – the rules are released daily, you can submit false positives, home network or educational environments only – $29.99 per year
  3. Business – the rules are released daily, priority handling of false positives and Cisco Talos (the team that writes the rules) will work directly with you, for use in businesses, colleges, government, etc. – $399 per sensor per year

Once you have created an account (and bought a subscription or not), you can find the Oinkcode by clicking the email address in the upper right-hand corner of the page and then selecting Oinkcode.

Suricata, on the other hand, uses the Emerging Threats ruleset from Proofpoint. ET Open is free; a subscription is only needed for the “Pro” ruleset, which costs around $500.

The Pro ruleset features include:

  1. Emphasis on fingerprinting actual malware, C2 and exploit kits, and in-the-wild malicious activity missed by traditional prevention methods.
  2. Support for both Snort and Suricata IDS/IPS formats.
  3. Over 37,000 rules in over 40 categories.
  4. 10 to 50+ new rules are released each day.
  5. Extensive signature descriptions, references, and documentation.
  6. Very low false positive rate through the use of a state-of-the-art malware sandbox and a global sensor network feedback loop.
  7. Includes ET Open. ET Pro lets you benefit from the collective intelligence of one of the largest and most active IDS/IPS rule-writing communities. Rule submissions are received from all over the world covering never-before-seen threats, all tested by Proofpoint’s ET Labs research team to ensure optimum performance and accurate detection.

The first time you log in to Security Onion, the system software updater will notify you that updates are waiting.

Go ahead and install the updates then select Restart Now when the update is finished.

The software updater doesn’t update all of the software in Security Onion. Doug Burks created a command called “soup,” short for Security Onion UPdate, to update the Security Onion specific packages such as Sguil, Squert, Snort, Bro, Suricata, and the Docker images. Wait until after configuring the services to run soup.

Double click the “setup” icon on the desktop.
Enter your desktop login password.
Select “Yes, Continue!”
Select “Yes, configure /etc/network/interfaces!”
Select “eth0” as your management interface and click “OK.”
Select “static.” This is the address you will use to reach ELSA and to connect via SSH, and the address your systems and hosts will send their logs to.
Enter an available IP address.
Enter the subnet mask.
Enter the default gateway.
Enter the DNS server. I have internal DNS servers but will be using my gateway as the DNS server for Security Onion.
Enter your network domain, or leave this field empty if you don’t have one.
Select “Yes, configure sniffing interfaces.”
Your remaining interfaces are listed here. I have only two interfaces, so just “eth1” is listed; with more NICs you would see “eth2, eth3, etc.” Select the interfaces that will sniff traffic.
Select “Yes, make changes!” after you have reviewed the settings for accuracy.
Confirm the reboot when prompted.
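Before rerunning Setup it is worth confirming that the network step actually left the sniffing interface the way an IDS needs it: no IP address, promiscuous mode, and NIC offloading (checksumming, scatter-gather, TSO, GSO, GRO, LRO) turned off, so Snort, Suricata and Bro see packets as they were on the wire rather than NIC-reassembled super-frames. The shell snippet below is an added example, not code from the original article or from Security Onion itself; it parses `ethtool -k` and `ip addr show` output for the interface and reports anything still wrong. The command outputs embedded in it are constructed for the example, and `eth1` is assumed to be the sniffing interface from the steps above.

```shell
#!/bin/sh
# Added example (not Security Onion code): sanity-check a sniffing
# interface after Setup. The ethtool/ip outputs below are CONSTRUCTED.

# Offload features that must be "off" on a sniffing interface.
OFFLOADS="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload udp-fragmentation-offload \
generic-segmentation-offload generic-receive-offload large-receive-offload"

# Read `ethtool -k <iface>` output on stdin; print every feature from
# OFFLOADS whose top-level state is "on", one per line. Indented
# sub-features are ignored. Always exits 0, so it is safe under set -e.
offloads_still_on() {
    awk -v want="$OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        /^[a-z-]+: / { name = $1; sub(/:$/, "", name)
                       if ((name in wanted) && $2 == "on") print name }'
}

# Read `ip addr show <iface>` output on stdin; succeed only if the
# interface is in promiscuous mode and carries no IPv4/IPv6 address.
promisc_and_unaddressed() {
    input=$(cat)
    printf '%s\n' "$input" | grep -q 'PROMISC' || return 1
    printf '%s\n' "$input" | grep -qE '^ *inet6? ' && return 1
    return 0
}

# Constructed: the NIC before Setup, with offloading still enabled.
ETHTOOL_BEFORE='Features for eth1:
rx-checksumming: off
tx-checksumming: off
        tx-checksum-ip-generic: off
scatter-gather: off
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Constructed: the same NIC after Setup has turned everything off.
ETHTOOL_AFTER='Features for eth1:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]'

# Constructed `ip addr show eth1`: promiscuous, link-layer only.
IP_SNIFF='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff'

# Constructed `ip addr show eth0`: the management interface, which is
# what a sniffing interface must NOT look like (address, no PROMISC).
IP_MGMT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0'

# Stand-alone demo. On a live sensor replace the samples with
#   ethtool -k eth1 | offloads_still_on
#   ip addr show eth1 | promisc_and_unaddressed
printf '%s\n' "$ETHTOOL_BEFORE" | offloads_still_on | sed 's/^/before Setup, still on: /'
if printf '%s\n' "$ETHTOOL_AFTER" | offloads_still_on | grep -q .; then
    echo "after Setup: offloading still enabled"
else
    echo "after Setup: offloading disabled"
fi
if printf '%s\n' "$IP_SNIFF" | promisc_and_unaddressed; then
    echo "eth1: promiscuous and unaddressed"
fi
```

If any feature is still reported “on” after the reboot, check the interface’s stanza in /etc/network/interfaces before continuing with the rest of Setup; a sensor that sees GRO-merged frames will miss or misfire on rules that depend on real segment boundaries.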

After reboot, you must run “Setup” again to configure the intrusion detection settings and other supporting services.

Select “Yes, Continue!”
Select “Yes, skip network configuration” since we did this in the previous steps.
Choose “Stable Setup.” The alternative, “Elastic,” installs the Elastic Stack (Elasticsearch, Logstash, Kibana) in place of ELSA for log search.
Although this tutorial is technically an evaluation, you are setting up a production installation, so choose “Production Mode.”
Most networks that don’t have VLANs or a DMZ will use a single box, so choose “Standalone.” We configured this installation with both a management interface and a sniffing interface. In a distributed deployment, a Server has only a management interface and a Sensor has a management interface plus sniffing interfaces; you don’t log in to a sensor to view data, because its data is forwarded to the Server.
For networks with less than 100 Mbps of traffic, the “Best Practices” defaults will suffice.

The following three images are self-explanatory.

The IDS engine, Snort or Suricata, is personal preference. Mine is Snort.
I chose the fourth option, which uses the Snort VRT ruleset, because it gives further options for Snort rule tuning out of the box; Emerging Threats combined with Snort tends to generate an overwhelming number of false positives. If you don’t want to bother with an Oinkcode, pick one of the first two options (ET Open needs no code at all, while ET Pro needs a paid Proofpoint code instead).

The next prompt, the Snort ruleset policy, needs a longer explanation so you can make the correct decision for your environment. Talos defines each policy by the CVSS score and age of the vulnerability a rule covers, plus a set of rule categories:

Connectivity:

  • CVSS score of 10 (the highest severity rating)
  • Vulnerability age of three years or newer
  • No additional rule categories

Balanced:

  • CVSS score of 9 or higher
  • Vulnerability age of three years or newer
  • Adds the rule categories Malware-CNC, Blacklist, SQL Injection and Exploit-kit, plus everything in Connectivity

Security:

  • CVSS score of 8 or higher
  • Vulnerability age of four years or newer
  • Everything in Balanced and Connectivity, plus one additional category, App-detect

The policies nest, so Security enables the most rules (and generates the most alerts to tune) and Connectivity the fewest.

Regardless of your average throughput, change the PF_RING min_num_slots value at the next prompt to the maximum, 65534.
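The policy you pick here is applied by PulledPork through each rule’s `metadata` keyword: Talos tags a rule with every policy it belongs to (`policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop`), a rule is enabled only if it carries the tag for your policy, and rules with no matching tag are left disabled. The shell snippet below is an added example, not from the article, Security Onion or PulledPork, that reads a rules file and lists the SIDs each policy would enable so you can see the nesting for yourself. The four rules in it are constructed (local SIDs in the 1000000+ range, made-up messages), not real Talos rules.

```shell
#!/bin/sh
# Added example (not Security Onion or PulledPork code): show which rules
# each Snort policy (connectivity / balanced / security) turns on, using the
# "policy <name>-ips" tags in the rule metadata. The rules are CONSTRUCTED.

# Constructed rules file. Talos tags a rule with every policy it belongs
# to, so the three policies nest: connectivity < balanced < security.
RULES='# comment lines and blank lines are ignored

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE cvss10 recent"; flow:to_server,established; sid:1000001; rev:1; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE exploit-kit landing"; flow:to_client,established; sid:1000002; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE app-detect"; flow:to_server,established; sid:1000003; rev:1; metadata:policy security-ips alert;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE no policy"; sid:1000004; rev:1;)'

# Read rules on stdin; print the SID of every rule tagged for the given
# policy (connectivity, balanced or security), one per line. Exits 0.
sids_for_policy() {
    awk -v tag="policy $1-ips" '
        /^(alert|drop|log|pass) / && index($0, tag) && match($0, /sid:[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4)
        }'
}

# Number of rules the given policy enables.
count_for_policy() {
    sids_for_policy "$1" | wc -l | tr -d ' '
}

# Stand-alone demo. On a sensor feed the real rules file instead, e.g.
#   sids_for_policy balanced < /etc/nsm/rules/downloaded.rules
for p in connectivity balanced security; do
    n=$(printf '%s\n' "$RULES" | count_for_policy "$p")
    s=$(printf '%s\n' "$RULES" | sids_for_policy "$p" | tr '\n' ' ')
    echo "$p: $n rule(s) -> sid $s"
done
```

Run against a real downloaded.rules this is a quick way to see how many rules each policy would actually enable on your sensor before you commit to one; sid 1000004 above is enabled by none of the three, which is exactly what happens to an untagged rule once a policy is set.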

Enter the subnet, in CIDR notation, that Security Onion will be monitoring (this becomes HOME_NET). You can keep the default entry or change it to your environment’s subnet.
Select “Yes, proceed with the changes” after reviewing your selections.

The remaining screens are post-configuration notifications.

The next article in this series will focus on tuning Security Onion services and setting up the firewall rules.
