Security Onion Advanced Configuration

The architecture of security onion is designed to be deployed in different ways, its components master server, forward nodes and storage nodes, can be deployed in a distributed manner or in standalone mode. for this course, we will use the standalone mode that combines all the components in a box.

Advanced configuration Process:

Once the network configuration is finished we now start the configuration of Elastic capabilities which are the detection and monitoring tools included in Security Onion.

In the picture above we can see the different tools that are going to be installed in Onion, we press in “Yes, Continue”, After that we managed into Wizard setup that will request if we want to configure the network interfaces again, we click into “skip the network configuration” to avoid this process:

After we skip the network configuration, the setup will show a warning that says, the minimum requirements that are necessary for the correct performance of all the tools that are going to be installed.

We click in Continue and security onion will ask us which mode we want to use a platform to start the services, we select evaluation mode which is recommended for the first try of the software, as we have already commented, the evaluation mode allows to deploy in standalone mode. The production mode is for advanced and distributed configurations, where we can separate the master, forward and storage node into several hosts.

Security Onion can run either Snort or Suricata as its Network Intrusion Detection System (NIDS). When you run Setup and choose Evaluation Mode, it will automatically default to Snort. If you choose Production Mode, you will be asked to choose whether you want to run Snort or Suricata:

After this, we must select which interface will be monitored

Once we select the interfaces that will be monitored, we have to create the first username for the system, this process can be seen in the picture below:

We select a password for our new user:

After we complete this process, Security Onion will display the list of the changes that are going to be executed over the system, we click in continue and accept the changes.

After this, the process will be complete, Security Onion will display some more windows that provide information about technical aspect related to the installation.

Post-Configuration Information:

Now the NIDS stands for Network Intrusion Detection System, start a monitoring network traffic task, looking for specific activity, and generating alerts. The next step is to recreate some traffic using the .pcap files available in /opt/samples/bro directory.


This post was written by Ruben Dario Caravajal Herrera