Security Onion bundles many network security monitoring tools, among them Xplico, tshark, Bro, dsniff, ELSA, tcpxtract, ngrep, Snort, sslsniff, Snorby, tcpstat, Wireshark, Suricata, mergecap, Sguil, tcpslice, ssldump, Barnyard, NetworkMiner, u2boat, netsniff-ng, Sniffit, Scapy, Argus, Daemonlogger, netsed, LaBrea and hping.

Download Security Onion

Download the Security Onion ISO from GitHub. Security Onion can also be installed on Ubuntu-based distributions, but that is not covered here (the Security Onion project documents how to install it on Ubuntu).

Boot

When you start the system from the Security Onion media you are presented with the boot screen; just hit the Install option.

Install Security Onion

Once you select the Install option the system boots and then shows the setup screen.

Part I: Operating System

1. Select the operating system language.
2. Decide whether or not to use third-party software such as the Flash player or MP3 codecs.
3. Select how the system will be installed on your hard disk. The disk encryption and LVM setups did not work out of the box, so if you are not familiar with them just click Install and then Continue when asked.
4. Select your location; this sets the locale and date/time options. Click on your country, then Continue.
5. Select your keyboard layout; use the detection tool if in doubt.
6. Set your credentials. You will have to enter your name, the computer name, a username, a password and the password confirmation. Set it to ask for a password during system startup.

Note: do not select the "encrypt my home folder" option. I did not try it myself, but people complain about it on forums.

At the end of this process, restart the system to boot from the hard disk.

Part II: Network

Once the system restarts, run the setup script from the desktop and enter the password you set in the last step when asked. It then asks whether you want to set up your network interfaces; choose Yes.
Choose the network configuration method to use; we are going to use static configuration. Then set, in turn, the IP address of this machine, the network mask, the IP of the gateway, the IPs of the DNS servers and the local domain. Set any special network settings if needed, then reboot the system again.

Part III: Sensors and servers

Run the setup script from the desktop again when the system restarts and follow these steps.

1. Choose which mode of the setup script to run. We run Production mode here to show the details.
2. Select which Sguil mode to install: sensor (install agents for monitoring), server (install the service that manages the monitoring), or both. We use both, sensor and server.
3. Set a username for the Sguil, ELSA and Squert interfaces.
4. Define a password and confirm it.
5. Set how many days to keep the logs.
6. Set the number of days to repair MySQL tables.
7. Select the IDS engine to use, either Snort or Suricata.
8. Select the IDS ruleset to use.
9. Set the minimum number of PF_RING slots.
10. Enable the IDS engine.
11. Enable the Bro network analysis framework.
12. Enable Bro's executable file extraction feature. This feature helps a lot in identifying malware.
13. Disable bro_httpagent to save resources if you are going to use ELSA.
14. Enable Argus session management.
15. Disable PRADS asset management, as we are using Bro's conn logs instead.
16. Enable full packet capture. This is strongly recommended unless disk limitations rule it out.
17. Specify the maximum pcap file size in megabytes. This will depend on your needs and disk availability, but something between 1 and [upper value missing in source].
18. Enable mmap I/O for pcap files in netsniff-ng for best performance if you have a reasonable amount of memory.
19. Set the minimum free disk space at which purging of pcap files starts.
20. Disable the Salt configuration management system unless you are going to run more nodes.
21. Enable the ELSA log framework.

Conclusion

You are done; Security Onion should be working at this point, and you can start using the tools to inspect your environment. Here are some screenshots:

[Screenshot: Sguil showing an alert generated by a request to testmyids, alongside NetworkMiner]
[Screenshot: Squert view of the same event (GPL attack)]
[Screenshot: ELSA search for the same event (GPL attack)]

The event above can be analyzed in many other ways with the different Security Onion tools; we can go from a simple alert down to the very instructions inside a piece of malware, depending on the incident. That is not the case here; maybe in posts to come we will dig deeper into malware forensics or other uses of the Security Onion tools. That's all for now, thanks for reading.

Supported virtualization platforms and build types

TurnKey works well with all the major virtualization platforms (e.g. VMware, VirtualBox, Parallels, Xen, QEMU/KVM, etc.). It provides appliances in a range of build types optimized and pre-tested for various popular virtualization platforms. If you don't already have virtualization software installed, VirtualBox is available in a free, open source edition for most major OSs. VMware Player and Server products are proprietary but free to download. KVM is 100% free software built into the Linux kernel, which supports many front-end management tools. Proxmox Virtual Environment is a free, open source, enterprise-grade hypervisor which provides both KVM and LXC.

Build types

Generic hybrid ISO
  Headless: No
  Packaging: ISO (Live CD/USB image)
  Installation: custom installer (di-live)
  Kernel: linux-generic
  Extras: none
  Works best with: bare metal hardware (via CD or USB flash drive); any virtual machine (e.g. KVM, Hyper-V, XenServer) that can install from a CD or ISO image

VM optimized OVA
  Headless: No
  Packaging: streamable OVA archive file containing a read-only, compressed (type 3) VMDK disk image and an OVF VM configuration file
  Installation: import the OVA (VirtualBox and VMware support double-click import)
  Kernel: linux-generic
  Extras: open-vm-tools
  Works best with: VirtualBox; VMware products (Player, Workstation, Server, ESX, vSphere)

VM optimized VMDK
  Headless: No
  Packaging: ZIP file containing a writeable VMDK disk image and a VMX VM configuration file
  Installation: none (pre-installed, ready-to-run hard disk image)
  Kernel: linux-generic
  Extras: open-vm-tools
  Works best with: VirtualBox (use existing hard disk); low-end VMware products (Player, Workstation, Server); QEMU/KVM; it has also been reported that the VMDK works with Xen HVM, although this is not confirmed

OpenStack
  Headless: Yes
  Packaging: tarball containing the filesystem image, kernel and initrd files
  Installation: extract the tarball and register the AMI with Glance (blog post with links to tutorial videos)
  Kernel: linux-generic
  Extras: headless initialization fence, userdata integration, ebsmount, preseeding
  Works best with: OpenStack

Proxmox
  Headless: Yes
  Packaging: tarball containing the appliance filesystem optimized to run on Proxmox VE (LXC)
  Installation: download/import the template via the TurnKey channel within the web UI, or manually download the tarball and upload it to PVE; supports the LXC-based versions, probably also v3 (OpenVZ)
  Kernel: n/a
  Extras: headless initialization fence, preseeding
  Works best with: Proxmox VE; other container-based (i.e. OpenVZ/LXC) cloud and virtualization solutions

OpenNode
  Headless: Yes
  Packaging: OVA image containing an OpenVZ OVF container optimized for OpenNode
  Installation: update the opennode-tui rpm package to version 2. [remainder missing in source]
  Works best with: OpenNode; any virtualization solution that supports OVA/OVF-packaged OpenVZ container filesystems

Xen
  Headless: Yes
  Packaging: tarball containing the appliance filesystem optimized to run as a Xen domU guest
  Installation: varies between Xen setups
  Kernel: n/a
  Extras: headless initialization fence, preseeding
  Works best with: any Xen-based private or public cloud

LXC
  Headless: Yes
  Packaging: tarball of the container (LXC build, see the Proxmox build)
  Installation: TurnKey LXC template (news announcement)
  Kernel: n/a
  Extras: TurnKey LXC appliance
  Works best with: any Linux distribution that supports LXC (undocumented)

Docker
  Headless: Yes
  Packaging: Docker images hosted on the Docker index
  Installation: Docker (news announcement)
  Kernel: n/a
  Extras: headless initialization fence, preseeding, preconfigured run and expose
  Works best with: any Linux distribution that supports Docker

Other virtualization platforms

Whilst other VM platforms aren't specifically supported, many support VMDK and/or there is often a way to use an existing format (e.g. ISO). Often tools are provided with your virtualization software of choice to convert images to the one required. Examples that have been documented are:

Headless vs non-headless builds

In a conventional installation (e.g. Live CD ISO) the user has interactive access to the virtual console during deployment and first boot. By contrast, headless builds are not expected to provide the user with interactive access to the virtual console. The main difference this creates is when and how the system interacts with the user to set passwords, basic application configurations and so on: in non-headless builds, the appliance is set up by the user on first boot; in headless builds, the appliance is set up by the user on first login. For further details see the inithooks documentation.

VM optimized images

These are images optimized for deployment on virtual machines, using popular virtualization software (e.g. VirtualBox, VMware, Parallels).

Features
- Pre-installed: the appliance is pre-installed to a VMDK hard disk image.
- Includes open-vm-tools: the VMware tools contain drivers which improve performance when running an appliance under VMware. When running under VirtualBox or other virtualization platforms, the included open-vm-tools are not used.

Pros and cons
- The main advantage: easier setup, as no installation step is required; better performance on VMware out of the box.
- The main disadvantage: it can't be deployed to non-virtualized bare metal hardware.

Flavors

VM optimized images are available in two closely related formats: the OVA VM build (as of v. [version number missing in source]) and the VMDK VM build.

OVA VM build

It is a single file.
It is a VMDK processed with VMware's OVFtool. It contains:
- Disk image: a read-only, compressed VMDK hard disk image.
- OVF VM configuration file: OVF is a standards-based virtual machine configuration format.

Compatibility
- VirtualBox supports OVA import via double-click or via the import appliance wizard, which converts the OVA to a native VirtualBox format. The conversion process takes a few minutes.
- VMware products: OVA is supported by all current VMware products such as Player, Workstation, Server, ESX and vSphere. It too will import with a double-click or via the import wizard.

VMDK VM build

Previously this was the primary VM build offered for download. We continue to offer it as it can be imported into KVM without conversion, and possibly into others such as Xen HVM. It can also be used with VirtualBox and VMware if preferred. It is a zip archive which includes:
- Disk image: a ready-to-run, writeable VMDK hard disk image.
- VMX VM configuration file: VMX is a legacy, VMware-only virtual machine configuration format.

Compatibility
- VirtualBox supports adding the VMDK as a virtual hard disk. The VM hardware (e.g. RAM) has to be configured by hand, as VMX is not supported by VirtualBox. See the VirtualBox installation tutorial.
- Low-end/legacy VMware products: VMX is point-and-click on VMware Player, VMware Workstation and VMware Server.

Generic ISO

This is a single master image format that can be installed anywhere.

Features
- Custom installer (di-live): can install the appliance to any available storage device.
- Live CD demo mode: allows users to try the appliance without installing it.
- Generic kernel: includes bare metal hardware support and most types of virtual machines (e.g. VMware, VirtualBox, Xen HVM, Parallels).

Pros and cons
- The main advantage: a single universal image format that works almost anywhere.
- The main disadvantage: an ISO needs to be installed by hand and includes no out-of-the-box virtualization optimizations.

OpenStack builds

These are TurnKey builds for the OpenStack cloud platform.
Features
- EBS auto-mounting support: we have updated our custom ebsmount mechanism for OpenStack; it automatically mounts EBS devices when they are attached.
- Support for automating instance setup via the user-data scripts mechanism.
- Automatic APT configuration on boot: saves bandwidth costs by using the closest package archive, for maximum performance.
- SSH key support: instances launched with a key pair are configured accordingly.
- SSH host key fingerprints displayed in the system log: lets you verify the server's identity and prevent man-in-the-middle (MITM) attacks.
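The OVA flavor described under Flavors above is a single tar archive holding an OVF descriptor and a VMDK disk image. The following Python script is an added example, not TurnKey's code: it builds a constructed minimal OVA in memory (the VMDK is a stub byte string), then parses it the way an importer would, checking that every disk the OVF references is present and that the digests in the OVF manifest (.mf, defined by the OVF standard but not mentioned on this page) still match, which is worth doing with any downloaded appliance before importing it. All file names and the manifest layout are assumptions.

```python
import hashlib
import io
import re
import tarfile
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"   # OVF 1.x envelope namespace

def build_sample_ova(vmdk: bytes, tamper: bool = False) -> bytes:
    """Constructed minimal OVA: OVF descriptor, OVF manifest (.mf) and one stub disk.
    tamper=True alters the disk after the manifest was computed (a corrupted download)."""
    ovf = (f'<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">'
           '<References><File ovf:id="file1" ovf:href="appliance.vmdk"/></References>'
           '<DiskSection><Disk ovf:diskId="vmdisk1" ovf:fileRef="file1"/></DiskSection>'
           '</Envelope>').encode()
    manifest = (f"SHA256(appliance.ovf)= {hashlib.sha256(ovf).hexdigest()}\n"
                f"SHA256(appliance.vmdk)= {hashlib.sha256(vmdk).hexdigest()}\n").encode()
    if tamper:
        vmdk += b"\x00"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:    # an OVA is a plain tar archive
        for name, data in (("appliance.ovf", ovf), ("appliance.mf", manifest),
                           ("appliance.vmdk", vmdk)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def inspect_ova(ova: bytes) -> dict:
    """List the disks the OVF references and verify every digest in the manifest."""
    with tarfile.open(fileobj=io.BytesIO(ova), mode="r") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    ovf_name = next(n for n in members if n.endswith(".ovf"))
    root = ET.fromstring(members[ovf_name])
    # References/File maps an id to a file name; DiskSection/Disk points at that id.
    files = {f.get(f"{{{OVF_NS}}}id"): f.get(f"{{{OVF_NS}}}href")
             for f in root.iter(f"{{{OVF_NS}}}File")}
    disks = [files[d.get(f"{{{OVF_NS}}}fileRef")] for d in root.iter(f"{{{OVF_NS}}}Disk")]
    missing = [d for d in disks if d not in members]
    mf_name = next((n for n in members if n.endswith(".mf")), None)
    digests_ok = mf_name is not None                    # no manifest: nothing to trust
    if mf_name:
        # Manifest lines look like "SHA256(appliance.ovf)= <hex>"; recompute each one.
        for algo, fname, expected in re.findall(r"(\w+)\((.+?)\)=\s*([0-9a-fA-F]+)",
                                                members[mf_name].decode()):
            actual = hashlib.new(algo.lower(), members.get(fname, b"")).hexdigest()
            digests_ok = digests_ok and actual == expected.lower()
    return {"ovf": ovf_name, "disks": disks, "missing_disks": missing,
            "manifest_present": mf_name is not None, "integrity_ok": digests_ok and not missing}
```

A real appliance is checked the same way by reading the downloaded .ova from disk instead of build_sample_ova; an import should only proceed when integrity_ok is true.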