Security Onion Intrusion Detection System Basic Setup Tutorial

Security Onion is one of my favorite tools. Doug Burks did an amazing job pulling many of the top open source Network Security Monitoring (NSM) and Intrusion Detection System (IDS) programs. You can run Security Onion in Live CD mode, or you can install it and run it off of your hard drive.

It’s based on Xubuntu 10.04 and contains a ton of programs including Snort, Suricata, Sguil, Squert, argus, Xplico, tcpreplay, scapy, hping, and many other security tools. Sounds complicated right? Well, Doug has done the hard work in pulling all these tools together into an easy to use Linux distribution.

Run this on a system that has two network cards and you have a complete NSM/IDS system. One NIC connects to your network or the internet side of your traffic and records and monitors every packet that comes in or goes out of your system. The second NIC connects to your LAN side and can be used to remotely view and monitor intrusion attempts and security threats.

The exceptional basic setup video above was created by Adrian Crenshaw aka “Irongeek”. Adrian has always done an amazing job passing on information on the latest security tools and techniques. He has a ton of videos and security how-to’s, check it out!

Network Security Monitoring made Easy with Security Onion LiveCD

Want an intrusion detection and monitoring solution that is easy to use and install? Look no further than Doug Burks’ (SANS GSE) Security Onion LiveCD.

This security Linux distribution marries the ever popular Snort Intrusion Detection System (IDS) and Sguil (a security analysis program created by a former member of the Air Force’s CERT team) in an easy to use package.

You can run Security Onion completely off the CD or install it and run it from a hard drive. I wanted to see how easy it was to use, so I installed it and ran it through the paces.

I chose to run it in LiveCD mode. Once it boots to the desktop, you simply run the setup script, then choose advanced or quick setup.

I chose the quick setup. Next just choose a name and password for the Sguil server. Setup is now complete!

Next just double-click on Sguil, choose what interface to monitor and that is it. You now have a complete, up and running Intrusion Detection and Monitoring system. Very quick to set up and simple to use. 

Testing worked great: I ran some simple attacks against the system from BackTrack 4. It detected the attacks and listed the events in the Sguil interface. Right-clicking on the alerts brings up a menu where you can view a transcript of the attack, or even view the packet stream in Wireshark!
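The events Sguil lists are the sensor's alerts; Security Onion feeds them to Sguil through Barnyard2 (listed below), but Snort can also write the same alerts one per line in its "fast" format (`snort -A fast`), which is the quickest way to see what the sensor raised without the GUI. The following is an added example, not code from the original post or from the Security Onion project: it parses fast-format alert lines into structured events and aggregates them per signature and per source, the way Sguil's event list groups repeated hits. The sample alert lines are constructed for the example and the SIDs are in the local rule range (1000000+), so they do not refer to any real rule set.

```python
"""Added example (not from the original post or Security Onion): parse Snort
fast-format alerts and summarize them the way an analyst scans a Sguil event list.
Fast-format line layout (Snort 2.x, alert_fast output):
  MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src[:port] -> dst[:port]
Classification is optional; ports are absent for ICMP."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert file: four alerts from one host plus one junk line.
SAMPLE_ALERTS = """\
03/14-21:02:11.482911  [**] [1:1000001:2] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.77:51324 -> 192.168.1.10:22
03/14-21:02:12.004310  [**] [1:1000001:2] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.77:51325 -> 192.168.1.10:22
03/14-21:03:40.110002  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.77 -> 192.168.1.10
03/14-21:05:01.998877  [**] [1:1000003:1] LOCAL port scan [**] [Priority: 3] {TCP} 192.168.1.77:40001 -> 192.168.1.10:445
this line is not an alert and should be skipped
"""


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert_line(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed fast-alert line, None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"], priority=int(g["prio"]),
        proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def parse_alerts(text: str) -> list:
    """Parse every line of a fast alert file, skipping lines that are not alerts."""
    return [a for a in (parse_alert_line(l) for l in text.splitlines()) if a]


def summarize(alerts):
    """Group by (sid, msg): hit count, best (lowest) priority, distinct sources/targets."""
    summary = {}
    for a in alerts:
        e = summary.setdefault((a.sid, a.msg), {"count": 0, "priority": a.priority,
                                                "sources": set(), "targets": set()})
        e["count"] += 1
        e["priority"] = min(e["priority"], a.priority)
        e["sources"].add(a.src)
        e["targets"].add(a.dst)
    return summary


def noisiest_sources(alerts, n=3):
    """Return [(src_ip, alert_count), ...] by count, descending: a single scanner stands out."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.src] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    events = parse_alerts(SAMPLE_ALERTS)
    for (sid, msg), e in sorted(summarize(events).items(), key=lambda kv: kv[1]["priority"]):
        print(f"prio {e['priority']}  x{e['count']:<3} sid {sid}  {msg}  "
              f"from {sorted(e['sources'])} to {sorted(e['targets'])}")
    print("noisiest sources:", noisiest_sources(events))
```

Point `parse_alerts` at the contents of Snort's alert file (Security Onion keeps sensor logs under /nsm; the exact path is a placeholder here and depends on the release) and the summary gives you the same first cut as the Sguil event list: which signatures fired, how many times, and whether one source is behind all of it. The regex only handles IPv4 endpoints; IPv6 alerts would need a separate address pattern because the port separator collides with the address colons.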

Security Onion runs on Xubuntu 10.04 and includes:

  • Snort updated to
  • Suricata updated to 1.1beta1
  • Barnyard2 updated to 1.9 Stable.
  • Vortex updated to 2.9.0.
  • Installed OSSEC for host-based intrusion detection.
  • Installed Squert web interface for Sguil.
  • Installed Armitage GUI interface for Metasploit.

What an awesome tool for network defense. An intrusion detection and monitoring system used by many large companies, preconfigured and ready to use even on your small business or home system. This would work great with Dualcomm’s Network port mirroring device. Check it out!


EasyIDS: Intrusion Detection Made Easy

Looking for an easy way to set up and learn Intrusion Detection Systems? Look no further than EasyIDS.

EasyIDS is a complete IDS solution based on the CentOS Linux operating system. Snort can be difficult to set up, especially for those new to Linux. EasyIDS takes all the hard work out and gives you a complete monitoring system with a graphical user interface.

All you need is a machine with 384MB+ of RAM, an 8GB+ hard drive and 2 network cards. EasyIDS does the rest. Just pop the CD in (it formats the drive, so make sure the drive you use has no important data on it), follow the prompts and that’s it. It installs Snort, Oinkmaster (rule updater for Snort), Basic Analysis and Security Engine (BASE), SnortNotify, and PMGraph.

I installed EasyIDS in a VMware virtual machine. To do so, you need to add an extra virtual network card and use the “I will install my OS later” option. Because it wants a monitoring NIC and an administration NIC, I set one of the VMware cards as DHCP and the other as bridged. This seemed to work well.

Though VMware recognizes the disk as Easy Install capable, it does not install correctly using the auto-install. Just make sure you have the disk in the drive and power up the virtual machine after it is created; it will boot off the CD and do a full install.

Just a safety note: don’t leave the CD in the drive when you are done, especially if you have boot from CD enabled. I did, and when one of my family members went to use the computer later, it auto-booted off the CD and wanted to format the drive. Luckily they asked before hitting the “Enter” key to format. 🙂

Once the program is installed, final configuration and setup is completed through a web interface from another system. One network card acts as the monitoring NIC and connects to the traffic you want to monitor. The other card connects to your switch and is used as a control/administration port.
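Both Security Onion and EasyIDS use the same two-NIC layout described above and earlier on this page: one card sniffs the mirrored or tapped traffic, the other is the management port. The most common reason such a sensor "sees nothing" is that the sniffing card is down or not in promiscuous mode, in which case the kernel only hands it frames addressed to its own MAC. Here is an added example, not code from the original post, Security Onion or EasyIDS, that checks the sniffing interface on a Linux sensor by reading the kernel's interface flag bitmask from sysfs (`/sys/class/net/<iface>/flags`; the `IFF_UP` and `IFF_PROMISC` values are the ones defined in linux/if.h). The sysfs root is a parameter so the check can be run against a constructed directory tree, and the interface names used in the demo are placeholders.

```python
"""Added example (not from the original post, Security Onion or EasyIDS):
verify that a sensor's sniffing NIC is up and promiscuous by reading the
interface flags the kernel exposes in sysfs."""
import tempfile
from pathlib import Path

IFF_UP = 0x1          # interface is administratively up (linux/if.h)
IFF_PROMISC = 0x100   # interface receives every frame, not only its own MAC (linux/if.h)


def read_flags(iface, sysfs_net=Path("/sys/class/net")):
    """Return the raw flags bitmask for iface; raises FileNotFoundError if it does not exist."""
    text = (Path(sysfs_net) / iface / "flags").read_text().strip()
    return int(text, 16)  # sysfs writes the mask as hex, e.g. 0x1103


def check_monitor_iface(iface, sysfs_net=Path("/sys/class/net")):
    """Return (ok, problems): ok is True only when iface is both up and promiscuous."""
    try:
        flags = read_flags(iface, sysfs_net)
    except FileNotFoundError:
        return False, [f"{iface}: no such interface under {sysfs_net}"]
    problems = []
    if not flags & IFF_UP:
        problems.append(f"{iface} is down; bring it up with: ip link set {iface} up")
    if not flags & IFF_PROMISC:
        problems.append(f"{iface} is not promiscuous; fix with: ip link set {iface} promisc on")
    return not problems, problems


def build_fake_sysfs(root, flags_by_iface):
    """Constructed fixture: write <root>/<iface>/flags files shaped like real sysfs entries."""
    for iface, flags in flags_by_iface.items():
        d = Path(root) / iface
        d.mkdir(parents=True, exist_ok=True)
        (d / "flags").write_text(f"0x{flags:x}\n")
    return Path(root)


def demo(flags_by_iface, names):
    """Run the check against a constructed sysfs tree; returns {iface: (ok, problems)}."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = build_fake_sysfs(tmp, flags_by_iface)
        return {n: check_monitor_iface(n, fake) for n in names}


if __name__ == "__main__":
    # Placeholder interface names: eth1 correctly configured (UP|BROADCAST|PROMISC|MULTICAST),
    # eth2 up but not promiscuous, eth3 promiscuous but down, eth9 missing.
    results = demo({"eth1": 0x1103, "eth2": 0x1003, "eth3": 0x1102},
                   ["eth1", "eth2", "eth3", "eth9"])
    for name, (ok, problems) in results.items():
        print(name, "OK" if ok else "; ".join(problems))
```

On a real sensor call `check_monitor_iface("eth1")` (or whatever name the sniffing card has) with the default sysfs path. The check does not cover the other half of the usual advice, that the sniffing interface carries no IP address and is never exposed to the monitored segment; `ip addr show dev <iface>` is the quick way to confirm that by hand.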

Works well, and being a graphical interface, it is fairly easy to use. If you are interested in learning IDS systems, check it out!

Intrusion Detection In-Depth: Maximizing ROI for IPS/IDS

If you are looking for some exceptional computer security webinars by leading experts, look no further than Core Security. They have an extensive library of pre-recorded webcasts and also have live seminars.

If you are new to Intrusion Detection and Prevention Systems, Mike Poor (SANS Instructor) has an excellent webinar called “Intrusion Detection In-Depth: Maximizing ROI for IPS/IDS and Other Defenses”.

The material Mike presents is pulled from his SANS “Intrusion Detection In-Depth” course. The seminar answers many questions, including why IDS systems are needed, where to put them, and how to test them.

IDS systems are not going away any time soon and, as Mike explains, they are needed now more than ever. Mike also discusses his preferred method of focusing the majority of your time and attention on the IDS systems that protect your critical assets instead of on perimeter IDS systems.

Mike’s reasoning is that perimeter IDS systems, though needed for forensic evidence and required in some businesses, produce mounds of data that can tie up critical analyst resources. The analyst time is much better spent by focusing on the IDS systems that protect critical assets.

He likens this security approach to the Tower of London. It is a fortress that has gates, walls, and armed guards. But like most websites, they allow access to 99.9% of the visitors. The majority of the security, though, is protecting the Crown Jewels. You can see them, but they are protected by some of the best security in the world.

Mike’s process for selecting an IDS, pre-testing, monitoring and auditing is covered and well worth the time. He is a very good instructor and is easy to understand. The information is pertinent to the IT tech learning IDS protection, and also to small & large businesses looking to install IDS systems. Check it out!