Security Onion Intrusion Detection System Basic Setup Tutorial

Security Onion is one of my favorite tools. Doug Burks did an amazing job pulling many of the top open source Network Security Monitoring (NSM) and Intrusion Detection System (IDS) programs together into one distribution. You can run Security Onion in Live CD mode, or you can install it and run it from your hard drive.

It’s based on Xubuntu 10.04 and contains a ton of programs, including Snort, Suricata, Sguil, Squert, argus, Xplico, tcpreplay, scapy, hping, and many other security tools. Sounds complicated, right? Well, Doug has done the hard work of pulling all these tools together into an easy-to-use Linux distribution.

Run this on a system that has two network cards and you have a complete NSM/IDS sensor. One NIC is the monitoring interface: it connects to the traffic you want to watch (a switch SPAN/mirror port or a network tap on your network or internet link) and records and inspects every packet that comes in or goes out of your network. The second NIC is the management interface: it connects to your LAN side and is what you use to remotely view and monitor intrusion attempts and security threats. Keep the two roles separate: the monitoring NIC should carry no IP address of its own, and the management NIC should never be the one plugged into the mirror port or tap.

The exceptional basic setup video that accompanied this post was created by Adrian Crenshaw, aka “Irongeek”. Adrian has always done an amazing job of passing on information about the latest security tools and techniques. His site has a ton of videos and security how-tos; check it out!

Defend Against Next Generation Network Attacks with FireEye

FireEye (from Rsignia’s Website):

Security-conscious organizations choose FireEye for industry-leading protection against the next generation of threats that cross vectors and attack with advanced malware, zero-day, targeted APT attacks. FireEye’s Malware Protection Systems (MPS) supplement traditional and next-generation firewalls, IPS, AV and Web gateways, whose signatures and heuristics cannot stop this next generation of threats.

Today’s defenses–even next-generation firewalls–leave significant security holes in the majority of corporate networks. These traditional tools were designed for the known–not the increasingly predominant unknown threats specifically devised to evade detection. By combining signature and signature-less detection, and integrating inbound and outbound protection, FireEye combats today’s stealthy Web and email threats with near-zero false positive rates.

Network Security Monitoring made Easy with Security Onion LiveCD

Want an intrusion detection and monitoring solution that is easy to install and use? Look no further than Doug Burks’ (SANS GSE) Security Onion LiveCD.

This security Linux distribution marries the ever-popular Snort Intrusion Detection System (IDS) and Sguil (a security analysis console created by a former member of the Air Force’s CERT team) in an easy-to-use package.

You can run Security Onion completely off the CD or install it and run it from a hard drive. I wanted to see how easy it was to use, so I installed it and ran it through the paces.

I chose to run it in LiveCD mode. Once it boots to the desktop, you simply run the setup script, then choose Advanced or Quick setup.

I chose the Quick setup. Next, just choose a username and password for the Sguil server, and setup is complete.

Next, just double-click the Sguil icon, choose which interface to monitor (pick the NIC that is on the SPAN port or tap, not the management NIC), and that is it. You now have a complete, up-and-running intrusion detection and monitoring system. Very quick to set up and simple to use.

Testing worked great. I ran some simple attacks against the system from BackTrack 4; it detected the attacks and listed the events in the Sguil console. Right-clicking an alert brings up a menu from which you can view a transcript of the session, or even open the packet stream in Wireshark!
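What Sguil is showing you in that console is a stream of Snort alerts grouped by signature, source and priority. As an added example (this is not code from Security Onion, Snort, Sguil or the original post), here is a small Python parser for Snort’s `alert_fast` output format that does the same first-pass triage: count events per signature and per source, pull out priority-1 alerts, and flag outbound alerts, which in an NSM setup are the ones that suggest a host inside your network is already compromised. The sample alert lines, the LOCAL signature IDs and the `HOME_NETS` value are constructed for this example; the parser handles IPv4 addresses only.

```python
"""Parse Snort alert_fast lines and summarize them for triage.

Added example, not code from Security Onion, Snort, Sguil or the original
post. Assumes IPv4 addresses (alert_fast prints IPv6 with colons, which
this parser does not split) and a HOME_NETS list you adjust to your LAN.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample alerts. Addresses come from the RFC 5737 documentation
# ranges, the LOCAL SIDs (>= 1000000) are made up for this example, and
# GID 122 is Snort's sfPortscan preprocessor. The last line is deliberately
# not an alert, to show the parser skipping it.
SAMPLE_ALERTS = """\
03/14-21:02:11.110233  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:52311 -> 192.168.1.10:22
03/14-21:02:11.512001  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:52312 -> 192.168.1.10:22
03/14-21:02:12.004719  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.168.1.10
03/14-21:02:15.887120  [**] [1:1000002:2] LOCAL ICMP echo from untrusted net [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.1.10
03/14-21:03:01.000000  [**] [1:1000003:1] LOCAL outbound SSH to unknown host [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:41000 -> 198.51.100.20:22
Mar 14 21:03:02 sensor snort[1234]: not an alert line, skipped by the parser
"""

# Assumption: the LAN behind the sensor. Replace with your own networks.
HOME_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# One alert_fast record: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return one alert as a dict, or None if the line is not alert_fast format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        ev[key] = int(ev[key])
    for key in ("sport", "dport"):  # absent for ICMP and portscan events
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def parse_alerts(text):
    """Parse a whole log, silently dropping lines that are not alerts."""
    return [ev for ev in (parse_alert(l) for l in text.splitlines()) if ev]


def direction(ev, home_nets=HOME_NETS):
    """Classify an event relative to the monitored LAN."""
    src_home = any(ipaddress.ip_address(ev["src"]) in n for n in home_nets)
    dst_home = any(ipaddress.ip_address(ev["dst"]) in n for n in home_nets)
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"   # a home host initiating suspicious traffic
    if dst_home:
        return "inbound"
    return "external"


def summarize(events, home_nets=HOME_NETS):
    """The counts an analyst looks at first in the Sguil console."""
    return {
        "total": len(events),
        "by_sig": Counter((e["sid"], e["msg"]) for e in events),
        "by_src": Counter(e["src"] for e in events),
        "high_priority": [e for e in events if e["prio"] == 1],
        "outbound": [e for e in events if direction(e, home_nets) == "outbound"],
    }


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_ALERTS))
    print(f"{s['total']} alerts")
    for (sid, msg), n in s["by_sig"].most_common():
        print(f"{n:3d}  sid {sid}  {msg}")
    print("top sources:", s["by_src"].most_common(3))
    print("priority-1:", [(e["src"], e["msg"]) for e in s["high_priority"]])
    print("outbound (possible compromised host):",
          [(e["src"], e["dst"]) for e in s["outbound"]])
```

Run it against a real sensor’s `alert` file (for example `python3 triage.py < /path/to/alert`, after swapping `SAMPLE_ALERTS` for `sys.stdin.read()`) and adjust `HOME_NETS`; the `outbound` bucket is the one to look at first, since the two-NIC sensor layout described above sees both directions of the mirrored link.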

Security Onion runs on Xubuntu 10.04 and includes:

  • Snort updated to
  • Suricata updated to 1.1beta1
  • Barnyard2 updated to 1.9 Stable.
  • Vortex updated to 2.9.0.
  • Installed OSSEC for host-based intrusion detection.
  • Installed Squert web interface for Sguil.
  • Installed Armitage GUI interface for Metasploit.

What an awesome tool for network defense: an intrusion detection and monitoring system used by many large companies, preconfigured and ready to use even on your small business or home network. This would work great with Dualcomm’s network port-mirroring device. Check it out!


EasyIDS: Intrusion Detection Made Easy

Looking for an easy way to set up and learn Intrusion Detection Systems? Look no further than EasyIDS.

EasyIDS is a complete IDS solution based on the CentOS Linux operating system. Snort can be difficult to set up, especially for those new to Linux. EasyIDS takes all the hard work out and gives you a complete monitoring system with a graphical user interface.

All you need is a machine with 384MB+ of RAM, an 8GB+ hard drive and two network cards. EasyIDS does the rest. Just pop the CD in (it formats the drive, so make sure the drive you use has no important data on it), follow the prompts and that’s it. It installs Snort, Oinkmaster (the rule updater for Snort), the Basic Analysis and Security Engine (BASE), SnortNotify, and PMGraph.

I installed EasyIDS in a VMware virtual machine. To do so, you need to add an extra virtual network card and use the “I will install my OS later” option. Because it wants a monitoring NIC and an administration NIC, I set one of the VMware cards to DHCP and the other to bridged. This seemed to work well.

Though VMware recognizes the disc as Easy Install capable, it does not install correctly with the auto-install. Just make sure the disc is in the drive and power up the virtual machine after it is created; it will boot from the CD and do a full install.

Just a safety note: don’t leave the CD in the drive when you are done, especially if you have boot-from-CD enabled. I did, and when one of my family members went to use the computer later, it auto-booted from the CD and wanted to format the drive. Luckily they asked before hitting the “Enter” key to format. 🙂

Once the program is installed, final configuration and setup are completed through a web interface from another system. One network card acts as the monitoring NIC and connects to the traffic you want to monitor (a SPAN/mirror port or tap). The other card connects to your switch and is used as the control/administration port.
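Both the Security Onion description earlier on this page and the EasyIDS setup above rely on the same two-NIC layout, and the most common mistake when building either is to leave the sniffing card configured like an ordinary host interface: with an IP address, IPv6 enabled, and promiscuous mode off, so it only ever sees its own traffic and chatters onto the tap. As an added example (not code from Security Onion, EasyIDS or the original post), here is a Python check that parses `ip addr show` output, verifies that the monitoring NIC is up, promiscuous and address-less while the management NIC has a routable IPv4 address, and lists the commands that put a card into the passive state a sensor needs. The `ip addr` sample, MAC addresses and interface names are constructed; the fix commands are standard iproute2/ethtool invocations and general NSM practice, not a reproduction of either project’s setup script.

```python
"""Check a two-NIC sensor's interfaces from `ip addr show` output.

Added example, not code from Security Onion, EasyIDS or the original post.
Assumes Linux iproute2 output; the interface names are arguments.
"""
import re
import subprocess

# Constructed `ip addr show` output (fabricated MACs and addresses). eth0 is
# the management NIC; eth1 was meant to be the sniffing NIC but was left
# with a global IPv4 address, IPv6 enabled, and promiscuous mode off.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:aa:bb:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::20c:29ff:feaa:bb01/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:aa:bb:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.21/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::20c:29ff:feaa:bb02/64 scope link
       valid_lft forever preferred_lft forever
"""

# "2: eth0: <FLAGS> ... state UP ..." and "    inet X.X.X.X/nn ... scope global ..."
IFACE_RE = re.compile(r"^(\d+): ([^:@]+)(?:@\S+)?: <([^>]*)>.*\bstate (\S+)")
ADDR_RE = re.compile(r"^\s+(inet6?) (\S+)(?: .*?scope (\S+))?")


def parse_ip_addr(text):
    """Map interface name -> {flags, state, addrs=[(family, cidr, scope)]}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"flags": set(m.group(3).split(",")), "state": m.group(4), "addrs": []}
            ifaces[m.group(2)] = cur
            continue
        m = ADDR_RE.match(line)
        if m and cur is not None:
            cur["addrs"].append((m.group(1), m.group(2), m.group(3)))
    return ifaces


def check_sensor(ifaces, monitor, mgmt):
    """Return a list of problems; an empty list means the layout is right."""
    mon = ifaces.get(monitor)
    if mon is None:
        return [f"{monitor}: interface not found"]
    problems = []
    if "UP" not in mon["flags"]:
        problems.append(f"{monitor}: link is down")
    if "PROMISC" not in mon["flags"]:
        problems.append(f"{monitor}: not in promiscuous mode, will only see its own traffic")
    for fam, addr, scope in mon["addrs"]:
        if scope != "link":
            problems.append(f"{monitor}: has {fam} address {addr}; a sniffing NIC should carry no address")
    # Even a link-local IPv6 address makes the sensor transmit (ND/MLD) onto the tap.
    if any(fam == "inet6" for fam, _, _ in mon["addrs"]):
        problems.append(f"{monitor}: IPv6 enabled; disable it so the sensor never transmits on the span/tap")
    mg = ifaces.get(mgmt)
    if mg is None or not any(f == "inet" and s == "global" for f, _, s in mg["addrs"]):
        problems.append(f"{mgmt}: management NIC needs a routable IPv4 address for console/SSH access")
    return problems


def sensor_fix_commands(iface):
    """Commands (run as root) that make a NIC passive and address-less.
    Some drivers reject offloads they do not support; drop those from the list."""
    return [
        f"ip addr flush dev {iface}",
        f"sysctl -w net.ipv6.conf.{iface}.disable_ipv6=1",
        f"ip link set dev {iface} arp off multicast off promisc on up",
        f"ethtool -K {iface} gro off lro off tso off gso off rx off tx off sg off",
    ]


if __name__ == "__main__":
    # Live run: replace SAMPLE_IP_ADDR with the real output of `ip addr show`.
    try:
        text = subprocess.run(["ip", "addr", "show"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_IP_ADDR
    problems = check_sensor(parse_ip_addr(text), monitor="eth1", mgmt="eth0")
    print("\n".join(problems) or "sensor interfaces look right")
    if problems:
        print("suggested fix:\n  " + "\n  ".join(sensor_fix_commands("eth1")))
```

Run the check after the setup wizard has finished and again after a reboot: some distributions’ network managers will happily re-add an address to the sniffing card, and the symptom (alerts only for traffic to the sensor itself) is easy to mistake for a quiet network.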

It works well, and with its graphical interface it is fairly easy to use. If you are interested in learning about IDS systems, check it out!