Security Onion Intrusion Detection System Basic Setup Tutorial

Security Onion is one of my favorite tools. Doug Burks did an amazing job pulling many of the top open source Network Security Monitoring (NSM) and Intrusion Detection System (IDS) programs together into a single distribution. You can run Security Onion in Live CD mode, or you can install it and run it from your hard drive.

It's based on Xubuntu 10.04 and contains a ton of programs including Snort, Suricata, Sguil, Squert, argus, Xplico, tcpreplay, scapy, hping, and many other security tools. Sounds complicated, right? Well, Doug has done the hard work of pulling all these tools together into an easy to use Linux distribution.

Run this on a system that has two network cards and you have a complete NSM/IDS sensor. One NIC is the sniffing interface: it connects to the segment you want to watch (for example the internet side of your traffic, via a tap or mirror port) and records and monitors every packet that crosses that segment, not just traffic to the sensor itself. The second NIC is the management interface: it connects to your LAN side and is used to remotely view and monitor intrusion attempts and security threats.

The exceptional basic setup video embedded in the original post was created by Adrian Crenshaw, aka "Irongeek". Adrian has always done an amazing job passing on information about the latest security tools and techniques. Irongeek.com has a ton of videos and security how-tos, check it out!

Simple Network Security Monitoring with Security Onion & NetWitness Investigator

If you want a robust, cost effective and easy to use Intrusion Detection System (IDS) and Network Security Monitoring (NSM) platform, look no further than Doug Burks' Security Onion.

Security Onion:

“Security Onion is a Linux distro that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.”

What is great about Security Onion is that it takes all the guesswork out of setting up an effective IDS: the alerts generated by the IDS engine are collected and displayed for triage, with their priority, in a nice user interface called Sguil.

You can install Security Onion to a new machine, or just run it as a live CD to check it out. Running Security Onion with two network cards installed and pairing it with a Dualcomm port mirroring device provides a cheap but powerful monitoring system.

When two network cards are installed with Security Onion, one is configured as a monitor-only sensor interface (no IP address, running in promiscuous mode so it captures every frame it sees) and the other is configured as the management interface that connects to your internal LAN.

Simply connect the Dualcomm port mirroring device inline with whatever traffic you want to monitor. Then connect the sniffing NIC of the Security Onion box to the mirrored port and you can analyze all of that traffic live.

Another cool feature of Security Onion is that it keeps a full packet capture of all of the monitored traffic, stored as pcap files organized by day.

Now if all the tools that are included in Security Onion are just not enough for you (and trust me, there is a ton of them!), you can take the raw daily packet captures directly from Security Onion and analyze them in NetWitness Investigator.

“NetWitness® Investigator is the award-winning interactive threat analysis application of the NetWitness enterprise network monitoring platform. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data captured and reconstructed by the NetWitness enterprise security platform.”

Simply navigate to the NSM directory on your Security Onion installation, then to the sensor directory, then to the directory for the NIC used for monitoring, and finally the daily logs directory (on a default install this is /nsm/sensor_data/<sensor>-<nic>/dailylogs/, with one subdirectory per day). Then choose a log file. The files cap out at 128 MB by default, after which a new file is started; the number at the end of the file name is the Unix epoch time at which that file was opened, so a sample file name such as "snort.log.1315337092" corresponds to a file started on 2011-09-06 at 19:24:52 UTC. The files are standard pcap captures, so anything that reads pcap can open them.
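Before copying captures off the sensor it helps to know which files actually cover the time window you care about and that none of them are half-written. The following script is an added example, not code from Security Onion or from the original post. It assumes the layout described above (a dailylogs directory containing one YYYY-MM-DD subdirectory per day, holding files named snort.log.<epoch>), decodes the epoch suffix, walks each file's pcap records to get its packet count and capture span, and lists only the files overlapping a requested window. The sample tree it builds is constructed for the demonstration and contains dummy frames, not real traffic.

```python
"""Inventory Security Onion daily pcap logs before exporting them for analysis.

Added example; assumes /nsm/sensor_data/<sensor>-<nic>/dailylogs/<YYYY-MM-DD>/snort.log.<epoch>.
"""
import os
import struct
import tempfile
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1
MAGIC_USEC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D          # pcap variant with nanosecond timestamps
MAGICS = {MAGIC_USEC: 1_000_000, MAGIC_NSEC: 1_000_000_000}


def log_start_time(filename):
    """Decode snort.log.<epoch>: the suffix is the Unix time the logger opened the file."""
    base = os.path.basename(filename)
    prefix, _, epoch = base.rpartition(".")
    if prefix != "snort.log" or not epoch.isdigit():
        raise ValueError("not a Security Onion daily log name: %r" % base)
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)


def summarize_pcap(path):
    """Walk every record in a pcap file; return packet count, bytes and time span.

    Truncated files raise ValueError, so a log still being written (or cut off by a
    bad copy) is noticed before it is shipped to an analyst.
    """
    with open(path, "rb") as f:
        raw = f.read(24)                                  # pcap global header
        if len(raw) < 24:
            raise ValueError("%s: truncated pcap global header" % path)
        for endian in ("<", ">"):                         # detect byte order from magic
            magic = struct.unpack(endian + "I", raw[:4])[0]
            if magic in MAGICS:
                break
        else:
            raise ValueError("%s: not a pcap file (magic %s)" % (path, raw[:4].hex()))
        ghdr = struct.Struct(endian + "IHHiIII")          # magic, ver, zone, sigfigs, snaplen, linktype
        rhdr = struct.Struct(endian + "IIII")             # ts_sec, ts_frac, incl_len, orig_len
        _, _major, _minor, _zone, _sig, snaplen, linktype = ghdr.unpack(raw)
        divisor = MAGICS[magic]
        packets = total = 0
        first = last = None
        while True:
            rec = f.read(rhdr.size)
            if not rec:
                break
            if len(rec) < rhdr.size:
                raise ValueError("%s: truncated record header" % path)
            ts_sec, ts_frac, incl_len, _orig_len = rhdr.unpack(rec)
            if incl_len > snaplen:                        # corrupt length field
                raise ValueError("%s: record longer than snaplen" % path)
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("%s: truncated packet data" % path)
            ts = ts_sec + ts_frac / divisor
            first = ts if first is None else min(first, ts)
            last = ts if last is None else max(last, ts)
            packets += 1
            total += incl_len
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets,
            "bytes": total, "first": first, "last": last}


def select_logs(dailylogs_dir, window_start, window_end):
    """Return [(path, summary)] for log files whose capture span overlaps the window.

    window_start/window_end are Unix epoch seconds (UTC); result is oldest first.
    """
    hits = []
    for day in sorted(os.listdir(dailylogs_dir)):
        daydir = os.path.join(dailylogs_dir, day)
        if not os.path.isdir(daydir):
            continue
        for name in sorted(os.listdir(daydir)):
            if not name.startswith("snort.log."):
                continue
            path = os.path.join(daydir, name)
            info = summarize_pcap(path)
            if info["packets"] and info["last"] >= window_start and info["first"] <= window_end:
                hits.append((path, info))
    return sorted(hits, key=lambda h: h[1]["first"])


def build_pcap(records, snaplen=65535):
    """Serialize (ts_sec, ts_usec, frame) tuples as a little-endian microsecond pcap."""
    out = [struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def write_sample_tree(root=None):
    """Constructed sample: a dailylogs tree with one log holding three dummy frames.

    Each frame is a broadcast Ethernet header plus zero padding (60 bytes), not real
    traffic. The epoch is the one from the sample file name on the page.
    """
    root = root or tempfile.mkdtemp()
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + bytes(46)
    start = 1315337092
    day = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%d")
    daydir = os.path.join(root, "dailylogs", day)
    os.makedirs(daydir, exist_ok=True)
    with open(os.path.join(daydir, "snort.log.%d" % start), "wb") as f:
        f.write(build_pcap([(start, 0, frame), (start + 30, 500000, frame),
                            (start + 3600, 0, frame)]))
    return os.path.join(root, "dailylogs")


if __name__ == "__main__":
    dailylogs = write_sample_tree()     # on a real sensor: /nsm/sensor_data/<sensor>-<nic>/dailylogs
    w0 = datetime(2011, 9, 6, 19, 0, tzinfo=timezone.utc).timestamp()
    w1 = datetime(2011, 9, 6, 20, 0, tzinfo=timezone.utc).timestamp()
    for path, info in select_logs(dailylogs, w0, w1):
        print(path, log_start_time(path).isoformat(), info["packets"], "packets", info["bytes"], "bytes")
```

Point select_logs at the real dailylogs directory and a window around the alert you are chasing, and it tells you which files to copy; a ValueError on the file currently being written is expected, since the logger has not closed it yet.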

Next, copy that file off to a flash drive and import it directly into your Windows system running NetWitness Investigator.

Investigator then parses the capture and gives you an amazing view of the packets. At the top, the program lists any threats that it detects as warnings. It also breaks the data down into easily navigable headings like Service Type, Source & Destination Country, City and IP address.

You can then drill down from high-level topics like Destination Country to reconstructions of the actual data sent in a few clicks. You can look at the information transferred, including scripts, programs, pictures and videos. You can also search the entire data set for phone numbers, credit card numbers, hacker terms, date/time or location.

Finally, Investigator integrates with Google Earth so you can visualize the source and destination geolocation of the captured traffic on a map.

Security Onion and NetWitness Investigator make a powerful threat detection combination.