Building an Infosec IT Home Lab #10 | Install and Configure Security Onion IDS

  • Published 18 Sep 2024
  • We will deploy the Security Onion intrusion detection system, which also comes with threat hunting and log management capabilities. This is part of our FREE "How To Build an Infosec Lab" series.
    Please consider supporting this channel by becoming a member here: / @itsecuritylabs . Members make it possible to keep this content free and can get extra support from me upon request.
    Security Onion hardware requirements: docs.securityo...
    Download Security Onion: github.com/Sec...
    Set a SPAN port on a D-Link switch: eu.dlink.com/u...
    Connect and direct message me on LinkedIn: / howard-mukanda-24503144

Comments • 82

  • @marks.3737
    @marks.3737 2 years ago +4

    I just want to tell you, Howard: your dedication and drive to show the world how to utilize a skillset such as this is easily one of the most inspiring instructional series I've ever come across. Even with the slight language barrier due to your accent, your charisma makes it non-existent, not to mention your command of the English language is incredible. You are one of the most professional human beings I've ever wanted to follow in my life. You are a testament to the aphorism of following your heart no matter what and you will succeed. Of the hundreds of videos I've watched in my pursuit of all things network security, I not only choose yours as #1 hands down, I recommend you to everyone who asks me who the best is for this type of info. While I may not be anybody special, I want to tell you that you have earned my respect as #1 and I am not only happy to follow your guides, I'm even excited to. Keep up the good work man, you are incredible. For what it's worth, I'm super proud of you, you've come a long, long way!

    • @mayavik1034
      @mayavik1034 2 years ago

      Mark said everything I wanted to say. I am truly inspired by Howard's dedication to this channel, the very reason I decided to subscribe.

  • @rocksonarthur2724
    @rocksonarthur2724 3 years ago +4

    To those interested: you can add Splunk to Security Onion. Depending on your hardware, performance may be affected, but if you have enough RAM and a good CPU you can enhance threat hunting capabilities. Early days on this test but so far not bad. Anyway, good video.

  • @TastyChickenLegs
    @TastyChickenLegs 2 years ago +1

    This is very well done. Excellent explanation at a pace that is perfect. Thank you for sharing your knowledge.

  • @andrewa3216
    @andrewa3216 2 years ago

    As someone who's recently built a Wazuh instance from the ground up, I find it increasingly odd how every Security Onion video I come across barely mentions it. Very, very powerful tool, with lots of integration capabilities, and rules for active responses. Such a HUGE component that continues to be glossed over. The Wazuh modules API is also very nice and makes it extremely easy to see what's going on with each of your hosts. All this other stuff is great too… I just don't understand why people aren't talking about Wazuh / OSSEC more in these vids lol

  • @malharpatel7723
    @malharpatel7723 1 year ago +1

    Thank you, Brother, you are Awesome! Keep making new videos!!!

  • @chanceleram
    @chanceleram 3 years ago +1

    Man...I was looking for this for long time...thank you !

  • @odompl7465
    @odompl7465 3 years ago +2

    Thank you so much I.T Security Labs

  • @Yarisken12
    @Yarisken12 3 years ago

    Thank you very much. I had a dedicated machine for Security Onion but it was overkill. Now it's virtual and running like a breeze. Great videos. I use a MikroTik 10-port router at home. Easy to configure a SPAN port.

  • @janm0a1
    @janm0a1 3 years ago +1

    Great stuff man! ....keep them coming we appreciate you!

    • @bodemoses6696
      @bodemoses6696 3 years ago

      Don't know if you guys care, but if you are stoned like me during the covid times you can stream pretty much all the latest series on InstaFlixxer. Have been watching with my girlfriend for the last few months xD

    • @armanienzo7740
      @armanienzo7740 3 years ago

      @Bode Moses Yup, have been using InstaFlixxer since December myself :D

  • @mirhassanriaz7713
    @mirhassanriaz7713 3 years ago +1

    Absolutely amazing work, keep up the great work you are doing.
    Can you please also make a video on how to make alerts against security events using Security Onion? I wonder if Security Onion has the capability to generate alerts so the SOC team can immediately take action on them.

  • @raydavis3697
    @raydavis3697 11 months ago

    Great video.

  • @prokrastinator3122
    @prokrastinator3122 3 years ago +1

    this content is really really good for others as well ;)

  • @T163R
    @T163R 2 years ago +1

    Wow ! Such a great video.
    I have a couple questions:
    1. If I had two VLANS on the switch - one for the router/firewall and switch and servers(vlan100/192.168.100.x address main) to be on and another for APs (vlan200/192.168.200.x). Would I set the VMware IDS to the vlan it is physically connected to or leave it blank ?
    2. If this IDS was connected to a second switch which is trunked to the first one which is then trunk connected to the router, would I port mirror on the trunk port of the second switch ?

    • @ITSecurityLabs
      @ITSecurityLabs 2 years ago

      1) Connect to the one it's physically connected to. 2) Yes, mirror the trunk port that connects up to the other switch (which leads to the router); that way you get everything.
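An added example (not from the video or from the Security Onion project) of what the answer above implies for the capture: a mirror of the inter-switch trunk delivers 802.1Q-tagged frames from every VLAN on that trunk, so the sensor's monitor interface has to accept tagged frames, and the first thing to verify is that frames from both VLANs actually arrive. The Python below pulls the VLAN ID out of the Ethernet header; the frames, MAC addresses and VLAN numbers (100 for servers, 200 for the APs, as in the question) are constructed for the example, not captured traffic. The same check, run over a pcap taken on the monitor interface, tells you whether the mirror is carrying both VLANs or the hypervisor is stripping tags. On ESXi that means the port group for the monitor NIC needs VLAN ID 4095 (pass all tags) and promiscuous mode set to Accept; a port group pinned to one VLAN will hand the VM untagged frames from that VLAN only.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame
ETH_P_IPV4 = 0x0800
ETH_P_ARP = 0x0806


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header of one mirrored frame.

    Returns the MACs, the 802.1Q VLAN ID (None if the frame is untagged),
    the EtherType of the payload, and the payload bytes.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan": vlan_id,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def frames_per_vlan(frames) -> dict:
    """Count mirrored frames per VLAN ID; the key None collects untagged frames."""
    counts = {}
    for frame in frames:
        vlan = parse_frame(frame)["vlan"]
        counts[vlan] = counts.get(vlan, 0) + 1
    return counts


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Build a constructed Ethernet frame, 802.1Q-tagged with `vlan` if given (test data only)."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is None:
        header += struct.pack("!H", ethertype)
    else:
        header += struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ethertype)
    return header + payload


# Constructed sample of what a sensor sees on a mirror of the trunk. The MACs,
# payloads and VLAN numbers are made up for this example; nothing here is captured data.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", ETH_P_ARP, bytes(28), vlan=100),
    build_frame("00:11:22:33:44:fe", "00:11:22:33:44:01", ETH_P_IPV4, b"\x45" + bytes(19), vlan=100),
    build_frame("00:11:22:33:44:fe", "00:11:22:33:44:20", ETH_P_IPV4, b"\x45" + bytes(19), vlan=200),
    # an untagged frame, as you would see if the mirror source were an access port
    build_frame("00:11:22:33:44:fe", "00:11:22:33:44:30", ETH_P_IPV4, b"\x45" + bytes(19)),
]

if __name__ == "__main__":
    for vlan, n in frames_per_vlan(SAMPLE_FRAMES).items():
        label = "untagged" if vlan is None else f"VLAN {vlan}"
        print(f"{label:>9}: {n} frame(s)")
```

If the count for one of the VLANs is zero on a real capture, the mirror session or the hypervisor port group is the place to look, not the Security Onion configuration.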

  • @diegomed3364
    @diegomed3364 9 months ago

    You are pretty good. Like it

  • @andrewvvictorio7084
    @andrewvvictorio7084 3 years ago

    Hi I.T Security Labs 👋. I am currently learning security. Please make more videos about the IT security world. I am interested in IT security and want to develop a career in IT security.
    Thank you!! 😁

  • @Kaydee-p7x
    @Kaydee-p7x 3 years ago

    Do you organize one-on-one or group tutoring? Very educative topics.

  • @jenniferbate9513
    @jenniferbate9513 9 months ago

    Seems like it is running, but no alerts in SO. I think I am fuzzy on this: does the lack of alerts indicate there is something wrong with the installation/mirroring for SO, or are the alerts something that needs to be configured? I installed 2.4.20 on ESXi 8.
    Great series! I so appreciate all of these videos.

    • @ITSecurityLabs
      @ITSecurityLabs 9 months ago +1

      so-status should show if the node is healthy. Make sure all containers are running without errors.

    • @jenniferbate9513
      @jenniferbate9513 9 months ago

      @ITSecurityLabs Thanks, yep, node status is "OK" and all the containers are green and running, no errors, in the Grid UI area of SO. Maybe no alerts because it has not been up long enough? Only an hour so far. All very fun.

    • @ITSecurityLabs
      @ITSecurityLabs 9 months ago +1

      @jenniferbate9513 Look at the time zone in your web UI. Also make sure that you have a proper monitor interface.

    • @jenniferbate9513
      @jenniferbate9513 9 months ago

      @ITSecurityLabs OK, I reinstalled and triple-checked everything, walking my way through your video to make sure I understood the data flow.
      I think the problem was... iptables on the SO machine?! It was sending alertsalertsalerts in the command line of Security Onion ENDLESSLY like a crying baby.. until I shut off its iptables. I am still not sure why or what that is about. But I just got my first alert in the GUI. So that is good news. Yahoo

    • @jenniferbate9513
      @jenniferbate9513 9 months ago

      iptables seems to turn back on, on its own, after a few minutes. I am not sure. I will go see if anyone else in the SO community has had this issue.
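A follow-up check for the "node is OK but the UI shows no alerts" situation in the thread above, added here as an example and not part of the thread or of Security Onion's own tooling. Suricata, the NIDS engine Security Onion runs, writes every alert to its eve.json (under /nsm on the node, typically /nsm/suricata/eve.json) before anything is indexed, so reading that file splits the problem in two: alerts in eve.json but none in the UI means the fault is downstream (time window, time zone, pipeline); no alerts in eve.json means it is upstream (monitor interface, mirror, rules). The lines below are constructed to look like eve.json output, with illustrative signature IDs and a +0200 sensor offset chosen to show the time-zone trap from the reply above: the same two alerts are "within the last hour" when the reference clock is read correctly as UTC and absent when a local wall-clock reading is mistaken for UTC.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample resembling Suricata eve.json (one JSON object per line).
# Signature IDs and names are illustrative; the +0200 offset is deliberate (see alerts_since).
SAMPLE_EVE = """\
{"timestamp":"2024-09-18T10:14:05.000123+0200","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"UDP"}
{"timestamp":"2024-09-18T10:15:32.123456+0200","event_type":"alert","in_iface":"ens224","src_ip":"192.168.1.20","dest_ip":"192.168.1.10","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2024-09-18T10:16:01.000000+0200","event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"UDP"}
{"timestamp":"2024-09-18T10:16:44.654321+0200","event_type":"alert","in_iface":"ens224","src_ip":"192.168.1.20","dest_ip":"192.168.1.10","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2024-09-18T09:05:00.000000+0200","event_type":"alert","in_iface":"ens224","src_ip":"192.168.1.30","dest_ip":"192.168.1.10","proto":"ICMP","alert":{"signature_id":2100366,"signature":"GPL ICMP_INFO PING *NIX","severity":3}}
not json: a partially written line, skipped rather than aborting the whole check
"""

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata's timestamp layout; the offset has no colon


def parse_eve(text: str) -> list:
    """Parse eve.json text into event dicts, skipping lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line still being written, or corruption: not fatal for a health check
    return events


def alert_counts(events) -> dict:
    """Count alert events per signature name."""
    counts = {}
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        sig = ev["alert"]["signature"]
        counts[sig] = counts.get(sig, 0) + 1
    return counts


def alert_times_utc(events) -> list:
    """Timestamps of all alerts, normalised to UTC and sorted oldest first."""
    times = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        ts = datetime.strptime(ev["timestamp"], EVE_TS)
        times.append(ts.astimezone(timezone.utc))
    return sorted(times)


def alerts_since(events, now_iso: str, minutes: int) -> int:
    """Alerts in the last `minutes` before `now_iso` (ISO 8601 with offset, e.g. 2024-09-18T08:30:00+00:00).

    Mimics a 'last N minutes' view in the web UI: an aware reference time is compared
    against the alert timestamps after both are normalised to UTC.
    """
    now_utc = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    cutoff = now_utc - timedelta(minutes=minutes)
    return sum(1 for t in alert_times_utc(events) if cutoff <= t <= now_utc)


if __name__ == "__main__":
    events = parse_eve(SAMPLE_EVE)
    print(f"{len(events)} events parsed")
    for sig, n in alert_counts(events).items():
        print(f"{n:3d}  {sig}")
    print("latest alert (UTC):", alert_times_utc(events)[-1].isoformat())
    # Sensor wall clock 10:30 local = 08:30Z read correctly: both recent alerts are in the last hour.
    print("last hour, clock read as UTC      :", alerts_since(events, "2024-09-18T08:30:00+00:00", 60))
    # The same 10:30 reading mistaken for UTC: the last hour looks empty.
    print("last hour, local time taken as UTC:", alerts_since(events, "2024-09-18T10:30:00+00:00", 60))
```

For a live node, replace SAMPLE_EVE with the contents of eve.json (or a tail of it) and pass datetime.now(timezone.utc).isoformat() as the reference time; a non-empty count here with an empty UI means the data is there and the UI time range or time zone is the thing to fix.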

  • @jacobconeby1466
    @jacobconeby1466 3 years ago

    Thank you so much. Great video

  • @bayoo6
    @bayoo6 1 year ago

    I've installed Security Onion in my home lab on both ESXi and VirtualBox successfully; unfortunately, on both platforms Kibana is not receiving alerts. I've tried versions 2.3.171 through 2.3.190 but with the same problem. My monitor network configuration on VirtualBox is host-only and DHCP, and similar on ESXi. I'm using Kali to attack other machines on the same network in the lab. Can you suggest what I can try to make this work?

  • @jayanthkumar7964
    @jayanthkumar7964 2 years ago

    Thanks for the video. Some feedback: you should explain at each stage why you do what you do. For example, the DNS server. Maybe I'm the noob here, but I always left it to the Google DNS servers. Is there a particular reason you chose the DNS server that you did? Likewise, you are running through a lot of the steps just to walk through them. It would be great if you walked us through the rationale. Thanks.

    • @JohnDoe-re4qy
      @JohnDoe-re4qy 2 years ago

      You want your primary DNS to be internal, as you might have resources that a public DNS might not know about. Say your internal intranet web page or any other service you just don't expose to the internet and register.

  • @Arul-lb2nk
    @Arul-lb2nk 3 years ago

    very useful video, thank you so much it will save lot of time..

    • @Arul-lb2nk
      @Arul-lb2nk 3 years ago

      And Sir, I have been given a task which was assigned to me by my supervisor. I have 3 days for this and your dictation would be helpful, thank you.
      a. Sign up for a free Elastic account on cloud.elastic.co
      b. Integrate your machine with Elastic using the Beats client
      c. Aggregate your machine's logs on Elastic
      d. Create a dashboard
      e. Install the Suricata IDS client on your machine, integrate logs with Elastic
      f. Install the T-Pot honeypot and integrate the logs with Elastic
      I searched a lot of sites but most tutorial sites gave only 404. Please help me with step-by-step instructions, you are my hope now.

  • @mirhassanriaz7713
    @mirhassanriaz7713 3 years ago

    Hi,
    I really like your channel, you are doing an amazing job. I am facing an issue while installing Security Onion: the installation setup hangs at the SaltStack installation.
    We would really appreciate it if you could make a video highlighting the fix for that issue.

  • @samathanash4284
    @samathanash4284 3 years ago

    Could you tell me which application you are using for the layout of the network. I don't think it is Visio. BTW - nice job.

  • @PowerOfDeathZ
    @PowerOfDeathZ 3 years ago +1

    Hey, I recall you had a video that showed how you SPAN traffic through pfSense to Security Onion via VirtualBox. Did you take down that video? I would like to reference it again to set up my Security Onion, as I am currently using VMware Workstation and do not have the same options as VMware ESXi.

    • @ste1747
      @ste1747 3 years ago

      th-cam.com/video/57Da4uVdoiM/w-d-xo.html
      yw

  • @andersgjerlw9636
    @andersgjerlw9636 3 years ago

    So why do you want it to be in evaluation mode?
    Is there a difference between eval mode and the standard?
    Should the vSwitch port that is connected to the physical NIC on your PC be 10 Gbit on both ends, or does that not matter? I mean, I would believe it would be best to use 10 Gbit for IDS and other monitoring features a SIEM requires, for maximum throughput of bandwidth.
    Also, awesome video. Also, what are Playbook and the osquery you selected during the install of Security Onion?

    • @prokrastinator3122
      @prokrastinator3122 3 years ago

      See the documentation (-> Architecture) for the differences between installation modes (i.e. evaluation).

  • @tadeovivas6257
    @tadeovivas6257 3 years ago

    Hello, I have a very old server and it does not support VMware, so I installed CentOS 7 and I am using the virtualization it brings natively. I installed Security Onion as a virtual machine. On the physical machine I have a monitoring port that works fine, I already tried it with Wireshark; my problem is that I can't get the traffic to the virtual machine. Can you help me?

  • @dariosniper4194
    @dariosniper4194 1 year ago

    Thanks man for this video ;-)

  • @De5tr0yer
    @De5tr0yer 2 years ago

    You started this playlist with instructions on installing pfSense virtually and recommended we install it virtually, but in this video you are giving instructions on how to set up Security Onion from a setup which has pfSense installed physically. This is very confusing.

  • @nirmalvishal2013
    @nirmalvishal2013 3 years ago +1

    Thank you for this amazing video. I had a question regarding this product: can I install this in the cloud and monitor an organisation and its local servers? Or do I need to deploy it locally? I want to run this in the cloud and use it to monitor local servers; if that is a possibility, a lot of things can be achieved.

    • @jorgea.1052
      @jorgea.1052 3 years ago

      Yes, you need a sensor. It requires more config.

  • @hillfordh816
    @hillfordh816 3 years ago +2

    Have you had any luck getting syslog into it? I had no issues on setup with 2.3.1 and 2.3.2 but cannot seem to get any syslog into it. It seems like the logs are reaching the Security Onion server, as seen in tcpdump, but they are not being displayed in Kibana.

    • @ITSecurityLabs
      @ITSecurityLabs 3 years ago

      It looks like Logstash is not getting the data from syslog-ng. That's interesting.

    • @ITSecurityLabs
      @ITSecurityLabs 3 years ago

      I bet if you run "sudo so-logstash-restart" you get a message "No such container so-logstash"? In that case, you need to make sure Logstash is properly installed.

    • @ITSecurityLabs
      @ITSecurityLabs 3 years ago

      In my case, Logstash was missing from the output of so-status.

    • @giogsrvey5039
      @giogsrvey5039 3 years ago

      @ITSecurityLabs I have the same problem. How did you fix it?

    • @ITSecurityLabs
      @ITSecurityLabs 3 years ago

      @giogsrvey5039 Do you have Logstash?

  • @graiden
    @graiden 2 years ago

    How useful is this IDS if most or all of the traffic is encrypted?

    • @ITSecurityLabs
      @ITSecurityLabs 2 years ago

      Not useful. Most big corps will have SSL decryptors before data is sent to the IDS.
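An added example, not from the thread or from Security Onion, of what a network IDS can still read when it sits behind no decryptor: the TLS ClientHello travels in the clear, so the requested host name (SNI) and the offered cipher-suite list are visible to the sensor. Suricata logs the SNI in its tls records and the ClientHello fields are what JA3-style fingerprints are built from, which is how rules can still flag a known-bad domain or an unusual client without seeing the payload. The Python below builds a minimal ClientHello (constructed test data, not a real client's, with the random field zeroed) and parses it back; the host name and cipher suites are made up for the example. The caveat the thread does not mention: with Encrypted Client Hello, or when the SNI is simply absent, the parser returns None and the sensor is back to flow metadata only.

```python
import struct
from typing import Optional

SNI_EXTENSION = 0x0000  # server_name extension type


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def build_client_hello(hostname: Optional[str], cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Construct a minimal ClientHello record (test data; random is zeroed, no other extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32)                      # client_version TLS 1.2, random
            + b"\x00"                                    # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Read the cleartext ClientHello fields an IDS can use: version, cipher suites, SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    declared = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + declared]
    if len(body) != declared:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = _u16(body, pos)
    pos += 2
    pos += 32                       # random: no use to an IDS
    pos += 1 + body[pos]            # session_id
    cs_len = _u16(body, pos)
    pos += 2
    suites = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]            # compression methods
    sni = None
    if pos + 2 <= len(body):        # the extensions block is optional
        end = min(pos + 2 + _u16(body, pos), len(body))
        pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == SNI_EXTENSION and len(data) >= 5 and data[2] == 0:
                name_len = _u16(data, 3)
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "sni": sni}


if __name__ == "__main__":
    for host in ("update.example.internal", None):
        info = parse_client_hello(build_client_hello(host))
        print(f"sni={info['sni']!r} suites={[hex(s) for s in info['cipher_suites']]}")
```

The same parse over real traffic (the first record of each TCP session to port 443 on the monitor interface) gives you the destination names and client fingerprints an encrypted-only network still leaks; what it cannot give you is the request path, headers or body, which is what the decryptors mentioned above restore.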

  • @sylvesteressel5029
    @sylvesteressel5029 1 year ago

    I used NAT for adapter 1 and Bridged (Allow All) for the 2nd adapter for my Security Onion. For web access I chose IP address and I have "so-allowed" my host machine's IP address, but I can't access the Security Onion web page. Please, what am I doing wrong? Send help

    • @ITSecurityLabs
      @ITSecurityLabs 1 year ago

      Security Onion needs one monitor-mode interface and another bridged interface with a static IP in the same subnet as your bridged network.

  • @tshepisomotsoaledi6324
    @tshepisomotsoaledi6324 3 years ago

    Thank you for this video. How many tries did it take you to deploy Security Onion? My Security Onion 2.3 deployment keeps going into an installation loop, meaning the deployment completes, then upon first reboot it reinstalls again, and this kept going for more than ten times before I gave up. Now I understand this is bleeding edge, but 10 times was my limit. My configuration specs are as follows: 4 CPUs, 16 GB RAM and a 500 GB HD (set to fixed instead of dynamic allocation), deploying this in VirtualBox.

    • @ITSecurityLabs
      @ITSecurityLabs 3 years ago +1

      With those specs your installation should succeed without any issues. When you say it gets in a loop... are you removing the installation media when the install is complete? You need to remove the ISO after installation is complete, before rebooting.

    • @tshepisomotsoaledi6324
      @tshepisomotsoaledi6324 3 years ago +1

      @ITSecurityLabs OMG, I cannot believe I made such a rookie mistake. Removing the ISO media did the trick, thank you.

  • @lorenzasodisen657
    @lorenzasodisen657 3 years ago

    Hi, great vid! I'm using VMware Workstation Pro 16. Do I have an option to set the sniffing interface to promiscuous mode?

    • @ITSecurityLabs
      @ITSecurityLabs 3 years ago

      You don't need to choose that mode. You should be able to see the traffic from the interface without any issues.

  • @VinnyBlack-p5d
    @VinnyBlack-p5d 1 year ago

    Does your Dell server have two physical NICs?

  • @purveshjaiswal3760
    @purveshjaiswal3760 3 years ago

    Can you help me with the same installation for AWS cloud?

  • @nexusinfosec
    @nexusinfosec 3 years ago

    I am using VMware Fusion and am done with the install of the eval version, but I cannot get to the web GUI of Security Onion. Any ideas?

    • @ITSecurityLabs
      @ITSecurityLabs 3 years ago

      Must be your networking. How is your Fusion network set up?

    • @nexusinfosec
      @nexusinfosec 3 years ago

      @ITSecurityLabs It's standalone on the NAT.

    • @zuberkariye2299
      @zuberkariye2299 3 years ago

      @ITSecurityLabs Same, brother. pfSense, cannot get the web interface, even though I configured it.

  • @bobbynewport3332
    @bobbynewport3332 3 years ago +1

    A buddy of mine installed it and said it was missing events.

    • @ITSecurityLabs
      @ITSecurityLabs 3 years ago +1

      I had issues with the 2.3 release. I downloaded 2.3.1 and that one works. I am able to see all events, including Strelka files.

    • @bobbynewport3332
      @bobbynewport3332 3 years ago

      @ITSecurityLabs He said it was an i5 vPro with 12 GB RAM on 2.3.1.

  • @sourabhgupta2390
    @sourabhgupta2390 2 years ago

    What IP should I give to my Onion?

  • @Rashane21
    @Rashane21 3 years ago

    Hello, can you share your architecture diagram on Git or Google Drive?