Thursday, April 7, 2011

Security Onion 20110321: Distributed Sguil Sensors

Security Onion 20110321 is now available!  This new version includes an updated Setup script that allows you to easily create a Sguil server and then create multiple Sguil sensors that report back to the Sguil server.

How do I get it?
New users can download the latest ISO image from here.  Existing Security Onion users can perform an in-place upgrade to version 20110321 using the following commands:

wget http://downloads.sourceforge.net/project/security-onion/security-onion-upgrade.sh
sudo bash security-onion-upgrade.sh
Existing users, please note that running Setup on a previously configured system will remove any existing configuration.

How do I create a Sguil server?
You have three options:
1.  Launch Setup and choose "Quick Setup".  This will install a Sguil server AND create a Sguil sensor for each ethernet interface on the server.
2.  Launch Setup, choose "Advanced Setup", and choose "Both".  This will install a Sguil server AND create a Sguil sensor for each ethernet interface on the server, but will give you more options than "Quick Setup".
3.  Launch Setup, choose "Advanced Setup", and choose "Server".  This will just install a Sguil server.

How do I create a Sguil sensor?
Launch Setup, choose "Advanced Setup", and choose "Sensor".  Enter the name/address of the Sguil server and a username that has sudo permissions on the server.  A terminal window will appear prompting you to login to the server to complete the server configuration.

Demo
Download the latest ISO image from here.
Boot the Security Onion ISO and choose Install from the boot menu.
Standard Ubuntu installer appears.  Follow the prompts to complete your installation.
Reboot into your new Security Onion installation and login using the username/password you specified in the previous step.
Double-click the Setup desktop shortcut.
Administrative password prompt appears.  Enter your password and click OK.

Welcome screen appears.  Press Enter.

Quick Setup screen appears.  Press Enter.

Username screen appears.  Enter your desired Sguil username and press Enter.

Password screen appears.  Enter your desired Sguil password and press Enter.

Password confirmation screen appears.  Confirm your desired Sguil password and press Enter.

Settings confirmation screen appears.  Press Enter.

Setup creates the Sguil server and sensors and then starts all services.

Setup Complete screen appears.  Press Enter.

Double-click the Sguil desktop shortcut.  Login window appears.  Enter the Sguil username/password you specified in Setup.

Sensors window appears.  Click "Select All" and then click "Start Sguil".

Sguil main window appears.  Simulate an attack by going to a terminal and typing "curl http://testmyids.com".

A new alert should appear in the Sguil window.  Notice that the sensor is named server-eth0, where "server" is the hostname and "eth0" is the interface that saw the traffic.

We've now verified that the Sguil server is running correctly.  Let's go to our second machine and build a sensor.
Boot the Security Onion ISO and choose Install from the boot menu.
Standard Ubuntu installer appears.  Follow the prompts to complete your installation.
Reboot into your new Security Onion installation and login using the username/password you specified in the previous step.
Double-click the Setup desktop shortcut.
Administrative password prompt appears.  Enter your password and click OK.

Welcome screen appears.  Press Enter.

Quick Setup screen appears.  Click "No, use Advanced Setup".

Components screen appears.  Click "Sensor" and click "OK".

Server Hostname screen appears.  Enter server hostname/address and press Enter.

SSH Username screen appears.  Enter username on server and press Enter.

IDS Engine screen appears.  Press Enter.

Interfaces screen appears.  Select your desired interface(s) and click OK.

Confirm Settings screen appears.  Click "Yes, proceed with the changes!".

Terminal appears prompting to accept SSH key of server.  Type "yes" and press Enter.

Password prompt appears.  Enter password and press Enter.

Sudo prompt appears.  Enter password and press Enter.

Setup creates the Sguil sensor(s).

Setup starts all Sguil services.

Setup Complete screen appears.  Press Enter.

Simulate an attack by opening a terminal and typing "curl http://testmyids.com".  

At this point, we can return to our server.  In the Sguil window, click File and then click "Change monitored networks".

Sensor selection window appears.  Notice that there are new sensors named sensor-eth0, sensor-eth1, sensor-eth2, and sensor-ossec.  Select the new sensors and click "Start Sguil".

Click the "Agent Status" tab and verify that the new sensors are checking in.

Notice that there is a new alert with a sensor name of sensor-eth0, where "sensor" is the hostname of the sensor and "eth0" is the interface which saw the traffic.

In this blog post, we've demonstrated how Security Onion can build an army of distributed Sguil sensors in just a few minutes.

18 comments:

mhockey.us said...

Is there a way to create sensors, etc. via the command-line? A command line version of "setup" would be cool.

Doug Burks said...

"setup" is just a bash script that is a wrapper around the excellent NSMnow scripts such as nsm_server_add and nsm_sensor_add. Take a look at "setup" and you'll see what I mean.

mhockey.us said...

Thanks. I'll check it out.

dis9team said...

Our team supports you. I really like this ISO. :D

Alfon said...

Hi,

When you add a remote sensor, it is necessary to connect to a Sguil server. Could one add a Snort sensor without a Sguil server, as Prelude IDS does, for example?

Best Regards,

Doug Burks said...

Hi Alfon,

I'm not sure that I fully understand your question, but I think you have 2 options:
1. Run Quick Setup. This will create a standalone sensor with its own Sguil server (so no need for a separate box running Sguil server).
2. If you just want to run Snort by itself without Sguil at all, you can certainly do that by manually running Snort with a standard snort.conf.

Scott said...

When a sensor is added in this manner is the full pcap data stored on the sensor and only transferred to the server when queried or does it all get shuffled to the server?

Doug Burks said...

Hi Scott,

Yes, the full pcap data is stored on the sensor and only retrieved when requested.

Thanks,
Doug

Open Source said...

Thanks Doug, excellent tool!!

One question, in case of placing a sensor in a DMZ without connection with the internal sguil server. What kind of open ports would be needed to make them visible?

Thanks

Doug Burks said...

Hi Open Source,

Currently, sensors need to be able to connect to the server on ports 22 and 7736.

Hope that helps!

Thanks,
Doug
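A pre-flight check a sensor administrator can run before launching Setup, written for this post as an added example (not part of the Security Onion project or the post): it tests reachability of the Sguil server on the two ports named above (22 for SSH, 7736 for the sguild agent connection) and lists the sensor names the server will display, following the hostname-interface convention shown in the walkthrough (plus the hostname-ossec entry seen in the sensor selection window). The server name, interface list and Python 3 are assumptions.

```python
"""Pre-flight check for a Security Onion 20110321 Sguil sensor (added example)."""
import socket
import sys

# Ports the sensor must reach on the Sguil server (from the post's comment thread).
SERVER_PORTS = {22: "ssh (setup / config sync)", 7736: "sguild (sensor agents)"}


def check_port(host, port, timeout=3.0):
    """Return True if a TCP connect to host:port succeeds within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, DNS failure, or no network at all
        return False


def expected_sensor_names(hostname, interfaces, with_ossec=True):
    """Names Sguil will show: <hostname>-<iface> per sniffing interface, plus <hostname>-ossec."""
    names = ["%s-%s" % (hostname, iface) for iface in interfaces]
    if with_ossec:
        names.append("%s-ossec" % hostname)
    return names


def split_sensor_name(name):
    """Inverse of the naming scheme; split on the LAST '-' since hostnames may contain '-'."""
    host, _, iface = name.rpartition("-")
    return host, iface


def preflight(server, hostname, interfaces):
    """Reachability of every required server port plus the sensor names to expect."""
    reach = {port: check_port(server, port) for port in SERVER_PORTS}
    return {"reachable": reach, "sensors": expected_sensor_names(hostname, interfaces)}


if __name__ == "__main__":
    # Placeholder server name; pass the real Sguil server as the first argument.
    server = sys.argv[1] if len(sys.argv) > 1 else "sguil-server.example"
    result = preflight(server, socket.gethostname(), ["eth0"])
    for port, desc in SERVER_PORTS.items():
        state = "open" if result["reachable"][port] else "BLOCKED"
        print("%s:%d %-26s %s" % (server, port, desc, state))
    print("sensors the server will list:", ", ".join(result["sensors"]))
```

A "BLOCKED" line for 7736 with 22 open explains the common case where Setup completes over SSH but the sensor never appears in the Agent Status tab.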

Emilio said...

Thanks Doug, it works!

Another question. Is there any method to update the version of sensors (without internet connection) from the server?

Regards

Doug Burks said...

Hi Emilio,

Unfortunately, there is no supported method of updating the sensors (without Internet connection) from the server. You could try mirroring the packages on Sourcefire and hacking the update script to pull from your mirror.

Thanks,
Doug

N8 said...

Hi Doug,

How do you remove a remote sensor that is no longer being used?

Thanks,

Nate

Doug Burks said...

Hi N8,

You don't HAVE to do anything, but if you want to clean up the Sguil interface, you can remove the sensor via MySQL.

If you have further support questions, please use our mailing lists:
http://code.google.com/p/security-onion/wiki/MailingLists

Mike said...

Hello Doug, I just tried running this and the installer did not give me an option of which IDS I wanted to utilize. Did it default to Snort and make the proper changes for reporting without any prompt? Or request for Oinkcode?

Doug Burks said...

Hi Mike,

It sounds like you chose "Quick Setup" which automatically chooses Snort and the free Emerging Threats ruleset, which doesn't require an oinkcode.

If you want more options, please choose "Advanced Setup" instead of "Quick Setup".

If you have further questions or problems, please use our mailing list:
http://code.google.com/p/security-onion/wiki/MailingLists

Thanks,
Doug

isha said...

Hey Doug,
I configured the network info and set up the sensor, but my Sguil setup is still not showing the packets which I am sending...

And one more thing: should the monitoring interface have a static IP or DHCP???

Doug Burks said...

Hi Isha,

Please send a detailed email to our mailing list:
http://code.google.com/p/security-onion/wiki/MailingLists