How do I get it?
New users can download the latest ISO image from here. Existing Security Onion users can perform an in-place upgrade to version 20110321 using the following commands:
wget http://downloads.sourceforge.net/project/security-onion/security-onion-upgrade.shExisting users, please note that running Setup on a previously configured system will remove any existing configuration.
sudo bash security-onion-upgrade.sh
How do I create a Sguil server?
You have three options:
1. Launch Setup and choose "Quick Setup". This will install a Sguil server AND create a Sguil sensor for each ethernet interface on the server.
2. Launch Setup, choose "Advanced Setup", and choose "Both". This will install a Sguil server AND create a Sguil sensor for each ethernet interface on the server, but will give you more options than "Quick Setup".
3. Launch Setup, choose "Advanced Setup", and choose "Server". This will just install a Sguil server.
How do I create a Sguil sensor?
Launch Setup, choose "Advanced Setup", and choose "Sensor". Enter the name/address of the Sguil server and a username that has sudo permissions on the server. A terminal window will appear prompting you to login to the server to complete the server configuration.
Demo
Download the latest ISO image from here.
Boot the Security Onion ISO and choose Install from the boot menu.
Standard Ubuntu installer appears. Follow the prompts to complete your installation.
Reboot into your new Security Onion installation and login using the username/password you specified in the previous step.
Double-click the Setup desktop shortcut.
Administrative password prompt appears. Enter your password and click OK.
Password screen appears. Enter your desired Sguil password and press Enter.
Password confirmation screen appears. Confirm your desired Sguil password and press Enter.
Settings confirmation screen appears. Press Enter.
Setup creates the Sguil server and sensors and then starts all services.
Setup Complete screen appears. Press Enter.
Double-click the Sguil desktop shortcut. Login window appears. Enter the Sguil username/password you specified in Setup.
Sensors window appears. Click "Select All" and then click "Start Sguil".
Sguil main window appears. Simulate an attack by going to a terminal and typing "curl http://testmyids.com".
A new alert should appear in the Sguil window. Notice that the sensor is named server-eth0, where "server" is the hostname and "eth0" is the interface that saw the traffic.
We've now verified that the Sguil server is running correctly. Let's go to our second machine and build a sensor.
Boot the Security Onion ISO and choose Install from the boot menu.
Standard Ubuntu installer appears. Follow the prompts to complete your installation.
Reboot into your new Security Onion installation and login using the username/password you specified in the previous step.
Double-click the Setup desktop shortcut.
Administrative password prompt appears. Enter your password and click OK.
Welcome screen appears. Press Enter.
Quick Setup screen appears. Click "No, use Advanced Setup".
Components screen appears. Click "Sensor" and click "OK".
Server Hostname screen appears. Enter server hostname/address and press Enter.
SSH Username screen appears. Enter username on server and press Enter.
IDS Engine screen appears. Press Enter.
Interfaces screen appears. Select your desired interface(s) and click OK.
Confirm Settings screen appears. Click "Yes, proceed with the changes!".
Terminal appears prompting to accept SSH key of server. Type "yes" and press Enter.
Password prompt appears. Enter password and press Enter.
Sudo prompt appears. Enter password and press Enter.
Setup creates the Sguil sensor(s).
Setup starts all Sguil services.
Setup Complete screen appears. Press Enter.
Simulate an attack by opening a terminal and typing "curl http://testmyids.com".
At this point, we can return to our server. In the Sguil window, click File and then click "Change monitored networks".
Sensor selection window appears. Notice that there are new sensors named sensor-eth0, sensor-eth1, sensor-eth2, and sensor-ossec. Select the new sensors and click "Start Sguil".
Click the "Agent Status" tab and verify that the the new sensors are checking in.
Notice that there is a new alert with a sensor name of sensor-eth0, where "sensor" is the hostname of the sensor and "eth0" is the interface which saw the traffic.
In this blog post, we've demonstrated how Security Onion can build an army of distributed Sguil sensors in just a few minutes.
Is there a way to create sensors, etc. via the command-line? A command line version of "setup" would be cool.
ReplyDelete"setup" is just a bash script that is a wrapper around the excellent NSMnow scripts such as nsm_server_add and nsm_sensor_add. Take a look at "setup" and you'll see what I mean.
ReplyDeleteThanks. I'll check it out.
ReplyDelete我们团队支持你.我很喜欢这个ISO. :D
ReplyDeleteHi,
ReplyDeleteWhen you add a remote sensor, it is necessary to connect to a server sguil. Could add a snort sensor without sguil server as does prelude ids for example?.
Best Regards,
Hi Alfon,
ReplyDeleteI'm not sure that I fully understand your question, but I think you have 2 options:
1. Run Quick Setup. This will create a standalone sensor with its own Sguil server (so no need for a separate box running Sguil server).
2. If you just want to run Snort by itself without Sguil at all, you can certainly do that by manually running Snort with a standard snort.conf.
When a sensor is added in this manner is the full pcap data stored on the sensor and only transferred to the server when queried or does it all get shuffled to the server?
ReplyDeleteHi Scott,
ReplyDeleteYes, the full pcap data is stored on the sensor and only retrieved when requested.
Thanks,
Doug
Thanks Doug, excellent Tool!!.
ReplyDeleteOne question, in case of placing a sensor in a DMZ without connection with the internal sguil server. What kind of open ports would be needed to make them visible?
Thanks
Hi Open Source,
ReplyDeleteCurrently, sensors need to be able to connect to the server on ports 22 and 7736.
Hope that helps!
Thanks,
Doug
Thanks Doug, it works!.
ReplyDeleteAnother question. Is there any method to update the version of sensors (without internet connection) from the server?
Regards
Hi Emilio,
ReplyDeleteUnfortunately, there is no supported method of updating the sensors (without Internet connection) from the server. You could try mirroring the packages on Sourcefire and hacking the update script to pull from your mirror.
Thanks,
Doug
Hi Doug,
ReplyDeleteHow do you remove a remote sensor that is no longer be used?
Thanks,
Nate
Hi N8,
ReplyDeleteYou don't HAVE to do anything, but if you want to clean up the Sguil interface, you can remove the sensor via MySQL.
If you have further support questions, please use our mailing lists:
http://code.google.com/p/security-onion/wiki/MailingLists
Hello Doug, I just tried running this and the installer did not give me an option of which IDS I wanted to utilize. Did it default to Snort and make the proper changes for reporting without any prompt? Or request for Oinkcode?
ReplyDeleteHi Mike,
ReplyDeleteIt sounds like you chose "Quick Setup" which automatically chooses Snort and the free Emerging Threats ruleset, which doesn't require an oinkcode.
If you want more options, please choose "Advanced Setup" instead of "Quick Setup".
If you have further questions or problems, please use our mailing list:
http://code.google.com/p/security-onion/wiki/MailingLists
Thanks,
Doug
hey dough
ReplyDeletei configured the network info, setup the sensor but still my sguil setup is not showing the packets which i am sending...
.
and one more thing, the monitoring interface should have the static ip or dhcp???
Hi Isha,
ReplyDeletePlease send a detailed email to our mailing list:
http://code.google.com/p/security-onion/wiki/MailingLists