Setting Up Security Onion on VMware for Your Cybersecurity Home Lab
Security Onion is a powerful open-source platform for network security monitoring, intrusion detection, and log management. It is widely used by cybersecurity professionals to detect and analyze security threats.
https://docs.securityonion.net/en/2.4/installation.html
What You Need Before You Start
- VMware Workstation or VMware Player.
- Security Onion ISO file: download the latest version from
https://github.com/Security-Onion-Solutions/securityonion/blob/master/VERIFY_ISO.md
Check the SHA256 Hash of the ISO File
sha256sum securityonion-2.3.300-20240401.iso
Expected Hash: 12306CDAFBF6F2AA0E1924296CFEFE1213002D7760E8797AB74F1FC1D683C6D7
Compare the Output:
- If the hashes match, your download is safe and complete.
- If not, re-download the ISO to avoid installation issues.
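As an added example (not code from the original page or from the Security Onion project), this Python script performs the same check as the sha256sum command above: it hashes the ISO in chunks so multi-gigabyte images do not need to fit in memory, then compares the result to the published hash ignoring case, since sha256sum prints lowercase hex while the expected value on this page is uppercase and a plain string comparison would wrongly report a mismatch. The file name and expected hash on the command line are whatever you downloaded and copied from VERIFY_ISO.md; the sample file in self_check() is constructed here only to exercise the code.

```python
import hashlib
import hmac
import os
import sys
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory use flat for large ISOs


def sha256_of_stream(stream) -> str:
    """Hash a binary file object chunk by chunk; returns lowercase hex."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    """Hash in-memory data; convenient for small constructed inputs."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(actual: str, expected: str) -> bool:
    """Compare two hex digests, ignoring case and surrounding whitespace.

    Rejects an expected value that is not a 64-character hex string so a
    copy-paste accident (truncated hash, stray characters) fails loudly
    instead of silently never matching. compare_digest avoids leaking where
    the two strings differ.
    """
    a = actual.strip().lower()
    e = expected.strip().lower()
    if len(e) != 64 or any(c not in "0123456789abcdef" for c in e):
        raise ValueError("expected value is not a SHA-256 hex digest")
    return hmac.compare_digest(a, e)


def verify_iso(path: str, expected: str) -> bool:
    """Return True when the file at `path` hashes to `expected`."""
    with open(path, "rb") as f:
        return hash_matches(sha256_of_stream(f), expected)


def self_check() -> bool:
    """Write a constructed sample file and verify it through the same code path."""
    sample = b"constructed sample, not a real ISO\n" * 4096
    fd, path = tempfile.mkstemp(suffix=".iso")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(sample)
        # Published hashes are often uppercase; the comparison must still pass.
        return verify_iso(path, sha256_of_bytes(sample).upper())
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Usage: python verify_iso.py <iso file> <expected sha256>
    iso, published = sys.argv[1], sys.argv[2]
    if verify_iso(iso, published):
        print(f"OK: {iso} matches the published hash")
    else:
        print(f"MISMATCH: re-download {iso}; do not install from it")
        sys.exit(1)
```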
Step 1: Setting Up VMware for Security Onion
Open VMware Workstation:
Click on “Create a New Virtual Machine.”
Choose the Installation Method:
Select “Custom (Advanced)” and click Next.
Choose the hardware compatibility for your new virtual machine
Keep it as “Workstation 17.5 or later”, as it provides the latest features and compatibility.
It is perfect for modern operating systems like Security Onion.
ESX Server Option:
Do not check the “Compatible with ESX Server” unless you are planning to migrate this VM to an ESXi server.
Since the goal is to run Security Onion on a local machine, this is not needed.
Click Next to proceed.
Select Installation Media:
Choose “I will install the operating system later”
Click “Next” to proceed.
Choose the Guest Operating System:
In the “Guest Operating System” selection window:
- Set the Operating System to “Linux”.
- Select “Ubuntu 64-bit” from the dropdown list.
Security Onion uses an Ubuntu-based environment.
Selecting Ubuntu 64-bit ensures better integration with VMware tools and drivers.
Incorrect OS selection might lead to performance issues or problems with network adapters and integrations.
During installation, Security Onion may automatically configure certain settings when the OS is set correctly.
Click “Next” to proceed.
- Guest operating system: Keep it on Linux.
- Version: Choose Other Linux 4.x kernel 64-bit.
Name Your Virtual Machine:
Give your VM a recognizable name, like “Security_Onion”.
Click Next to proceed.
Allocate Resources:
Processor: Set to 4 cores (or more if available).
Security Onion requires decent processing power, and 4 cores will help with performance, especially during analysis tasks.
Click Next to proceed.
Memory (RAM): Set to 8GB or more
8GB is the minimum recommended RAM for Security Onion. If you can allocate more (12GB or 16GB), it might improve performance, but 8GB is okay to start with.
Click Next to proceed.
Configure the Network:
Choose “Bridged” for network type (recommended) or “NAT” if needed.
NAT is a safe choice for testing and learning. It allows the VM to access the internet through the host’s network, which is useful for updates and downloading packages.
Click Next to proceed.
Choose I/O Controller Type:
SCSI Controller Type: LSI Logic (Recommended).
A SCSI (Small Computer System Interface) controller in VMware is used to manage virtual disks attached to the virtual machine. It acts as an interface between the VM and the virtual hard drives, providing efficient and fast data transfer.
The recommended option is usually the best, especially for compatibility and performance.
Click Next to proceed.
Choose the Disk Type:
SCSI (Small Computer System Interface):
- A good choice for most server and Linux-based environments.
- Offers better performance and scalability than IDE.
- Matches the LSI Logic controller you selected earlier.
Set Up Virtual Hard Disk:
Choose “Create a new virtual disk”.
Click Next to proceed.
Allocate at least 100GB of disk space.
Security Onion needs more space due to log storage and analysis tools.
Choose “Store virtual disk as a single file”. This is the best choice for performance and management:
- Creates a single file for the entire disk, which is easier to manage.
- Reduces fragmentation, resulting in better performance.
Click Next to proceed.
The virtual disk file will be named Security_Onion.vmdk.
.vmdk stands for VMware Disk, which is the format for storing virtual machine disk images.
By default, it will be stored in the same folder as your virtual machine files, typically in: C:\Users\YourUsername\Documents\Virtual Machines\Security_Onion.
Click “Browse” if you want to change the storage location, but this default location is usually fine.
Click Next to proceed.
Click “Customize Hardware…” to add an extra network adapter. A second adapter is useful for:
1. Monitoring Network Traffic:
- One adapter (Management Interface) can handle normal operations (updates, web access).
- The second adapter (Monitoring Interface) can be set to Promiscuous Mode, allowing it to capture and analyze network traffic without interfering with the primary network.
2. Separation of Roles:
- NAT/Bridged Adapter: For management tasks like accessing the web interface of Security Onion.
- Host-Only/Bridged Adapter: Dedicated to monitoring network traffic from a specific network segment.
3. Improved Security:
- Keeping the management network and the monitored network isolated enhances security.
- This setup prevents an attacker from easily accessing the management interface if the monitoring network is compromised.
Click “Add…” and select “Network Adapter”.
Click Finish to proceed.
Configure the New Adapter:
- Set the first adapter to NAT or Bridged for management.
- Set the second adapter to Bridged or Host-Only.
- If you want to capture all network traffic, set it to Promiscuous Mode under the “Advanced” settings.
Click Close to proceed.
Reviewing Your Virtual Machine Configuration.
Click “Finish” and start the virtual machine.
Once the VM is created, insert the Security Onion ISO as a virtual CD/DVD:
Go to “Edit Virtual Machine Settings”.
Select “CD/DVD (SATA)”.
Choose “Use ISO image file” and browse to the Security Onion ISO.
Make sure “Connect at power on” is checked.
Click Ok to proceed.
Start the Virtual Machine:
Power on the VM and proceed with the Security Onion installation.
Step 2: Installing Security Onion
When the virtual machine starts, a boot menu will appear. Select “Install Security Onion 2.3.300”.
Warning Message: Data Deletion Confirmation
The installation process is asking for confirmation before proceeding because it will:
- Erase all data on the virtual disk (100 GB) created for Security Onion.
- Delete all existing partitions on this virtual disk.
Since this is a new virtual machine, there is no critical data on the disk.
Typing “yes” and pressing Enter is the correct action.
Set up the admin user account for managing Security Onion. This account will have full administrative privileges on the system.
The username “admin” is fine, but you can change it to something more secure or unique if needed.
Enter a strong password for the admin account.
A good password should:
- Be at least 8 characters long.
- Mix upper and lower case letters, numbers, and special characters.
- Avoid common words or easily guessable information.
Confirm Password: Re-enter the password to confirm.
Installation in Progress.
Wait for the installation to complete.
The initial installation of Security Onion is complete.
Press Enter to reboot the virtual machine.
Step 3: Initial Setup of Security Onion
Log In to Your VM:
Use the username and password you created during installation.
Continue with the installation by selecting “Yes” and following the on-screen instructions.
Press Enter to proceed.
Select “Install” to run the standard Security Onion installation. This will set up the full system, including all necessary components for network security monitoring and analysis.
Press Enter to proceed.
Select EVAL mode.
EVAL (Evaluation Mode): Ideal for testing and learning. Not recommended for production environments.
Press Enter to proceed.
Agree to the Elastic License for Elastic Stack version 7.11 and above.
Type AGREE to proceed.
Set the hostname for the Security Onion installation. The hostname is a unique name for the system within our network.
- The default hostname is securityonion, which is perfectly fine to use.
- If we want, we can change it to something more specific or meaningful for the environment, such as soc-server or network-monitor.
Press Enter to proceed.
Select the Network Interface Card (NIC) that will serve as our management interface for Security Onion.
- The management NIC is used to access the Security Onion interface and manage the system.
- Typically, you will choose the NIC connected to your main network, allowing access to the web interface and remote management.
- We set up two network adapters earlier, so we would choose the NAT or bridged adapter as the management NIC.
- The other adapter (in host-only mode) will be used for monitoring traffic.
Use the arrow keys to navigate to the adapter and press Space to select it.
- NAT Mode allows Security Onion to access external networks (e.g., download updates or access external threat intelligence feeds) while keeping the VM hidden behind the host’s IP.
- Bridged Mode is often used in more advanced setups where you need Security Onion to act as a direct observer on the network, seeing all network traffic as if it were another device on the physical network.
- Management NIC: Set to Host-Only to restrict management access to your host machine only. This is useful for a controlled, lab-based environment.
- Monitoring NIC: Set to NAT or Bridged if you plan to capture and analyze network traffic from your external network or if you need to connect to the internet for updates.
For Learning and Isolated Testing:
- Management: Host-Only
- Monitoring: NAT
For Real Network Monitoring:
- Management: NAT/Bridged (to allow access from the network)
- Monitoring: Bridged (to capture live network traffic)
Select DHCP.
If you are setting up Security Onion in a home lab or testing environment, DHCP is usually the quickest option, as it allows the network to automatically assign an IP address to the Security Onion system.
Press Enter to proceed.
A warning indicates that if we use DHCP, the IP address could change over time, potentially causing connectivity issues when trying to manage Security Onion.
Press Enter to proceed.
The setup is now initializing the network configuration.
Press Enter to proceed.
Select Standard installation since the Security Onion manager has internet access.
Press Enter to proceed.
Select how Security Onion will connect to the internet:
- Direct: Allows internet requests to connect directly without any intermediary.
- Proxy: Routes internet traffic through a proxy server, which can provide additional security and control, often used in enterprise environments.
Since this setup is for a learning or evaluation environment and assuming no proxy server is required, select Direct.
Press Enter to proceed.
At this stage, Security Onion will perform preflight checks designed to verify that the system meets all the necessary requirements for installation.
Select Continue.
Select the Network Interface Card (NIC) for the monitoring interface.
The monitoring interface is used to capture and analyze network traffic.
Press Enter to proceed.
Set the OS patch schedule for Security Onion.
Automatic (Recommended): Updates will be installed every 8 hours if available. This is useful for ensuring the underlying operating system is always up-to-date with the latest patches, which is crucial for security and stability.
Press Enter to proceed.
Define the “home networks” using CIDR (Classless Inter-Domain Routing) notation. Home networks are the IP address ranges that Security Onion will consider as internal or trusted networks.
The default input includes the three common private IP address ranges:
- 10.0.0.0/8: Covers 10.0.0.0 to 10.255.255.255, a large block often used in enterprise networks.
- 192.168.0.0/16: Covers 192.168.0.0 to 192.168.255.255, commonly used in home and small office networks.
- 172.16.0.0/12: Covers 172.16.0.0 to 172.31.255.255, also used in enterprise environments.
This should ensure that Security Onion correctly monitors and identifies traffic from all relevant networks.
Press Enter to proceed.
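As an added example (not code from the page or from Security Onion), this Python snippet shows what the home-network definition above actually decides: which side of a flow counts as internal. IDS rules that reference $HOME_NET and $EXTERNAL_NET (as Suricata rules do) only fire for the direction they name, so a flow between two hosts outside the defined ranges is largely ignored, and a lab segment that is not in one of the three default ranges is treated as external until you add it. The flow records are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# The three ranges the setup screen proposes by default.
DEFAULT_HOME_NETS = ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")


def parse_home_nets(cidrs: Iterable[str]):
    """Parse CIDR strings; strict=False tolerates host bits such as 192.168.1.5/24."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_home(ip: str, home_nets) -> bool:
    """True when the address falls inside any configured home network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_nets)


def flow_direction(src: str, dst: str, home_nets) -> str:
    """Label a flow the way HOME_NET/EXTERNAL_NET rule variables see it."""
    s, d = is_home(src, home_nets), is_home(dst, home_nets)
    if s and d:
        return "internal"   # east-west traffic between two internal hosts
    if s:
        return "outbound"   # $HOME_NET -> $EXTERNAL_NET
    if d:
        return "inbound"    # $EXTERNAL_NET -> $HOME_NET
    return "external"       # neither side is ours; direction-bound rules skip it


# Constructed sample flows (src, dst); not captured data.
SAMPLE_FLOWS = [
    ("192.168.1.10", "8.8.8.8"),     # lab host querying a public resolver
    ("203.0.113.7", "10.0.0.5"),     # internet host reaching an internal server
    ("10.1.1.1", "192.168.0.1"),     # two internal hosts
    ("198.51.100.2", "203.0.113.9"), # transit traffic, neither side internal
    ("172.32.0.1", "10.0.0.5"),      # 172.32.x.x is NOT inside 172.16.0.0/12
]


def classify_flows(flows, home_nets) -> List[Tuple[str, str, str]]:
    """Attach a direction label to each (src, dst) pair."""
    return [(s, d, flow_direction(s, d, home_nets)) for s, d in flows]


if __name__ == "__main__":
    nets = parse_home_nets(DEFAULT_HOME_NETS)
    for src, dst, label in classify_flows(SAMPLE_FLOWS, nets):
        print(f"{src:>15} -> {dst:<15} {label}")
    # A lab segment outside the three defaults (here the 100.64.0.0/10 shared
    # address space, chosen as an example) stays "external" until it is added.
    lab_nets = parse_home_nets(DEFAULT_HOME_NETS + ("100.64.0.0/10",))
    print(flow_direction("100.64.5.5", "8.8.8.8", nets))      # external
    print(flow_direction("100.64.5.5", "8.8.8.8", lab_nets))  # outbound
```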
Choose which optional components to enable:
- Grafana: Provides visualization and monitoring of system metrics. It is helpful for keeping an eye on the performance of your Security Onion deployment and underlying systems.
- Osquery: Enables you to query your endpoints using SQL-like queries. It’s useful for endpoint visibility and monitoring.
- Wazuh: This is a security information and event management (SIEM) and host-based intrusion detection system (HIDS). It helps in detecting security threats and monitoring endpoint activities.
- Playbook: Allows for the creation of response playbooks, helping to automate incident response workflows.
- Strelka: A file analysis framework that allows you to analyze files that pass through your network, which is particularly useful for malware detection and file integrity monitoring.
Enabling all these services will provide a comprehensive security monitoring and response platform. However, be aware that enabling all these services will increase resource usage, particularly RAM and CPU. Make sure your virtual machine has enough resources allocated to avoid performance issues.
If your VM has at least 8 GB of RAM (preferably more) and sufficient CPU cores, it should be good to proceed.
Press Enter to proceed.
Keep the default Docker IP range unless you have specific network requirements or if the default IP range conflicts with your existing network. The default range is typically configured to avoid conflicts in most environments.
Press Enter to proceed.
Enter an email address to create an administrator account for the Security Onion web interface.
Press Enter to proceed.
Set a password for the provided email address.
Press Enter to proceed.
Re-enter the password for the provided email address.
Press Enter to proceed.
Select “IP” to access the web interface; it is the safest and most straightforward option, especially if you are not setting up DNS or a load balancer. By using the IP address, we can directly access the Security Onion web interface without needing to configure additional name resolution settings.
Press Enter to proceed.
Select “Yes” and proceed to configure NTP servers.
Configuring NTP (Network Time Protocol) servers is highly recommended, especially for a Security Onion deployment. Accurate time synchronization is critical for logging, correlation of events, and forensic analysis. If your server’s time is not accurate, it could lead to confusion when analyzing logs and incidents.
Press Enter to proceed.
Keep the Current Servers: The NTP servers 0.pool.ntp.org and 1.pool.ntp.org are good choices. They are part of the global NTP pool and provide reliable time synchronization.
This setup ensures that if one server is unreachable, Security Onion can still synchronize time with the others.
Press Enter to proceed.
Select “Yes” if you want to manage and monitor Security Onion from a different device. This is particularly useful for remote management or if running the VM in a headless state.
Note: make sure that:
- The firewall rules allow the appropriate ports (default is port 443 for HTTPS).
- The network settings (like the bridged or NAT adapter) permit external connections to the VM.
Press Enter to proceed.
Specify which IP addresses or IP ranges are allowed to access the Security Onion web interface.
In a lab environment or a controlled network, a CIDR range like 192.168.1.0/24 or 192.168.0.0/16 is practical.
Press Enter to proceed.
If everything matches the network setup and intended use, select Yes.
Press Enter to proceed.
The installation process might take a while, so give it some time.
After the installation process completes: Remove the ISO file from the virtual CD/DVD drive to avoid booting into the installer again.
Go to VM settings > Removable Devices > CD/DVD > Disconnect.
Start the VM again, and it should boot into the Security Onion operating system.
Login with the credentials you set up during the installation process.
Resolving Security Onion Web Interface Accessibility Issues
If the Security Onion web interface is not accessible, run sudo so-allow to resolve the issue.
The so-allow command in Security Onion is typically used to configure the firewall to allow traffic from specified IP addresses or subnets to access the web interface and other services.
sudo so-allow
Enter a (the analyst role) to allow access to the Security Onion web interface from a browser.
Press Enter to proceed.
To allow access from the entire local network, enter 192.168.0.0/16.
Press Enter to proceed.
The output indicates that the IP range 192.168.0.0/16 has been added to the analyst role successfully. It also shows that the Wazuh service is being restarted. The green text with “Result: True” and “Succeeded: 20 (changed=5)” indicates that the commands ran successfully without any errors.
Check the status of all critical services and components running within the Security Onion environment.
sudo so-status
The output should show [OK] for each service, indicating that the Security Onion services are running properly. You should now be able to access the web interface using the IP address shown earlier.
On your Kali Linux machine (or any machine on the same network), open a web browser (Firefox or Chromium).
Enter the Security Onion management IP address in the address bar: https://Security_Onion_management_IP.
Firefox will display a “Potential Security Risk Ahead” warning because the Security Onion server uses a self-signed SSL certificate, which browsers do not trust automatically.
Click on “Advanced”.
Click “Accept the Risk and Continue.” This is safe to do because you know the server you are accessing is legitimate and under your control.
Log in with the email and password you set during the installation.
“Overview” Page of Security Onion
What You See: This is the main dashboard of Security Onion. It provides an overview of the platform and is designed to guide new users through the system.
Key Sections:
- Getting Started: This section offers quick links to resources like Help, Cheatsheets, and Training. These resources are essential for beginners to learn how to effectively use Security Onion for threat detection and network security.
- What’s New: Displays the latest features and updates of the current version (2.3.300) of Security Onion. It is important to keep up-to-date with new features to make the most of the platform.
- Customize This Space: Explains how you can modify the dashboard. The customization is done by editing the motd.md file, which uses Markdown formatting. This allows you to personalize the interface according to your monitoring needs.
Navigation Menu on the Left:
- Overview: Home screen with general information.
- Alerts: Where you can view security alerts generated by the system.
- Dashboards: Provides visual analytics of your network traffic.
- Hunt: Allows for more detailed investigation into potential threats.
- Cases: You can create and manage security cases.
- PCAP: Packet capture analysis.
- Grid: Manages distributed sensors (the orange exclamation mark indicates an issue or attention needed).
- Administration: Manage system settings and configurations.
Tools Section:
- Links to additional integrated tools like:
- Kibana: For data visualization.
- Grafana: For system monitoring.
- CyberChef: A versatile tool for data transformation.
- Playbook, FleetDM, Navigator: Additional utilities for monitoring and managing endpoints.
The bottom part of the dashboard contains instructions on how to modify the welcome screen or dashboard content.
Customization Instructions:
To change the display content:
sudo cp /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/
Edit the new motd.md file using a text editor.
Customization allows adding specific information or instructions for the team directly into the Security Onion dashboard, improving workflow and efficiency.
Apply the changes by restarting the Security Operations Center (SOC) with:
sudo so-soc-restart
The documentation section of Security Onion lists the “End of Life” (EOL) dates for various versions of Security Onion and its components. An EOL date means that the specific version or software will no longer receive updates, support, or security patches.
Key Details on the Page:
1. Security Onion 2.3 EOL:
- The current version (2.3) will reach EOL on April 6th, 2024.
- Users are advised to upgrade to Security Onion 2.4.
- More information is available via the provided link.
2. Ubuntu 18.04 EOL:
- Ended support in April 2023.
- Important if your Security Onion setup is running on Ubuntu 18.04, as you will not receive updates or security patches.
3. TheHive and Cortex EOL:
- These components were removed from Security Onion in version 2.3.120.
- They reached EOL on December 31, 2021.
4. Older Security Onion Versions EOL:
- Security Onion 16.04: EOL on April 16, 2021.
- Security Onion 14.04: EOL on November 30, 2018.
5. Additional Components EOL:
- ELSA: Reached EOL on October 9, 2018.
- Xplico: Reached EOL on June 5, 2018.
If you are using any of the listed EOL software, upgrade to ensure continued support and security.
Running unsupported software can leave the system vulnerable to security threats, as you won’t receive critical updates.
Regularly check EOL notices for all components of the security infrastructure.
1. Access Each Dashboard:
- Kibana Dashboard:
- Go to the Security Onion web interface.
- On the left menu, find and click on Kibana.
- Verify that the Kibana dashboard loads correctly.
- Grafana Dashboard:
- In the same menu, click on Grafana.
- You should see system performance metrics and visualization panels.
- If prompted, use the same credentials set during the installation.
- Wazuh Dashboard:
- Click on Wazuh from the tools section.
- You should be able to see alerts, monitoring, and endpoint visibility data.
2. Start Monitoring: Setting Up Data Sources and Monitoring Traffic
A. Adding Data Sources:
Go to the Administration Panel:
Click on Administration in the Security Onion web interface.
Navigate to Data Sources.
Add a New Data Source:
Select the type of data source you want to add (e.g., syslog, packet capture, endpoint agents).
Follow the on-screen instructions to configure the data source.
You might need to install agents on endpoints or configure network devices to send logs to Security Onion.
B. Monitoring Network Traffic:
PCAP (Packet Capture):
Go to the PCAP section to view captured network traffic.
We can analyze the data using tools like Zeek or Suricata.
Using the Hunt Interface:
The Hunt section allows you to search and filter through collected logs and data.
This is useful for threat hunting and identifying suspicious activity.
C. Setting Up Alerts and Dashboards:
Creating Custom Dashboards:
In Kibana or Grafana, create custom dashboards to visualize specific data points.
We can set up charts and graphs to monitor network performance, threat alerts, and more.
Configuring Alerts:
Use the Alerts section to set up notifications.
Configure rules to trigger alerts when specific events or behaviors are detected.
3. Validate that Everything is Working:
Generate test traffic (using network scanning tools or by accessing monitored endpoints).
Check if the traffic appears in the dashboards.
Test alerting mechanisms to ensure they trigger as expected.
Troubleshooting Tips:
If a service is not accessible, restart it using:
sudo so-restart
Check for logs or errors:
sudo tail -f /var/log/syslog
Summary and Next Steps
The installation and setup of Security Onion on VMware have established a powerful home lab for network security monitoring and threat analysis. This environment provides hands-on experience with essential cybersecurity tools such as Kibana, Wazuh, Grafana, and Suricata.
Key Benefits:
- Threat Detection Practice: Gain real-world experience in identifying and responding to security incidents.
- Network Traffic Analysis: Enhance skills in monitoring and analyzing network activity.
- Threat-Hunting Proficiency: Develop advanced techniques using the Hunt interface.
- Scenario Simulation: Safely replicate and study real-world attack scenarios to validate detection strategies.
Next Steps:
- Generate Test Traffic: Use tools like Nmap or Metasploit to assess detection effectiveness.
- Create Custom Dashboards: Design and implement personalized dashboards and alerts for specific security events.
- Experiment with Threat-Hunting Techniques: Utilize the Hunt interface to refine investigative methodologies.
- Document Findings: Compile analysis results and insights to create a strong portfolio for cybersecurity roles.
This home lab is not only a practical learning tool but also a valuable asset for advancing a career in security operations and threat analysis.
Explore deeper, analyze thoroughly, and uncover new insights. The hunt is on!