Security Onion install for Ubuntu 18.04LTS

After getting frustrated with CentOS7 and the included Security Onion ISO, I decided to go to my favorite Linux Distro – Ubuntu Server 18.04LTS.  What a beautiful operating system.

First and foremost, you will want to make sure you have the basic things you will need:

  1. ESXi or any other hypervisor
  2. Linux Ubuntu Server 18.04LTS
  3. An Internet Connection
  4. Enough hardware to support Security Onion: 200 GB of SSD space, 16GB RAM, 4 CPU Cores.
  5. Two Virtual Switches

You will want to start by creating your virtual switches.  You will need two different V-Switches: one for management and one for monitoring. 

For this example, I have created a LAN_mgmt and LAB_vlan15 V-Switch. The two switches are on separate VLANs and cannot talk to each other.

Alright. Let’s get into the setup process.

Here, you will define how many processing cores, the amount of memory allocated, as well as other virtual hardware settings.  I have given the Ubuntu 18.04LTS virtual machine 8 threads, 16GB of RAM, as well as 200GB of storage. 

Go ahead and power on your virtual machine.

Once your new Ubuntu 18.04 machine powers up, you will need to run through the setup process.  If you have done this already, go ahead and skip to the “Creating an LVM” step to create a new partition for Security Onion.

When you get to the Network Connections area, it is important that you take note of which interface is which.  This will be important later when installing Security Onion.  In my case, ens160 is on my management VLAN, while ens192 is on my monitoring VLAN.

Creating an LVM for Security Onion is required, and it is recommended that your new “nsm” LVM is at least 100GB.  In this example, I have created an LVM for 99.399GB.

Run through the rest of the Linux Ubuntu setup, remembering what username and password you use to login.  You do not need to install any Featured Server Snaps.

Alright, so, you have just logged into your new Ubuntu Server 18.04LTS terminal and are waiting to see what is next.  Luckily for you, we can go ahead and install Security Onion here with just three simple commands.

git clone

cd securityonion

sudo bash so-setup-network

After you run these commands, it will take a minute to run the installer, but you will eventually get to the Security Onion Setup menu. 

We will want to click Yes to continue.

Next, we are going to be asked how we want to install Security Onion.  For most lab setups, you will want to install Security Onion in EVAL mode.  Go ahead and click Ok.

You may get a warning about storage size, but do not worry if this happens.  It should work if you have about 100GB.  If not, just add storage to the VM in ESXi and expand the LVM.

We have already set up our network interface cards and taken note of which interfaces go to which networks.  Click Yes to acknowledge that you know which interfaces go where.

You may get a warning about DHCP when you click Yes.  This is OK as long as you can check and see what address your device is getting.

This is where Security Onion wants to know what your management NIC is.  We defined it as ens160 earlier, so go ahead and choose that.

The next step will ask which interface will monitor traffic.  We will choose ens192, since that is the interface we want to monitor.

Next we have the patching schedule – just choose Automatic for this lab.

This question is asking about the environment it is being installed in. You can leave this at the default because it will see all private addresses.

Install it all!

For this section of the setup, you are going to want to create the local account for Security Onion.  Please remember this email and password that you create & use!

This section will define how you will connect to the interface.  I would select IP since you already know what the address is, and you can connect to that easily.

Yes!  You will want to run so-allow to whitelist the devices that you want to connect to this virtual machine.

This question requires a bit of knowledge about your infrastructure.  You will want to put the IP address of the device you want to connect from here.  Please make sure that this address is on the same subnet as your management interface.

Click Ok.
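
Here is a small helper for the so-allow step above, to confirm that the address you are about to allow really is on the same subnet as the management interface.  This is an example added to this write-up, not part of Security Onion or the original post; the function names and all addresses in it are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. All addresses are constructed.

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    set -f; IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) exit 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Succeed (0) if address $1 lies inside the network $2 (addr/prefix),
# fail (1) if it does not, and return 2 on malformed input.
in_subnet() (
    addr=$(ip_to_int "$1") || exit 2
    net=$(ip_to_int "${2%/*}") || exit 2
    prefix=${2#*/}
    case "$prefix" in ''|*[!0-9]*|0?*|???*) exit 2 ;; esac
    [ "$prefix" -le 32 ] || exit 2
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
)

# Pull the first IPv4 address/prefix out of `ip -o -4 addr show dev IFACE` output.
cidr_from_ip_output() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { print $(i + 1); exit } }'
}

# Constructed sample of what `ip -o -4 addr show dev ens160` prints.
SAMPLE='2: ens160    inet 192.168.10.20/24 brd 192.168.10.255 scope global ens160'
MGMT_CIDR=$(printf '%s\n' "$SAMPLE" | cidr_from_ip_output)

for candidate in 192.168.10.50 192.168.15.50; do
    if in_subnet "$candidate" "$MGMT_CIDR"; then
        echo "$candidate: same subnet as $MGMT_CIDR"
    else
        echo "$candidate: outside $MGMT_CIDR, pick an address on the management VLAN"
    fi
done
```

On the real machine, replace the sample line with the output of `ip -o -4 addr show dev ens160` piped into cidr_from_ip_output.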

Next, you will click yes to continue the setup in EVAL mode.

Congrats!  You are done with the setup process!  Unfortunately, this last part will take a while.  If your percentage bar gets above 0%, you should be good to go for a quick walk to the mailbox or get a cup of coffee while the setup process finalizes.

It is time to log in. To get to this step, you will need to navigate to the management IP address. To do this, go to your web browser and type “https://ip_address/”. You should be greeted with a login page. If not, see if you can ping the management IP address from the machine you are trying to reach it from. If you can ping the address, try running so-allow in the Ubuntu terminal.

Login with the email and password you created earlier and… Voila!! You are good to go!

If you have any questions, please feel free to ask them here or, if you are a fellow UH student, just ask in the Discord!
