Setting up Security Onion

Setting up Security Onion can be a pain if you haven't done it before. If you follow the instructions to the letter, you will be fine; however, I am impatient and need to try, and fail, repeatedly so I can memorize how to get it built.

First and foremost, you will want to make sure you have the basic things you will need:

  1. VMware Workstation 16 Pro.
  2. The Security Onion ISO file, downloaded from Security Onion Solutions.
  3. Enough hardware to support Security Onion: 200 GB of SSD space, 16 GB RAM, 4 CPU cores.
  4. A second VM behind the same NAT to access Security Onion from. This can be Windows, Ubuntu, anything, as long as it sits behind the NAT.

Then you will set up your VMware Workstation VM.

NOTE: MAKE SURE YOU FOLLOW THIS PART CLOSELY OR IT WILL NOT WORK!!

Start by creating a new Virtual Machine.

Select the ISO you downloaded for Security Onion by clicking Browse.

Select the OS: Security Onion uses Linux, CentOS 7 64-bit.

Here you can name the VM whatever you want, just make sure you store it somewhere that you have enough room in.

Give it 200 GB of disk.

Make sure you select Customize Hardware…

MAKE SURE YOU HAVE THE FOLLOWING SETTINGS!!

Now you are ready to turn on your VM. Once you start it up, it will look like it's trying to set up some things. You will then see the following screen. Make sure you select "Install Security Onion 2.3.0".

You will see the following screen. You will then have to enter an administrative username. This username will be used to log in to your server from the VM. It will also prompt you to create a password and to confirm it. Then it will ask you to reboot.

Once rebooted, it will come to the login screen. Enter the login you just created, hit Enter, then enter the password for that login.

It will then prompt you to start setting up Security Onion. Follow the prompts carefully.

https://user-images.githubusercontent.com/1659467/87330029-f5f1e300-c505-11ea-8a8d-2a5cbf0eeeed.png
https://user-images.githubusercontent.com/1659467/90795908-a5c42880-e2dc-11ea-87d6-6252c9866d6b.png
https://user-images.githubusercontent.com/1659467/87334336-7b789180-c50c-11ea-94e0-0c5aded8799d.png
https://user-images.githubusercontent.com/1659467/87334404-9519d900-c50c-11ea-89e7-80a5b70fc683.png

The Ethernet port ens33 will be your management network.

https://user-images.githubusercontent.com/1659467/87334452-a8c53f80-c50c-11ea-9661-602ae7047183.png

It will then ask you to set up the management interface using a static IP address. You will need to know your NAT IP address! If you don't know your NAT IP address, you can check on your spare VM, or you can go into the VMware Workstation toolbar, click Edit -> Virtual Network Editor -> select the NAT network -> select NAT Settings... and there it will give you the subnet IP, subnet mask, and the gateway to use for your management port. CAUTION: your VMware may be different than mine, so please double check!

Once you have given your management port an IP address and set up the subnet and gateway, you will have to select the monitor interface. Don't worry, it won't ask you to enter an IP address for this.
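Before typing the management address into the wizard, it is worth sanity-checking it against the values from NAT Settings, since a wrong subnet or a collision with the gateway or the spare VM is the usual reason the web interface is unreachable later. The script below is an added example, not part of the original post or of Security Onion; the NAT subnet, mask, gateway and spare-VM address are constructed sample values, so substitute the ones your Virtual Network Editor shows.

```python
import ipaddress

# Constructed sample values; replace with what NAT Settings shows on your host.
NAT_SUBNET = "192.168.128.0"
NAT_MASK = "255.255.255.0"
NAT_GATEWAY = "192.168.128.2"
SPARE_VM = "192.168.128.130"   # address already taken by the second VM


def check_management_ip(ip, subnet_ip, subnet_mask, gateway, reserved=()):
    """Return a list of problems with a planned static management IP.

    subnet_ip / subnet_mask / gateway are the NAT Settings values; `reserved`
    holds addresses already in use on that NAT network. An empty list means
    the plan is consistent with the NAT network.
    """
    problems = []
    try:
        # strict=True rejects a "subnet" that still has host bits set
        net = ipaddress.IPv4Network(f"{subnet_ip}/{subnet_mask}", strict=True)
    except ValueError as exc:
        return [f"subnet/mask is not a valid network: {exc}"]
    try:
        addr = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid address: {exc}"]

    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}; re-check NAT Settings")
    if addr not in net:
        problems.append(f"{addr} is outside the NAT subnet {net}")
    else:
        if addr == net.network_address:
            problems.append(f"{addr} is the network address of {net}")
        if addr == net.broadcast_address:
            problems.append(f"{addr} is the broadcast address of {net}")
    if addr == gw:
        problems.append(f"{addr} is the NAT gateway itself")
    if any(addr == ipaddress.IPv4Address(r) for r in reserved):
        problems.append(f"{addr} is already used by another VM on the NAT network")
    return problems


if __name__ == "__main__":
    for candidate in ("192.168.128.50", "192.168.128.2", "10.0.0.5"):
        result = check_management_ip(candidate, NAT_SUBNET, NAT_MASK, NAT_GATEWAY, (SPARE_VM,))
        print(candidate, "OK" if not result else "; ".join(result))
```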

https://user-images.githubusercontent.com/1659467/87334531-ca262b80-c50c-11ea-98b6-440ee2bcdbe1.png

It will then have your home network subnets already picked. Click OK.

https://user-images.githubusercontent.com/1659467/87334570-dca06500-c50c-11ea-9760-a8a75a26664a.png
https://user-images.githubusercontent.com/1659467/87334614-ef1a9e80-c50c-11ea-9eb8-5feff68b8e26.png

Here, make sure everything is selected and click OK.

https://user-images.githubusercontent.com/1659467/87334660-ff327e00-c50c-11ea-917b-6a3891ec003b.png
https://user-images.githubusercontent.com/1659467/87334698-12454e00-c50d-11ea-9fc0-6364cedb8232.png

Now you will have to enter an email address to use when you log into Security Onion. This is a different login from the administrative one created earlier. I just used an email address and clicked OK.

https://user-images.githubusercontent.com/1659467/87334750-2426f100-c50d-11ea-97c0-ab11180f78f8.png

Then it will ask you to enter a password for that email address twice to confirm it.

https://user-images.githubusercontent.com/1659467/90796470-5cc0a400-e2dd-11ea-8429-623c45ebe3ee.png
https://user-images.githubusercontent.com/1659467/90796110-e4f27980-e2dc-11ea-8315-79498926974e.png
https://user-images.githubusercontent.com/1659467/87335033-a0213900-c50d-11ea-8eca-73ae73ba5f5c.png

Now we play the waiting game... It will start installing and show you a percentage. Let it sit there and it will get through eventually. If it stays on 0%, something is wrong and you will have to restart this process. If it is moving along, let it run until it's completed.

Once completed, it will let you know and ask you to reboot. Once rebooted, go to your second VM and open a browser to https://<ip address>. Make sure you remember the IP address you gave Security Onion, as that is what goes in the address bar. You should be able to get to the following screen:

If you had any issues getting to that screen, go back and make sure you followed all the previous steps. Use the email and password from the previous steps to log in, and you should see the following screen. Again, if you have any issues, please be sure to follow the guide again, as something may have been overlooked.
