Project 1: Setting Up Security Onion on a PC (15 points)

What You Need

A 64-bit Windows machine with VMware Player installed. You also need at least 4 GB of RAM.

Installing VMware Player

If you are working in S214, VMware Player is already installed. If you are using some other machine, get VMware Player here:

Download VMware Player (64-bit)

Downloading the Security Onion ISO

In a Web browser, go to https://securityonion.net

At the top, click DOWNLOAD

Download the ISO image. It's a file named securityonion-14.04.5.2.iso

Note: As of 12-10-17, the current version is now "securityonion-14.04.5.5.iso". You can use that one; the main difference is that it no longer includes Xplico by default.

Creating a Virtual Machine

Launch VMware Player. If you see a box asking for an email address, enter one, as shown below, and then click Continue and Finish.

In the "Welcome to VMware Player" box, click "Create a New Virtual Machine", as shown below.

In the "Welcome to the New Virtual Machine Wizard" box, click the "Installer disk image file (iso):" button, and then click the Browse... button.

Navigate to the securityonion-14.04.5.2.iso file, and click Open.

Your window should now look like the image below. Click Next.

In the "Select a Guest Operating System" box, select Linux, "Ubuntu 64-bit". Click Next.

In the "Name the Virtual Machine" box, enter a name of YOURNAME-SO as shown below, and click Next.

In the "Specify Disk Capacity" box, accept the default of 20.0 GB and click Next.

In the "Ready to Create Virtual Machine" box, click the "Customize Hardware..." button, as shown below.

Increase the memory to 3072 MB, as shown below. Click Close. Click Finish.

Click "Play virtual machine" to start your virtual machine.

Installing SecurityOnion

The virtual machine boots up, with a light blue Security Onion splash screen. Wait a few seconds and it will finish booting up.

In the "Welcome" screen, accept the default selection of English and click Continue.

In the "Preparing to install SecurityOnion" screen, check both boxes, as shown below, and click Continue.

In the "Installation type" screen, accept the default selection of "Erase disk and install SecurityOnion", as shown below, and click "Install Now".

In the "Write the changes to disks?" box, click Continue.

In the "Where are you?" screen, verify that it has chosen your time zone and click Continue.

The next screen is titled "Keyboard layout", and it's too big to fit on the desktop, as shown below. This is a common problem with graphical Linux installers.

To continue, you need to click on the blue title bar at the top of this window and drag it to the left, as shown below. Then click Continue.

In the next screen, enter a username and password, as shown below, and click Continue.

Don't forget the username and password! In my case, I used so for both. This is obviously insecure and used only for learning purposes.

When the installation finishes, an "Installation Complete" box appears. Click "Restart Now". Press Enter when you are prompted to. When the pale blue splash screen appears, wait a few seconds for it to boot with the default selection.

Updating the System

Log in with the username and password you chose, as shown below.

At the top left of the desktop, click the little dark rectangle icon. Click "Terminal Emulator", as shown below.

In the Terminal, execute this command:

sudo soup

Enter your password when you are prompted to.

Press Enter when you are prompted to. Wait while software downloads and installs, as shown below.

When the installer prints a question about unattended upgrades, as shown below, press Enter.

When you see the message "All updates have been installed", as shown below, press Enter.

The VM restarts. Log in as usual.

Configuring Network Interfaces

On the SecurityOnion desktop, double-click the Setup icon.

Enter your password when you are prompted to.

In the "Welcome to Security Onion Setup!" box, click "Yes, Continue!".

In the "Would you like to configure /etc/network-interfaces now?" box, click "Yes, configure /etc/network-interfaces!".

The next box says "You only have one interface (eth0), which will be configured as a management interface."

Click OK.

In the next box, click DHCP, as shown below. Click OK.

In the next box, click "Yes, make changes!".

In the next box, click "Yes, reboot!".

Completing Setup

After rebooting, log back in and start the Setup wizard again.

Click "Yes, Continue!".

Click "Yes, skip network configuration!".

If a box asks you whether to use "Stable Setup" or "Experimental Setup", accept the selection of "Stable Setup" and click OK.

In the "Evaluation Mode or Production mode" box, accept the default selection of "Evaluation Mode" and click OK.

The next box asks for a Sguil username. Enter

sguil

and click OK.

The next box asks for a Sguil password. Enter

password

and click OK.

The next box asks you to confirm the password. Enter

password

and click OK.

In the next box, click "Yes, proceed with the changes!".

Click "Yes, Continue!".

When you see the message "Security Onion Setup is now complete!", as shown below, click OK.

Click OK five more times. The SecurityOnion desktop appears, with several icons on it, including Squert, as shown below.

Capturing a Screen Image

Make sure the SecurityOnion desktop is visible, as shown above.

Capture a whole-desktop image and save it as "Proj 1 from YOURNAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Recommended Additional Steps

These adjustments make Security Onion easier to use.

Turn Off Power Saving

On the top left, click the little dark rectangular icon. On the right side, click Settings. On the left side, click "Power Manager", as shown below.

Adjust the power-saving settings to be less irritating, as shown below.

Install VMware Tools

This makes the screen resolution adjustable, which helps a lot when using Wireshark.

In the Terminal, execute this command:

sudo apt-get install -y open-vm-tools open-vm-tools-desktop

On the top left, click the little dark rectangular icon. At the lower right, click the icon with a little green man running. Restart your VM.

Set Time Zone

For some reason, the location you set during installation was not retained, and Security Onion runs on UTC.

To set it to the local time zone, in the Terminal, execute this command:

sudo dpkg-reconfigure tzdata

Menus appear that allow you to choose the correct time zone.

Allow Xplico Out

To access Xplico from the host machine, in the Terminal, execute this command:

sudo ufw allow 9876/tcp
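As an added example (not part of the original project page), here is a small POSIX shell script that checks whether the three recommended steps above took effect: open-vm-tools installed, the time zone no longer UTC, and a firewall rule for Xplico's port 9876/tcp. It also flags a rule that is open to every address, since "ufw allow 9876/tcp" admits any host that can reach the VM; the function names and the HOST_IP placeholder are my own.

```shell
#!/bin/sh
# Post-setup check for a Security Onion 14.04 lab VM (added example).
# Each check_* takes text as its argument so it can be exercised offline;
# run_checks gathers the live values when the script is run on the VM.

# 1. open-vm-tools installed? Expects the output of `dpkg -s open-vm-tools-desktop`.
check_vmtools() {
  printf '%s\n' "$1" | grep -q '^Status: install ok installed'
}

# 2. Time zone set to something other than UTC? Expects the content of /etc/timezone.
check_timezone() {
  tz=$(printf '%s' "$1" | tr -d '[:space:]')
  [ -n "$tz" ] && [ "$tz" != "UTC" ] && [ "$tz" != "Etc/UTC" ]
}

# 3. Xplico rule present and scoped? Expects the output of `ufw status`.
#    Returns 0 for a rule limited to one source address, 1 if the rule is
#    open to Anywhere (the unscoped rule from the page), 2 if there is no rule.
check_xplico_rule() {
  line=$(printf '%s\n' "$1" | grep -E '^9876/tcp[[:space:]]+ALLOW' || true)
  [ -n "$line" ] || return 2
  printf '%s\n' "$line" | grep -q 'Anywhere' && return 1
  return 0
}

# Live run on the VM: sh so-check.sh run
run_checks() {
  check_vmtools "$(dpkg -s open-vm-tools-desktop 2>/dev/null)" \
    && echo "vmtools: ok" || echo "vmtools: not installed"
  check_timezone "$(cat /etc/timezone 2>/dev/null)" \
    && echo "timezone: ok" || echo "timezone: still UTC"
  check_xplico_rule "$(sudo ufw status)"
  case $? in
    0) echo "xplico 9876/tcp: ok (limited to one source address)" ;;
    1) echo "xplico 9876/tcp: open to Anywhere; to limit it to your host, replace HOST_IP and run:"
       echo "   sudo ufw allow from HOST_IP to any port 9876 proto tcp" ;;
    *) echo "xplico 9876/tcp: no rule found" ;;
  esac
}

if [ "${1:-}" = "run" ]; then
  run_checks
fi
```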

Turning in Your Project

Email the images to cnit.50sam@gmail.com with a subject line of "Proj 1 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.


Last Modified: 12-10-17