Security Onion (SO) 

Over the last few months, cybersecurity has been talked about more and more. I was wondering whether it is possible to have a cybersecurity infrastructure at home. Of course, I do not want an extraordinarily complex one with many components, but something that I could run on a decent computer with my current 12 GB of RAM.

Just last week Security Onion Solutions released the latest version (2.3.40). I have been testing the previous version for a while. The options I had were CentOS or Ubuntu, with the software installed on top. To be honest, I have not tested the new release, but I am more than happy with the previous one. I will talk about the one I am running so far (2.3.21).

What is this about?

It is a Linux distribution oriented towards threat hunting and monitoring. Of course, free and open. The software it runs is very well known and has a good reputation in the industry: TheHive, Playbook and Sigma, Fleet and osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, Zeek and Wazuh. In older versions everything was installed and burned into an ISO, but now everything runs in Docker containers. There is a command (so-status) to check the status of the containers.

What options do I have in case that I want to test it? 

You can download an ISO, or install it on top of a CentOS or Ubuntu distribution. A nice option in the latest version is that it is also available in the Amazon cloud. If you want to test it with a lot of computing power, this is an excellent alternative.

The hardware requirements for EVAL mode are 4 CPU cores, 12 GB of RAM and 200 GB of storage.

Of the Security Onion use cases mentioned in the documentation (NIDS, HIDS, static analysis (PCAP import) and SOC workstation), I personally use all of them. It currently sits in front of my router: I mirrored the switch port that goes to the internet, and I sniff all the traffic that passes through that port. For my small environment I can afford long retention. Retention is especially important in a production environment, so keep that in mind. As a quick calculation: for a 50 Mbps link, the data saved per day is 540 GB! Anyway, since January the packet loss shown in my Grafana has always been 0.
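The 50 Mbps calculation above generalises easily. The helper below is an added example, not code from the original post or from Security Onion: it computes the daily full-packet-capture volume for any link rate and average utilisation, and turns the figure around to estimate how many days of PCAP a given /nsm partition can hold. The link rates, the utilisation figures, the 200 GB disk and the 50% PCAP share are constructed inputs for the example, not Security Onion settings.

```python
# Added example, not from the original post: generalise the "50 Mbps ->
# 540 GB/day" calculation into a small sizing helper for full packet capture,
# and turn it around to answer how many days of PCAP a /nsm partition holds.
# Link rates, utilisation figures and the 200 GB disk are constructed inputs.

SECONDS_PER_DAY = 86_400


def daily_capture_gb(link_mbps, utilisation=1.0):
    """GB written per day when every packet on the link is captured.

    Decimal units throughout (1 GB = 10**9 bytes), matching how link rates
    are quoted: 50 Mbps at full utilisation gives exactly 540 GB/day.
    """
    bytes_per_second = link_mbps * 1_000_000 / 8 * utilisation
    return bytes_per_second * SECONDS_PER_DAY / 1e9


def retention_days(nsm_disk_gb, link_mbps, utilisation=1.0, pcap_share=0.5):
    """Days of PCAP that fit in /nsm.

    pcap_share is the fraction of /nsm reserved for PCAP; the rest is left for
    Zeek and Suricata logs and the Elasticsearch indices. The 0.5 default is an
    assumption for this example, not a Security Onion setting.
    """
    per_day = daily_capture_gb(link_mbps, utilisation)
    return float("inf") if per_day == 0 else nsm_disk_gb * pcap_share / per_day


def sizing_table(nsm_disk_gb, link_rates_mbps, utilisation):
    """(link rate, GB/day, retention days) for each candidate link rate."""
    return [(mbps, round(daily_capture_gb(mbps, utilisation), 1),
             round(retention_days(nsm_disk_gb, mbps, utilisation), 1))
            for mbps in link_rates_mbps]


if __name__ == "__main__":
    # EVAL-mode minimum of 200 GB, all assumed to be /nsm, at 30% average load.
    for mbps, gb_day, days in sizing_table(200, [10, 50, 100, 1000], 0.3):
        print(f"{mbps:>5} Mbps: {gb_day:>7.1f} GB/day -> {days:>6.1f} days of PCAP")
```

The point the table makes for a home lab is that the EVAL-mode minimum disk holds well under a day of PCAP at anything close to a saturated 50 Mbps link, so the "long retention" the post enjoys comes from low average utilisation, not from the disk size.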

Which tools can we find inside? 

[Alerts] 

Starting from the top left of the home page, the first interesting option to click on is Alerts.

As you can see in the screenshot above, we have an overview of the alerts which, as in the example, can be grouped by different fields, such as event.module or severity. From there, you can also escalate an alert with the blue icon or acknowledge it with the acknowledge button. As soon as you click it, the alert is sent to TheHive and disappears from that page. As the picture shows, you can also view the acknowledged and escalated alerts.

[Hunt] 

In Hunt you have the same information as in the previous option, plus Group Metrics and three different graphs showing occurrences and a timeline.

[PCAP] 

It is obvious what this is for. What matters is the retention you have in your system. By selecting, for example, a port and a time filter, you can retrieve from the system all the traffic that matches the options you selected.

[Grid] 

This allows you to see all the nodes, but with an evaluation license only one is shown.

[Downloads] 

Here there are links to the Elasticsearch utilities, the Wazuh agents, and the osquery packages and configs. To be honest, I have only tested the Wazuh agent.

[Administration] 

This is only for user management.

[TOOLS] 

There is an option to install an analyst VM in which you can investigate the pcaps and do further analysis, but I have no time for that right now.

[Kibana] 

This is an ELK stack with more than 90 predefined dashboards that give you an overview of each topic, with the complete logs below.

[Grafana] 

This is a small tool for monitoring your system status. With the provided dashboard you can see your CPU and memory usage and how much of it each module consumes (Zeek, Suricata, Steno). The packet loss of each module is also shown, as well as the space consumed by the main partitions “/” and “/nsm” (most of the data is saved there), the PCAP retention, the monitored traffic and some more.

I did not check whether you can modify the default dashboards. Remember that if you want to modify some configuration, the system is managed by Salt. Keep that in mind.

[Cyberchef] 

I have only used this tool in CTFs, but it has an API and you could automate many tasks with it. It is a great tool.

[Playbook] 

There is also a tool with detection playbooks, which you can edit and modify. If you are good with Sigma rules, this is your place to play. In the following example you can see a playbook.
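To make concrete what a playbook's Sigma rule actually decides, here is an added example that is not Security Onion's code, nor the Sigma project's: a minimal evaluator for the subset of Sigma detection logic that simple playbooks use, run over three constructed Sysmon-style process events. Real Sigma rules are YAML; the rule is written here as a Python dict with the same logsource/detection/condition layout so that no YAML library is needed. The rule, the events, and the "AdminTools" exclusion path are all constructed for the example. It handles plain, |contains, |startswith and |endswith modifiers, list values (OR), and and/or/not conditions with parentheses, and honours Sigma's case-insensitive matching; wildcards, regex modifiers and aggregation expressions are left out.

```python
# Added example, not Security Onion's or the Sigma project's code: a minimal
# evaluator for the subset of Sigma detection logic simple playbooks use, run
# over constructed events. Real rules are YAML; this dict mirrors that layout.
# Supported: plain/|contains/|startswith/|endswith, list values (OR), and
# and/or/not conditions with parentheses. Wildcards and regex are not handled.

# Constructed rule. Field names follow Sysmon process-creation events.
RULE = {
    "title": "Encoded PowerShell command line (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-EncodedCommand "],
        },
        # Placeholder exclusion for a hypothetical in-house deployment tool.
        "filter": {"ParentImage|startswith": "C:\\Program Files\\AdminTools\\"},
        "condition": "selection and not filter",
    },
}

_MODIFIERS = {
    "": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "startswith": lambda actual, expected: actual.startswith(expected),
    "endswith": lambda actual, expected: actual.endswith(expected),
}


def _match_value(modifier, actual, expected):
    """Compare one event field with one rule value; Sigma matching is case-insensitive."""
    actual = ("" if actual is None else str(actual)).lower()
    return _MODIFIERS[modifier](actual, str(expected).lower())   # KeyError on unknown modifier


def match_search(search, event):
    """A Sigma search map: every key must match (AND); list values are OR."""
    for key, expected in search.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, event.get(field), v) for v in candidates):
            return False
    return True


def eval_condition(condition, results):
    """Evaluate 'a and not (b or c)' style conditions over named search results."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            right = parse_and()      # always parsed so the cursor stays in sync
            value = value or right
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            right = parse_not()
            value = value and right
        return value

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        token = tokens[pos]
        pos += 1
        if token == "(":
            value = parse_or()
            pos += 1                 # consume the closing parenthesis
            return value
        return results[token]        # KeyError if the condition names an unknown search

    return parse_or()


def evaluate(rule, event):
    detection = rule["detection"]
    results = {name: match_search(search, event)
               for name, search in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


# Constructed events: one true positive, one excluded by the filter, one benign.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc ZABpAHIA", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand ZABpAHIA",
     "ParentImage": "C:\\Program Files\\AdminTools\\deploy.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def run_playbook(rule, events):
    """Indices of the events the rule fires on."""
    return [i for i, event in enumerate(events) if evaluate(rule, event)]


if __name__ == "__main__":
    print(RULE["title"], "->", run_playbook(RULE, EVENTS))
```

The filter is the part worth thinking about when you edit a playbook: a |startswith exclusion on a parent path silences every alert under that path, so it should be as narrow as the environment allows, and the case-insensitive comparison means a rule value written in mixed case matches the same events as its lower-case form.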

[Fleet] 

This is going to be deprecated, so I will not comment on it.

[The hive] 

If we want a Security Incident Response Platform, we also have TheHive. The tool allows you to manage incidents. In combination with Cortex, an analysis engine (there is no direct link on the Security Onion home page, but you can reach it by adding /cortex to the URL), you could use it if you work as an incident responder or in a SOC. TheHive is, as announced on the project website, highly integrated with MISP, a threat sharing platform through which you can benefit from the investigation cases of others in your industry, for example common cases in banking. In any case, MISP is not installed by default; you need to go through some steps if you want it installed on your system.

[Navigator] 

Another tool in the list is the Navigator, which is for MITRE ATT&CK. You can personalize it with colors, create groups, select by threat groups, software, mitigations and much more. You can also add different playbooks.

Apart from the “visible” software, there are other pieces that are important to mention. Just in terms of networking, we have:

Suricata. This is a network-based IDS and gives us the alerts.  

Zeek. A network analysis framework, previously known as Bro, that provides protocol metadata logs. Thanks to AF_PACKET you can balance the traffic capture across different Zeek workers. The number of workers is selected at installation, but it can also be modified afterwards.

Strelka. For threat hunting. It is used for real-time file scanning, but it can also be used for threat detection and incident response. You see it in action when you click “Hunt” in SO.

Stenographer. This is full packet capture software.
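Suricata and Zeek produce the two data sets that the Alerts and Hunt pages are built on, so it is worth seeing their raw shapes side by side. The following is an added example, not Security Onion's code: it parses a Zeek conn.log (tab-separated, with the #fields, #unset_field and #empty_field header lines that every Zeek log carries) and Suricata's EVE JSON output, groups the alerts by severity the way the Alerts page does, and ties each alert to its Zeek connection through the community_id field that both tools record. Both inputs are constructed samples in the real file layouts; the uids, the community_id strings and the LOCAL signatures are placeholders, not values from any real deployment.

```python
# Added example, not Security Onion's code: read Suricata EVE JSON alerts and
# a Zeek conn.log, group alerts by severity as the Alerts page does, and tie
# each alert to its Zeek connection through the community_id both record.
# The samples are constructed in the real file layouts; uids, community_id
# strings and signatures are placeholders.
import json
from collections import Counter

ZEEK_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tcommunity_id
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tstring
1620000000.123456\tCq1x3M2oVnPeHTWkOh\t192.168.1.10\t52344\t203.0.113.5\t80\ttcp\thttp\t0.523\t412\t15820\tSF\t1:EXAMPLE-A=
1620000001.500000\tCWpc4y1eGhGw8s2Iw9\t192.168.1.10\t53012\t203.0.113.7\t443\ttcp\t-\t-\t-\t-\tS0\t1:EXAMPLE-B=
1620000002.000000\tCzvwWu2o5k6pQ8Bpz7\t192.168.1.22\t34567\t198.51.100.9\t53\tudp\tdns\t0.010\t60\t120\tSF\t1:EXAMPLE-C=
#close\t2021-05-03-00-00-05
"""

# One JSON object per line; note the non-alert "flow" record that must be skipped.
SURICATA_EVE = """\
{"timestamp":"2021-05-03T00:00:00.400000+0000","event_type":"alert","src_ip":"192.168.1.10","src_port":52344,"dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP","community_id":"1:EXAMPLE-A=","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"LOCAL constructed HTTP policy alert","category":"Misc activity","severity":2}}
{"timestamp":"2021-05-03T00:00:01.600000+0000","event_type":"alert","src_ip":"192.168.1.10","src_port":53012,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","community_id":"1:EXAMPLE-B=","alert":{"action":"allowed","signature_id":1000002,"rev":1,"signature":"LOCAL constructed TLS policy alert","category":"Misc activity","severity":1}}
{"timestamp":"2021-05-03T00:00:02.100000+0000","event_type":"flow","src_ip":"192.168.1.22","src_port":34567,"dest_ip":"198.51.100.9","dest_port":53,"proto":"UDP","community_id":"1:EXAMPLE-C="}
{"timestamp":"2021-05-03T00:00:03.000000+0000","event_type":"alert","src_ip":"192.168.1.30","src_port":40000,"dest_ip":"203.0.113.9","dest_port":22,"proto":"TCP","community_id":"1:EXAMPLE-Z=","alert":{"action":"allowed","signature_id":1000003,"rev":1,"signature":"LOCAL constructed SSH policy alert","category":"Misc activity","severity":3}}
"""


def parse_zeek_log(text):
    """Yield one dict per record, honouring the #fields/#unset_field/#empty_field headers."""
    fields, unset, empty = None, "-", "(empty)"
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            continue
        if not line or fields is None:
            continue
        values = line.split("\t")
        yield {name: None if val == unset else ("" if val == empty else val)
               for name, val in zip(fields, values)}


def parse_eve_alerts(text):
    """Only event_type 'alert' records; EVE also carries flow, dns, http and other events."""
    return [ev for ev in (json.loads(l) for l in text.splitlines() if l.strip())
            if ev.get("event_type") == "alert"]


def group_alerts(alerts, field_path):
    """Count alerts by a dotted field such as 'alert.severity' or 'dest_port'."""
    counts = Counter()
    for alert in alerts:
        value = alert
        for part in field_path.split("."):
            value = value.get(part) if isinstance(value, dict) else None
        counts[value] += 1
    return dict(counts)


def enrich_with_zeek(alerts, conns):
    """Attach the Zeek connection record with the same community_id, if any."""
    by_cid = {c["community_id"]: c for c in conns if c.get("community_id")}
    enriched = []
    for alert in alerts:
        conn = by_cid.get(alert.get("community_id"))
        enriched.append({
            "signature": alert["alert"]["signature"],
            "severity": alert["alert"]["severity"],
            "zeek_uid": conn["uid"] if conn else None,
            "service": conn["service"] if conn else None,   # None when Zeek left it unset ("-")
            "bytes": int(conn["orig_bytes"] or 0) + int(conn["resp_bytes"] or 0) if conn else None,
        })
    return enriched


if __name__ == "__main__":
    conns = list(parse_zeek_log(ZEEK_CONN_LOG))
    alerts = parse_eve_alerts(SURICATA_EVE)
    print("alerts by severity:", group_alerts(alerts, "alert.severity"))
    for row in enrich_with_zeek(alerts, conns):
        print(row)
```

Two details matter in practice: Zeek writes "-" for a field it never set and "(empty)" for a set-but-empty one, and collapsing both to the same value hides the difference between "no service identified" and "service identified as empty"; and an alert whose community_id has no conn.log counterpart, like the third one here, usually means the packets fell outside the Zeek log retention window or Zeek dropped them, which is exactly the packet-loss figure Grafana tracks.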

It is important to understand that once you put a network interface in sniffing mode, this is the flow that generates the data and where it ends up.

If we talk about the machine itself, there are more tools involved:

osquery: This uses SQL queries to describe a device.

Beats: A log shipper that sends logs to the Elastic Stack. I did not test it, since my deployment is based on a single machine.

Wazuh: I tried this separately in the past and was very happy with the results. It is designed for threat detection, integrity monitoring, incident response and compliance.

Syslog: I believe I have nothing to say other than that it is system logging software.

Sysmon: It is designed for Windows logging.  

Autoruns: Also designed for the Windows platform. It can gather information about programs configured to run when a machine starts.

If you are a threat hunter or incident responder, you should give this tool a chance. I tried others like RockNSM or SELKS, but Security Onion is better in general.

Most of the screenshots mentioned in this document were about the web interface, but of course the command line via SSH is also available. In fact, for some options it is highly recommended. There is a bunch of “so-” commands with which you can start, stop and restart specific services. Also, if you want to add users, it should be done here; the user is then propagated to TheHive and Fleet as well as to the Security Onion Console.

Keep in mind that for a small lab the Evaluation mode is enough, but at large scale you need to check the deployment options they propose. It always depends on your budget.

References:  

https://securityonionsolutions.com/software/

https://thehive-project.org/

https://docs.securityonion.net/en/latest/index.html

Author: Eduardo Cuthbert