Thursday, October 31, 2013

Installing and Configuring Security Onion to Monitor VM Traffic

This post will go over how to install Security Onion in a VM on a VMware ESXi 5.1 host to monitor the traffic of the other VMs on that host. Security Onion is a network security monitoring distribution built on top of Ubuntu.

Step 1:
Upload the Security Onion ISO to the ESXi host. Rather than making the ESXi host constantly pull data from an ISO on the local workstation, copy the ISO to the host's local datastore. Select the host in the left-hand pane, open the "Summary" tab, right-click the local datastore and choose "Browse Datastore".

Click the upload icon and upload the Security Onion ISO.


Step 2:
Create and install the new virtual machine. When creating the VM, give it two NICs: one in the management port group and one in the span port group. The management address for the sensor will be 192.168.1.14.

Attach the ISO from the local datastore in the virtual machine settings.

Install Security Onion normally. It is built on top of Ubuntu and uses the same very easy installer.

The installer eventually finishes and Security Onion is ready to use.
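A check worth running on the sensor once it boots, added here as an example and not part of the original post or of Security Onion's own tooling: the NIC in the span port group only sees the other VMs' frames if it is in promiscuous mode on the guest side (and, on ESXi, if the span port group's security policy accepts promiscuous mode). The script below parses the one-line-per-interface output of `ip -o link` and reports whether an interface is administratively up, has link, and is promiscuous. The interface names `eth0` and `eth1` and the two sample lines are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from Security Onion itself.
# Checks whether a sensor interface is UP, has link, and is in promiscuous
# mode by parsing `ip -o link` output. The sniffing NIC name "eth1" and the
# sample lines below are assumptions, not captured from a real sensor.

# Extract the comma-separated flag list between < > from one `ip -o link` line.
link_flags() {
    printf '%s\n' "$1" | sed -n 's/^[0-9]*: [^:]*: <\([^>]*\)>.*/\1/p'
}

# Return 0 when the line carries the named flag. The surrounding commas make
# this an exact match, so "UP" does not match "LOWER_UP".
link_has_flag() {
    case ",$(link_flags "$1")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# A usable sniffing interface is UP, has link (LOWER_UP) and is PROMISC;
# without PROMISC the NIC discards frames addressed to other hosts.
sniff_ready() {
    link_has_flag "$1" UP && link_has_flag "$1" LOWER_UP && link_has_flag "$1" PROMISC
}

# Constructed sample lines in the format `ip -o link` prints.
# eth0 plays the management NIC, eth1 the NIC in the span port group.
SAMPLE_MGMT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000\    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff'
SAMPLE_SNIFF='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000\    link/ether 00:0c:29:dd:ee:ff brd ff:ff:ff:ff:ff:ff'

# Live check on the sensor, e.g. `check_live eth1`. Prints a verdict and
# returns 0 only when the interface is ready to sniff.
check_live() {
    line=$(ip -o link show "$1" 2>/dev/null) || { echo "$1: no such interface"; return 1; }
    if sniff_ready "$line"; then
        echo "$1: UP, link present, PROMISC - ready to sniff"
    else
        echo "$1: flags <$(link_flags "$line")> - not ready (needs UP, LOWER_UP, PROMISC)"
        return 1
    fi
}
```

If `check_live eth1` reports the interface is up but not PROMISC, the guest side is the problem; if it is PROMISC but Snorby never shows traffic from other VMs, look at the port group's promiscuous-mode policy on the ESXi side.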

Step 3:
Configure Security Onion. Run the Setup utility on the desktop. The questions are very straightforward, and many other tutorials available online cover the initial configuration.

When setup completes, it leaves an initial web page from which many of the tools are available.

Step 4:
Verify functionality. The Wireshark website hosts a number of pcaps that are captures of attacks. Performing a basic nmap scan of some of the hosts generates a number of events in Snorby.

More importantly, all of the traffic on the virtual network is now being logged and examined by Security Onion. From the Snorby interface:

From the Squert interface:

One thing to be careful of: the VM captures and saves every packet it sees for later analysis. This can quickly fill its disk, overwhelm the system, and possibly slow down other VMs on the ESXi host. Reserving and limiting resources on the ESXi host will be covered in another post.
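To make the disk side of that caveat concrete, here is an added example (not from the original post, and not Security Onion's own retention logic, which the distribution manages itself) of a capture-directory budget check: it sums the bytes in a pcap directory and deletes the oldest files first until the directory is back under a byte budget. The directory path and budget are placeholders you would set for your own sensor; the five-file sample directory is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post and not Security Onion's own
# purge mechanism. Keeps a capture directory under a byte budget by deleting
# the oldest pcaps first. The sensor path and budget in the usage note are
# placeholders; the sample directory is constructed for the demo.

# Total logical size in bytes of all regular files under a directory
# (logical size, so block rounding of the filesystem does not affect it).
dir_usage_bytes() {
    find "$1" -type f -exec cat {} + | wc -c | tr -d ' '
}

# Return 0 when the directory is above the byte budget.
over_budget() {
    [ "$(dir_usage_bytes "$1")" -gt "$2" ]
}

# Delete the oldest files (by modification time) until under budget.
# Prints the number of files removed.
prune_oldest() {
    dir=$1; budget=$2; removed=0
    while over_budget "$dir" "$budget"; do
        oldest=$(ls -tr "$dir" | head -n 1)   # ls -tr lists oldest first
        [ -n "$oldest" ] || break               # nothing left to delete
        rm -f "$dir/$oldest"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Build a constructed sample: five 100 KB pcaps, capture_1 the oldest.
make_sample_dir() {
    d=$(mktemp -d)
    i=1
    while [ "$i" -le 5 ]; do
        head -c 102400 /dev/zero > "$d/capture_$i.pcap"
        touch -t "20131031010$i" "$d/capture_$i.pcap"   # 31 Oct 2013 01:0i
        i=$((i + 1))
    done
    echo "$d"
}

# Usage on a sensor (placeholder path and a 50 GB budget):
#   prune_oldest /path/to/pcaps 50000000000
```

Running `prune_oldest` on the sample directory with a 250000-byte budget removes the three oldest files and leaves `capture_4.pcap` and `capture_5.pcap`. A budget-based purge like this keeps the sensor's disk from filling, but it does nothing for the CPU and memory the capture process consumes on the shared host, which is why resource reservations on the ESXi side still matter.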
