Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

VMWare Walkthrough

doug edited this page Aug 27, 2019 · 9 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/VMWare-Walkthrough.

Please note this walkthrough was written for the previous version of Security Onion (14.04). The current version of Security Onion is 16.04 and you can follow one of the updated Installation guides.

Overview

This tutorial was written to address setting up Security Onion 14.04 in VMWare Workstation Pro 12 (although this should be similar for most VMWare installations).

If you don't have VMWare Workstation, you could also use VMWare Player, found here:

http://www.vmware.com/products/player/playerpro-evaluation.html

Installation

Follow the steps below to setup a standalone machine in Evaluation Mode:

  1. Obtain and verify the latest Security Onion ISO, found here:
    https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
  2. From VMWare, select File >> New Virtual Machine.
  3. Select Typical installation >> "Click Next".
  4. Installer disc image file >> SO ISO file path >> Click "Next".
  5. Choose Linux, Ubuntu 64-Bit and click "Next".
  6. Specify virtual machine name and click "Next".
  7. Specify maximum disk size (min 20GB), store as single file, click Next.
  8. Customize hardware:
  9. Memory – 3GB
  10. Processors – 2/1 core each
  11. Network Adapter (NAT or Bridged -- if you want to be able to access your Security Onion machine from other devices in the network, then choose Bridged, otherwise choose NAT to leave it behind the host) -- in this tutorial, this will be the management interface.
  12. Add >> Network Adapter (Bridged) - in this tutorial, this will be the sniffing (monitor) interface.
  13. Click "Close".
  14. Click "Finish".
  15. Power on the virtual machine.
  16. Wait for boot or press enter while selecting “Install”.
  17. From the Welcome Screen, select language and click "Continue".
  18. Click “Continue”.
  19. Select "Use LVM with the new SecurityOnion installation" (or "Erase existing disk…").
  20. Click "Install Now".
  21. Confirm changes and click "Install Now".
  22. From the "Where are you?" prompt, select your time zone and click "Continue".
  23. Drag the window to the left (Ubuntu 14.04 bug), and click "Continue".
  24. Enter your name.
  25. Enter your computer’s name.
  26. Select a username and enter a password.
  27. Click "Continue".
  28. Click "Restart Now".
  29. (Optional) Adjust display settings >> Terminal Icons, Settings >> Display > Choose and confirm resolution.

Soup

  1. Before running Setup, ensure you run "soup" to ensure you have the latest updates:
  2. Enter terminal and type the following: sudo soup -y.
  3. You may be prompted to reboot. If so, reboot, and continue to the next step.

Setup: Phase 1

  1. Click the Security Onion "Setup" icon on the desktop.
  2. You will be prompted to enter an administrative password (same one you defined during the install). Enter it here and click "OK".
  3. Setup will ask if you would like to continue. Click "Yes, Continue!".
  4. Setup will ask if you would like to configure /etc/network/interfaces. Click "Yes, configure /etc/network/interfaces!".
  5. Setup will ask which network interface should be the management interface. Select the desired interface and click "OK".
  6. Setup will ask if you would like to use static or DHCP addressing. The quickest and easiest option would be to use DHCP (if it is available, however, for production installs, you may want to use static). Choose your desired addressing type and click "OK".
  7. Setup will ask if you would like to configure sniffing (monitor) interfaces. Click "Yes, Configure sniffing interfaces."
  8. Setup will ask which interfaces should be used for sniffing. Select the desired interface(s) and click "OK".
  9. Setup will present a summary of the changes to be made to the interface configuration. If correct, click "Yes, make changes!".
  10. Set up will ask to reboot so that changes to the configuration can be completed. Click "Yes, reboot!".

Setup: Phase 2

  1. After the machine reboots, click the Security Onion 'Setup" icon.
  2. You will be prompted to enter an administrative password (same one you defined during the install). Enter it here and click "OK".
  3. Setup will ask if you would like to continue. Click "Yes, Continue!".
  4. Setup will ask if you would like to skip network configuration. If you are satisfied with the configuration you specified earlier, click "Yes, skip network configuration."
  5. Setup will ask if you would like to configure "Evaluation Mode" or "Production Mode". For testing, you can simply configure "Evaluation Mode", otherwise, choose "Production Mode" to configure a number of options. In this tutorial, we will choose "Evaluation Mode" for simplicity. This will configure a single instance of Snort and Bro. Select "Evaluation Mode" and click "OK".
  6. Setup will ask which interface(s) should be monitored. Select the desired interfaces(s) and click "OK".
  7. Setup will ask what username and password you would like to configure to access Sguil, Squert, and Kibana. Enter the username and password, and verify the password, clicking "OK" at each prompt.
  8. Setup will present you with a summary of changes to be made upon confirmation. If you are satisfied with the presented changes, click "Yes, proceed with the changes!".

Post-Installation

After setup is complete, you should be presented with several dialogs, offering suggestions and useful information, such as:

Things to keep in mind

  • With the sniffing interface in "bridged" mode, you will be able to see all traffic to/from the host machine's physical NIC. If you would like to see ALL the traffic on your network, you will need a method of forwarding that traffic to the interface to which the virtual adapter is bridged. This can be achieved by switch port mirroring (SPAN), or through the use of a tap.
Clone this wiki locally