Data Center: IDS solution using Security Onion

By | March 1, 2017

An enterprise environment has to be monitored for external threats. There are a lot of very expensive IDS (Intrusion Detection System) that do this for you but you can set up in a production environment a very good solution for zero cost.
The strength of an IDS is given by the IDS threats database, a GUI that presents in a clear way the threats, an effective notification system , a way to gather as much information from all the sources as possible. The following solution can be as effective or more effective that an expensive badly managed IDS solution.

STEP 1: Prerequisites

IDS system software
In my opinion most complete and easy to use out of the box solution is Security Onion
As mentioned by the site:

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and has Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Environment to be monitored
My environment to be monitored consist of:
– 3 machines
– 2 machines are running Fedora Linux , one machine is running Windows 10
– I want a full monitor of the network. There are two switches and both machines (nas1, nas2) are connected to both switches with a bonded connection.

STEP 2: IDS environment setup

The easiest way to use Security Onion is to deploy the ISO in a virtual machine. I deployed Security Onion in an Oracle VirtualBox VM hosted on the XPS 8700 Dell system with Windows 10.
The Dell machine has 3 ethernet port, all the ports will be made available to the virtual machine:
– Network Adapter 1: this is linked to the first port and is going to be the management interface on the Security Onion VM. This port is linked to SW1 switch
– Network Adapter 2: this is linked to the second port and is going to be a monitored interface on the Security Onion VM. This port is linked to SW1 port 4. Note that port 4 is configured on the switch to be a mirror port for all the other ports (Tx and Rx). This way the traffic that passes through SW1 will be sniffed by listening to this port.
– Network Adapter 3: this is linked to the second port and is going to be a monitored interface on the Security Onion VM. This port is linked to SW2 port 4. Note that port 4 is configured on the switch to be a mirror port for all the other ports (Tx and Rx). This way the traffic that passes through SW2 will be sniffed by listening to this port.

Note that all the Network Adapters are configured in bridging mode and the monitoring interface adapters are configured with “Promiscuous Mode: Allow All”. We want to be able to intercept all the traffic from the switch port independent of the source and destination.

STEP 3: Configure Security Onion

I am not going to insist here there are several online tutorials. The specific actions that I have done are:
– add eth0 as the management interface. Use DHCP or static IP does not matter.
– add eth1 and eth2 as monitored interfaces
– choose the standalone Security Onion setup. This will install the servers and clients in the VM. Note that we will have a ossec server and a client already installed on the VM.

STEP 4: Configure Sguil

After setup is done open Squil and select all the monitors.

SO_STEP4_1

Note that we have a eth1, eth2 monitors and ossec monitor. The ossec monitor is the OS monitor agent that for now gets the information from the OS VM.

Then we get to see the main Squil monitor GUI.

SO_STEP4_2

To test the IDS execute in a command line on the VM:

sudo curl http://testmyids.com

You will see an alert in Sguil.

STEP 5: Add extra Fedora Linux ossec agents

After the install we have a ossec agent that reads information from logs only on the OS of the VM. Lets add some more clients.

On the Security Onion VM execute:

sudo /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: 

Press A to add a new agent, add a name and the IP of the machine to be monitored. Repeat for all the machines.

Then list the remote agents:

****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: L

Available agents: 
   ID: 001, Name: nas1.voina.org, IP: 192.168.2.21
   ID: 002, Name: nas2.voina.org, IP: 192.168.2.22
   ID: 003, Name: dell.voina.org, IP: 192.168.2.103

Extract the keys for the remote agents using E. Save the string for each machine as you need it when setting up the client.

Open the firewall to the client machines using “so-allow” utility from Security Onion (press s to add a new sensor and make sure to show the right client IP)

gvoina@gvoina-VirtualBox:~$ sudo so-allow
This program allows you to add a firewall rule to allow connections from a new IP address.

What kind of device do you want to allow?

[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
[l] - syslog device - port 514
[o] - ossec agent - port 1514/udp
[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp

If you need to add any ports other than those listed above,
you can do so using the standard 'ufw' utility.

For more information, please see the Firewall page on our Wiki:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall

Please enter your choice (a - analyst, l - syslog, o - ossec, or s - Security Onion sensor):

On Fedora machines nas1 and nas2 do the following:

Add the Atomicorp repository.

wget -q -O - http://atomicorp.com/installers/atomic | sh

Then install the ossec client.

dnf install ossec-hids-client

On the client machines (nas1, nas2) configure the client and import the client key extracted with “manage_agents” on the server from the VM.

[root@nas2 logs]# /var/ossec/bin/manage_client 
****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: 

Configure the client by editing the config (/var/ossec/etc/ossec.conf) file and add the server IP under the “server-ip” tag

Restart ossec-hids on the client machines (nas1 and nas2)

/etc/init.d/ossec-hids restart

On the Security Onion VM restart ossec-control:

sudo /var/ossec/bin/ossec-control restart

STEP 6: Add extra Windows ossec agent

Download the Agent Windows ossec from http://ossec.github.io/downloads.html

After installation add the client key created at Step 5 (the dell client) and indicate the ossec server IP. Trigger a restart of the client.
ossec-win

STEP 7: Monitor

Fire up the Sguil interface and watch for events. Windows 10 will raise for sure some events because of the constant communication of user data to Microsoft (yes I hate it too).

[paypal_donation_button]

2 thoughts on “Data Center: IDS solution using Security Onion

  1. Pingback: Data Center: Add EdgeRouter logs to Security Onion – blog.voina.org

Leave a Reply to George VoinaCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.