So the other day I was wondering about this, especially as I have used Security Onion in my MFIRE class. There are a few options when installing NSM on your VM... and I wondered how to set it up so you had a server (maybe with a sensor on it) and then a sensor off somewhere else feeding that server with information. That way, if you are ever on site collecting data but really do not feel like going into each box separately... this would solve that issue. Well, no time like the present to find out. Off we go!
1) Google is your friend (duh). I have never met the creator of Security Onion (Doug Burks), but I would definitely give him a big hug for creating this tool. Anywhoo... I found him talking in 2011 about doing this exact same thing. Score.
2) Load up your VMs of Security Onion. Obviously we need two here.
3) Set up your server FIRST
- Configure NSM
- Go to Applications > NSM > Setup and follow along
- Let's choose advanced... and for grins let's install BOTH a sensor and a server
[Screenshot: Configure what you want on this Instance]
- Choose your IDS... (but choose wisely!) I will use Snort
- Next is the rules you want to use. If you do not have an oinkcode you must go for 'Emerging Threats GPL'. You can get an oinkcode for free over at the Snort website. Don't worry if you set this up before you have your oinkcode; you can add it manually in the /etc/pulledpork/pulledpork.conf file.
[Screenshot: Rulesets]
- Enter your username. Write this down. Seriously- take my pen. Do it.
- Enter your email address. If you won't be sending yourself alerts don't stress this one too much. But write it down all the same.
- This is the big one-- password. Don't forget this!
- Ok, now NSM tells you what it's about to do. If you are OK with this hit 'Yes'
- Update rules/add any local rules. You can do this by running PulledPork (Applications > NSM > Rule Update)
- Before we leave, run 'ifconfig' in a terminal and note the IP
4) Set up sensor
- Configure NSM
- This is almost like above, except when you hit which components you would like to configure, hit 'Sensor'
- Remember how I said to note down that IP of the server? Well here is where you add it. You can add by host name if you prefer.
[Screenshot: May want to ensure you can reach this first to save heartache...]
- Now enter a username so NSM can ssh to the server. Note you need to add this user to the sudo list as well. For questions about adding a user or adding a user to a sudo list check out the respective links. (*note* be sure to create a home directory for the user, i.e. use the '-m' flag with useradd)
[Screenshot: Here piggy piggy!]
- Ok, choose whichever rules you chose for the server (for me Snort)
- Choose what interface you would like to listen on
- Again, we get NSM telling us what it will do and if you are happy click 'Yes'
- Don't go grab your coffee yet, you will need to enter the password for the SSH user! OK.. NOW go grab your coffee.
- Rules will be pulled from the server when you run 'Update Rules'
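Before kicking off the sensor wizard it is worth confirming the three things steps 3 and 4 depend on: the server answers on SSH, the SSH user exists with a real home directory and sudo membership, and the oinkcode made it into pulledpork.conf. The script below is an added example (not part of the original post or of Security Onion); the passwd/group/conf paths default to the live system but can be pointed at copies, and the `<oinkcode>` placeholder is the stock PulledPork one, assumed here.

```sh
# check_ssh_user USER [PASSWD_FILE] [GROUP_FILE]
# Passes when USER exists, its home directory is really there (useradd -m)
# and it is a member of the sudo group. File paths can be overridden so the
# check can be run against a copied /etc from another box.
check_ssh_user() {
    user=$1; passwd_file=${2:-/etc/passwd}; group_file=${3:-/etc/group}
    entry=$(grep "^${user}:" "$passwd_file") || { echo "no such user: $user"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        echo "$user has no home directory; recreate it with 'useradd -m'"
        return 1
    fi
    # group line looks like: sudo:x:27:melissa,onion
    members=$(grep '^sudo:' "$group_file" | cut -d: -f4)
    case ",$members," in
        *",$user,"*) return 0 ;;
        *) echo "$user is not in the sudo group; fix with 'usermod -aG sudo $user'"; return 1 ;;
    esac
}

# check_oinkcode [CONF]
# Passes when pulledpork.conf has a Snort rule_url whose <oinkcode>
# placeholder (the stock PulledPork placeholder, assumed here) was replaced.
check_oinkcode() {
    conf=${1:-/etc/pulledpork/pulledpork.conf}
    line=$(grep -E '^rule_url=.*snort' "$conf") || { echo "no Snort rule_url in $conf"; return 1; }
    case $line in
        *'<oinkcode>'*) echo "oinkcode placeholder still present in $conf"; return 1 ;;
        *) return 0 ;;
    esac
}

# check_server_reachable HOST [PORT]
# The sensor wizard drives SSH to the server, so confirm TCP/22 answers first.
check_server_reachable() {
    host=$1; port=${2:-22}
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port"
    else
        ping -c 1 "$host" >/dev/null 2>&1
    fi
}
```

On the sensor, source the file and run e.g. `check_server_reachable SERVER_IP && check_ssh_user onion` (replace both with your own values); run `check_oinkcode` on the server, since that is where rules are pulled.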
5) Fire up Sguil and let 'er rip!
Hopefully now everything is peachy. Let's fire up Sguil on the server, log in, and see if we can see the interfaces we can monitor. Drumroll please!
[Screenshot: Add What You Would Like to Monitor]
Success! We see both the local sensor (melissa-desktop-eth0) and our remote sensor (MFIRE-eth4). If you are wondering what OSSEC is, check it out here. Select the networks you want to monitor and then hit 'Start SGUIL'.
[Screenshot: Oooh... data!]
Look at all that fun stuff (I highlighted me deleting my user because I originally forgot its home directory. It labeled it as 'attack followed by the addition of a user'... oops). I will not go into the inner workings of SGUIL here. I will say, however, that if you want to look at this in prettier ways... you can log into Snorby or Squert. I hope you wrote down that information during setup!
[Screenshot: Snorby Screenshot]
[Screenshot: Squert Screenshot]
Oh and psh... did I mention Security Onion is free? :)
3 comments:
What I really like about Security Onion is that once you get past setting it up (which btw is a breeze thanks to your article), you have all these utilities packed into it, readily available and configurable to suit your needs. And it looks less cluttered than the other distros that I’ve tried before.
Also, can’t go wrong with free stuff! ;) Will get back to this after I unbury myself from backlogs. Cheers!
Doug Leven
Setting up network security monitoring for multiple sensors is really a good idea. It should certainly be implemented by businesses for better results.