Evaluate Security Onion on Ubuntu 12.04

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Starting point: Ubuntu 12.04 (32-bit or 64-bit)

Download the ISO image for your preferred flavor of Ubuntu 12.04.5, verify its checksum against the signed SHA256SUMS file published alongside it (not just against a hash pasted on a web page), and boot from it.

    1. Follow the prompts in the installer, but note the two points below first.
       • When offered the “encrypt home folder” option, DO NOT enable it.
       • When asked about automatic updates, DO NOT enable them.
    2. Reboot into your new installation.
    3. Log in using the username/password you specified during installation.
    4. Verify that you have Internet connectivity. If necessary, configure your proxy settings.
    5. Log back in (using “ssh -X” if you’re installing on Ubuntu Server or another headless system).
    6. Configure debconf to run non-interactively so that the MySQL package does not prompt for a root password during installation:
       echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
    7. Add the Security Onion stable repository:
       sudo apt-get -y install python-software-properties
       sudo add-apt-repository -y ppa:securityonion/stable
       sudo apt-get update
    8. Install the securityonion-all metapackage:
       sudo apt-get -y install securityonion-all
    9. Run the Setup wizard:
       sudo sosetup
   10. Follow the prompts.
   11. Analyze alerts using the Sguil client, or open a browser to https://localhost (or the server’s address, if you’re connecting from another machine) where you can access Squert, Snorby, and ELSA.
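The procedure above as one script, added here as an example and not part of the page or of Security Onion's own tooling. It does two things the list only mentions in passing: it verifies the downloaded ISO against Ubuntu's SHA256SUMS file and checks that the detached signature on that file was made by a specific key (the fingerprint is a parameter you must take from Ubuntu's own documentation; a bare “gpg --verify” success would accept any key in your keyring), and before installing it confirms that apt will source securityonion-all from the Security Onion PPA. The file name so-install.sh, the positional arguments and the keyserver are assumptions; the apt commands are the page's own.

```shell
#!/bin/sh
# Added example (not Security Onion's own tooling).  File names, paths and the
# signing-key fingerprint are supplied by the caller; nothing is hardcoded.

# Print the SHA-256 digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_iso SHA256SUMS ISO
# Returns 0 if the digest of ISO matches its entry in SHA256SUMS, 1 on a
# mismatch, 2 if the file has no entry.  Ubuntu writes entries as
# "<hex> *<filename>" (binary mode), so a leading asterisk is tolerated.
verify_iso() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_iso: no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256_of "$iso")
    if [ "$actual" != "$expected" ]; then
        echo "verify_iso: digest mismatch for $name" >&2
        return 1
    fi
    return 0
}

# verify_sums_signature SHA256SUMS SHA256SUMS.gpg FINGERPRINT
# Fetches the key for FINGERPRINT (assumed keyserver), then requires that the
# detached signature is VALID *and* was made by exactly that key, by reading
# gpg's machine-readable status line rather than its exit code alone.
verify_sums_signature() {
    sums="$1"; sig="$2"
    fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "$fpr" >/dev/null 2>&1 || return 2
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# install_security_onion
# The apt steps from the page, in order, plus one check: after the PPA is
# added, make sure securityonion-all is actually offered from it.
install_security_onion() {
    echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
    sudo apt-get -y install python-software-properties
    sudo add-apt-repository -y ppa:securityonion/stable
    sudo apt-get update
    apt-cache policy securityonion-all | grep -q 'ppa.launchpad.net/securityonion/stable' \
        || { echo "securityonion-all is not offered by the Security Onion PPA" >&2; return 1; }
    sudo apt-get -y install securityonion-all
    sudo sosetup
}

# Usage (assumed file name):
#   sh so-install.sh verify SHA256SUMS SHA256SUMS.gpg <key fingerprint> ubuntu-12.04.5-desktop-amd64.iso
#   sh so-install.sh install        # on the freshly installed Ubuntu system
case "${1:-}" in
    verify)  verify_sums_signature "$2" "$3" "$4" && verify_iso "$2" "$5" ;;
    install) install_security_onion ;;
esac
```

Run the verify step on the machine that downloaded the ISO, before burning or booting it; the install step is only meaningful on the new Ubuntu 12.04 system after you have logged back in.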