Services specifically required (list will be updated as we go along):
- Secure remote access onto network (SSH)
- Centralised logging (syslog)
- Equipment monitoring and alerting (nagios or similar)
- Bandwidth monitoring (bandwidthd, etc)
- Alert for outbound malware c&c
I've played with Security Onion in the past and it does a lot of the above out-of-the-box. I would have liked to run it as one of several guests on an ESXi host, but the hardware isn't up to it. I'm currently running all of this on an old Shuttle XPC with 2 GB of RAM, a 250 GB HDD and a second NIC (you need two ports: one for management and one for capturing network traffic).
So first of all, go and download Security Onion (SO) and get it installed. It's straightforward: here's the official guide.
When setup completes it prints the following summary (including the rule update script), which we'll need again:
Security Onion Setup is now complete!
Setup log can be found here:
You may view IDS alerts using Sguil, Squert, Snorby, or ELSA (if enabled).
Bro logs can be found in ELSA (if enabled) and the following location:
Rules downloaded by Pulledpork are stored in:
Local rules can be added to:
You can have PulledPork modify the downloaded rules
by modifying the files in:
Rules will be updated every day at 7:01 AM UTC.
You can manually update them by running:
Sensors can be tuned by modifying the files in:
Once that's finished, run the following to make sure everything is up to date:
sudo apt-get update && sudo apt-get dist-upgrade
Then make sure all the SO services are running OK:
sudo service nsm status
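Checking this once by hand is fine, but since monitoring and alerting is on the list of required services, it is worth turning the same check into something Nagios (or cron) can run. The script below is an added example, not part of the original post or of Security Onion itself: it reads the output of `sudo service nsm status` on stdin, counts the services flagged `[ FAIL ]` versus `[  OK  ]`, and prints a Nagios-style OK/CRITICAL line with the matching exit code (0 or 2). The `[  OK  ]` / `[ FAIL ]` markers are assumed to be what the status command prints, and the sample output embedded at the bottom is constructed for the demo, not captured from a real sensor.

```shell
#!/bin/sh
# Parse `sudo service nsm status` output (read on stdin) into a Nagios-style
# result. Any line marked "[ FAIL ]" makes the check CRITICAL (exit 2);
# otherwise it reports how many services were marked "[  OK  ]" (exit 0).
# The OK/FAIL marker format is an assumption about the status output.
nsm_check() {
    fails=0
    oks=0
    failed=""
    while IFS= read -r line; do
        case "$line" in
            *"[ FAIL ]"*)
                fails=$((fails + 1))
                # keep just the service name, e.g. "pcap_agent (sguil)"
                name=$(printf '%s' "$line" | sed 's/^[[:space:]]*\* *//; s/ *\[.*//')
                failed="$failed $name;"
                ;;
            *"[  OK  ]"*)
                oks=$((oks + 1))
                ;;
        esac
    done
    if [ "$fails" -gt 0 ]; then
        printf 'CRITICAL - %d NSM service(s) down:%s\n' "$fails" "$failed"
        return 2
    fi
    printf 'OK - %d NSM services running\n' "$oks"
    return 0
}

# Live wrapper to call from cron or an NRPE/Nagios command definition.
nsm_check_live() {
    sudo service nsm status | nsm_check
}

# Helper used by the demo: run the parser over a string instead of stdin.
nsm_check_string() {
    printf '%s\n' "$1" | nsm_check
}

# Constructed sample status output (not real captured output): two failures.
SAMPLE_BAD='Status: securityonion
  * sguil server                                             [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                      [  OK  ]
Status: seconion-eth1
  * netsniff-ng (full packet data)                           [  OK  ]
  * pcap_agent (sguil)                                       [ FAIL ]
  * snort_agent-1 (sguil)                                    [  OK  ]
  * snort-1 (alert data)                                     [ FAIL ]
  * barnyard2-1 (spooler, unified2 format)                   [  OK  ]'

# Constructed sample with everything healthy.
SAMPLE_GOOD='Status: securityonion
  * sguil server                                             [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                      [  OK  ]
Status: seconion-eth1
  * netsniff-ng (full packet data)                           [  OK  ]'

# Demo run over the constructed samples; the live check is nsm_check_live.
nsm_check_string "$SAMPLE_GOOD"
nsm_check_string "$SAMPLE_BAD" || echo "exit status: $?"
```

To use it for real, drop the demo lines at the bottom, call `nsm_check_live` from cron (mailing the output) or point a Nagios/NRPE command at it; the exit code of 2 is what turns a stopped sniffer or agent into an alert rather than something you only notice when the logs go quiet.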
That's all for part 1. The next post will cover setting up SSH and remote desktop, and adding some of the other services.