Security Onion

Security Onion is a intrusion detection and network monitoring tool.

Before You Begin

Security Onion has Snort built in and therefore runs in the same instance. You need to configure Security Onion to send syslog so that InsightIDR can ingest it.

To configure syslog for Security Onion:

  1. Stop the Security Onion service.
  2. Find the syslog-ng conf file.
  3. Change the destination d_net and log lines in the configuration file to look like following:
text
1
# Send the messages to an other host
2
#
3
 destination d_net { udp("_collector_ip_address_" port(_listening_port_defined_in_InsightPlatform)); };
4
 
5
....
6
 
7
# All messages send to a remote site
8
#
9
log { source(s_syslog); destination(d_net); };

You can read additional documentation about Security Onion here: https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration.

If you have Security Onion V2 you will also need to:

  1. Create a new custom configuration file on the manager in /opt/so/saltstack/local/salt/logstash/pipelines/config/custom/ to clone the events and match the cloned events in the output. We recommend using either the http, tcp, udp, or syslog output plugin.
  2. Copy /opt/so/saltstack/default/pillar/logstash/manager.sls to /opt/so/saltstack/local/pillar/logstash/manager.sls
  3. Append your newly created file to the list of config files used for the manager pipeline: - custom/myfile.conf
  4. Restart Logstash on the manager with so-logstash-restart
  5. Monitor events flowing through the output with curl -s localhost:9600/_node/stats | jq .pipelines.manager

You can read additional documentation about Security Onion V2 here: https://docs.securityonion.net/en/2.3/logstash.html#forwarding-events-to-an-external-destination

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Security Onion in the event sources search bar.
    • In the Product Type filter, select IDS.
  3. Select the Security Onion event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Select Listen on Network Port and enter the port you used in the configuration file. Specify a protocol.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  8. Click Save.