Security Onion

Overview

Security Onion is an intrusion detection and network security monitoring distribution.

Before You Begin

Security Onion includes Snort, so Snort runs on the same instance and its alerts are forwarded through the Security Onion syslog configuration described below; you do not need to configure Snort as a separate event source.

Security Onion forwards logs through syslog-ng, so the forwarding settings live in the syslog-ng configuration file (syslog-ng.conf). Edit the "destination d_net" line and the "log" line so that the configuration matches the example below:

```text
# Send the messages to another host
#
destination d_net { udp("_collector_ip_address_" port(_listening_port_defined_in_InsightPlatform)); };

....

# All messages sent to a remote site
#
log { source(s_syslog); destination(d_net); };
```

Where _collector_ip_address_ is the IP address of the collector that will receive the logs and _listening_port_defined_in_InsightPlatform is the port defined as part of the event source in InsightOps. If you select TCP as the protocol for the event source, use tcp() in place of udp() with the same port. After editing the file, check the syntax with "syslog-ng -s" and restart syslog-ng so the change takes effect.
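The following script is an added example, not code from the original page, from Security Onion, or from Rapid7. It renders the "destination d_net" and "log" stanza above for plain UDP, plain TCP, or TCP with TLS (the encrypted option offered when TCP is selected), rejects obviously wrong collector addresses and ports before they are written into syslog-ng.conf, and can send one constructed test message so you can confirm the collector sees traffic before relying on the pipeline. The CA directory path is an assumption for illustration; the page does not specify where Rapid7CA.pem should be installed on the Security Onion host.

```python
"""Render and smoke-test a syslog-ng forwarding stanza for Security Onion.

Added example (not part of the original page, Security Onion, or InsightOps).
Assumption: the downloaded Rapid7CA.pem has been copied into CA_DIR below and the
directory has been hashed with c_rehash, which syslog-ng's ca-dir() option expects.
"""
import ipaddress
import socket
from datetime import datetime

# Hypothetical location for Rapid7CA.pem on the Security Onion host (an assumption).
CA_DIR = "/etc/syslog-ng/ca.d"


def validate_target(collector_ip: str, port: int) -> None:
    """Fail fast on garbage before it reaches syslog-ng.conf."""
    ipaddress.ip_address(collector_ip)  # raises ValueError if not a valid IP
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")


def render_destination(collector_ip: str, port: int, protocol: str = "udp",
                       encrypt: bool = False) -> str:
    """Return the destination + log lines to paste into syslog-ng.conf.

    encrypt=True is only valid with tcp, mirroring the InsightOps UI, which
    offers "Encrypt the event source" only when TCP is chosen.
    """
    validate_target(collector_ip, port)
    protocol = protocol.lower()
    if protocol not in ("udp", "tcp"):
        raise ValueError("protocol must be udp or tcp")
    if encrypt and protocol != "tcp":
        raise ValueError("TLS encryption requires tcp")

    if encrypt:
        # tls() inside the tcp() driver: ca-dir() holds the collector's CA and
        # peer-verify(required-trusted) makes syslog-ng refuse an unverified peer.
        dest = (
            f'destination d_net {{ tcp("{collector_ip}" port({port})\n'
            f'    tls( ca-dir("{CA_DIR}") peer-verify(required-trusted) )\n'
            f"); }};"
        )
    else:
        dest = f'destination d_net {{ {protocol}("{collector_ip}" port({port})); }};'

    return (
        "# Send the messages to another host\n#\n" + dest + "\n\n"
        "# All messages sent to a remote site\n#\n"
        "log { source(s_syslog); destination(d_net); };\n"
    )


def build_syslog_message(hostname: str, app: str, text: str, pri: int = 134) -> bytes:
    """Construct a BSD-syslog (RFC 3164) line; PRI 134 = local0.info (16*8 + 6)."""
    now = datetime.now()
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 wants a space-padded day
    return f"<{pri}>{ts} {hostname} {app}: {text}".encode()


def send_test_message(collector_ip: str, port: int, protocol: str = "udp",
                      timeout: float = 3.0) -> int:
    """Send one constructed test line to the collector and return the bytes sent.

    For TCP a refused or filtered port raises, which is exactly the signal you
    want before assuming the collector is listening on the configured port.
    """
    validate_target(collector_ip, port)
    msg = build_syslog_message("securityonion", "so-forward-test",
                               "InsightOps forwarding check (constructed test line)")
    sock_type = socket.SOCK_DGRAM if protocol == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, sock_type) as s:
        s.settimeout(timeout)
        if protocol == "tcp":
            s.connect((collector_ip, port))
            return s.send(msg + b"\n")
        return s.sendto(msg, (collector_ip, port))


def raises_value_error(fn, *args, **kwargs) -> bool:
    """Helper used to check that bad inputs are rejected."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # 203.0.113.10 and 5514 are documentation placeholders; substitute your collector.
    print(render_destination("203.0.113.10", 5514, "udp"))
    print(render_destination("203.0.113.10", 6514, "tcp", encrypt=True))
```

Run the script on the Security Onion host, paste the stanza you need into syslog-ng.conf, then call send_test_message() against your collector and look for the "so-forward-test" line in InsightOps; if it never arrives on UDP, check for a firewall between the two hosts, since UDP gives no error when the port is closed.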

For additional documentation about Security Onion, see the Security Onion project documentation.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. At the top right of the page, select Add Data.
  3. Select the IDS icon from the Security Data section.
  4. Select your collector, and optionally name your event source.
  5. From the list of event source options, choose Security Onion.
  6. Choose a timezone, or optionally choose a US timezone.
  7. Optionally choose to send unfiltered logs.
  8. Configure the inactivity timeout threshold in minutes.
  9. Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. Optionally choose to Encrypt the event source if you chose TCP.
  10. If you chose to encrypt, select the "Download Certificate" button, which downloads Rapid7's certificate. The file is called Rapid7CA.pem; install it as a trusted CA in the syslog-ng TLS configuration on the Security Onion host so that syslog-ng can verify the collector when forwarding logs over TLS.