ex nihilo nilhil fit


A SecurityOnion Lab

Given that I "hack on Zeek and Zeek related accessories" all day at Corelight and given that my home NSM is basically gawk at my router from time to time, I thought it would be useful to have a non-development copy of Zeek running. Bonus if it means I get to spend some more time with my nose in infosec books.

I started out going down the path of just slapping Zeek onto a spare computer but I started reading "Applied Network Security Monitoring" and found SecurityOnion. I wanted to give it a try but I didn't want to deal with the frustration of just dropping it on my network. A pile of Virtual Machines seemed like the way to go (plus it was a nice excuse to dive into VirtualBox networking options).

I knew I needed to set up a couple of test machines to ride along with a SecurityOnion machine but I was a little unsure about how I might throw a (virtual?) tap on that network. After a good overview about vbox networking, I learned that a NAT Network with the SecurityOnion's NIC in promiscuous mode should get me where I wanted to be. As an aside, I also took this time to figure out what the heck all the options do when making a new machine (thanks to the kind stranger on mastodon with that source link).

I ended up with three machines total: A SecurityOnion guest and two Lubuntu guests. Here's the basic layout for the machines:

I used DHCP for all of this because I'm lazy and I figured the addresses wouldn't change too much. I also created a NAT Network specifically for this, which I named so.local. This is done by clicking File, Preferences, Network, and then the 'Adds New NAT Network' widget. The default settings are fine and I'm currently doing everything with IPv4 because I'm stuck in the dark ages.

I set up SecurityOnion in "evaluation" mode. I really thing this mode is poorly named. It gets the job done in this lab and it's probably the mode I'll move to when this is all re-done on hardware at my home.

I also let SecurityOnion auto-configure interfaces, being careful to note which one belonged to the NAT Network as this is the interface we'll want to monitor. We won't be able to get to the other machines via the strictly NAT interface. The number of popup messages post-install in SecurityOnion is nauseating but it seems to get out of your way after that.

Once the setup was done, things were pretty easy to test. I fired up Wireshark in SecurityOnion and set an ip.addr filter for one of the Lubuntu guests. At that point, I pinged one Lubuntu guest from another and watched the packets fly.

All the tools in SecurityOnion seemed to work fine. The big hangup here is that they're obviously not picking up Internet traffic from the guests as that doesn't pass over the "NAT Network" interfaces, it's routed via the "NAT" interfaces. My next step in all of this is figuring out how to fix that so I can mess with stuff like testmyids.com.

I used this time to also tinker with BunsenLabs, SparkyLinux, and Manjaro because why not? I found all three to be pretty neat distributions.

ascia technologies
[ mrrr 0 || 1 ]