Setup IDS at Home - Security Onion 2020

Security Onion is probably the best IDS tool any InfoSec analyst can familiarize themselves with. It bundles a load of open-source tools that every organization should have deployed in some form. Whether it’s Snort IPS, Zeek IDS, OSSEC HIDS or using Security Onion to search your logs in Elasticsearch, you can easily deploy and start using all of these tools.

Let’s get started by downloading Security Onion. Go to the Security Onion website to check out its features:

https://securityonion.net/

Click “Download” on the top menu to be taken to the GitHub page.

GitHub page: https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

Click on the latest ISO image to download it (16.04.6.5 at the time of writing).

Open up VirtualBox (you can also use VMware Player, but that is not covered here).
Click on “Tools” -> “New”

Enter the VM details, defining where your files will reside (Machine Folder)
Click Next

I recommend giving the VM 8GB of RAM, but give it whatever you can.
Click Next

Leave default, click “Create”

Leave default, click “Next”

Leave default, click “Next”

Make sure your root directory is correct (the one you chose before). I also like to give the VM 100GB+ of disk space.
Click “Create”

In VirtualBox’s main screen, highlight the VM we just created and click Settings.

Under General -> Advanced, make sure your snapshot folder is correct. I typically store this on another (larger) drive.

Under System -> Motherboard, I disable the Floppy drive and demote it in the boot order:

System -> Processor
I recommend giving the VM at least 4 virtual cores.

Display -> Screen
I crank up my video memory because it’s available.

Storage
Click on the “Empty” optical drive under “Storage Devices”, then click on the disk icon next to the “Optical Drive” drop-down menu.

Select “Choose Virtual Optical Disk File”

Then select the Security Onion ISO we downloaded.
Click Open

It will populate the Storage Device:

Now we have to configure the network adapters:
Network -> Adapter 1 (Enabled)
Set “Attached to” = Bridged Adapter
Name = <NIC for your internal LAN>
No additional changes

The second network adapter should be connected to the mirror port of your network switch. It will be used for sniffing network traffic.
Network -> Adapter 2 (Enabled)
Set “Attached to” = Bridged Adapter
Name = <NIC connected to switch mirror port>
Promiscuous Mode: Allow All

Start the VM

Boot to SecOnion

Once Security Onion starts up, click “Install Security Onion 16.04”.

Continue

Check download updates and third party software
Continue

Erase disk and install Security Onion
Install Now

Continue

Set your time zone

Select keyboard layout (might have to click “install” title bar and drag window over)

Click “Continue”

Put in your username and password information:

Security Onion will start its setup process.

After it’s done, click “Restart Now”.

Press Enter to reboot

Security Onion Reboots:

Login to SecOnion

Double-click “Setup” and enter the root password.

Click “Yes, Continue”

Click “Yes, Configure /etc/network/interfaces!”

Set the (typically) first Ethernet interface as the management port. You can double-check this with “ifconfig” on the command line.

Set up Security Onion with a static address.

Set this IP to something available on your internal network (LAN)

A typical subnet mask is /24.

Enter gateway IP address

Set DNS; I use my firewall and Google.

I use my domain, but it doesn’t point to my external IP

Click “Yes, configure sniffing interfaces.”
The remaining interface is listed
Select it and click OK

Click “Yes, make changes”

Click “Yes, reboot”

Security Onion will now reboot

Login

Double click “Setup” again

Continue to setup “Yes, Continue!”

This time around we’re going to select “Yes, skip network configuration!”

Continue with the service setup: “Yes, Continue!”

For a standalone home instance of Security Onion, I recommend running in Evaluation Mode. Production mode is out of scope for this article, but might be something I cover in the future.

Select “Evaluation Mode”
Click “OK”

Select the monitoring interface (usually selected already)

Create your Security Onion service user

Set your password

Confirm your password

Click “Yes, proceed with the changes!”

Security Onion setup does its thing…

Security Onion setup is now complete!

Additional details

Now we’re going to test if sniffing & alerting is working. In your host OS’s browser (incognito mode), browse the following site: testmyids(dot)com

Then on Security Onion, we’ll log into Sguil.

Login details

If you’re sniffing successfully, you should see the following alert:
Sport = 80, “GPL ATTACK_RESPONSE id check returned root”
To see more information about the alert and traffic, click “Show Packet Data” and “Show Rule” under the alert list window.

If you right-click the “3.2” or any number in the “Alert ID” column, a pop-up menu appears. For my example, I select “Transcript”.

Now we’re looking at the full packet capture related to the alert. We can see the host testmyids.com which generated the alert

And the full request (blue) and response (red). You can see the string that flagged the alert in the DST response.
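To make the alert itself less of a black box, here is an added example (not code from the original post or from Security Onion) that applies the content match of the “GPL ATTACK_RESPONSE id check returned root” signature, the byte string uid=0(root), to constructed TCP segments of a testmyids.com-style reply, and shows why the sensor has to reassemble the stream before matching. Addresses, sequence numbers and the reply body are constructed samples.

```python
from dataclasses import dataclass

# Message and content match of the signature that the testmyids.com page
# trips (the rule writes the content with hex escapes as uid=0|28|root|29|).
SIGNATURE_MSG = "GPL ATTACK_RESPONSE id check returned root"
SIGNATURE_CONTENT = b"uid=0(root)"

@dataclass
class Segment:
    """One captured TCP segment; addresses and seq are constructed samples."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes

def match_segment(seg):
    """Naive per-packet check: alert tuple in Sguil's column order, or None."""
    if SIGNATURE_CONTENT in seg.payload:
        return (SIGNATURE_MSG, seg.src, seg.sport, seg.dst, seg.dport)
    return None

def match_stream(segments):
    """Stream check: order by seq, join payloads, then apply the match once."""
    ordered = sorted(segments, key=lambda s: s.seq)
    data = b"".join(s.payload for s in ordered)
    first = ordered[0]
    if SIGNATURE_CONTENT in data:
        return (SIGNATURE_MSG, first.src, first.sport, first.dst, first.dport)
    return None

# Constructed server reply (sport 80) to the browser, split in two segments so
# the matched string straddles the boundary; listed out of order on purpose.
SERVER, CLIENT = "203.0.113.10", "192.168.1.50"
REPLY = [
    Segment(SERVER, 80, CLIENT, 51234, seq=54,
            payload=b"ot) gid=0(root) groups=0(root)\n"),
    Segment(SERVER, 80, CLIENT, 51234, seq=1,
            payload=b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nuid=0(ro"),
]

if __name__ == "__main__":
    print("per-segment :", [match_segment(s) for s in REPLY])  # [None, None]
    print("reassembled :", match_stream(REPLY))
```

The per-segment pass misses the string entirely, while the reassembled stream produces the same Sport = 80 alert you see in Sguil.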

Everything is working! The last thing to do is install the VirtualBox Guest Additions.
In the VirtualBox menu bar, click Devices -> Insert Guest Additions CD image

A popup menu will be displayed. Click “Run” and you’ll be prompted for your password

Once it’s done, press return to close the window

Issue a reboot for settings to take effect

Login, and we’re finally done! You can now resize the screen, drag and drop, share folders, update drivers, etc. with the VirtualBox Guest Additions.

Hopefully this article has been able to guide you through the Security Onion install and setup. It’s quite detailed and lengthy; I see it more as a “Setup Security Onion for Dummies”.

I plan to release a new video tutorial for Security Onion in 2020, but my old videos do not deviate much from this article. Thanks for checking it out!

My next article will be about installing Splunk on top of Security Onion and how you can use that to supplement your IDS.
