Remote-access Guide

security onion remote access

by Devyn Stiedemann Published 2 years ago Updated 2 years ago
image

Optional: need “remote desktop” access to your Security Onion sensor or server? We recommend SSH X-Forwarding as shown above, but if you want something more rdp-like, you can install FreeNX or xrdp (please note we do NOT support either of these): sudo apt-get install xrdp

Full Answer

What is security onion?

Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

How does security onion use Elasticsearch search?

When using a search node, Security Onion implements distributed deployments using Elasticsearch ’s cross cluster search. When you run Setup and choose Search Node, it will create a local Elasticsearch instance and then configure the manager node to query that instance.

What are the Wazuh components of security onion?

Security Onion utilizes Wazuh as a Host Intrusion Detection System (HIDS) on each of the Security Onion nodes. The Wazuh components include: manager - runs inside of so-wazuh Docker container and performs overall management of agents

How many nodes does security onion support?

From a single network appliance, to a grid of a thousand nodes, Security Onion scales to fit your specific needs. Security Onion and the tools we integrate are all free and open, written by members of the cyber security community.

image

How do I access console security Onion?

Depending on the options you chose in the installer, connect to the IP address or hostname of your Security Onion installation. Then login using the email address and password that you specified in the installer. Once logged in, you'll notice the user menu in the upper right corner.

What port does security onion use?

8080 (Osquery, if enabled)

What is security onion used for?

Security Onion is a free and open source Linux distribution for intrusion detection, security monitoring, and log management. It includes CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

How do you set up a security onion at home?

If you want to install Security Onion using our ISO image:Review the Hardware Requirements and Release Notes sections.Download and verify our Security Onion ISO image.Boot the ISO in a machine that meets the minimum hardware specs.Follow the prompts to complete the installation and reboot.More items...

Where are security onion logs stored?

Debug logs are stored in /opt/so/log/ .

What is security onion Siem?

Security onion is an open-source that does the intrusion detection system (IDS), log management solution, monitoring, etc. It also helps to peel back the security layers of your enterprise. It has many security tools, including Fleet, CyberChef, Playbook, TheHiva, Kibana, Suricata, Elasticsearch, and much more.

What companies use security Onion?

Companies Currently Using Security OnionCompany NameWebsiteTop Level IndustryCarnegie Mellon Universitycmu.eduEducationJCS Solutions LLCjcssolutions.comReal EstateRobotic Researchroboticresearch.comTechnicalNXTKey Corporationnxtkey.comBusiness Services2 more rows

Is security Onion an operating system?

Security Onion is a Linux distro that is based on Ubuntu and contains a wide spectrum of security tools. It is so named because these tools are built as layers to provide defensive technologies in the form of a variety of analytical tools.

Who created security Onion?

Doug Burks - FounderDoug Burks - Founder and CEO - Security Onion Solutions, LLC | LinkedIn.

Can you install security onion on Windows?

0:379:53Security Onion Essentials - Security Onion Installation, Part 1 - YouTubeYouTubeStart of suggested clipEnd of suggested clipAll right so the best place to start when looking to download and install security onion is ourMoreAll right so the best place to start when looking to download and install security onion is our website. If you go to securityonion.net that is going to redirect you to securityonionsolutions.com.

What is Snorby used for?

Snorby is a frontend application for Snort. Snorby let you check and analyze your Snort events and alerts from a web browser.

How do you use a Squert?

Adding your own pivotsIn the upper right corner of Squert, click the Filters button.Set the type to URL.Click the + button.Click your New entry.Fill out the alias, name, notes, and URL fields as applicable.Click the Update button.Close the Filters and URLs window.More items...

What is Elsa in security Onion?

ELSA. ELSA is a centralized system log framework built on System log-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web.

Is security Onion a Linux distribution?

In 2008, Doug Burks started working on Security Onion, a Linux distribution for intrusion detection, network security monitoring, and log management.

When will Security Onion Solutions close?

Security Onion Solutions offices will be closed 11/25/2021 and 11/26/2021 for Thanksgiving in the US. You may want to wait until the following week before upgrading your production deployments just in case you run into any issues.

What is the hotfix for Security Onion 2.3.52?

Security Onion Solutions recently released Security Onion 2.3.52. Today, we are releasing a hotfix (SALTYSOUP) that resolves an issue that some users experienced when trying to update older installations. The conditions for the issue are as follows:

When is the Security Onion Conference 2021?

This year's Security Onion Conference is currently scheduled to be held in person in Augusta, GA on Friday, October 1, 2021 (please mark your calendar!). Registration will open August 2.

Is Security onion scalable?

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

Does Security onion 2.3.60 allow anonymous access?

New installations of Security Onion 2.3.60 will not have any anonymous access to Elasticsearch or Kibana. Existing installations will allow anonymous connections until you manually enable Elastic authentication. Once this happens all unauthenticated access will be denied.

Does Security onion support Ubuntu 20.04?

Security Onion 2.3.90 now supports Ubuntu 20.04 but for new installations only. We will add support for in-place upgrades from Ubuntu 18.04 to 20.04 in a later release.

scott runnels

As long as you have access to the management interface on your Security Onion server, you should be able to access it from where you like.

bolts

I guess we'll need to configure a VPN. In the meantime...is there another way?

Liam Randall

It really depends on what you and/or your companies security policy is like.

How many Wazuh agents can be on Security Onion?

Security Onion is configured to support a maximum number of 14000 Wazuh agents reporting to a single Wazuh manager.

Does Wazuh block trusted IPs?

Sometimes, Wazuh may recognize legitimate activity as potentially malicious and engage in Active Response to block a connection. This may result in unintended consequences such as blocking of trusted IPs. To prevent this from occurring, you can add your IP address to a safe list and change other settings in /opt/so/conf/wazuh/ossec.conf in the <!-- Active response --> section. so-allow does this for you automatically when you allow analyst connections.

Can you add a new rule in /opt/so/rules/hids/local_?

You can add new rules in /opt/so/rules/hids/local_rules.xml. You can also modify existing rules by copying the rule to /opt/so/rules/hids/local_rules.xml, making your changes, and adding overwrite="yes" as shown at https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule. To suppress a Wazuh alert, you can add the rule and include noalert="1" in the rule section.

jcmadick on Nov 20, 2020

I've set up a master in AWS, built on Ubuntu 18.04 running the install scripts. Everything works fine on the master. I then attempted to set up a remote sensor. It runs through the setup, then tells me it failed. Looking at the sosetup.log, I see that the remote sensor authenticates to the master and that the master adds the remote sensor.

innovate-support on Jan 25

I'm assuming you are referring to the Security Onion internal firewall. so-allow doesn't have any Salt options, and also doesn't appear to have any options for customization. What's the resolution? Isn't Salt a core function of the system? Isn't it enabled and allowed by default?

BustedSec on Jan 25

Ok, so this is a just a bandaid because they closed my issue about fixing this telling me that it should open these ports during initial setup (even though it doesn't) but this should get you started. I'm still trying to get it all working right myself.

BustedSec on Jan 25

also, I got it temporarily working by just telling ip tables to allow friggin everything while debugging, then selectively seeing what is needed and then enabling that ip tables rule.

BustedSec on Jan 26

After running the sudo so-firewall includehost sensor command I then I also edited /opt/so/saltstack/local/pillar/minions/sensorname.sls (don't do this... just restarted minion and it won't reconnect) and changed the IP address from the local IP to the WAN IP.

BustedSec on Jan 26

might wanna confirm 5644 is open (beats) from the forward node to the manager node by scanning your manager node with nmap -p 5644 managernodeip. Also 5604 and 5605 for salt comms. Might need to install nmap with yum first

BustedSec on Jan 26

oh! you need to accept the key. Just type salt-key and get a list of all keys then type salt-key -a hostname

image
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9