One thing I noticed while researching various security topics is that Security Onion kept popping up. It's a free, open source Linux distribution for threat hunting, security monitoring, and log management. I see it referenced quite a bit, so I figured it would be a good tool to set up in my lab and get more familiar with.
They have an ISO ready to go, so I figured I'd quickly download it and spin up a VM. No problem, right?
Wrong!
I'm not sure what it is, but I've had the hardest time getting this thing deployed properly! Most of the machines in my VMware lab are on a private VMnet so they can talk to each other. I enable a secondary NAT interface within a machine when I need to connect to the internet, but for the most part, everything is on the virtual network only.
I've got all the usual suspects (Kali, SIFT, Parrot, Slingshot, BlackArch, various "regular" Linux distros, Metasploitable 2, Windows boxes, etc.) all running with no issues. I'm familiar with VMware from both the Workstation/Player side and the enterprise/server side. So I should be fine, right? LOL... I guess not!
I figured I could configure Security Onion's management interface for the VMnet, which would allow me to pull up the web interface from any of my other machines on the same network. I also set up another interface on a separate VMnet for the monitoring or "sniffing" port (though I think VMware Workstation may not quite support the mirror/SPAN setup I need).
The install went fine, but I could NOT get the web interface to work. I could ping it from other devices on the VMnet with no problem, just no web interface. I ran "so-allow" and enabled analyst access for the whole VMnet network, just to make sure that wasn't the issue (even though I had already set that up during installation).
I rebuilt the Security Onion machine multiple times (not a fast install!), with various configurations of NAT, VMnet, and Host-Only network configurations with no luck. Same issue.
I thought this would be a pretty simple install, but it looks like I have some troubleshooting to do! I'm sure it's something simple I'm missing or overthinking, but I plan to try to set up multiple SO configurations. I'd like to set up an EVAL, an IMPORT, and an Analyst VM (not sure if this is different from IMPORT, though?), and maybe even a Standalone deployment, just to get familiar with the process.
I feel like it would be a bit simpler if I were to set up a dedicated physical Security Onion device on my lab network (which I may do as well), but this is definitely something I will continue to explore.