I am a cybersecurity student testing out network sensor distributions like Malcolm/Hedgehog Linux and Security Onion, as they are open source and recommended by the Cybersecurity & Infrastructure Security Agency (CISA).
All three only support the x86-64 architecture (standard Intel or AMD 64-bit processors). I thought, alternatively, of installing on a portable 32GB Orange Pi; however, since these computers (like Raspberry Pis) are based on the ARM processor architecture, it is not a viable option currently.
It is still possible to set it up inside of a virtual machine, provided that the computer used has enough resources, and thus I have been looking at implementing it in Qubes.
Once I have Security Onion properly set up I will dive into further examination of Malcolm/Hedgehog Linux, which are not as powerful as Security Onion. ChatGPT 4 does not have any information on Malcolm/Hedgehog Linux, as its knowledge base is up to September 2021; however, it does have some knowledge of Security Onion. ChatGPT's advice regarding qrexec for HVMs is not accurate.
I was able to set up Security Onion with 14 GB of RAM, 4 cores, and 200 GB of memory, in alignment with the recommendations from the official documentation.
Paired with Qubes, it would offer an extra layer of security through services such as:
- Zeek (formerly known as Bro): Zeek is a powerful network analysis framework that captures and analyzes network traffic, providing detailed insights into network behavior, connections, protocols, and anomalies.
- Suricata: Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that monitors network traffic and detects potential security threats such as malware, exploits, and suspicious activities.
- Elasticsearch: Elasticsearch is a distributed search and analytics engine used for storing and searching large volumes of data. It is used by Security Onion to index and store network and log data for efficient searching and analysis.
- Kibana: Kibana is a web-based visualization and analytics platform that works in conjunction with Elasticsearch. It provides a user-friendly interface for exploring, visualizing, and analyzing data collected by Security Onion.
- Wazuh: Wazuh is a host-based intrusion detection system (HIDS) that monitors and analyzes system logs, file integrity, and other host-level activities to detect potential security incidents.
- Snort: Snort is an open-source network intrusion detection system (NIDS) that performs real-time traffic analysis and packet logging. It helps identify and alert on suspicious network activities.
- Sguil: Sguil is a network security monitoring (NSM) console that provides a unified view of events and alerts generated by various security tools. It assists in the analysis and investigation of security incidents.
- NetworkMiner: NetworkMiner is a network forensic analysis tool that captures and analyzes network traffic, extracting useful information such as files, emails, and metadata from network packets.
In summary, Security Onion properly set up in Qubes would be akin to having one's own mini IT team on your laptop or desktop.
As a network sensor, Security Onion requires TWO network interface cards: one to connect to the internet for sending reports and one to monitor all of the data packets on a Wi-Fi network. So far Security Onion recognizes the one virtualized NIC provided to all HVMs for internet access. I need to attach a second USB NIC which is taking info from my physical network.
Because of the RAM requirements, Security Onion cannot run with the native USB devices attached (as recent forum updates have shown that HVMs with more than 4GB RAM will not start with normal device attachments).
I attempted to attach via qrexec services; however, I get:
Error attaching device to Security onion failed. Error QubesVMError - Domain security onion: qrexec not connected
My Security Onion version is 2.3.240 and is based on CentOS Linux release 7.9.2009 (Core).
Does anyone have any suggestions to get qrexec working?
```
$ sudo yum install qubes-guest-tools
No package qubes-guest-tools available
$ sudo yum qubes-usb-proxy
No such command: qubes-usb-proxy
```
Any suggestions would be greatly appreciated.
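An added example (written for this post, not code from the original poster, the Qubes project or Security Onion): a small dom0-side helper for the "attach a second USB NIC" step. It locates the NIC in a `qvm-usb` listing, checks that nothing else is already using it, builds the `qvm-usb attach` command for the sensor qube, and, only when it is actually running in dom0, confirms the qube's qrexec agent answers before anything is attached (a `qvm-run` that fails with "qrexec not connected" means the attach would fail the same way). The qube name `security-onion`, the `sys-usb` backend, the ASIX adapter and the whole listing are constructed assumptions; the listing mimics the `BACKEND:DEVID  DESCRIPTION  USED BY` layout of `qvm-usb`.

```shell
#!/bin/sh
# Added example (not from the forum post): dom0 helper to pick a USB NIC out of
# `qvm-usb` output and prepare its attachment to the Security Onion HVM.
# Assumed names: sensor qube "security-onion", USB backend qube "sys-usb".

SENSOR_VM="${SENSOR_VM:-security-onion}"

# Constructed sample of `qvm-usb` output; device ids and descriptions are made up.
# Columns are separated by runs of two or more spaces, as in the real tool.
SAMPLE_LISTING='BACKEND:DEVID  DESCRIPTION                         USED BY
sys-usb:2-1    0b95:1790 ASIX Elec. Corp. AX88179
sys-usb:2-3    046d:c52b Logitech USB Receiver       sys-usb
sys-usb:1-2    0951:1666 Kingston DataTraveler 3.0'

# find_usb_nic LISTING PATTERN -> prints BACKEND:DEVID of the first device whose
# line contains PATTERN (header line skipped); prints nothing if none matches.
find_usb_nic() {
    printf '%s\n' "$1" | awk -F'  +' -v pat="$2" '
        NR > 1 && index($0, pat) { print $1; exit }'
}

# device_user LISTING DEVID -> prints the "USED BY" column for DEVID, or nothing
# when the device is free (the column is absent on a free device's line).
device_user() {
    printf '%s\n' "$1" | awk -F'  +' -v dev="$2" '
        $1 == dev { print (NF >= 3 ? $3 : ""); exit }'
}

# build_attach_cmd DEVID -> prints the dom0 command that attaches the device so
# that it survives qube restarts (--persistent is a real qvm-usb option).
build_attach_cmd() {
    printf 'qvm-usb attach --persistent %s %s\n' "$SENSOR_VM" "$1"
}

# check_qrexec -> succeeds only if the sensor qube's qrexec agent answers.
# A failure here reproduces the "qrexec not connected" error from the post,
# which means the guest agent (qubes-core-agent) is not running inside the HVM.
check_qrexec() {
    qvm-run -q "$SENSOR_VM" true
}

main() {
    devid=$(find_usb_nic "$SAMPLE_LISTING" "ASIX")
    if [ -z "$devid" ]; then
        echo "no matching USB NIC in listing" >&2
        return 1
    fi
    user=$(device_user "$SAMPLE_LISTING" "$devid")
    if [ -n "$user" ]; then
        echo "$devid is already attached to $user; detach it first" >&2
        return 1
    fi
    echo "Planned: $(build_attach_cmd "$devid")"
    if command -v qvm-run >/dev/null 2>&1; then
        if check_qrexec; then
            echo "qrexec to $SENSOR_VM works; the planned command can be run"
        else
            echo "qrexec to $SENSOR_VM is not connected; fix the guest agent first" >&2
        fi
    else
        echo "(not in dom0: qvm-* commands were not executed)"
    fi
    return 0
}

main
```

Outside dom0 the script only prints the planned command; inside dom0 it additionally proves qrexec connectivity, which is the precondition the error message in the post says is missing. Replace `SAMPLE_LISTING` with the real `qvm-usb` output when using it for a live attach.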