Setting up Security Onion for Internal Network Monitoring

I am a cybersecurity student testing out network sensor distributions like Malcolm/ HedgeHog Linux and Security Onion as they are open source and recommended by Cybersecurity & Infrastructure Security Agency (CISA).

All three only support x86-64 architecture (standard Intel or AMD 64-bit processors). I thought alternatively of installing on a portable 32GB Orange Pi; however, since these computers (like Raspberry Pis) are based on ARM processor architecture, it is not a viable option currently.

It is still possible to set up inside of a Virtual Machine provided that the computer used has enough resources and thus I have been looking at implementing into Qubes.

https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools

Once I have Security Onion properly set up I will dive into further examination of Malcolm/ Hedgehog Linux, which are not as powerful as Security Onion. ChatGPT 4 does not have any information on Malcolm/ Hedgehog Linux as its knowledge base is up to September 2021; however, it does have some knowledge of Security Onion. ChatGPT's advice regarding qrexec for HVMs is not accurate.

I was able to set up Security Onion with 14 GB of RAM, 4 cores and 200GB of memory, in alignment with the recommendation from the official documentation.

https://docs.securityonion.net/en/2.3/hardware.html

Pairing with Qubes it would offer an extra layer of security by services such as:
  • Zeek (formerly known as Bro): Zeek is a powerful network analysis framework that captures and analyzes network traffic, providing detailed insights into network behavior, connections, protocols, and anomalies.
  • Suricata: Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that monitors network traffic and detects potential security threats such as malware, exploits, and suspicious activities.
  • Elasticsearch: Elasticsearch is a distributed search and analytics engine used for storing and searching large volumes of data. It is used by Security Onion to index and store network and log data for efficient searching and analysis.
  • Kibana: Kibana is a web-based visualization and analytics platform that works in conjunction with Elasticsearch. It provides a user-friendly interface for exploring, visualizing, and analyzing data collected by Security Onion.
  • Wazuh: Wazuh is a host-based intrusion detection system (HIDS) that monitors and analyzes system logs, file integrity, and other host-level activities to detect potential security incidents.
  • Snort: Snort is an open-source network intrusion detection system (NIDS) that performs real-time traffic analysis and packet logging. It helps identify and alert on suspicious network activities.
  • Sguil: Sguil is a network security monitoring (NSM) console that provides a unified view of events and alerts generated by various security tools. It assists in the analysis and investigation of security incidents.
  • NetworkMiner: NetworkMiner is a network forensic analysis tool that captures and analyzes network traffic, extracting useful information such as files, emails, and metadata from network packets.

In summary, Security Onion properly set up in Qubes would be akin to having one's own mini I.T. team on your laptop or desktop.

As a network sensor Security Onion requires TWO Network Interface Cards: one to connect to the internet for sending reports and one to monitor all of the data packets on a wifi network. So far Security Onion recognizes the one virtualized NIC provided to all HVMs for internet access. I need to attach a second USB NIC which is taking info from my physical network.

Because of the RAM requirements Security Onion cannot run with the native USB devices attached (recent forum updates have shown that HVMs with more than 4GB RAM will not start with normal device attachments).

I attempted to attach via qrexec services; however, I get

Error attaching device to Security onion failed. 
Error  QubesVMError - Domain security onion: qrexec not connected

My Security Onion version is 2.3.240 and is based on CentOS Linux release 7.9.2009 (Core)

Does anyone have any suggestions to get qrexec working?

I attempted

$ sudo yum install qubes-guest-tools
No package qubes-guest-tools available

and

$ sudo yum qubes-usb-proxy
No such command: qubes-usb-proxy

Any suggestions would be greatly appreciated.

It should be possible to attach USB devices to your HVM without any problems. There can be problems with some GPU or NIC PCI passthrough but I didn’t see any reports about failing to attach USB devices to VM.
But you need to have Qubes tools installed in your VM to be able to attach USB devices to it. Or you can PCI passthrough your USB controller to this HVM; then you won't need to install Qubes tools in it.

If you want to install Security Onion in Qubes OS then it’s better to clone existing Qubes OS Fedora or Debian template with Qubes tools already installed and then install Security Onion inside this template instead of installing from Security Onion iso in new StandaloneVM:
https://docs.securityonion.net/en/2.3/installation.html#installation-on-ubuntu-or-centos

This likely indicates that you haven’t configured the repository in which the qubes-guest-tools package can be found. As a result, after checking all the repositories it knows about, yum reports that it wasn’t able to find any package with that name.

As you can read in the error message, your terminal thought that qubes-usb-proxy was a command name. You know it is a package name… what could be missing?

Look at the previous command you wrote:

sudo yum install some-package-name

The install command is missing in the second attempt.

Hint: when writing code or terminal output in the forum, you can use a series of three backticks in order to make code blocks more readable. (Those are sometimes called fenced code blocks because the backticks look like little fences around the code.) When asking for help in a forum, whatever you do to make reading easier increases your chances to get answers! :wink:

I went into settings for sys-usb while it was shut down, moved the USB controller from Selected to Available, clicked Apply then OK.

I then went into the settings for the SecurityOnion HVM and moved the PCI device corresponding to the USB controller from the Available column to Selected. I then went to Configure Strict Reset for the USB controller before clicking Apply and OK.

I started the SecurityOnion VM, which was previously running fine before attaching the USB controller, and I get the message

Booting from Hard Disk…
Boot failed: could not read the boot disk

Booting from Floppy…
Boot failed: could not read the boot disk

No bootable device.

This is the same message I receive for all of my other HVMs when the RAM settings are above 4GB. Below 4GB the HVMs boot fine.

SecurityOnion cannot run with 4GB

I’ve tested on my sys-usb HVM and it works fine with 8GB RAM with Intel Alder Lake processor and chipset USB controllers passthrough to it. Seems like the problem exists for some specific PCI devices maybe related to memory addresses used by these devices.

That is correct, I made a mistake.

Based on your advice I attempted to add repos based on what was available from the website https://yum.qubes-os.org/r4.1/

I executed the following in terminal of Security Onion

sudo vi /etc/yum.repos.d/qubes.repo

I then added the following repository configuration

[qubes-templates-itl]
name=qubes-templates-itl
baseurl=https://yum.qubes-os.org/r4.1/templates-itl/
gpgcheck=1
gpgkey=https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
enabled=1
metadata_expire=7d

[qubes-templates-community]
name=qubes-templates-community
baseurl=https://yum.qubes-os.org/r4.1/templates-community/
gpgcheck=1
gpgkey=https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
enabled=1
metadata_expire=7d

[qubes-dom0]
name=qubes-dom0
baseurl=https://yum.qubes-os.org/r4.1/current/dom0/fc32
gpgcheck=1
gpgkey=https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
enabled=1
metadata_expire=7d

I wasn't sure if the link for the baseurl under qubes-dom0 would be accurate since fc32 corresponds to Fedora rather than CentOS. This was the suggestion based on the output from ChatGPT 4.

on the website https://yum.qubes-os.org/r4.1/current/

there is another folder vm/

which has centos7/

to substitute under [qubes-dom0]
baseurl=https://yum.qubes-os.org/r4.1/current/dom0/fc32
gpgcheck=1

with

baseurl=https://yum.qubes-os.org/r4.1/current/vm/centos7/

There was no corresponding CentOS folder in the dom0 subfolder.

I tried using each link in the entry before saving and exiting back to terminal and running the command

sudo yum install qubes-guest-tools qubes-usb-proxy

The output is below and was the same for both links used

Loaded plugins: versionlock
Excluding 5 updates due to versionlock (use "yum versionlock status" to show them)
No package qubes-guest-tools available
No package qubes-usb-proxy available
Error: Nothing to do

I do not believe that the issue is with the versionlock as that was set by the SecurityOnion team for compatibility within the system (it allows you to review the sensor data on other computers). I could be wrong.

I ran the command yum versionlock status

Loaded plugins: versionlock
3:docker-ce-23.0.6-1.el7.*
0:wazuh-agent-4.4.1-1.*
0:docker-ce-rootless-extras-23.0.6-1.el7.*
1:docker-ce-cli-23.0.6-1.el7.*
0:containerd.io-1.6.21-3.1.el7.*
versionlock status done

Anyone have suggestions?

CentOS 7 has reached EOL and is no longer maintained so I’m not sure if you’ll be able to install qubes tools there.
I'd still suggest you just install Security Onion in one of the supported Qubes OS templates.

@MrGreen Let’s start with formatting: I edited the first code quote of your post to format it as a code block.

If you edit it now, you'll see how it's done, and you can do the same for the other blocks of code / terminal output. That will allow the URLs to be read correctly instead of seeing "Index of …". (The forum's automated formatter for links is aware that they shouldn't be modified when they are properly identified as code.)


If you open the repository in a browser, you’ll see that the packages are indeed not there:
https://yum.qubes-os.org/r4.1/current/dom0/fc32/rpm/

So either the package names are wrong, or that’s not the right repository :slightly_smiling_face: (And indeed, the versionlock mention seems unrelated.)

dom0 is never CentOS, that’s why there is no need for such a directory. You can have CentOS virtual machines however (templateVM, appVM, dispVM), which would explain why the vm/centos7 directory exists.

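A way to check a candidate baseurl before writing it into a .repo file, as an added example that is not from the thread or from Qubes OS: it reads the repository's rpm-md metadata the way yum does (baseurl, then repodata/repomd.xml, then the primary package list) and reports which of the wanted package names the repo does not carry. The URL passed in the demo is the one from the thread; both XML documents are constructed samples.

```python
"""Check whether a yum repository really carries the packages you are about
to `yum install`, by reading its rpm-md metadata the way yum does:
baseurl -> repodata/repomd.xml -> the "primary" XML -> <package><name>.
Both XML documents below are constructed samples, not real Qubes metadata."""
import gzip
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"
COMMON_NS = "{http://linux.duke.edu/metadata/common}"

def repodata_url(baseurl: str) -> str:
    """yum fetches baseurl + repodata/repomd.xml, so baseurl must be the repo
    root (the directory holding repodata/), not its rpm/ subdirectory; a wrong
    root is exactly the HTTPS 404 on repomd.xml seen in the thread."""
    return baseurl.rstrip("/") + "/repodata/repomd.xml"

def primary_location(repomd_xml: bytes) -> str:
    """href (relative to baseurl) of the primary metadata listed in repomd.xml."""
    root = ET.fromstring(repomd_xml)
    for data in root.iter(REPO_NS + "data"):
        if data.get("type") == "primary":
            return data.find(REPO_NS + "location").get("href")
    raise ValueError("repomd.xml lists no primary metadata")

def package_names(primary_xml: bytes) -> set:
    """Names of every package in primary.xml, gzip-compressed or plain."""
    if primary_xml[:2] == b"\x1f\x8b":
        primary_xml = gzip.decompress(primary_xml)
    root = ET.fromstring(primary_xml)
    return {p.findtext(COMMON_NS + "name") for p in root.iter(COMMON_NS + "package")}

def missing_packages(primary_xml: bytes, wanted) -> list:
    """Subset of wanted the repo lacks: what yum reports as 'No package ... available'."""
    have = package_names(primary_xml)
    return sorted(p for p in wanted if p not in have)

SAMPLE_REPOMD = b"""<?xml version="1.0"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/0000-primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/0000-filelists.xml.gz"/></data>
</repomd>"""

# constructed sample: this repo carries qubes-core-agent but not qubes-usb-proxy
SAMPLE_PRIMARY = gzip.compress(b"""<?xml version="1.0"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm"><name>qubes-core-agent</name><arch>x86_64</arch>
    <version epoch="0" ver="0.0" rel="0.example"/></package>
</metadata>""")

if __name__ == "__main__":  # live use: urllib.request.urlopen(repodata_url(baseurl))
    print(repodata_url("https://yum.qubes-os.org/r4.1/current/vm/centos7/"))
    print(primary_location(SAMPLE_REPOMD))
    print(missing_packages(SAMPLE_PRIMARY, ["qubes-core-agent", "qubes-usb-proxy"]))
```

Against a live repository, fetch the URL that repodata_url() returns, read the href that primary_location() extracts relative to the baseurl, and feed that file to missing_packages(); an empty list means yum will find the packages.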

Hi @MrGreen. Thanks for the post! I wasn’t aware of the SecurityOnion project, but it does seem interesting!

I took the liberty to add some Markdown formatting to make the post easier to read. I hope you don’t mind. If you do, feel free to revert it via the edit history :pencil2: (top-right corner of the post).

edit:

Whoops. I had missed Gonzalo already having made some edits. This is probably annoying when done twice. Sorry @MrGreen :pray:


Since CentOS is built based on Red Hat, the other option I had was to test using the Fedora-based link for the rpm files in the repo

https://yum.qubes-os.org/r4.1/current/vm/fc38/rpm/

I used the following entry into

[qubes-templates-itl]
name=qubes-templates-itl
baseurl=https://yum.qubes-os.org/r4.1/templates-itl/
gpgcheck=1
gpgkey=https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
enabled=1
metadata_expire=7d

[qubes-templates-community]
name=qubes-templates-community
baseurl=https://yum.qubes-os.org/r4.1/templates-community/
gpgcheck=1
gpgkey=https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
enabled=1
metadata_expire=7d

[qubes-dom0]
name=qubes-dom0
baseurl=https://yum.qubes-os.org/r4.1/current/vm/fc38/rpm
gpgcheck=1
gpgkey=https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
enabled=1
metadata_expire=7d

There seem to be files here related to qubes-usb-proxy, qubes-core-agent and qubes-guest-tools

Input:

sudo yum install qubes-usb-proxy

output:

Loaded plugins: versionlock
https://yum.qubes-os.org/r4.1/current/vm/centos7/rpm/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address  this issue please refer to the below wiki article

https://wiki.centos.org/yum-errors

If above article doesn't help to resolve this issue please use https://bugs.centos.org/

qubes-templates-community          | 3.0 kB 00:00
qubes-templates-itl                | 3.0 kB 00:00
Excluding 5 updates due to versionlock (use "yum versionlock status" to show them)
No package qubes-usb-proxy available
Error: Nothing to do

Input:

sudo yum install qubes-core-agent

output:

Loaded plugins: versionlock
https://yum.qubes-os.org/r4.1/current/vm/fc38/rpm/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below wiki article

https://wiki.centos.org/yum-errors

If above article doesn't help to resolve this issue please use https://bugs.centos.org/

Excluding 5 updates due to versionlock (use "yum versionlock status" to show them)
No package qubes-core-agent available
Error: Nothing to do

Input:

sudo yum install qubes-guest-tools

Output:

Loaded plugins: versionlock
https://yum.qubes-os.org/r4.1/current/vm/fc38/rpm/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below wiki article

https://wiki.centos.org/yum-errors

If above article doesn't help to resolve this issue please use https://bugs.centos.org/

Excluding 5 updates due to versionlock (use "yum versionlock status" to show them)
No package qubes-guest-tools available.
Error: Nothing to do
 

I went to the website https://wiki.centos.org/yum-errors

and they provided a summary of the possible errors (which the one above fell under) as well as the Leading Causes and Fixes.

I attempted Fixes 2 through 4 as I was already connected to the internet however after running all of the previous commands I still received the same error messages.

I updated dom0 through the Qube Manager and serendipitously attempted again to attach the wireless network card to Security Onion through sys-usb (loaning it).

This time I received no errors with attachment and it showed SecurityOnion in parentheses after the peripheral

In order to check that the wireless card was being seen inside of security onion I ran the command

ifconfig -a

which listed out a large number of components despite there being only one virtual NIC originally set up

I then tried a different approach by running

ls /sys/class/net

to list all the connections without descriptions. I still wasn't able to quickly tell the network card, so I removed it and ran the same ls command above, which showed one less listing than before.

I reattached the NIC using the same method as before however running ifconfig -a and ls /sys/class/net results in no change in the listings which means that there possibly is a bug that requires SecurityOnion to be shut down before attempting to reattach devices after disconnecting.

It looks as though the light is at the end of the tunnel, but I am unsure what specifically fixed the issue.

If someone could test this out, I think this could be of great benefit to the community. This also is a path to setting up Hedgehog Linux for analysis with Malcolm as it requires two NICs as well.
Going this route of attachment would allow for the possibility of running Hedgehog Linux/ Malcolm simultaneously with Security Onion, provided that one has a powerful enough laptop or desktop.

The Librem 14 offers up to 64 GB of ram and potentially 4TB (which can later be expanded as memory technology improves year to year) and is the setup I opted for to explore this configuration.

As a side note: utilizing one of the following Wifi adapters may be a more inconspicuous alternative to plugging in a large visible wifi antenna into a laptop, although it may not offer the same range.

https://www.amazon.com/TP-Link-Mini-Wireless-Supports-10-9-10-14/dp/B07PB1X4CN/ref=sr_1_5?crid=36VAF09JGGQ6L&keywords=usb+wifi+card&qid=1684181842&sprefix=usb+wifi+card%2Caps%2C960&sr=8-5

I will restart SecurityOnion and update later.

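The before/after comparison described above, as an added example rather than anything posted in the thread: it snapshots /sys/class/net, diffs the two snapshots and reads the driver and bus type from each interface's device/uevent, so the newly attached USB adapter is identified without eyeballing ifconfig -a. The sysfs tree that demo() scans is a constructed fake written to a temp dir; the MAC addresses and driver names in it are assumed sample values.

```python
"""Find which interface a just-attached USB NIC became inside the VM:
snapshot /sys/class/net before and after the attach, diff the two, and read
driver and bus from each interface's device/uevent. The tree demo() scans is
a constructed fake written to a temp dir, not a real sysfs."""
import os
import tempfile

def describe_iface(root: str, name: str) -> dict:
    """MAC, kernel driver and bus of one interface from the files under root/<name>."""
    base = os.path.join(root, name)
    info = {"name": name, "mac": "", "driver": "", "bus": "virtual"}
    if os.path.isfile(os.path.join(base, "address")):
        with open(os.path.join(base, "address")) as f:
            info["mac"] = f.read().strip()
    uevent = os.path.join(base, "device", "uevent")
    if os.path.isfile(uevent):  # lo and other purely virtual interfaces have no device
        with open(uevent) as f:
            keys = dict(l.strip().partition("=")[::2] for l in f if "=" in l)
        info["driver"] = keys.get("DRIVER", "")
        if keys.get("DEVTYPE") == "usb_interface":
            info["bus"] = "usb"
        else:  # PCI devices carry PCI_SLOT_NAME; a Xen vif carries neither
            info["bus"] = "pci" if "PCI_SLOT_NAME" in keys else "other"
    return info

def snapshot(root: str = "/sys/class/net") -> dict:
    return {n: describe_iface(root, n) for n in sorted(os.listdir(root))}

def new_interfaces(before: dict, after: dict) -> list:
    """Interfaces present only in the after snapshot: the adapter just attached."""
    return [after[n] for n in sorted(set(after) - set(before))]

def build_fake_sysfs(root: str, ifaces: dict) -> None:
    """Constructed stand-in for /sys/class/net: name -> (mac, uevent text or None)."""
    for name, (mac, uevent) in ifaces.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "address"), "w") as f:
            f.write(mac + "\n")
        if uevent is not None:
            os.makedirs(os.path.join(root, name, "device"))
            with open(os.path.join(root, name, "device", "uevent"), "w") as f:
                f.write(uevent)

def demo() -> list:
    """Before: lo plus the Xen-provided eth0; after: a USB Atheros wifi adapter appears."""
    base = {"lo": ("00:00:00:00:00:00", None), "eth0": ("00:16:3e:00:00:01", "DRIVER=vif\n")}
    usb = {"wlan0": ("02:00:00:00:00:02", "DEVTYPE=usb_interface\nDRIVER=ath9k_htc\n")}
    tmp = tempfile.mkdtemp()
    build_fake_sysfs(os.path.join(tmp, "before"), base)
    build_fake_sysfs(os.path.join(tmp, "after"), {**base, **usb})
    return new_interfaces(snapshot(os.path.join(tmp, "before")), snapshot(os.path.join(tmp, "after")))

if __name__ == "__main__":
    for i in demo():
        print(f"new: {i['name']} mac={i['mac']} driver={i['driver']} bus={i['bus']}")
```

On a real VM, call snapshot() with its default root before the qvm-usb attach and again after, and pass the two results to new_interfaces().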

After Restarting Security Onion I have yet to replicate the previous condition.

Edit: In order to work the sys-usb must be restarted before reattaching peripheral to SecurityOnion (restarting security onion is not the issue). Any detachment requires restarting sys-usb.

This is a minor bug but the objective of getting two Adapters into Security Onion appears to be resolved (I just still don’t know which of the steps actually resolved it)

Commands I ran in dom0 that previously gave no result are as follows:

qvm-features Security-Onion stubdom-qrexec 1

and

qvm-usb attach Security-Onion MyPeripherals:3-6

These are the only other relevant changes that I made to the system. MyPeripherals is the persistent version of sys-usb (which is normally defaulted to be disposable) that I have set up for Qubes. One would need to replace the name of this VM with the one that has control over the USB controller.

This command should not have been the reason as the wireless card that I attached to Security Onion currently shows

MyPeripherals:2-1 - ATHEROS_UB93_12345(Security-Onion)

With

MyPeripherals:3-6 Generic_USB3.0_Card_Reader_000000001532

available for use in MyPeripherals for attaching other wireless cards to other VMs (like Hedgehog). Additionally, Security Onion takes about 3 min for all of the internal tools to start even when the OS is fully operational and the terminal is accessible.

I will continue to fiddle around with Security Onion in the coming weeks and update the thread with any additional issues. I will also see about picking up a USB dongle to expand ports as there are only two USB-A ports and one USB-C in addition to 1 HDMI and 1 Ethernet on the Librem 14.
