Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The majority of deployments for Security Onion and IDS/IPS require a tap or span port to mirror the traffic to the host running Security Onion. Most cloud environments don’t provide anything like a tap or span port, so we will show you on this guide how to install Security Onion on AWS.

Solution Overview
Most cloud environments don’t provide anything like a tap or span port, but we can use daemonlogger or netsniff-ng as a virtual tap. This virtual tap will copy all traffic from our production cloud box to an OpenVPN bridge, that transports the traffic to our Security Onion sensor where it is then analyzed. This guide has been tested on a Ubuntu 16.04 AWS machine and Security Onion 16.04.
This approach is considered experimental! USE AT YOUR OWN RISK!
The cloud client uses daemonlogger to copy all packets from eth0 to tap0 (OpenVPN). OpenVPN transports the packets to the cloud sensor, where tap0 is a member of bridge br0. The standard Security Onion stack sniffs br0. NIC offloading functions must be disabled on all of these interfaces (eth0 and tap0 on cloud client, and tap0 and br0 on cloud sensor) to ensure that Snort, Bro, etc. all see traffic as it appeared on the wire.
Installing Ubuntu and Packages required for Security Onion
We are going to install Ubuntu 16.04 (ami-0565af6e282977273) on AWS and enable the GUI. If you don’t know how to enable the GUI on a Ubuntu EC2 Machine, please check the post ‘How To Enable GUI On AWS EC2 Ubuntu server’. In order to have a functional Security Onion we will provision the AWS instance with 8GB of RAM and 2 Cores (instance type m5a.large). We have found out these are the minimum requirements, to have a working Security Onion Deployment. As part of the installation, we need to assign a Security Group, which allows TCP/22, TCP/443, TCP/80, UDP/1194 and TCP/3389. You can use the GUI for launching the EC2 instance, or AWS CLI commands like the followings:
aws ec2 create-security-group --group-name securityonion --description "securityonion"Take note of the group-id and replace below, These are the rules which will enable us to connect to the EC2 instance, you can replace the IP address with your own IP if you only want to allow access for yourself, which is our recommendation.
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 443 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol udp --port 1194 --cidr 0.0.0.0/0On the next command we will create the EC2 instance, replace with the SSH key you usually use for connecting to your EC2 instances and with the id of the securityonion security group that we just created.
aws ec2 run-instances --image-id ami-0565af6e282977273 --instance-type m5a.large --key-name key --security-group-ids <group-id>Enabling GUI on EC2 Instance
After creating the instance, enable GUI and RDP access to it. This is required because the Security Onion Wizard requires GUI. If you don’t know how to do that, check the post ‘How To Enable GUI On AWS EC2 Ubuntu server’
Installing the required packages
Login to the EC2 instance and run the following commands:
echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update
sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update
sudo apt-get -y install securityonion-all syslog-ng-core
sudo apt-get updateSecurity Onion Sensor
We are going to install and launch the wizard for SecurityOnion now.
First, ensure that the bridge-utils package is installed:
sudo apt-get install bridge-utilsFor the next steps you need to connect through RDP to the device, using a RDP Client.
Run Security Onion Setup Phase 1 (Network Configuration), allow it to write your /etc/network/interfaces file, but DON’T reboot at the end:
sudo sosetupAdd br0 to /etc/network/interfaces and disable offloading functions:
cat << EOF | sudo tee -a /etc/network/interfaces
# Bridge for OpenVPN tap0
auto br0
iface br0 inet manual
  bridge_ports none
  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
EOFReboot:
sudo rebootRun Security Onion Setup Phase 2 and choose to monitor br0:
sudo sosetupSetup has locked down the UFW firewall, so let’s go ahead and allow OpenVPN port 1194 and 443 so we can connect to the SecurityOnion GUI:
sudo ufw allow 1194
sudo ufw allow 443Install OpenVPN:
sudo apt-get update
sudo apt-get install openvpn easy-rsaNext, copy files to the /etc/openvpn/easy-rsa/ directory:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/The next step, changing the certificate details, is optional if you are just building a lab, although it must be done if deploying in production:
Edit /etc/openvpn/easy-rsa/vars:
sudo vi /etc/openvpn/easy-rsa/varsChange these lines at the bottom so that they reflect the proper settings for your new CA:
export KEY_COUNTRY
export KEY_PROVINCE
export KEY_CITY
export KEY_ORG
export KEY_EMAIL
export KEY_CN
export KEY_NAME
export KEY_OUSetup the CA and create the first server certificate:
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:sudo .  ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
sudo su
source ./vars ## execute your new vars file
./clean-all  ## Setup the easy-rsa directory (Deletes all keys)
./build-ca  ## generate the master Certificate Authority (CA) certificate and key
./build-key-server server ## creates a server cert and private key
./build-dh
cd keys
cp server.crt server.key ca.crt dh2048.pem /etc/openvpn/
# The Certificate Authority is now setup and the needed keys are in /etc/openvpn/Create a script that OpenVPN will call when the tunnel comes up to add tap0 to br0 and disable offloading functions on tap0:
cat << EOF | sudo tee -a /etc/openvpn/up.sh
#!/bin/sh
BR=\
DEV=\
/sbin/ip link set "$DEV" up promisc on
/sbin/brctl addif $BR $DEV
for i in rx tx sg tso ufo gso gro lro; do ethtool -K $DEV $i off; done
EOFCreate a script that OpenVPN will call when the tunnel goes down:
cat << EOF | sudo tee -a /etc/openvpn/down.sh
#!/bin/sh
BR=\
DEV=\
/sbin/brctl delif $BR $DEV
/sbin/ip link set "$DEV" down
EOFMake both of these scripts executable:
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.shCreate OpenVPN server.conf:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gzModify /etc/openvpn/server.conf:
sudo sed -i 's|^dev tun$|;dev tun|g' /etc/openvpn/server.conf
sudo sed -i 's|^;dev tap|dev tap|g' /etc/openvpn/server.conf
sudo sed -i 's|^comp-lzo|;comp-lzo|g' /etc/openvpn/server.conf
sudo sed -i 's|^dh dh1024.pem|dh dh2048.pem|g' /etc/openvpn/server.conf
cat << EOF | sudo tee -a /etc/openvpn/server.conf
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
EOFRestart OpenVPN server:
sudo service openvpn restartCheck log for errors:
sudo tail -f /var/log/syslogVerify tap0 came up:
ifconfigIf tap0 is UP, the installation on the Security Sensor is completed. If that is not the case, make sure you didn’t miss any step and that you run the commands with root privilgeies (sudo) or from a root shell (sudo su)
Generate client certs
Now that we have completed the installation of Security Onion, we can move on to the requirements for configuring each client. This is the part, where the usual IDS/IPS configuration is different, to the setup for the solution in a Cloud environment. As we don’t have a tap or span port, we need to configure each client to forward the traffic to the Security Onion Sensor.
Perform the steps in this section for each cloud client you want to monitor.
Generate client cert (replacing client with the name of the cloud client you want to add):
sudo su
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
source ./vars             ## execute the vars file
./build-key clientThe next step is to copy the files to the client. This step is VERY IMPORTANT, do not try to configure the VPN in the client without performing these steps first, because the tap0 interface won’t come up on the client and you will have a hard time figuring out why, so before getting in any client configuration copy the files as described below:
scp /etc/openvpn/easy-rsa/keys/client* username@hostname:~/
scp /etc/openvpn/easy-rsa/keys/ca.crt username@hostname:~/Cloud client configuration
Now, we can move to the actual configuration on the client itself. We are also going to use Ubuntu 16.04, as the new EC2 instance that will be the client for this guide. 
Log-in to the client using SSH and as explained before, check you have the required files in the home directory:
ls -la client* ca.crtIf the files are there, then you can carry on and perform the steps in this section on each cloud client you want to monitor.
Install openvpn and daemonlogger:
sudo apt-get update
sudo apt-get install openvpn daemonloggerCopy crt files to /etc/openvpn/:
sudo cp client* /etc/openvpn/
sudo cp ca.crt /etc/openvpn/Create OpenVPN client.conf:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/Modify /etc/openvpn/client.conf:
sudo sed -i 's|^dev tun$|;dev tun|g' /etc/openvpn/client.conf
sudo sed -i 's|^;dev tap|dev tap|g' /etc/openvpn/client.conf
sudo sed -i 's|^comp-lzo|;comp-lzo|g' /etc/openvpn/client.conf
cat << EOF | sudo tee -a /etc/openvpn/client.conf
up "/etc/openvpn/up.sh"
down "/etc/openvpn/down.sh"
EOFFind the “remote my-server-1 1194” line in /etc/openvpn/client.conf and replace my-server-1 with the hostname or IP address of your OpenVPN server.
Create a script that OpenVPN will call when the tunnel comes up to disable offloading functions on tap0 and start daemonlogger. The daemonlogger BPF at minimum should exclude the OpenVPN traffic on port 1194 (‘not port 1194’). You may need to restrict this BPF even further, if there is other traffic you do not wish to send across the OpenVPN tunnel.
cat << EOF | sudo tee -a /etc/openvpn/up.sh
#!/bin/sh
IN=eth0
OUT=\
daemonlogger -d -i $IN -o $OUT 'not port 1194'
for i in rx tx sg tso ufo gso gro lro; do ethtool -K $OUT $i off; done
EOFCreate a script that OpenVPN will call when the tunnel goes down:
cat << EOF | sudo tee -a /etc/openvpn/down.sh
#!/bin/sh
pkill daemonlogger
EOF
 Make both of these scripts executable:
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
Restart OpenVPN client:
sudo service openvpn restartCheck log for errors:
tail -f /var/log/syslogVerify that tap0 came up:
ifconfigIf the tap0 doesn’t come up, verify you can connect from the client to the Security Onion Server, they need to be able to communicate through udp/1194, so check your security group settings if that is not the case.
Disable NIC offloading functions on main ethernet interface. Add the following to your eth stanza in /etc/network/interfaces OR add to /etc/openvpn/up.sh:
post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; doneCheck traffic
Your Security Onion sensor should now be seeing traffic from your Cloud Client. Verify as follows:
sudo tcpdump -nnvvAi tap0tap0 should be a member of br0, so you should see the same traffic on br0:
sudo tcpdump -nnvvAi br0When you ran Setup phase 2, you configured Security Onion to monitor br0, so you should be getting IDS alerts and Bro logs.
This guide ‘How to install Security Onion on AWS’, has been written by our Principal Consultant Oscar Pucheta.