Enterprise Security Infrastructure Controls and Regulatory Compliance
IS-533 LAB
Purpose
The primary purpose of this lab is to expose the students to network security monitoring and the
level of detail that security standards sometimes require. The secondary purpose of this lab is to
assist in the creation of the final standard for logging.
The lab has been created in three parts:
Part 1: Create two client virtual machines to monitor with Security Onion
Part 2: Create a Security Onion virtual machine and install Splunk
Part 3: Test network settings and explore Security Onion via Splunk
Depending on the type of system you will be using, these labs may take some time to complete.
Specifically, the installation and then update of Security Onion will take over 30 minutes on some
systems. Plan accordingly.
Please post any questions to the Course Discussion Forum. These instructions were written as the
lab was built, so there may be errors. Posting to the forum will allow everyone to adjust the lab.
Requirements
Download VMware for your system at the CDM - VMware software store
http://e5.onthehub.com/WebStore/ProductsByMajorVersionList.aspx?ws=b2c0cd57-97e2-de11-a13b-0030487d8897&vsro=8&JSEnabled=1
Download the 32 bit version of the Ubuntu Desktop for your test systems. Do not apply any
updates yet: once Security Onion is configured and running, the update traffic is something that
can be observed. The Desktop version makes it easier to download other software such as Nmap and
Nessus. The Ubuntu systems will be configured using NAT within VMware Workstation/Fusion
http://www.ubuntu.com/download
Download Security Onion and note that it is a 64 bit distribution. If the laptop/desktop being used
for this lab cannot run it within VMware Workstation/Fusion, follow the install guide for
downloading and installing the Security Onion packages onto the 32 bit version of Ubuntu
Desktop.
http://code.google.com/p/security-onion/wiki/Installation
http://sourceforge.net/projects/security-onion/files/12.04.3/
IS-533 Lab Page 1 of 15
Part 1
Virtual Machine Setup
Each dialog window has a button to proceed through the configuration of the virtual machines
(VM). The instructions assume that once the appropriate fields are entered or selected, the student
will click on the appropriate button.
Open VMware Workstation/Fusion and create two VMs
First VM
1. Navigate the menu and select Create New Virtual Machine
2. Choose Custom
3. Accept the Hardware Compatibility defaults
4. Choose Installer disc image file (iso) and navigate to the folder where you downloaded the
iso image and select it
5. Complete the Easy Install User Information
6. Enter the computer name - ubuntu-1 or anything you will remember (so you can distinguish
between the systems in Security Onion)
7. Accept the Processor defaults
8. Accept the Memory defaults
9. Choose Use network address translation (NAT)
10. Accept the I/O Controller defaults
11. Select Create New Virtual Disk
12. Accept the Default Type
13. Accept the Default for the size - Note: For the lab you will not need more than the default
size provided
14. Accept the Disk file name
15. Click Finish to begin the O/S install - Note: Depending on the speed of your system, the
install may take a while.
16. Upon completion of the VM creation, log on and launch Terminal
17. Type ifconfig and press Enter
a. Enter the First VM's IP address here: 192.168.60.128
18. Follow these steps to create your second VM
a. Enter the second VM's IP address here: 192.168.60.130
19. Test Internet browsing
Part 2
Security Onion Setup
1. Navigate the menu and select Create New Virtual Machine
2. Choose Custom
3. Accept the Hardware Compatibility defaults
4. Choose the Security Onion Installer disc image file (iso) and navigate to the folder where
you downloaded the iso image and select it
5. Use the down arrow to display the Version choices and select Other Linux 2.6.x kernel 64-bit
6. Enter "Security_Onion" for the Virtual Machine Name
7. Accept the Processor defaults
8. Accept the Memory defaults (Use 1024MB if possible)
9. Choose Use network address translation (NAT) (VMware automatically defaults to NAT)
10. Accept the I/O Controller defaults
11. Select Create New Virtual Disk
12. Accept the Default Type
13. Change the Maximum disk size to 20 GB if possible
14. Accept the Disk file name
15. Click Finish
Note: The installation of Security Onion will not start until the VM is powered on.
16. Click VM on Tool Menu and Select Settings
17. Click Add and if prompted by Security Notification, accept it
18. Click Add
19. Click Network Adapter and click Next
20. Ensure that NAT: Used to share the host's IP address is selected
21. Click Finish
22. Click OK to exit Virtual Machine Settings
23. Click Power on this virtual machine
24. Select install - start the installer directly
Note: Depending on the amount of RAM and speed of the system, Security Onion may take some
time to load
25. Double-click on the Install SecurityOnion 12.04 icon
26. Choose language
27. Click Continue without selecting any options on Preparing to install SecurityOnion
28. Select Erase disk and install SecurityOnion
29. Confirm time settings
30. Confirm Keyboard layout
31. Enter User Information
Note: For this lab, select Log in automatically to save time updating Security Onion. This lab will
be done on an isolated network. As a matter of good security practice, this setting is normally left
unselected.
32. Click Restart Now
Note: If you didn't select auto-logon, you will need to log on to continue
33. Double-click on the Terminal Emulator icon on the Desktop
34. Type sudo apt-get update && sudo apt-get dist-upgrade
35. Type your password
36. Type Y to continue
37. Type sudo reboot
38. Enter the password you entered during the install
Note: If you didn't select auto-logon, you will need to log on to continue
39. Double-click on the Setup Icon on the Desktop to begin configuring Security Onion
40. Enter the password you entered during the install
41. Click Yes, Continue
42. Click Yes, configure /etc/network/interfaces
43. Click on eth0 for the management interface
44. Click on DHCP
45. Check the box next to eth1 for the interface used for sniffing
46. Click Yes, make changes and reboot!
Note: If you didn't select auto-logon, you will need to log on to continue
47. Double-click on the Setup Icon on the Desktop to continue configuring Security Onion
48. Click Yes, to continue
49. Click Yes, skip network configuration!
50. Select Advanced Setup
51. Select Standalone
52. Enter a Sguil username
53. Enter an email address for Snorby
54. Enter a password that will be used for Sguil, Squert, Snorby and ELSA (ELSA won't be
used for this lab)
55. Confirm your password
56. Select Snort
57. Select Emerging Threats GPL
58. Select eth1
59. Click Yes, enable the IDS engine
60. Click Yes, enable Bro
61. Click Yes, enable http_agent
62. Click Yes, enable Argus
63. Click Yes, enable Prads
64. Click Yes, enable full packet capture
65. Accept the default for the pcap files
66. Accept the default disk usage size
67. Click No, disable ELSA
68. Click Yes, proceed with the changes
69. Click OK to complete the setup
70. Click OK to acknowledge the Security Onion configuration
71. Click OK to acknowledge support options
72. Security Onion is now configured
73. Open a browser in Security Onion and go to www.splunk.com
Note: Splunk Enterprise 6 was released while creating this lab. There is an option for downloading
older versions. These instructions were written for the version below.
74. Click Free Download
75. Click on Splunk-5.0.5-179365-linux-2.6-amd64.deb or the 32 bit version
76. Register with Splunk
77. Note: Splunk will not send emails except to "thank you" for downloading it. Remember
the password that is created with this step.
78. Click on Splunk-5.0.5-179365-linux-2.6-amd64.deb (or splunk-6.2.1-245427-linux-2.6-amd64.deb)
or the 32 bit version
79. Click on Save file
80. When the download is complete, close the browser and Double-click on Terminal Emulator
81. Type cd Downloads
82. Type sudo dpkg -i splunk-6.2.1-245427-linux-2.6-amd64.deb and enter your password
83. Type sudo /opt/splunk/bin/splunk start
84. Press Enter repeatedly until you reach the end of the license agreement
85. Type Yes to agree with the license
86. Type sudo /opt/splunk/bin/splunk enable boot-start
87. Close the Terminal window
88. Open the browser
89. Navigate to localhost:8000
90. Enter admin and changeme to log in
91. Create a Splunk admin password
92. Click on Manager (top right on menu)
93. Click on Apps
94. Click on Find more apps online
95. In the search field type Security Onion
96. Click on Read more
97. Click on the Documentation tab
98. Scroll down to Required Splunk Apps:
99. Right-click on each of the Apps, and select Open in new tab
100. Click the Download button and accept the license agreements when prompted
101. Save each file (they will be saved to the Downloads folder)
102. Navigate back to the Manager
103. Click on Apps
104. Click on Install app from file
105. Browse to the %user%Downloads folder and select a file
106. Click Upload
107. Do this for each App - Ignore the restart message until all Apps are installed
108. Click on the Download for Security Onion and install it
109. Click Restart Splunk
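Before moving on to Part 3, it is worth checking what Setup wrote to /etc/network/interfaces in steps 42 to 46: the management interface (eth0) gets a DHCP address, while the sniffing interface (eth1) should carry no IP address at all and run promiscuous, so the sensor sees the monitored segment without being addressable on it. The script below is an added example, not part of this lab and not Security Onion's own code. SAMPLE_INTERFACES is constructed in the layout I expect the setup script to produce (an assumption; compare it with the real file on your VM), and parse_interfaces and check_sensor_config are names of my own.

```python
"""Check /etc/network/interfaces for the sensor layout the lab configures.

Added example, not part of the lab and not Security Onion's own code. It
parses an interfaces(5) file and verifies that the management interface
(eth0) has an address method and that the sniffing interface (eth1) has no IP
stack at all and is set promiscuous.
"""
import re

# Constructed sample in the layout Security Onion's setup is expected to write
# for the lab's choices (an assumption: compare against your own file).
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

# Management network interface
auto eth0
iface eth0 inet dhcp

# Connected to TAP or SPAN port for traffic monitoring
auto eth1
iface eth1 inet manual
  up ifconfig $IFACE -arp up
  up ip link set $IFACE promisc on
  down ip link set $IFACE promisc off
  down ifconfig $IFACE down
"""


def parse_interfaces(text):
    """Return {name: {"method": str, "options": [lines]}} for each iface stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = parts[1]
            stanzas[current] = {"method": parts[3], "options": []}
        elif parts[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None  # these keywords start a stanza that is not an iface
        elif current is not None:
            stanzas[current]["options"].append(line)
    return stanzas


def check_sensor_config(text, mgmt="eth0", sniff="eth1"):
    """Return a list of findings; an empty list means the layout is as intended."""
    ifaces = parse_interfaces(text)
    findings = []

    m = ifaces.get(mgmt)
    if m is None:
        findings.append(f"{mgmt}: no iface stanza for the management interface")
    elif m["method"] not in ("dhcp", "static"):
        findings.append(f"{mgmt}: management interface should be dhcp or static, got {m['method']}")

    s = ifaces.get(sniff)
    if s is None:
        findings.append(f"{sniff}: no iface stanza for the sniffing interface")
    else:
        if s["method"] != "manual":
            findings.append(f"{sniff}: sniffing interface should be 'inet manual', got {s['method']}")
        if any(o.split()[0] in ("address", "gateway") for o in s["options"]):
            findings.append(f"{sniff}: sniffing interface must not carry an IP address or gateway")
        if not any(re.search(r"\bpromisc on\b", o) for o in s["options"]):
            findings.append(f"{sniff}: sniffing interface is never set promiscuous")
    return findings


if __name__ == "__main__":
    # On the Security Onion VM: check_sensor_config(open("/etc/network/interfaces").read())
    for line in check_sensor_config(SAMPLE_INTERFACES) or ["OK: sensor interface layout matches the lab"]:
        print(line)
```

Run as-is it checks the constructed sample; on the Security Onion VM, feed it the real file as shown in the comment. A finding on eth1 usually means the interface was picked up by DHCP or given an address, which makes the sensor itself reachable from the segment it is supposed to be watching.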
Part 3
1. Double-click on the Terminal Emulator icon
2. Type sudo wireshark
3. Enter your password
4. Choose OK to accept the warning about running Wireshark as root
Note: There is a secure configuration for running Wireshark that should be undertaken for
production systems.
5. Start capturing on eth0
6. In the Filter box, type icmp (the display filter field name is lowercase) and click Apply
7. In one of the Ubuntu systems, open a terminal and ping the other one
8. Insert a print screen of your Wireshark capture here:
9. Browse to http://localhost:8000
10. Log in using admin and the password you defined
11. Navigate to the Security Onion App
12. Insert a Print Screen of the Overview page here:
13. Open the Snorby page from Security Onion. If there is an error, correct the URL to
https://localhost:444
14. Add a security exception in your browser
15. Log in using the email address and password you provided during the install
16. Insert a print screen of the Snorby Dashboard here:
17. Exit Wireshark without saving the capture
18. Open the Squert page. If there is an error, correct the URL to
https://localhost/squert/login.php
19. Insert a print screen of the Squert Dashboard here:
20. Start your Ubuntu virtual machines
21. Apply the security updates on both systems
22. Observe the changes to the Overview, Snorby and Squert Dashboards
23. This completes the lab. Make sure each virtual machine is closed down cleanly.
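The ping in step 7 and the update traffic in step 21 are what the Snort engine enabled in Part 2 (with the Emerging Threats GPL rules) turns into alerts, and those alerts are what the Snorby and Squert dashboards summarise. The script below is an added example, not part of this lab and not Security Onion's or Snort's own code: it parses alert lines in the one-line "fast" format Snort writes, keeps the ones involving the two lab VMs from Part 1, and counts ICMP events between them separately from everything else the VMs generate. The SAMPLE_ALERTS lines are constructed for illustration (timestamps, rule IDs and the external address 203.0.113.10 are made up), and parse_fast_alert and summarize_lab_alerts are names of my own.

```python
"""Summarise Snort "fast" alerts for the lab's ping test and update traffic.

Added example, not part of the lab and not Security Onion's own code. It
parses one-line alerts in the fast format Snort writes, keeps the ones that
involve the two lab VMs, and counts ICMP events per signature and direction
separately from everything else the VMs generate (such as apt traffic).
"""
import re
from collections import Counter

# The two Ubuntu client VMs recorded in Part 1, steps 17a and 18a.
LAB_VMS = {"192.168.60.128", "192.168.60.130"}

# Constructed sample alerts: timestamps, rule IDs and the external address
# (203.0.113.10, a documentation range) are made up for illustration.
SAMPLE_ALERTS = """\
10/21-14:03:11.120334  [**] [1:2100366:10] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.60.128 -> 192.168.60.130
10/21-14:03:11.120501  [**] [1:2100408:8] GPL ICMP_INFO Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.60.130 -> 192.168.60.128
10/21-14:03:12.121002  [**] [1:2100366:10] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.60.128 -> 192.168.60.130
10/21-14:05:40.000123  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.60.128:49152 -> 203.0.113.10:80
this line is not an alert and must be skipped, not crash the parser
"""

# One regular expression for the fast format:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Parse one fast-format line into a dict, or return None for anything else."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert


def summarize_lab_alerts(text, hosts=LAB_VMS):
    """Count alerts touching the lab VMs.

    Returns {"icmp": Counter keyed by (msg, src, dst) for ICMP between two lab
    hosts, "other": Counter keyed by (msg, proto) for everything else a lab
    host was part of, "skipped": number of non-empty lines that did not parse}.
    """
    icmp, other, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_fast_alert(line)
        if a is None:
            skipped += 1  # malformed or unrelated line: count it, never crash
            continue
        if a["src"] not in hosts and a["dst"] not in hosts:
            continue  # not about the lab VMs
        if a["proto"] == "ICMP" and a["src"] in hosts and a["dst"] in hosts:
            icmp[(a["msg"], a["src"], a["dst"])] += 1
        else:
            other[(a["msg"], a["proto"])] += 1
    return {"icmp": icmp, "other": other, "skipped": skipped}


if __name__ == "__main__":
    result = summarize_lab_alerts(SAMPLE_ALERTS)
    for (msg, src, dst), n in sorted(result["icmp"].items()):
        print(f"{n:3d}  {src} -> {dst}  {msg}")
    for (msg, proto), n in sorted(result["other"].items()):
        print(f"{n:3d}  {proto:<5} {msg}")
    print(f"skipped {result['skipped']} unparsable line(s)")
```

The direction split (request from .128 to .130, reply from .130 to .128) is the same thing you see in the Wireshark capture from step 8, and the separate "other" bucket is where the post-update policy alerts from step 22 land, so the counts can be compared against what the Overview, Snorby and Squert dashboards show.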