You are one of the best ever teacher with such clarity that I have ever listen on utube! Millions thanks for this great share!

Thank you for your time and clear walkthrough :)

Great video. Pretty clear and useful. But, at the end of the process, I am not getting alerts on Squert, having run the exact same steps. Any help with this would be appreciated. Thanks!

Hi Jesse Thanks for this wonderful video. I have installed security onion and everything seems to be working fine. When we run the demo av file in it we can see the logs packets and all the relevant information. What do we have to do to use security only to capture live traffic via a spanned port and display traffic details on the kabana dashboard. We have tried everything and unfortunately we are unable to see any live traffic information. Or we can to capture file on a separate PC using wireshark and upload that .pcap ?

Best tutorial i seen so far!

Sir this is fantastic. You made me take my lab to the next level. I was wondering if you could make more videos for beginners like us to take us to the next level after installing the SO. More inclined towards advance setup, and how to monitor, analyze etc stuff. This will not only fill confidence in new users, but will also attract new enthusiasts to try out SO for their lab and enterprises.

Awesome, thanks Jesse!

Can you show how we can access Securityonion Console webpage, In latest version we have lot of ools included in SOC page

I will be trying it out tonight

great tutorial

Awesome tutorial I have subd

Can anybody tell how can i put my network interface to promiscuous mode in my vmware workstation pro15

i didn't understand how Security Onion communicate with the host. how data from the host flows to Security Onion - without sharing data from host how sguil for example can show alerts? (i'm new so sorry if the question is not clear enough)

Do you have anymore Videos on Security Onion? Is there an Udemy that focuses on Security Onion you teach?

I've followed every step, up to 'sudo tcpreplay -l 20 -i enp0s8 -t /opt/samples/zeus-sample-1.pcap ', however, Squert is not picking up on trojan alerts. Running on Hyper-V, advice is appreciated.

Hi Jesse Thankyou for this great video. Everything is working fine but I am not able to locate peek app using locate zeus and thus subsequent command is not running. How to resolve this?

Hi Jesse, How are you doing? I really liked your video and full of great information and easy steps to follow. I did have some issues though and I would like some help solving them. I have tried to solve them I have not not had success yet. For instance, I had issues with seeing the quert alerts at the end and I think is because of the two issues. First issue is I couldn't set the network adapter from manual to automatic, once I press "apply" I receive an error" and the second issue is the "so-logstash" service keeps failing on me. I reset the services as you indicated in the video and this is the only service it keeps failing. I hope I could get some feedback and guidance, thank you in advance! Carlos Moya

Jesse. Good Stuff for noobs. Question about bridging my LAN interface on my laptop to make it the sniffing interface. I'm running VB 6.0 on my laptop (testing) per your setup instructions. Windows 10, Wifi interface connected to my LAN segment (just did NAT inside the VM), physical NIC on the laptop is not configured, but I have it in bridged mode connected to a SPAN of my internet WAN interface on my firewall. enp0s3 - mgmt nic enp0s8 - sniffer nic my win10 physical machine running Wireshark can see all traffic - promiscuously in the VM, tcpdump on the enp0s8 interface can only see broadcast and multicast, the VB settings for Adapter 2 is set to Bridged promiscuous mode - Allow ALL. I don't understand why VB/Ubuntu isn't seeing all traffic. help? also, will the SecOnion tools app see this traffic without additional configuration?

Unable to connect localhost on port 3374 . when I am starting sguil this error was occurring what I have to do?

When doing the locate zeus, and the 'sudo tcpreplay -l 20 -i enp0s8 -t /opt/samples/zeus-sample-1.pcap' , the trojan activity did not pop up in squert. after 20 minutes of troubleshooting, I was able to figure out that I didn't necessarily have enough RAM, and that the logstash wasn't working properly. I then tried the 'sudo sosetup-minimal' command, which seemingly fixed everything. Can you make any sense of this?

I installed SO successfully, and update it, but nothing show on SGUIL, I checked all the services, all OK. I am running SO on VMware fusion (MAC). Any hint?

Good video, thank you!

so nice, very kind! thanks ^____^

Very clear instructions thank you. What would you do if you have no domain name? Can't get past this part of the install.

Hi Jesse, Recently i have started my project under which i am configuring SO on AWS to monitor mirror traffic. But unfortunately i am also facing Below issues. >Internet is not working post installation: I am using Ubuntu 16.04, t2.large instance there are 2 interfaces on the instance eth0 and eth1 with no wireless interface. >Somehow elastic stack is also in failed state after installation. During installation i haven't encountered any issues or error which may result in elastic stack failure. I tried restarting ELK stack but it's not working. >AWS mirror events are reaching SO and i am able to see events through tshark on monitoring interface 1(eth1) Not able attach SS for your reference hence pasting output of /etc/network/interfaces and service status for your reference. Need your support to mitigate these issues. **************************************************************************************************** /etc/network/interfaces root@ip-10-1-2-84:~# cat /etc/network/interfaces # This configuration was created by the Security Onion setup script. # # The original network interface configuration file was backed up to: # /etc/network/interfaces.bak. # # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # loopback network interface auto lo iface lo inet loopback # Management network interface auto eth0 iface eth0 inet static address 10.1.2.84 gateway 10.1.2.1 netmask 255.255.255.0 dns-nameservers 10.1.2.84 dns-domain lab.com auto eth1 iface eth1 inet manual up ip link set $IFACE promisc on arp off up down ip link set $IFACE promisc off down post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 # You probably don't need to enable or edit the following setting, # but it is included for completeness. # Note that increasing beyond the default may result in inconsistent traffic: # taosecurity.blogspot.com/2019/04/troubleshooting-nsm-virtualization.html # post-up ethtool -G $IFACE rx ********************************************************************************************************** SO service outcome root@ip-10-1-2-84:~# sudo so-status sudo: unable to resolve host ip-10-1-2-84: Connection refused Status: securityonion * sguil server [ OK ] Status: HIDS * ossec_agent (sguil) [ OK ] Status: Bro Name Type Host Status Pid Started bro standalone localhost running 6901 19 Sep 12:41:39 Status: ip-10-1-2-84-eth1 * netsniff-ng (full packet data) [ OK ] * pcap_agent (sguil) [ OK ] * snort_agent-1 (sguil) [ OK ] * snort-1 (alert data) [ OK ] * barnyard2-1 (spooler, unified2 format) [ OK ] Status: Elastic stack * so-elasticsearch/usr/sbin/so-elasticsearch-status: line 22: docker: command not found [ FAIL ] * so-logstash/usr/sbin/so-logstash-status: line 25: docker: command not found [ FAIL ] * so-kibana/usr/sbin/so-kibana-status: line 22: docker: command not found [ FAIL ] * so-freqserver/usr/sbin/so-freqserver-status: line 22: docker: command not fo und [ FAIL ] * so-curator/usr/sbin/so-curator-status: line 22: docker: command not found [ FAIL ] * so-elastalert/usr/sbin/so-elastalert-status: line 22: docker: command not fo und [ FAIL ] ************************************************************************************************************************* Thanks in Advance, Nitesh

hello, i'm researching through security onion, i see SO apply the alert in download.conf, Can i create the alert in local.conf and use it ? and Can i ignore the alerts in the download.conf? thanks

How can we import syslog and AV logs in the security onion. Is there a way to import these files without connecting devices? Jesse K

how do i configure elastalert to send emails in security onion ?

hi. how do i block ftp 21 and smtp 25 using SO?

excellent Video!!!!!!!!!!!! sir now i am started as noob in security monitoring now i want to know how security onion monitor other machines in the network?? is it all other machines in my network need any packages to install?? and how can i make my security onion monitor all my systems in the network.

we did everything step by step till time frame of 7:18 minutes. and im getting Fatal : no bootable medium found. can you help with this?

Plz help. Cant use wireshark and network miner in sguil.

Hi, I recently instaled SO, and everything seems to work, except when I try to run curl testmyids.com, I don't get any alerts, I checked if the rule is enabled and it seems to be, so I don't know what could be the problem. I'm totally new to all of this and would appreciate any suggestions

can i install SO on centOS 7 ?

I know this may be tedious, but if possible, can you make a video on how to set up Security Onion with Proxmox? i.e. Mirroring traffic from a switch to a VM on Proxmox?

Great tutorial. Followed every step, installed and verified smoothly. Still, I cannot log in to any tool. For instance when I log to sguil, it says invalid user name or pass. And I am inputting correct one. I did restart server, everything is OK, but still cannot log in. Anyone has same issue?

I've got a noob question. At the end of the tutorial when opening Squert, I get a privacy error NET::ERR_CERT_AUTHORITY_INVALID. Should I worry about this? I didn't see it in your video. Any tips?

I found myself having to baby SO, if I just let it run for a while, something would break and some service would stop.

I installed this on my mums laptop

please who can help , i need to run command below , how to fix , thanks 1 max@max-VirtualBox:~$ sudo service nsm status ● nsm.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead) max@max-VirtualBox:~$