Once the Security Onion image is installed, not much is happening until you actually install the applications whose installation Security Onion simplifies. The primary purpose, at least from this tutorial's perspective, is the installation of Snort and Snorby, as well as several other Snort-related moving parts such as PulledPork and Barnyard.
Snort is the IDS itself, while Snorby is the user interface. There are several options for a Snort user interface, and in fact these installation instructions will install three of them: Snorby, Squert and Sguil (though Snorby is a personal favorite). More information on the available Snort GUIs can be found on Snort's blog here.
Again, before I dive directly into my tutorial, please be aware that Irongeek has posted a great video tutorial here.
Step 1: Launch the Snorby/Snort Installation Wizard
To begin the installation of Snort/Snorby within Security Onion, simply click the Snorby icon on the desktop. If you are running this in a VM, you may be prompted to enter your host system's admin password.
Step 2: Breezing through the installation wizard
1. Yes, Continue!
2. Yes, use Quick Setup!
3. Enter a username you like (for the Sguil login)
4. Enter an e-mail address you like (for the Snorby login)
5. Enter the password you want (for Sguil, Squert, and Snorby)
6. Confirm your password
7. Yes, proceed with the changes!
This is a simple setup. If you want Snort to listen on a non-default interface, choose Advanced Setup instead of Quick Setup at step two and change the interface there.
Step 3: Update Snort Rules
This is the last step before it is time to log into the Snorby interface. Simply go to Applications -> IDS Rules -> Rule Update.
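As an added sanity check (an example script of mine, not part of the original tutorial or of Security Onion): once the rule update finishes, counting enabled versus commented-out rules confirms that a non-empty ruleset actually landed before you trust the dashboard. The rules file path is an assumption, and the sample rules are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not Security Onion's own code. On a real sensor point
# count_rules/enabled_sids at the downloaded ruleset, assumed to be
# /etc/nsm/rules/downloaded.rules (path is an assumption).

# Write a small constructed rules file so the check runs offline.
make_sample_rules() {
  cat > "$1" <<'EOF'
# Constructed sample, not real Snort/VRT rules
alert tcp any any -> any 80 (msg:"SAMPLE web probe"; sid:9000001; rev:1;)
# alert udp any any -> any 53 (msg:"SAMPLE disabled dns"; sid:9000002; rev:1;)
alert icmp any any -> any any (msg:"SAMPLE ping"; sid:9000003; rev:2;)
EOF
}

# count_rules FILE -> prints "<enabled> <disabled>"
# Enabled rules start with an action keyword; disabled ones are the
# same line commented out with '#'. "|| true" keeps a zero count from
# aborting a script run under set -e (grep -c exits 1 on no match).
count_rules() {
  enabled=$(grep -cE '^(alert|log|pass|drop|reject|sdrop) ' "$1" || true)
  disabled=$(grep -cE '^# *(alert|log|pass|drop|reject|sdrop) ' "$1" || true)
  echo "$enabled $disabled"
}

# enabled_sids FILE -> prints the SID of every enabled rule, one per line
enabled_sids() {
  grep -E '^(alert|log|pass|drop|reject|sdrop) ' "$1" \
    | sed -nE 's/.*sid:([0-9]+);.*/\1/p'
}

# Stand-alone usage: build the sample, report, and refuse an empty ruleset.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_rules "$tmp"
  set -- $(count_rules "$tmp")
  echo "enabled=$1 disabled=$2"
  echo "enabled SIDs: $(enabled_sids "$tmp" | tr '\n' ' ')"
  rm -f "$tmp"
  [ "$1" -gt 0 ] || { echo "no enabled rules: rule update failed?" >&2; exit 1; }
fi
```

Run with `--demo` to see the report on the constructed sample; an empty enabled count on a real sensor means the Rule Update step did not deliver a usable ruleset.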
Step 4: Login to Snorby
This can be done either by double-clicking the “Snorby” icon or by pointing a browser on the local network at https://
Step 5: Checkout the Dashboard
Once logged in, the Snorby dashboard will appear. If one needs to populate some test data into the IDS, try visiting here (this will produce a few false-positive triggers, but at least one will know the IDS is monitoring!).