Security Onion是一个免费和开放的Linux发行版,用于威胁搜索、企业安全监控和日志管理。
易于使用的设置向导允许你在几分钟内为你的企业建立一支分布式传感器部队
Security Onion包括一个原生的网络界面,其内置的工具可供分析师用于响应警报、威胁狩猎、将证据编入案例、监控网格性能等
一、准备服务器环境,当前环境:
1.Centos7.9 32G 8C 300G 两块网卡
2.准备docker镜像加速工具,执行安装拉取镜像不加速会失败,开启加速工具后需要将主机名、127.0.0.1、localhost,排除在外不然会导致无法写入es容器数据,导致容器启动失败。
二、开始安装,首先配置加速器
1.开启加速器,我这里使用的是如下工具,其他需要各位自己解决,进入加速器目录,配置好config.json文件,启动docker镜像加速器。
2.查看加速器端口,配置本地加速环境变量,私网地址和本机主机名无需加速
[root@220-220 v2ray]# netstat -lntup
tcp 0 0 127.0.0.1:10808 0.0.0.0:* LISTEN 4426/
tcp 0 0 127.0.0.1:10809 0.0.0.0:* LISTEN 4426/
[root@220-220 v2ray]# vim /etc/profile
79 no_proxy_192=$(echo 192.168.220.{1..255}|sed 's/ /,/g') #不加速的地址,必须包括本地地址,根据自己要求修改
80 export no_proxy="220-220,${no_proxy_192}" #不加速生效,包括220-220主机名和以上私网地址
81 export https_proxy=127.0.0.1:10809 #https通过本地10809加速
82 export http_proxy=127.0.0.1:10809 #https通过本地10809加速
3.git拉取项目
[root@220-220 ~]# git clone https://github.com/Security-Onion-Solutions/securityonion
4.安装security onion
[root@220-220 v2ray]# cd /root/securityonion/
[root@220-220 securityonion]# ./so-setup-network
选择YES
选择EVAL
填写AGREE
填写主机名
选择YES
选择Ok
选择流量镜像接口网卡,Ok
选择自动更新
写入地址
选择安装的插件
Docker 容器ip保持默认
填写管理员邮箱地址
输入两次管理员密码
使用IP地访问WEB页面
选择YES
填写需要访问的地址0.0.0.0/0为所有地址可以访问
确认填写的信息
等待安装
[root@220-220 ~]# tailf sosetup.log #查看安装日志
[root@220-220 ~]# while sleep 3; do docker images | grep ghcr.io | wc -l;done
5 #查看当前已经pull多少镜像
[root@220-220 ~]# docker images| grep -v 220-220 | wc -l #共需要下载32个镜像
32
[root@220-220 ~]# docker ps |grep -v ID |wc -l #共启动30个容器
30
[root@220-224 ~]# so-allow #开放端口
Choose the role for the IP or Range you would like to allow
[a] - Analyst - 80/tcp, 443/tcp
[b] - Logstash Beat - 5044/tcp
[e] - Elasticsearch REST API - 9200/tcp
[f] - Strelka frontend - 57314/tcp
[o] - Osquery endpoint - 8090/tcp
[s] - Syslog device - 514/tcp/udp
[w] - Wazuh agent - 1514/tcp/udp
[p] - Wazuh API - 55000/tcp
[r] - Wazuh registration service - 1515/tcp
Please enter your selection: a #a 80/443端口
Enter a single ip address or range to allow (ex: 10.10.10.10 or 10.10.0.0/16): 192.168.28.0/24 #允许访问的地址
Adding 192.168.28.0/24 to the analyst role. This can take a few seconds...
[root@220-220 ~]# so-status #查看各组件状态
Checking Docker status
Docker ----------------------------------------------------------------------------------------------------------------- [ OK ]
Checking container statuses
so-aptcacherng --------------------------------------------------------------------------------------------------------- [ OK ]
so-curator ------------------------------------------------------------------------------------------------------------- [ OK ]
so-dockerregistry ------------------------------------------------------------------------------------------------------ [ OK ]
so-elastalert ---------------------------------------------------------------------------------------------------------- [ OK ]
so-elasticsearch ------------------------------------------------------------------------------------------------------- [ OK ]
so-filebeat ------------------------------------------------------------------------------------------------------------ [ OK ]
so-fleet --------------------------------------------------------------------------------------------------------------- [ OK ]
so-grafana ------------------------------------------------------------------------------------------------------------- [ OK ]
so-idstools ------------------------------------------------------------------------------------------------------------ [ OK ]
so-influxdb ------------------------------------------------------------------------------------------------------------ [ OK ]
so-kibana -------------------------------------------------------------------------------------------------------------- [ OK ]
so-kratos -------------------------------------------------------------------------------------------------------------- [ OK ]
so-mysql --------------------------------------------------------------------------------------------------------------- [ OK ]
so-nginx --------------------------------------------------------------------------------------------------------------- [ OK ]
so-playbook ------------------------------------------------------------------------------------------------------------ [ OK ]
so-redis --------------------------------------------------------------------------------------------------------------- [ OK ]
so-sensoroni ----------------------------------------------------------------------------------------------------------- [ OK ]
so-soc ----------------------------------------------------------------------------------------------------------------- [ OK ]
so-soctopus ------------------------------------------------------------------------------------------------------------ [ OK ]
so-steno --------------------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-backend ----------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-coordinator ------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-filestream -------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-frontend ---------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-gatekeeper -------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-manager ----------------------------------------------------------------------------------------------------- [ OK ]
so-suricata ------------------------------------------------------------------------------------------------------------ [ OK ]
so-telegraf ------------------------------------------------------------------------------------------------------------ [ OK ]
so-wazuh --------------------------------------------------------------------------------------------------------------- [ OK ]
so-zeek ---------------------------------------------------------------------------------------------------------------- [ OK ]
5、页面展示
登录页面
文章来源:https://www.toymoban.com/news/detail-518618.html
问题记录:在执行安装命令时,安装进程会将的daemon.json管理配置文件会将registry-mirros里面的内容清空,security onion需要推送镜像到本地私有仓库,找不到私有仓库地址会导致docker重启失败,文件如下:
[root@120-221 ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": [ "https://:5000" ],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base" : "172.17.0.0/24",
"size" : 24
}
]
}
处理方式:启动安装命令后手动将本地ip地址加入registry-mirros:私有仓库地址,实例如下:
文章来源地址https://www.toymoban.com/news/detail-518618.html
到了这里,关于Security onion 开源IDS入侵检测系统 2.3.220超详细保姆级部署教程的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!