First and foremost, I know SecurityOnion 16.04 for EOL/EOS. We are trying to move away from it, it takes time. So I am trying to add new capabilities to the system. One is Strelka, which I did find a GitHub from Wes (SecurityOnion). Figured this would be an almost straightforward install (Never is).
Link to Github
Also found the old 16.04 documentation. Strelka was not a supported add-on to SecurityOnion (No Support), doesn't matter, stated earlier SecurityOnion 16.04 went EOL/EOS over a year ago now.
Next, I found an old ISO of Security Onion 16.04.6.2 (A few numbers off from the last official version). I am going to run setup for Stand-Alone(Basic setup Zeek/Suricata/Elastic). And then run a sudo soup before I start and try to make any changes to the system.
The previous VM I tried to run the Strelka install failed with Kibana issues, and then Docker issues so was unsure how this was going forward. Granted that was 16.04.2.
I ran the following from the terminal
wget https://raw.githubusercontent.com/weslambert/securityonion-strelka/master/install_strelka && sudo chmod +x install_strelka && sudo ./install_strelka
20 minutes later with a lot of RED, the install completed successfully per the output on the screen. The next step was to pump some data through it. With it being a new VM I didn't have it set up for traffic, so decided to just use sudo so-replay which pumped a lot of sample PCAP through the system.
Now the moment of truth, I opened up Kibana and looked for Strelka data (There is now a link in the left hand navigation window).
Clicked the link and it showed the next two images
So it seems to be sort of working, none of the other fields really filled in on this dashboard (could be the PCAP data was not good, or the actual install was not 100% installed). I guess I will have to go through the error logs and see if there is anything that makes sense.
No comments:
Post a Comment