Cisco Subnet An independent Cisco community View more

Peeling the Security Onion

Security Onion saved me so much time it made my eyes water

Setting up a properly installed and well-tuned IDS/IPS system can be time consuming. If you have ever tried to set up a fully-functional Snort system, you are familiar with the time it requires. If you want to get an IPv6-capable IDS system up and going quickly then you should look at Security Onion. Once you get it working there are also some low-cost alternatives to capture the packets and observe them.

IPv6 Security with Snort

Many organizations are starting to deploy IPv6 in their Internet edge environments. As they do so they want to have equal protections for their IPv6 traffic as they have for their IPv4 traffic. However, their current IPv4 security systems may not give them all the IPv6 features they wish.

In doing so, you may want to test various IPv6 security systems in your lab and get a solid Snort system up and running detecting some common IPv6 attack packets. However, as you start to get a Snort system working with IPv6, you will realized that the task is going to take some time. The Snort on Fedora 14 document written by Nick Moore Is an excellent document and is very detailed and a great resource.

However, with only a few precious days of summer remaining, you may prefer to be enjoying the outdoors rather than spending copious amounts of time in a lab. Therefore, you may be looking for a quick and easy way to set up a system that could perform security monitoring of IPv6 connections.

In Walks Security Onion

I heard about this thing called "Security Onion" recently when a friend of mine attended the Black Hat USA 2011 TCP/IP Weapons School 3.0 taught by Richard Bejtlich of Tao Security. He raved about the class and mentioned Security Onion to me. I have heard Richard Bejtlich speak on security topics at conferences and I have enjoyed his extremely valuable blog so I knew that was a solid recommendation to check out this utility. You should try to buy copies of his books if you want some very practical defensive security systems information.

Security Onion is a Xubuntu-based live CD that has many intrusion detection tools pre-installed and ready to go. Security Onion comes with a working Snort, Suricata, Sguil and Squert configuration. It comes with many other useful tools all packages in a nice neat package. Thanks to Doug Burks for helping all of us save time getting a ready-made IDS up and going quickly.

Security Onion

It is easy to find the main Security Onion web site and find useful information about how to use it. The blog is very useful. You should read through all the historical articles and read through the presentation that is available. The FAQ also provides useful tidbits of information to get you started and help you customize your installation.

Once you get the system up and going and configured the interfaces, you can configure your custom Snort rules for IPv6. There is a limited amount of information available on the parameters for configuring IPv6 rules so here are some samples. To test your configuration you may want to set up some simple rules to capture IPv6 pings.

alert ip icmp any -> any any (msg:"IPv6PING-request"; itype:128; classtype:icmp-event; sid:2000001; rev:1;) alert ip icmp any -> any any (msg:" IPv6PING-reply"; itype:129; classtype:icmp-event; sid:2000002; rev:1;)

Here is a sample rule that matches on IPv6 packets that contain a routing header.

alert ip any any -> any any (msg:"IPv6 routing header"; ip_proto:43; classtype: policy-violation; sid:20000005; rev:1;)

Based on what you want to capture you can customize these to suit your needs.

Low-Cost Taps and Alternatives

Monitoring IP network connections for malicious activity is sometimes easier said than done. You may be limited on the number of SPAN/port mirroring sessions available. You may want to obtain a packet monitoring switch to help you gain visibility to multiple monitoring points in your environment. Your organization may be lucky enough to afford an Anue Systems or Gigamon Systems packet monitoring switch.

However, if you are on a budget then you may need some other low-cost alternatives to getting the packets to your Security Onion IDS/IPS. You may be able to acquire an older 10/100BaseT tap that works just fine in your lab because you are doing simple testing and don't require GigabitEthernet speeds.

A friend of mine recently told me about a video presentation by Tony Fortunato (Senior Network Performance Specialist at The Technology Firm) on how to use a NETGEAR GS108e as a network tap. This switch has a graphical user interface that allows you to configure port mirroring. The only issue that I see with this problem is that I don't have any Windows XP lab computers that I can run the ProSafe utility on.

Security Onion mentioned on their web site about this company DualComm that has some low-cost tap/SPAN switches. You may want to try to get your hands on one of these switches too because they are USB powered and look pretty portable.


I recommend that you download Security Onion and set yourself up a simple test environment. This is a great tool to use if you are pressed for time. Once you get your Security Onion system working then you can start to use it to gain more understanding about IPv4 and IPv6 protocol security and help defend your organization from security threats.


Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10