Building a Virtual Cyber Security Lab Part 3 – The Security Onion

In this part of the video series we will continue creating our virtualized lab training environment by installing the Security Onion network security monitoring VM. Securtiy Onion will provide the ability to monitor the lab for security threats and attacks; i.e. the “Detect” aspect. The detect function is critical for an analyst to know, and serves as the foundation to build upon.

At a minimum make sure your lab VM host system has the following specs:

  • Multicore processor with virtualization capability
  • 8 GB of RAM (more is better!)
  • Hard drive with lots of space (SSD’s are better!)

My system has 6 cores, 32 GB RAM and a 2TB SSD for the VM’s and works great. We will use VMWare’s Player as the virtualization software. Make sure you enable virtualization in the bios of the system. VMWare Workstation Player can be downloaded from VMWare’s site for free, all you need to do is register. Once installed create a folder called SecOps-VM, in this folder create three more folders called sift, kali and sec-onion. Download Security Onion at:

You will be using this VM for network security monitoring as an alternative to commercially available tools. Do not think for a minute that these tools are a lesser product, in most cases they are equal or superior to their commercial counterparts. Together these three VM’s will provide you the tools to attack, detect and respond in your lab environment.

Create a new VM in VMWare Player and put it the folder you creates for Security Onion. Edit the virtual machines settings giving it 2 processors, 8 GB of ram and 2 network interfaces. The second network interface is the sniffing interface that will monitor the lab. Boot the VM and click on the “install Security Onion” link. Select the appropriate options during the install, one setting for sure to pay attention to is the time zone, it is best to use GMT for everything so you will have a normalized time across all possible locations. This may seem like it is not necessary in a lab, but you should get used to it now since most large organizations will be at GMT.

Once it gets done installing hit “reboot now” and let it reboot. When it reboots it would be a good time to install the VMWare tools so you can get good screen resolution before you continue with the install. Once VMWare Tools are installed reboot the system again.

Continue the install and select the first interface when asked and make sure it is set for DHCP. Select the second interface as the sniffing interface and follw the prompts to reboot again. When it starts back up hit setup to continue but this time do not setup the network. Select the second interface as the monitoring interface and then enter the user names when prompted.

Now your pretty much done, however there is still one big problem; the virtual network does not allow promiscuous mode on the interfaces. To fix this we need to change the settings in the Security Onion vmx file. Open the .vmx file in notepad++ and lets add the following to the file:

ethernet1.noPromisc = "FALSE"

This allows the sniffing interface to do its job and sniff. Start by opening Squil and check out the network.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.