Peeling back your Network Layers with Security Onion

Peeling Your Network Layers With

{ _id: “Mark Hillick”, “company”:
“Kybeire” }

Friday 23 November 12

> db.whoam.findOne()

{
"contact": {
"email": "mark@kybeire.com",
"web": "www.hackeire.net",
"twitter": "markofu"
},
"work" : { "10gen" : "MongoDB" },
"cert" : { "GIAC GSE" : true },
"state" : { "Nervous" : true, "Relaxed" : false },
"tags" : [ { "securityonion" : 1}, {"tcp" : 1} , {"ids" : 1},
{"packet analysis" : 1}, {"defensive fun" : 1}, {"nsm" : 1} ],
"try-to-help" : [ { "IrissCert" : "not very well"} , {"Security
Onion" : "not well enough"} ]
}

SO @ IrissCon

Last Presentation - need
humour!!!

Or at least an attempt at it :)


Four Things

This talk is NOT an IDS talk!

This talk will be fairly
technical :)

And fast :)

If you don’t like Lego or Star
Wars, you might want to leave

Creator

Doug Burks - the guy is
incredible, he does not sleep :)

Grew out of SANS Gold Paper

Wanted to help make Sguil &
NSM “easier” to deploy!


So, what is it?

Security Onion is a Linux distro for IDS (Intrusion Detection) & NSM
(Network Security Monitoring).

New version => all Ubuntu-type 12.04 distros [LTS], 32 & 64 bit

Old version => Xubuntu 10.04 [LTS], 32 bit only

Contains many security tools.

The easy-to-use Setup wizard allows you to build an army of distributed
sensors for your enterprise in minutes!

Open-Source : so it’s all there!!!!


Traditionally

DEFENCE-IN-DEPTH

Layers, layers & more layers:

Firewalls; IDS/IPS; WAF

Restrict inbound, allow all
outbound

Different FW tech

ACLs on Routers

But what is going on?


IDS Alert, what now?

alert ip $EXTERNAL_NET
$SHELLCODE_PORTS -> $HOME_NET any
(msg:"GPL SHELLCODE x86 inc ebx NOOP";
content:"CCCCCCCCCCCCCCCCCCCCCCCC";
fast_pattern:only; classtype:shellcode-detect; sid:
2101390; rev:7;)


NSM, Old-Style :(

WTF???????

Ah man, this sucks!

grep this, awk that, sed this,
pipe to cvs, scp & open excel :(

Then make pretty for
mgmt :)


State of IDS

Source: http://img2.moonbuggy.org/imgstore/doorstop.jpg


NSM

NSM != IDS

Clarity!!!

“the collection, analysis, and
escalation of indications and
warnings (I&W) to detect and
respond to intrusions”

Richard Bejtlich, TaoSecurity Blog
http://taosecurity.blogspot.com/2007/04/networksecurity-
monitoring-history.html


NSM, ONION-STYLE :)


CHILDS-PLAY


Architecture

Server, Sensors or Both

Ultimate Analyst Workstation


Deploy, Build & Use

Aggregate or Tap

Use Cases:

Production - traditional DCs
on VM

Cloud Infrastructure

Personally: HackEire & @
home ETC

Admin - aptitude & upstart :)

Haz Tools 1

IDS: Snort or Suricata - your choice :)


Haz Tools 2

Bro: powerful
network analysis
framework with
amazingly detailed
logs

OSSEC monitors local
logs, file integrity &
rootkits

Can receive logs from
OSSEC Agents and
standard Syslog


Haz Tools 3

Complete List: http://code.google.com/p/security-onion/wiki/Tools

Directory Structure

Data : /nsm

backup, bro, server data &sensor data

By sensor name “$hostname-$interface”

Config : /etc/nsm

ossec, pulledpork, securityonion

$hostname-$interface

pads, snort, suricata, barnyard etc

Logs: /var/log/nsm

NSM

sudo service nsm
restart

bro

ossec

sguil

sudo service nsm-
server restart

sudo service nsm-
sensor restart


Pivot To Wireshark


Attack : Client-Side



Innocence



Oops, now
Innocence
inside!


Sit Back, Relax & Enjoy

Upcoming Demo of Client-side attack

User clicks on link

Channel is created back to attacker


CS Attack: Sguil


CS Attack: Snorby


CS Attack: Bro 1

bash/bro scripting

framework & built-in scripts

/nsm/bro/logs/current

http.log

conn.log


CS Attack: Bro 2

DETAIL, DETAIL, DETAIL......


CS Attack: Elsa


CS Attack: Network
Miner


CS Attack: Network
Miner

$ ls -lart | grep 4444

-rw-rw-r-- 1 nsmadmin nsmadmin 1291079 Nov 4 21:22
10.20.0.111:4444_10.20.0.165:1804-6.raw


Ah, yeah, now.......


Ah, yeah, now.......

How many clicks does it take you to get from an alert to
the packet????

Can you pivot?

Could you take a Windows Administrator off the
street???


Don’t Forget


All Wrapped Up

Thanks to Doug & the team

No more

compiling

messing with installations

sorting out pre-requisites

Significantly reduced testing

Point & Click


Conclusion

Easy Peasy

Powerful - haz tools

Nice pictures, GUIs &
graphs for
management ;-)

Open-Source is possible
& SO viable

Commodity H/W

Support - mixture!


Want to join?

Security Onion needs:

Documentation & Artwork

Web Interface

Package Maintainers

Performance Benchmarks

Me -> “GetOpts -> sosetup &
Chef”

http://code.google.com/p/security-onion/wiki/TeamMembers


Further Reading!!!

Project Home: https://code.google.com/p/
security-onion/

Blog: http://securityonion.blogspot.com

GG: https://groups.google.com/forum/?
fromgroups#!forum/security-onion

Wiki: http://code.google.com/p/security-
onion/w/list

Mailing Lists: http://code.google.com/p/
security-onion/wiki/MailingLists

IRC: #securityonion on irc.freenode.net

The Future: https://code.google.com/p/
security-onion/wiki/Roadmap


Contact Me

mark@kybeire.com

@markofu

BTW, Star Wars Fan :)


Pics Links

Onion: https://secure.flickr.com/
photos/7157427@N03/3248129452/

Star Wars Lego: http://imgur.com/a/
0XvKw (Huge thanks to Mike
Stimpson ->
www.mikestimpson.com:) )

Book -> “Stormtroopers, we love
you”


Thank You!!!


Peeling back your Network Layers with Security Onion

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Peeling back your Network Layers with Security Onion

Ähnlich wie Peeling back your Network Layers with Security Onion (16)

Mehr von Mark Hillick

Mehr von Mark Hillick (8)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Peeling back your Network Layers with Security Onion