This document summarizes a presentation about the Security Onion network security monitoring distribution. Security Onion allows users to easily deploy intrusion detection and network monitoring tools. It combines tools like Snort, Suricata, Bro and OSSEC into a cohesive Linux-based distribution for collecting, analyzing, and escalating network threats. The presentation highlights how Security Onion provides an easy to use and powerful open source solution for network security monitoring.
3. SO @ IrissCon
Last presentation - need humour!!!
Or at least an attempt at it :)
Friday 23 November 12
4. Four Things
This talk is NOT an IDS talk!
This talk will be fairly technical :)
And fast :)
If you don’t like Lego or Star Wars, you might want to leave
5. Creator
Doug Burks - the guy is incredible, he does not sleep :)
Grew out of a SANS Gold Paper
Wanted to help make Sguil & NSM “easier” to deploy!
6. So, what is it?
Security Onion is a Linux distro for IDS (Intrusion Detection) & NSM (Network Security Monitoring).
New version => all Ubuntu-type 12.04 distros [LTS], 32 & 64 bit
Old version => Xubuntu 10.04 [LTS], 32 bit only
Contains many security tools.
The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Open-Source : so it’s all there!!!!
7. Traditionally
DEFENCE-IN-DEPTH
Layers, layers & more layers:
Firewalls; IDS/IPS; WAF
Restrict inbound, allow all outbound
Different FW tech
ACLs on Routers
But what is going on?
8. IDS Alert, what now?
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
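The rule above is only a byte pattern: 24 consecutive 0x43 bytes, which is `inc ebx` on x86 and therefore a common NOP-sled filler. To make concrete what such an alert does and does not tell you, here is an added example, written for this page and not code from the talk or the Security Onion project. It parses the rule's header and options, decodes the content string the way Snort does (literal text with `|hex|` segments), and runs the content check over a few constructed payloads. The payloads are made up for illustration; the header variables ($HOME_NET, $SHELLCODE_PORTS) are left unresolved because they come from snort.conf, and modifiers such as depth/offset and negated content are deliberately not handled.

```python
import re

# The rule from the slide, copied verbatim (Emerging Threats GPL set, sid 2101390 rev 7).
RULE = (
    'alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
    '(msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; '
    'fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)'
)

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$'
)
# One rule option: name, optional ":value" (value may be a quoted string), ended by ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(value):
    """Convert a Snort content string to bytes.

    Content is literal text except between pairs of '|' characters, where it
    is whitespace-separated hex: "|43 43|AB" -> b'CCAB'. Negated content and
    escaped quotes are not handled here (simplification for this example).
    """
    out = bytearray()
    for i, chunk in enumerate(value.split('|')):
        if i % 2 == 0:
            out += chunk.encode('latin-1')                  # literal segment
        else:
            out += bytes.fromhex(chunk.replace(' ', ''))    # hex segment
    return bytes(out)


def parse_rule(rule):
    """Split a Snort/Suricata rule into header fields and options.

    Returns a dict with the header fields, every non-content option as a
    string (surrounding quotes stripped), and 'contents' as a list of
    decoded byte strings in rule order.
    """
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a Snort/Suricata rule')
    parsed = {k: v for k, v in m.groupdict().items() if k != 'body'}
    parsed['contents'] = []
    for name, value in OPTION_RE.findall(m.group('body')):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name == 'content':
            parsed['contents'].append(decode_content(value))
        else:
            parsed[name] = value
    return parsed


def payload_matches(parsed, payload):
    """Content-only check: every content string must occur somewhere in the payload.

    Ignores the header ($HOME_NET etc. are resolved from snort.conf) and
    modifiers such as depth/offset/within. This is all the alert by itself
    tells you: the bytes were seen, nothing about what they were doing there.
    """
    return all(c in payload for c in parsed['contents'])


RULE_2101390 = parse_rule(RULE)

# Constructed payloads for the demonstration, not captured traffic.
SAMPLES = {
    # what the rule is after: a sled of inc ebx (0x43) ahead of more code
    'x86 sled':      b'\x43' * 64 + b'\xcc',
    # ordinary text that happens to carry 24 'C's: same alert, no intrusion
    'benign text':   b'POST /form HTTP/1.1\r\n\r\nnote=CCCCCCCCCCCCCCCCCCCCCCCCCCCC',
    # an ordinary request that should stay quiet
    'plain request': b'GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n',
}


def evaluate(parsed, samples):
    """Run the content check over a dict of name -> payload; returns name -> bool."""
    return {name: payload_matches(parsed, data) for name, data in samples.items()}


if __name__ == '__main__':
    r = RULE_2101390
    print(f"[{r['sid']}:{r['rev']}] {r['msg']} ({r['classtype']})")
    print('content =', r['contents'][0], '(0x43 = inc ebx)')
    for name, hit in evaluate(r, SAMPLES).items():
        print(f'{name:14s} {"ALERT" if hit else "-"}')
```

Both the sled and the harmless form post fire the same sid 2101390 alert, which is the point of the slide: the alert tells you a pattern was seen, and only the packet (and the session around it) tells you whether it mattered.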
9. NSM, Old-Style :(
WTF???????
Ah man, this sucks!
grep this, awk that, sed this, pipe to CSV, scp & open Excel :(
Then make it pretty for mgmt :)
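The "grep this, awk that" workflow the slide complains about usually starts from Snort's alert_fast output, one alert per line, with the packet itself somewhere else. As an added example, not from the talk or the Security Onion project, the Python below does that by-hand job in one place: it parses fast-alert lines into fields, writes the CSV you would otherwise build with awk and sed for Excel, and counts alerts per signature and per source so you can see what is noisy before you open anything. The log lines are constructed for the example (the shellcode signature is the sid 2101390 rule from the earlier slide, the ICMP line is made up), the parser handles IPv4 with or without ports, and IPv6 is not handled.

```python
import csv
import io
import re
from collections import Counter

# Snort alert_fast line layout (IPv4; ports are absent for ICMP):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$'
)

FIELDS = ['timestamp', 'gid', 'sid', 'rev', 'msg', 'classification',
          'priority', 'proto', 'src', 'sport', 'dst', 'dport']

# Constructed sample log (RFC 5737 test addresses). The shellcode signature is
# the sid 2101390 rule shown on the earlier slide; the ICMP line is made up.
FAST_LOG = """\
11/23-09:41:17.482913  [**] [1:2101390:7] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 203.0.113.45:51532 -> 192.0.2.10:80
11/23-09:41:18.003321  [**] [1:2101390:7] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 203.0.113.45:51533 -> 192.0.2.10:80
11/23-09:42:05.117700  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
11/23-09:45:41.900002  [**] [1:2101390:7] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 198.51.100.77:40111 -> 192.0.2.22:8080
this line is not an alert and should be skipped
"""


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None for anything else."""
    m = ALERT_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    g = m.groupdict()
    return {
        'timestamp': g['ts'], 'gid': g['gid'], 'sid': g['sid'], 'rev': g['rev'],
        'msg': g['msg'], 'classification': g['cls'] or '', 'priority': g['prio'],
        'proto': g['proto'], 'src': g['src'], 'sport': g['sport'] or '',
        'dst': g['dst'], 'dport': g['dport'] or '',
    }


def parse_fast_log(text):
    """Parse a whole log; returns (records, count of non-blank lines that did not parse)."""
    records, skipped = [], 0
    for line in text.splitlines():
        rec = parse_fast_alert(line)
        if rec is not None:
            records.append(rec)
        elif line.strip():
            skipped += 1
    return records, skipped


def to_csv(records):
    """Render records as CSV text with a header row (the 'open in Excel' step)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator='\n')
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def summarize(records):
    """Alert counts per (sid, msg) and per source address."""
    by_signature = Counter((r['sid'], r['msg']) for r in records)
    by_source = Counter(r['src'] for r in records)
    return by_signature, by_source


if __name__ == '__main__':
    recs, skipped = parse_fast_log(FAST_LOG)
    print(to_csv(recs))
    by_sig, by_src = summarize(recs)
    for (sid, msg), n in by_sig.most_common():
        print(f'{n:4d}  [{sid}] {msg}')
    for src, n in by_src.most_common():
        print(f'{n:4d}  {src}')
    print(f'{skipped} line(s) skipped')
```

Even with the counting done, you still have the next problem the talk gets to: the CSV holds the alert, not the packet, so every "what actually happened?" question means another trip to the sensor.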
10. State of IDS
Source: http://img2.moonbuggy.org/imgstore/doorstop.jpg
12. NSM
NSM != IDS
Clarity!!!
“the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions”
Richard Bejtlich, TaoSecurity Blog
http://taosecurity.blogspot.com/2007/04/networksecurity-monitoring-history.html
24. Architecture
Server, Sensors or Both
Ultimate Analyst Workstation
25. Deploy, Build & Use
Aggregate or Tap
Use Cases:
Production - traditional DCs on VM
Cloud Infrastructure
Personally: HackEire & @ home ETC
Admin - aptitude & upstart :)
26. Haz Tools 1
IDS: Snort or Suricata - your choice :)
27. Haz Tools 2
Bro: powerful network analysis framework with amazingly detailed logs
OSSEC monitors local logs, file integrity & rootkits
Can receive logs from OSSEC Agents and standard Syslog
29. Directory Structure
Data : /nsm
  backup, bro, server data & sensor data
  By sensor name “$hostname-$interface”
Config : /etc/nsm
  ossec, pulledpork, securityonion
  $hostname-$interface
    pads, snort, suricata, barnyard etc
Logs : /var/log/nsm
30. NSM
sudo service nsm restart
  bro
  ossec
  sguil
sudo service nsm-server restart
sudo service nsm-sensor restart
62. Ah, yeah, now.......
How many clicks does it take you to get from an alert to the packet????
Can you pivot?
Could you take a Windows Administrator off the street???
64. All Wrapped Up
Thanks to Doug & the team
No more:
  compiling
  messing with installations
  sorting out pre-requisites
Significantly reduced testing
Point & Click
65. Conclusion
Easy Peasy
Powerful - haz tools
Nice pictures, GUIs & graphs for management ;-)
Open-Source is possible & SO viable
Commodity H/W
Support - mixture!
66. Want to join?
Security Onion needs:
Documentation & Artwork
Web Interface
Package Maintainers
Performance Benchmarks
Me -> “GetOpts -> sosetup & Chef”
http://code.google.com/p/security-onion/wiki/TeamMembers
67. Further Reading!!!
Project Home: https://code.google.com/p/security-onion/
Blog: http://securityonion.blogspot.com
GG: https://groups.google.com/forum/?fromgroups#!forum/security-onion
Wiki: http://code.google.com/p/security-onion/w/list
Mailing Lists: http://code.google.com/p/security-onion/wiki/MailingLists
IRC: #securityonion on irc.freenode.net
The Future: https://code.google.com/p/security-onion/wiki/Roadmap
68. Contact Me
mark@kybeire.com
@markofu
BTW, Star Wars Fan :)
69. Pics Links
Onion: https://secure.flickr.com/photos/7157427@N03/3248129452/
Star Wars Lego: http://imgur.com/a/0XvKw (Huge thanks to Mike Stimpson -> www.mikestimpson.com :) )
Book -> “Stormtroopers, we love you”