Security Onion - Introduction
1. n|u / OWASP / G4H / SecurityXploded meet
Nishanth Kumar
n|u bangalore chapter member
18 Jan 2014
2. What is Security Onion?
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management.
3. Onion Layers
• Ubuntu-based OS
• Snort, Suricata
• Snorby
• Bro
• Sguil
• Squert
• ELSA
• NetworkMiner
• PADS (Passive Asset Detection System)
• ……… and many other tools.
4. Now let's peel the onion layers and see what exactly each layer has ….
5. Snort / Suricata
Snort is an open source network intrusion detection and prevention system (IDS/IPS).
Suricata is a high-performance network IDS, IPS and network security monitoring engine.
6. Why use these IDS engines?
Beyond signature matching, the engines (Suricata in particular) offer:
Highly scalable
Protocol identification
File identification
MD5 checksums
File extraction
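As an added example (not from the slides), a Suricata rule that exercises the file-identification and file-extraction features listed above. It stores every PE executable served to the internal network over HTTP, regardless of URL or file extension; the sid is a placeholder in the local-rules range and `$HOME_NET`/`$EXTERNAL_NET` are the usual suricata.yaml address groups:

```text
# Added example rule; sid 1000001 is a placeholder in the local-rules range.
# filemagic matches libmagic output of the transferred file, so the check does not
# depend on the URL, the Content-Type header or the file extension.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PE executable downloaded over HTTP"; flow:established,to_client; filemagic:"PE32 executable"; filestore; classtype:policy-violation; sid:1000001; rev:1;)
```

For `filestore` to actually write anything, the `file-store` output must be enabled in suricata.yaml (with `force-magic` and `force-md5` set if you want the magic type and MD5 recorded for every stored file). Validate the rule set before reloading with `suricata -T -c /path/to/suricata.yaml`.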
7. Snorby
Ruby on Rails application for network security monitoring (web front end)
Metrics & reports
Classifications
Full packet capture
Custom settings
Hotkeys
8. Bro
Bro is a powerful network analysis framework that is quite different from the typical IDS you may know:
high-level semantic analysis at the application layer;
site-specific monitoring policies;
comprehensively logs what it sees and provides a high-level archive of a network's activity.
9. Features of Bro
Bro logs, among much more:
All HTTP sessions with their requested URIs, key headers, MIME types, and server responses
DNS requests with replies
SSL certificates
Key content of SMTP sessions
…………. and much more.
10. Sguil
Sguil is an analyst console for network security monitoring.
It is a powerful and capable solution for event analysis, correlation and review.
Its GUI provides access to:
real-time events
session data
raw packet captures
11. Squert
A web interface to query and view Sguil event data, designed to supplement Sguil by providing additional context around the events.
Squert is a visual tool that adds context to events through:
metadata,
time-series representations,
weighted and logically grouped result sets.
13. Enterprise Log Search and Archive (ELSA)
Centralized syslog framework built on
Syslog-NG
MySQL
Sphinx full-text search.
Allows searching and visualization of all the log data Security Onion consumes, including
OSSEC
Snort / Suricata
Bro IDS
Distributed log archive system
14. Features of ELSA
• High-volume receiving/indexing
• Full Active Directory/LDAP integration for authentication, authorization, email settings
• Dashboards using Google Visualizations
• Email alerting, scheduled reports
• Plugin architecture for web interface
• Distributed architecture for clusters
15. NetworkMiner
Network Forensic Analysis Tool (NFAT)
A passive network sniffer / packet-capture tool that extracts, from live traffic or pcap files:
operating systems
sessions
hostnames
open ports, etc.
16. Security Onion supports ……….
Alert data - HIDS alerts from OSSEC and NIDS alerts from Snort/Suricata
Asset data from PADS and Bro
Full content data from netsniff-ng
Host data via OSSEC and syslog-ng
Session data from Argus, PADS, and Bro
Transaction data - http/ftp/dns/ssl/other logs from Bro
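The point of collecting these separate data types is that an analyst can pivot between them: from a NIDS alert (time plus 5-tuple) to the matching Bro session record, and from its connection uid to every HTTP transaction Bro logged on that connection (the http.log fields listed on the Bro slide). The following Python is an added example written for this page, not Security Onion, Sguil or Bro code. The conn.log and http.log contents and the alert are constructed for the example; they follow Bro's tab-separated log format (#fields header, `-` for unset fields) but carry only a subset of the real columns:

```python
"""Pivot from a NIDS alert to Bro session (conn.log) and transaction (http.log) data.

Added example, not Security Onion/Sguil/Bro code. All log lines and the alert
below are constructed for the example and use a subset of Bro's real columns.
"""

# Constructed Bro conn.log: one record per connection (session data).
CONN_LOG = """\
#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1389960000.100000\tCq3xK41Zt8jFuXl6Zb\t10.0.0.5\t51234\t203.0.113.7\t80\ttcp\thttp\t0.532\t410\t23840
1389960001.200000\tCpF2Kr1WqHb3Yd9Jp\t10.0.0.5\t51235\t203.0.113.7\t80\ttcp\thttp\t0.120\t380\t1200
1389960002.000000\tCnM5pT3xVe2gLq7Ra\t10.0.0.8\t44120\t198.51.100.2\t53\tudp\tdns\t0.010\t60\t120
#close\t2014-01-17-12-00-10
"""

# Constructed Bro http.log: one record per HTTP request (transaction data).
# Requests on the same keep-alive connection share the conn.log uid.
HTTP_LOG = """\
#separator \\x09
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code\tresp_mime_types
1389960000.150000\tCq3xK41Zt8jFuXl6Zb\t10.0.0.5\t51234\t203.0.113.7\t80\tGET\tupdate.example.net\t/files/setup.exe\t200\tapplication/x-dosexec
1389960000.400000\tCq3xK41Zt8jFuXl6Zb\t10.0.0.5\t51234\t203.0.113.7\t80\tGET\tupdate.example.net\t/favicon.ico\t404\t-
1389960001.250000\tCpF2Kr1WqHb3Yd9Jp\t10.0.0.5\t51235\t203.0.113.7\t80\tPOST\tupdate.example.net\t/report\t200\ttext/plain
#close\t2014-01-17-12-00-10
"""

# Constructed NIDS alert, reduced to what the Sguil console shows: time and 5-tuple.
ALERT = {
    "ts": 1389960000.3, "msg": "Executable transferred over HTTP",
    "proto": "tcp", "src": "10.0.0.5", "sport": 51234,
    "dst": "203.0.113.7", "dport": 80,
}


def parse_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by the names in its #fields line.

    Other '#' header lines (separator, path, types, open, close) are skipped;
    '-' becomes None and '(empty)' becomes ''.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({
            name: None if val == "-" else "" if val == "(empty)" else val
            for name, val in zip(fields, values)
        })
    return records


def find_session(conns, alert, slack=5.0):
    """Return the conn.log record with the alert's 5-tuple whose lifetime
    (ts .. ts+duration, widened by `slack` seconds) covers the alert time.
    Bro logs ports as strings, so the comparison is done on strings."""
    key = (alert["proto"], alert["src"], str(alert["sport"]),
           alert["dst"], str(alert["dport"]))
    for c in conns:
        if (c["proto"], c["id.orig_h"], c["id.orig_p"],
                c["id.resp_h"], c["id.resp_p"]) != key:
            continue
        start = float(c["ts"])
        end = start + float(c["duration"] or 0.0)
        if start - slack <= alert["ts"] <= end + slack:
            return c
    return None


def pivot(alert, conn_text=CONN_LOG, http_text=HTTP_LOG):
    """Alert -> session (conn.log) -> transactions (http.log), joined on uid."""
    conn = find_session(parse_bro_log(conn_text), alert)
    if conn is None:
        return None
    requests = [
        (h["method"], h["host"], h["uri"], h["status_code"], h["resp_mime_types"])
        for h in parse_bro_log(http_text) if h["uid"] == conn["uid"]
    ]
    return {"uid": conn["uid"], "service": conn["service"],
            "resp_bytes": int(conn["resp_bytes"]), "requests": requests}
```

Calling `pivot(ALERT)` resolves the alert to connection `Cq3xK41Zt8jFuXl6Zb` and lists both requests made on it, which is exactly the context an analyst needs before deciding whether the alerted `setup.exe` download (23840 bytes returned, MIME type `application/x-dosexec`) warrants pulling the full content data from the netsniff-ng pcap. The same parser works for any Bro log that carries a `#fields` header (dns.log, ssl.log, and so on); the time slack guards against clock skew between the NIDS and Bro, which otherwise makes an exact timestamp join miss.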