
Security Onion
Network Security Monitoring in Minutes

Doug Burks

Feel the pain


Does your traditional IDS give you all the data you need?

The Beauty of Network Security Monitoring

- Multiple data types (not just IDS alerts)

Sguil is the de facto reference implementation of NSM:

- Alert data (NIDS alerts from Snort/Suricata and HIDS alerts from OSSEC)
- Session data (SANCP)
- Transaction data (HTTP logs from httpry)
- Full content data (daemonlogger)

Lots of pieces in the jigsaw puzzle

http://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png

Setup wizard puts the jigsaw puzzle together for you!
Takes only 2 minutes!

Sguil client designed by analysts for analysts

Right-click Src/Dst IP and Query SANCP table (Session Data)

Right-click Src/Dst IP and query Event table to access HTTP logs (Transaction Data)

Right-click Alert ID to pivot to Full Content (transcript in Sguil or pcap in Wireshark)

Squert web interface

Mul;ple Sguil sensors

http://securityonion.blogspot.com/2011/04/security-onion-20110321-distributed.html

Look for Evil User Agents

cut -f2,10 /nsm/sensor_data/*/httpry/`date +%Y-%m-%d`.log | grep -v "^# " | awk '$2 != "-"' | sort | uniq -c | sort -nr

This takes today's httpry log from every sensor, keeps only the source IP and user-agent columns, drops the "# " comment/header lines, drops records that carry no user agent ("-"), and counts each (source IP, user agent) pair, most frequent first. The column numbers depend on the field list httpry was started with, so check them against the header lines at the top of your own httpry logs before trusting the output.

Look for malicious user agents like:
Bobs Evil Clown C&C Agent

or just outdated and vulnerable software like:
Firefox/2.0.0.20

http://pauldotcom.com/2011/10/in-search-of-evil-user-agents.html
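As an added example (not code from the slides or from Security Onion itself), the same pipeline wrapped in a function and run over a small constructed httpry log, followed by a second pass that flags entries matching a watch list of known-bad and end-of-life agents. The column layout of the constructed log (user agent in field 10, so that cut -f2,10 behaves as on the slide) and the watch-list regex are assumptions made for the example, not a description of how the sensor configures httpry.

```shell
#!/bin/sh
# Added example, not Security Onion's own code: the slide's "evil user agent"
# pipeline over a constructed httpry log, plus a watch-list grep on the result.
set -eu

# Constructed sample log. The column order below is an ASSUMPTION chosen so
# that `cut -f2,10` yields (source IP, user agent) as on the slide; it is not
# a statement of the field list the sensor actually passes to httpry.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT

# One tab-separated httpry record with 11 columns.
rec() { printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$@"; }

{
  echo '# httpry version 0.1.6'
  echo '# Fields: timestamp,source-ip,source-port,dest-ip,dest-port,direction,method,host,request-uri,user-agent,status-code'
  rec '2011-11-01 10:00:01' 192.168.1.10 51000 93.184.216.34 80 '>' GET example.com / 'Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1' -
  rec '2011-11-01 10:00:01' 93.184.216.34 80 192.168.1.10 51000 '<' - - - - 200
  rec '2011-11-01 10:00:05' 192.168.1.10 51002 93.184.216.34 80 '>' GET example.com /index.html 'Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1' -
  rec '2011-11-01 10:00:09' 192.168.1.22 40100 198.51.100.7 80 '>' POST beacon.example.net /gate.php 'Bobs Evil Clown C&C Agent' -
  rec '2011-11-01 10:00:09' 198.51.100.7 80 192.168.1.22 40100 '<' - - - - 200
  rec '2011-11-01 10:00:12' 192.168.1.31 40222 93.184.216.34 80 '>' GET example.com / 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20' -
} > "$SAMPLE_LOG"

# The slide's pipeline, parameterised by log file. Each output line is
# "<count> <source-ip><TAB><user-agent>", most frequent pair first.
# Response records carry "-" as the user agent and are dropped by the awk test.
ua_report() {
  cut -f2,10 "$1" | grep -v '^# ' | awk '$2 != "-"' | sort | uniq -c | sort -nr
}

# Number of distinct (source IP, user agent) pairs in the log.
ua_pair_count() {
  ua_report "$1" | wc -l | tr -d ' '
}

# Illustrative watch list (an assumption for the example): the C&C agent
# string from the slide and any Firefox 2.0.0.x build, which is long unpatched.
EVIL_UA_RE='Evil Clown|Firefox/2\.0\.0\.[0-9]+'

# Second pass: only the (source IP, user agent) pairs that match the watch list.
flag_evil_ua() {
  ua_report "$1" | grep -E "$EVIL_UA_RE"
}

echo "== user agents by source IP =="
ua_report "$SAMPLE_LOG"
echo "== watch-list matches =="
flag_evil_ua "$SAMPLE_LOG"
```

On the constructed log the first pass yields three pairs, with 192.168.1.10 and its Firefox 7 agent on top with a count of 2; the second pass keeps only the C&C agent from 192.168.1.22 and the Firefox 2.0.0.20 client on 192.168.1.31. The watch list is deliberately a plain extended regex so that it can be grown into a file of patterns fed to grep -E -f without changing the pipeline.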

Argus

Desktop utilities

Roadmap: Mid-November 2011

- Update Barnyard2

Roadmap: Early December 2011

- Suricata 1.1 with AF_PACKET

Roadmap: EOY 2011

- Snorby and OpenFPC

Roadmap: January 2012

- Full integration of Bro IDS

Roadmap: Late 2012 and beyond

- Higher performance
- 64-bit
- Lubuntu 12.04
- Echidna (next gen Sguil replacement)

One-man bands make crappy music

Interested in joining an open source project?
Security Onion needs:

- Documentation
- Artwork
- Web interface
- Performance benchmarks

Where do we go now?
http://securityonion.blogspot.com is your one-stop shop for all things Security Onion! Updates are announced here and it also has the following links.

Download/Install:
http://code.google.com/p/security-onion/wiki/Installation

FAQ:
http://code.google.com/p/security-onion/wiki/FAQ

Mailing List:
http://groups.google.com/group/security-onion
