Security Onion - Introduction

null Bangalore January meet

Nishanth Kumar

18 Jan 2014

n|u / OWASP / G4H / SecurityXploded meet

n|u Bangalore chapter member

What is Security Onion?

Security Onion is a Linux distro for:

• Intrusion detection,
• Network security monitoring, and
• Log management


Onion Layers

• Ubuntu-based OS
• Snort, Suricata
• Snorby
• Bro
• Sguil
• Squert
• ELSA
• NetworkMiner
• PADS (Passive Attack Detection System)
• … and many other tools.


Now let's peel the onion layers and see what exactly each layer has…


Snort / Suricata

• Snort is an open source network intrusion detection and prevention system (IDS/IPS).
• Suricata is a high-performance network IDS, IPS and network security monitoring engine.


Why use only those IDS engines?

• Highly scalable
• Protocol identification
• File identification, MD5 checksums
• File extraction


Snorby

Ruby on Rails application for network security monitoring (web frontend)

• Metrics & reports
• Classifications
• Full packet
• Custom settings
• Hotkeys


Bro

Bro is a powerful network analysis framework that is much different from the typical IDS you may know.

• High-level semantic analysis at the application layer.
• Site-specific monitoring policies.
• Comprehensively logs what it sees and provides a high-level archive of a network's activity.


Features of Bro

• All HTTP sessions with their requested URIs, key headers, MIME types, and server responses
• DNS requests with replies
• SSL certificates
• Key content of SMTP sessions
• … and much more.
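As an added example (not code from the talk or from the Security Onion project), a small Python parser for Bro's tab-separated log format, run over a constructed http.log excerpt to pull out what the slide lists: per-client requests, URIs and the MIME types of server responses. The column set, hosts and values in the sample are assumptions made for the example.

```python
from collections import Counter

# Constructed sample Bro http.log (columns trimmed; real logs use the same header/TSV layout).
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tstatus_code\tresp_mime_types
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tcount\tvector[string]
1390032000.123456\tCx1\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/index.html\t200\ttext/html
1390032001.654321\tCx2\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/update.exe\t200\tapplication/x-dosexec
1390032002.000000\tCx3\t10.0.0.7\t198.51.100.9\tPOST\tcdn.example.net\t/api\t-\t-
"""
# MIME labels for native executables as libmagic-style file identification reports them.
EXECUTABLE_MIME = {"application/x-dosexec", "application/x-executable"}

def parse_bro_log(text):
    """Yield one dict per record keyed by the #fields names; honours #separator,
    #unset_field ('-' -> None) and #empty_field ('(empty)' -> '')."""
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Bro writes the separator as an escape sequence, e.g. \x09 for tab
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            elif line.startswith("#unset_field"):
                unset = line.split(sep, 1)[1]
            elif line.startswith("#empty_field"):
                empty = line.split(sep, 1)[1]
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue  # #set_separator, #types, #path, #open, #close are not needed here
        if fields is None:
            raise ValueError("data line appears before the #fields header")
        yield {name: None if v == unset else "" if v == empty else v
               for name, v in zip(fields, line.split(sep))}

def summarize_http(text):
    """Requests per client host, plus every response carrying a native executable:
    the talk's 'MIME types' / 'File Identification' bullets in practice."""
    by_client, exe_downloads = Counter(), []
    for rec in parse_bro_log(text):
        by_client[rec["id.orig_h"]] += 1
        mimes = (rec.get("resp_mime_types") or "").split(",")
        if any(m in EXECUTABLE_MIME for m in mimes):
            exe_downloads.append((rec["id.orig_h"], rec["host"] + rec["uri"]))
    return by_client, exe_downloads
```

The same parser reads any Bro log (dns.log, ssl.log, smtp.log) because every one of them carries the same `#fields` header; only the summary step is specific to HTTP.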


Sguil

It is an analyst console for security monitoring. It's a powerful and capable solution for event analysis, correlation and review.

Even more:

• Real-time events
• Session data
• Raw packet captures


Squert

A web interface to query and view Sguil event data, designed to supplement Sguil by providing additional context around the events.

Squert is a visual tool that adds context to events through:

• Metadata
• Time series representations
• Weighted and logically grouped result sets


Enterprise Log Search and Archive (ELSA)

Centralized syslog framework built on:

• Syslog-NG
• MySQL
• Sphinx full-text search

Allows for event searching and visualization of all the log data Security Onion consumes, including:

• OSSEC
• Snort / Suricata
• Bro IDS
• Distributed log archive system

Features of ELSA

• High-volume receiving/indexing
• Full Active Directory/LDAP integration for authentication, authorization, email settings
• Dashboards using Google Visualizations
• Email alerting, scheduled reports
• Plugin architecture for web interface
• Distributed architecture for clusters


NetworkMiner

Network forensic analysis tool: a passive network sniffer/packet capturing tool that identifies

• Operating systems
• Sessions
• Hostnames
• Open ports, etc.


Security Onion supports…

• Alert data: HIDS alerts from OSSEC and NIDS alerts from Snort/Suricata
• Asset data from PADS and Bro
• Full content data from netsniff-ng
• Host data via OSSEC and syslog-ng
• Session data from Argus, PADS, and Bro
• Transaction data: http/ftp/dns/ssl/other logs from Bro


References

• http://blog.securityonion.net/
• http://www.bro.org
• http://www.snort.org/
• http://www.google.com


It's time for the DEMO
