Signature and Session Analysis (20190529)


Page 1: Signature & Session Analysis

Issue Date:
Revision:

Page 2: Signature analysis

• Distinctive marks of known bad traffic (pattern matching)
  – virus detection,
  – malicious website or
  – malware files

• Distinctive marks include:
  – IP addresses
  – Hostnames
  – Offsets – for example, memory related exploit
  – Debug information
  – “Ego” strings (strings left in the code)
  – Header information

Page 3: Signature analysis

• An example could be detecting an nmap scan of a network by flags in a packet header:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XMAS Scan Detected"; flow:stateless; flags:FPU; sid:1000002; rev:1;)
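To show what the `flags:FPU` option in that rule actually tests, here is an added example (not from the slides, and not Snort's own code) that evaluates the Snort/Suricata `flags` keyword against a constructed raw TCP header; the header builder and sample ports are assumptions for the demonstration.

```python
"""Added example (not from the slides): evaluate the Snort/Suricata ``flags``
keyword against a raw TCP header, as the XMAS rule above does.
Letters follow the rule syntax: F=FIN S=SYN R=RST P=PSH A=ACK U=URG 1=CWR 2=ECE.
Modifiers: none = exactly these flags; '+' = at least these; '*' = any of
these; '!' = none of these. An optional ",<letters>" suffix names bits to ignore."""
import struct

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
XMAS_RULE_FLAGS = "FPU"  # the flags option from the rule on this slide


def letters_to_mask(letters: str) -> int:
    """Combine flag letters into an 8-bit TCP flags mask."""
    mask = 0
    for ch in letters:
        mask |= FLAG_BITS[ch]  # KeyError for a letter Snort does not define
    return mask


def flags_match(option: str, tcp_flags: int) -> bool:
    """True when the TCP flags byte satisfies a Snort ``flags:<option>``."""
    spec, _, ignore = option.partition(",")
    modifier = spec[0] if spec[0] in "+*!" else ""
    want = letters_to_mask(spec[len(modifier):])
    have = tcp_flags & ~letters_to_mask(ignore) & 0xFF
    if modifier == "+":
        return have & want == want
    if modifier == "*":
        return have & want != 0
    if modifier == "!":
        return have & want == 0
    return have == want


def tcp_flags_from_header(tcp_header: bytes) -> int:
    """Read the flags byte of a raw TCP header (byte offset 13)."""
    return struct.unpack_from("!B", tcp_header, 13)[0]


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (no options) carrying the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)


if __name__ == "__main__":
    xmas = build_tcp_header(letters_to_mask("FPU"))
    syn = build_tcp_header(letters_to_mask("S"))
    print(flags_match(XMAS_RULE_FLAGS, tcp_flags_from_header(xmas)))  # True
    print(flags_match(XMAS_RULE_FLAGS, tcp_flags_from_header(syn)))  # False
```

Note that a plain `FPU` is an exact match: a packet with FIN, PSH, URG and ACK set does not fire this rule, whereas `flags:+FPU` would.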

Page 4: Session analysis

• Utilises the session metadata to determine what is happening during a session
  – which IPs (devices) are causing the traffic
  – the type of traffic or
  – what data is being transferred

• Analyses the behaviour of session(s) and looks for behaviour that is not normal.

Page 5: Session analysis

• Ex:
  – Once a network has been compromised, DNS may be used to exfiltrate data (obfuscation)

• To stay there as long as possible without detection (triggering any alarms)
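The DNS exfiltration case above is a good illustration of session analysis rather than signature matching, so here is an added example (not from the slides) that runs a behavioural heuristic over constructed Zeek-style dns.log rows: the client/domain names, the record layout and the thresholds are all assumptions made for the demonstration.

```python
"""Added example (not from the slides): a session-analysis heuristic for the
DNS exfiltration case above, run over constructed Zeek-style dns.log records.
Rather than a signature, it groups queries by (client, parent domain) and
flags groups whose leftmost labels look like encoded payload: many distinct,
long, high-entropy labels. Thresholds are illustrative assumptions."""
import math
from collections import defaultdict

# Constructed sample rows: ts, id.orig_h, id.resp_h, query (tab-separated).
SAMPLE_DNS_LOG = """\
1559116800.1\t10.0.0.15\t10.0.0.1\twww.example.com
1559116801.2\t10.0.0.15\t10.0.0.1\tmail.example.com
1559116802.3\t10.0.0.23\t10.0.0.1\t4a6f686e20536d69746820.cdn-updates.net
1559116802.4\t10.0.0.23\t10.0.0.1\t2c20616363742031323334.cdn-updates.net
1559116802.5\t10.0.0.23\t10.0.0.1\t35362c2062616c20313939.cdn-updates.net
1559116802.6\t10.0.0.23\t10.0.0.1\t392e39392c20656e640a00.cdn-updates.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded chunks score far above words."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs) if s else 0.0


def group_queries(log_text: str) -> dict:
    """Map (client IP, parent domain) -> leftmost labels of its queries."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        _, orig, _, query = line.split("\t")
        labels = query.rstrip(".").split(".")
        if len(labels) >= 3:  # a bare second-level name carries no payload label
            groups[(orig, ".".join(labels[-2:]))].append(labels[0])
    return groups


def suspicious_sessions(log_text, min_queries=4, min_len=16, min_entropy=2.5):
    """Return (client, parent) pairs whose labels resemble exfil chunks."""
    flagged = []
    for key, labels in group_queries(log_text).items():
        distinct = set(labels)
        if len(distinct) < min_queries:
            continue
        avg_len = sum(map(len, distinct)) / len(distinct)
        avg_ent = sum(map(shannon_entropy, distinct)) / len(distinct)
        if avg_len >= min_len and avg_ent >= min_entropy:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    print(suspicious_sessions(SAMPLE_DNS_LOG))  # [('10.0.0.23', 'cdn-updates.net')]
```

The flagged pair is exactly the session metadata the slide points at (which IP, what kind of traffic, what is being moved) rather than any fixed byte pattern, so it also catches exfiltration to a domain no signature has seen yet.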

Page 6: Which technique?

• Signature analysis – can be used to create the alert; then

• Session analysis – can help investigate the alert further.

Page 7: FOSS Tools

• Open source network monitoring and log management tools:
  – Elasticsearch
  – Logstash
  – Kibana
  – Snort
  – Suricata
  – Zeek (formerly Bro)
  – Sguil
  – Squert

* FOSS - Free Open Source Software

Page 8: Log Management

• Logstash – used to gather data from multiple sources and transform it for storage

• Elasticsearch – Ingest, index, and analytics engine

• Kibana – Visualisation tool for Elasticsearch and other data sets

https://www.elastic.co/products/

Page 9: Intrusion Detection tools

• Snort – Intrusion detection system (IDS).

• Suricata – Intrusion detection system (IDS).

Page 10: Network Monitoring

• Zeek (formerly Bro) – Network traffic analysis tool

• Sguil – collection of free software components for Network Security Monitoring (NSM) and event-driven analysis of IDS alerts
  – Provides visibility into the event data being collected and the context to validate the detection

• Squert – web interface to query and view event data stored in a Sguil database.

Page 11: Security Onion

• Linux-based open source intrusion detection, security monitoring and log management toolkit.
  – Can be installed as a Virtual Machine (VM) or natively

• Best practice is to use two network interfaces:
  1. Management Network
  2. Monitored Network

https://securityonion.net

Page 12: Security Onion

https://securityonion.readthedocs.io/en/latest/architecture.html

Page 13: How to Install

• Straightforward – Download and follow instructions

• https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

Page 14: Security Onion - commands

https://securityonion.readthedocs.io/en/latest/cheat-sheet.html

Command – Description

sudo soup – Update Security Onion (and Ubuntu)
sudo so-status – Check service status
sudo sostat – Generate Security Onion statistics
sudo so-start – Start all services
sudo so-stop – Stop all services
sudo so-restart – Restart all services
sudo so-user-add – Add user for Sguil/Squert/Kibana
sudo rule-update – Update rules after modifying file
sudo so-allow – Open ports for ufw
sudo so-allow-view – View current firewall rules

Page 15: Security Onion - files

https://securityonion.readthedocs.io/en/latest/cheat-sheet.html

Folder / Files – Description

/etc/nsm/ – Location of configuration files
/etc/nsm/securityonion.conf – Security Onion general settings
/opt/bro – Location of Bro files
/nsm/bro/logs – Location of Bro log files
/etc/elasticsearch – Location of Elasticsearch files
/etc/logstash – Location of Logstash files
/etc/kibana – Location of Kibana files
/var/log – Location of log files
/opt/samples – Example packet capture files

Page 16: Security Onion - rules

https://securityonion.readthedocs.io/en/latest/cheat-sheet.html

Folder / Files – Description

/etc/nsm/rules/downloaded.rules – Downloaded IDS rules
/etc/nsm/rules/local.rules – Custom IDS rules
/etc/nsm/rules/threshold.conf – Rule thresholds
/etc/nsm/pulledpork/disabledsid.conf – Disabled rules by SID
/etc/nsm/pulledpork/modifysid.conf – Modified rules
/etc/nsm/pulledpork/pulledpork.conf – PulledPork configuration
/etc/elastalert/rules – Query Elasticsearch and alert on user-defined anomalous behavior

Page 17: Import packet captures

https://securityonion.readthedocs.io/en/latest/pcaps.html
https://securityonion.readthedocs.io/en/latest/so-import-pcap.html

Command – Description

sudo tcpreplay -i ens34 -M10 fake_av.pcap – Import the packet capture as new traffic with the current date and time, using interface ens34, limiting to 10MB throughput

sudo so-replay fake_av.pcap – Import the packet capture as new traffic with the current date and time.

sudo so-import-pcap fake_av.pcap – Import the traffic, whilst keeping the timestamps the same as the original packet capture dates and times.

Page 18: Import packet captures

https://securityonion.readthedocs.io/en/latest/so-import-pcap.html

Command – Description

capinfos {pcap file} – Display statistics about the packet capture file

tshark -F pcap -r {pcapng file} -w {pcap file} – Convert a packet capture Next Gen (pcapng) file to the earlier packet capture (pcap) format

Page 19: Lab Exercise

Page 20: Exercise

• Follow the lab handout: securityonion_lab.pdf

Page 21: Exercise 1: Squert

• File
  – fake_av.pcap

• Question
  – What type of malicious traffic is suspected?

• Q1: What is the top source IP and destination IP?
  – Source __________, Destination __________.

• Q2: What is the other IP address communicating with the top source IP?

Page 22: Exercise 1: Squert

Page 23: Exercise 1: Squert

Page 24: Exercise 2: Sguil

• File
  – fake_av.pcap

• Question: What was the rule that generated the original alert?

Page 25: Exercise 2: Sguil