Embed Size (px)
DESCRIPTION
null Bangalore January meet
Citation preview
Nishanth Kumar
18 Jan 2014
n|u / OWASP / G4H / SecurityXploded meet
n|u bangalore chapter member
What is Security Onion?
Security Onion is a Linux distro for
Intrusion detection,
Network security monitoring, and
log management
18 Jan 2014
Onion Layers• Ubuntu based OS
• Snort , Suricata
• Snorby
• Bro
• Sguil
• Squert
• ELSA
• NetworkMiner
• PADS ( Passive Attack Detection System )
• ………Many other tools .
18 Jan 2014
Now lets peel the onion layers
&
see what exactly each layer has ….
18 Jan 2014
Snort / Suricata
Snort is an open source network intrusion
detection and prevention system (IDS/IPS)
Suricata is a high performance Network IDS, IPS
and Network Security Monitoring engine .
18 Jan 2014
Why to use only those IDS
Engines
Highly Scalable
Protocol Identification
File Identification,
MD5 Checksums
File Extraction
18 Jan 2014
Snorby
Ruby on Rails Application for Network Security
Monitoring ( Web frontend )
Metrics & Reports
Classifications
Full Packet
Custom Settings
Hotkeys
18 Jan 2014
Bro
Bro is a powerful network analysis framework that
is much different from the typical IDS you may
know.
high-level semantic analysis at the application layer.
site-specific monitoring policies.
comprehensively logs what it sees and provides a
high-level archive of a network's activity.
18 Jan 2014
Features of BRO
All HTTP sessions with their requested URIs
key headers
MIME types, and server responses
DNS requests with replies
SSL certificates
key content of SMTP sessions
………….and much more.
18 Jan 2014
Sguil
It is an analyst console for Security Monitoring
It’s a powerful and capable solution for
Event Analysis
Coreleation and
review
Even ….
real-time events
session data
raw packet captures.
18 Jan 2014
Squert
A web interface to query and view Sguil event
data
and designed to supplement Sguil by providing
addition context around the events .
Squert is a visual tool
additional context to events ……
metadata,
time series representations
weighted and logically grouped result sets
18 Jan 2014
18 Jan 2014
Enterprise-Log-Search-and-
Archive
Centralized syslog framework built on
Syslog-NG
MySQL
Sphinx full-text search.
Allows for event searching and visualization of all the
Log data security onion consumes , including
OSSEC
Snort / Suricata
BRO IDS
Distributed log Archive System18 Jan 2014
Features of ELSA
• High-volume receiving/indexing
• Full Active Directory/LDAP integration for
authentication, authorization, email settings
• Dashboards using Google Visualizations
• Email alerting, scheduled reports.
• Plugin architecture for web interface
• Distributed architecture for clusters
18 Jan 2014
Network miner
Network Forensic Analysis Tool
passive network sniffer/packet capturing tool
operating systems
Sessions
Hostnames
open ports etc
18 Jan 2014
Sec Onion Support ……….
Alert data - HIDS alerts from OSSEC and NIDS
alerts from Snort/Suricata
Asset data from Pads and Bro
Full content data from netsniff-ng
Host data via OSSEC and syslog-ng
Session data from Argus, Pads, and Bro
Transaction data - http/ftp/dns/ssl/other logs from
Bro
18 Jan 2014
Refrences
http://blog.securityonion.net/
http://www.bro.org
http://www.snort.org/
http://www.google.com
18 Jan 2014
Its time for
DEMO
18 Jan 2014
![Module: Using Security Onion - start [APNIC TRAINING WIKI]1. Given a Virtual Machine (VM) that is already configured with Security Onion. Start the lab at Part 2. 2. Or asked to login](https://img.pdfslide.us/doc/110x75/60e8b6c4e995d76fe57edbd6/module-using-security-onion-start-apnic-training-wiki-1-given-a-virtual-machine.jpg)
![Module: Deploy Security Onion - start [APNIC TRAINING WIKI] · Objective: As part of this hands-on module, you will be installing and configuring Security Onion (Network Monitoring](https://img.pdfslide.us/doc/110x75/5ede59f1ad6a402d6669ac6e/module-deploy-security-onion-start-apnic-training-wiki-objective-as-part-of.jpg)
