Security Onion: peeling back the layers of your network in minutes

Published in: Technology


  1. Security Onion: Peel Back the Layers of Your Network in Minutes. Doug Burks
  2. What is Security Onion? Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
  3. IDS is sub-optimal; need NSM (multiple data types)
  4. Sguil is the de facto reference implementation of NSM
  5. Lots of pieces in the Sguil jigsaw puzzle: http://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png
  6. Security Onion: Next, Next, Finish for NSM
  7. Big Onions
     - Use our ISO image (based on Xubuntu 12.04 64-bit) OR start with your preferred flavor of Ubuntu 12.04 (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server) 32-bit or 64-bit, add our PPA and install our packages
     - High performance:
       - Snort/Suricata/Bro running on PF_RING
       - Netsniff-ng uses zero-copy for high-speed full-packet capture
       - ELSA (like a free version of Splunk) – distributed database with central web interface
  8. Data Types
     - Alert data
       - NIDS alerts from Snort/Suricata
       - HIDS alerts from OSSEC
     - Asset data from Bro and PRADS
     - Session data from Argus, Bro, and PRADS
     - Transaction data – http/ftp/dns/ssl/other logs from Bro
     - Full content data from netsniff-ng
  9. Distributed Deployment
  10. Snorby
  11. Pivot to pcap from Snorby
  12. CapME
  13. Squert web interface
  14. Sguil client
  15. Pivot to pcap from Sguil
  16. NetworkMiner: There's gold in them thar PCAPs!
  17. ELSA
  18. Pivot to pcap from ELSA
  19. Ooh... shiny...
  20. Bro Flow
  21. Popular Dst IPs
  22. Popular Dst Ports
  23. Drilling into an interesting Dst Port
  24. What is that Dst Port? Pivot 2 Pcap!
  25. 2013: The Metrics
     - Security Onion 10.04: 37,521
     - Security Onion 12.04 (released 12/31/2012): 34,290 from SourceForge
     - Security Onion 12.04.1 (released 6/10/2013): 6,380 from SourceForge
     - Security Onion 12.04.2 (released 7/25/2013): 737 from SourceForge
     - ??? from BitTorrent
     - ??? Ubuntu/Kubuntu/Lubuntu + Security Onion PPA
  26. Where do we go now? http://securityonion.blogspot.com. Updates are announced here and it also has the following links:
     - Download/Install
     - FAQ
     - Mailing Lists
     - IRC #securityonion on irc.freenode.net
     - @securityonion
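The Bro session data listed on slide 8 is what the ELSA views on slides 20 to 24 aggregate (popular destination IPs and ports, then drilling into one port before pivoting to pcap). As an added example that is not part of Doug Burks's deck or of Security Onion's own code, the Python script below parses a constructed Bro conn.log sample (tab-separated, `#fields` header, `-` for unset values), ranks destination IPs and ports, and lists the connection uids behind one port. The column subset and the sample values are assumptions.

```python
from collections import Counter

# Constructed sample in Bro 2.x ASCII conn.log format. Only a subset of the
# real columns is included; addresses and uids are made up.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tresp_bytes",
    "1375000001.1\tC1\t10.0.0.5\t51000\t93.184.216.34\t80\ttcp\thttp\t5120",
    "1375000002.2\tC2\t10.0.0.5\t51001\t93.184.216.34\t443\ttcp\tssl\t2048",
    "1375000003.3\tC3\t10.0.0.7\t51002\t198.51.100.9\t6667\ttcp\t-\t300",
    "1375000004.4\tC4\t10.0.0.7\t51003\t198.51.100.9\t6667\ttcp\t-\t120",
    "1375000005.5\tC5\t10.0.0.9\t51004\t93.184.216.34\t80\ttcp\thttp\t900",
    "1375000006.6\tC6\t10.0.0.9\t51005\t203.0.113.4\t53\tudp\tdns\t-",
])


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by the '#fields' header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]   # column names follow the '#fields' tag
            continue
        if line.startswith("#") or not line.strip():
            continue                        # other header lines and blanks
        values = [None if v == "-" else v for v in line.split("\t")]
        if fields is None or len(values) != len(fields):
            continue                        # malformed line: skip rather than crash
        rows.append(dict(zip(fields, values)))
    return rows


def top_values(rows, field, n=5):
    """Rank the values of one column, e.g. id.resp_h (Dst IPs) or id.resp_p (Dst Ports)."""
    return Counter(r[field] for r in rows if r.get(field) is not None).most_common(n)


def drill_into_port(rows, port):
    """Return (uid, src, dst, service) for every connection to `port`: the
    rows an analyst would pivot on to pull the matching pcap."""
    return [(r["uid"], r["id.orig_h"], r["id.resp_h"], r["service"])
            for r in rows if r["id.resp_p"] == str(port)]


if __name__ == "__main__":
    conns = parse_bro_log(SAMPLE_CONN_LOG)
    print("Popular Dst IPs:  ", top_values(conns, "id.resp_h"))
    print("Popular Dst Ports:", top_values(conns, "id.resp_p"))
    print("Connections to 6667:", drill_into_port(conns, 6667))
```

On a real sensor the same functions can be pointed at /nsm/bro/logs/current/conn.log, with the `uid` values used to locate the session in Bro's other logs.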
