Security Onion: peeling back the layers of your network in minutes

829 views on SlideShare
Presentation Transcript

  • Security Onion: Peel Back the Layers of Your Network in Minutes. Doug Burks
  • What is Security Onion? Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
  • IDS is sub-optimal; need NSM (multiple data types)
  • Sguil is the de facto reference implementation of NSM
  • Lots of pieces in the Sguil jigsaw puzzle: http://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png
  • Security Onion: Next, Next, Finish for NSM
  • Big Onions
    - Use our ISO image (based on Xubuntu 12.04 64-bit) OR start with your preferred flavor of Ubuntu 12.04 (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server) 32-bit or 64-bit, add our PPA and install our packages
    - High performance:
      - Snort/Suricata/Bro running on PF_RING
      - Netsniff-ng uses zero-copy for high-speed full-packet capture
    - ELSA (like a free version of Splunk): distributed database with central web interface
  • Data Types
    - Alert data
      - NIDS alerts from Snort/Suricata
      - HIDS alerts from OSSEC
    - Asset data from Bro and PRADS
    - Session data from Argus, Bro, and PRADS
    - Transaction data: http/ftp/dns/ssl/other logs from Bro
    - Full content data from netsniff-ng
  • Distributed Deployment
  • Snorby
  • Pivot to pcap from Snorby
  • CapME
  • Squert web interface
  • Sguil client
  • Pivot to pcap from Sguil
  • NetworkMiner: There's gold in them thar PCAPs!
  • ELSA
  • Pivot to pcap from ELSA
  • Ooh... shiny...
  • Bro Flow
  • Popular Dst IPs
  • Popular Dst Ports
  • Drilling into an interesting Dst Port
  • What is that Dst Port? Pivot 2 Pcap!
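The last five slides walk one NSM workflow: take Bro session (flow) data, rank the popular destination IPs and ports, drill into a port that looks odd, then pivot to full-packet capture for the sessions behind it. The script below is an added example, not code from the deck or from the Security Onion project, that performs that same workflow offline over a constructed Bro conn.log sample (the column layout follows Bro's tab-separated conn.log with a `#fields` header; all addresses, UIDs and timestamps are invented). The BPF filter string it builds for the pivot is an assumption about how a capture tool would be asked for the session, not any Security Onion tool's actual interface.

```python
# Added example, not from the Security Onion deck: the "Bro Flow -> popular
# destination IPs/ports -> drill into one port -> pivot to pcap" workflow the
# slides show in ELSA, done over a constructed Bro conn.log sample.
from collections import Counter

# Constructed sample in Bro's tab-separated conn.log layout. The "#fields"
# header names the columns and "-" marks an unset value. All addresses,
# UIDs and timestamps are invented for illustration.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "1372521600.10\tCx1\t10.0.0.5\t51000\t93.184.216.34\t80\ttcp\thttp\t0.5\t300\t1200\tSF\n"
    "1372521601.20\tCx2\t10.0.0.7\t51001\t93.184.216.34\t80\ttcp\thttp\t0.4\t280\t900\tSF\n"
    "1372521602.30\tCx3\t10.0.0.5\t40000\t8.8.8.8\t53\tudp\tdns\t0.01\t60\t120\tSF\n"
    "1372521603.40\tCx4\t10.0.0.9\t40001\t8.8.8.8\t53\tudp\tdns\t0.01\t60\t130\tSF\n"
    "1372521604.50\tCx5\t10.0.0.7\t51002\t198.51.100.23\t8443\ttcp\t-\t30.0\t5000\t200\tSF\n"
    "1372521605.60\tCx6\t10.0.0.7\t51003\t198.51.100.23\t8443\ttcp\t-\t29.5\t4800\t210\tSF\n"
    "1372521606.70\tCx7\t10.0.0.9\t51004\t198.51.100.23\t8443\ttcp\t-\t31.0\t5100\t190\tSF\n"
    "1372521607.80\tCx8\t10.0.0.5\t51005\t203.0.113.10\t443\ttcp\tssl\t1.2\t1500\t6000\tSF\n"
)

INT_FIELDS = {"id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"}


def parse_conn_log(text):
    """Turn Bro conn.log text into a list of dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("conn.log row does not match #fields header")
        rec = dict(zip(fields, values))
        for f in INT_FIELDS:
            rec[f] = int(rec[f]) if rec[f] != "-" else None
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def top_destinations(records, field, n):
    """'Popular Dst IPs' / 'Popular Dst Ports': count sessions per value."""
    return Counter(r[field] for r in records).most_common(n)


def drill_into_port(records, port):
    """'Drilling into an interesting Dst Port': every session to that port."""
    return [r for r in records if r["id.resp_p"] == port]


def pcap_filter(rec):
    """Assumed pivot step: a BPF expression selecting this session's packets."""
    return "host %s and host %s and %s port %d" % (
        rec["id.orig_h"], rec["id.resp_h"], rec["proto"], rec["id.resp_p"])


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("Popular Dst IPs:", top_destinations(recs, "id.resp_h", 3))
    print("Popular Dst Ports:", top_destinations(recs, "id.resp_p", 3))
    # The busiest port has no service Bro could identify: worth a closer look.
    port, _ = top_destinations(recs, "id.resp_p", 1)[0]
    for r in drill_into_port(recs, port):
        print(r["uid"], r["service"] or "unknown", "->", pcap_filter(r))
```

In the sample the busiest destination port is one Bro could not map to a service, which is exactly the "what is that Dst Port?" moment on the slide; the BPF strings printed for each session are what an analyst would hand to the full-content store to pull the packets behind the flow.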
  • 2013: The Metrics
    - Security Onion 10.04: 37,521
    - Security Onion 12.04 (released 12/31/2012): 34,290 from SourceForge
    - Security Onion 12.04.1 (released 6/10/2013): 6,380 from SourceForge
    - Security Onion 12.04.2 (released 7/25/2013): 737 from SourceForge
    - ??? from BitTorrent
    - ??? Ubuntu/Kubuntu/Lubuntu + Security Onion PPA
  • Where do we go now? http://securityonion.blogspot.com. Updates are announced here and it also has the following links:
    - Download/Install
    - FAQ
    - Mailing Lists
    - IRC #securityonion on irc.freenode.net
    - @securityonion