Peeling back your Network Layers with Security Onion

4,484 views

Published in: Technology


Transcript

  • 1. Peeling Your Network Layers With { _id: "Mark Hillick", "company": "Kybeire" } Friday 23 November 12
  • 2. > db.whoam.findOne() { "contact": { "email": "mark@kybeire.com", "web": "www.hackeire.net", "twitter": "markofu" }, "work" : { "10gen" : "MongoDB" }, "cert" : { "GIAC GSE" : true }, "state" : { "Nervous" : true, "Relaxed" : false }, "tags" : [ { "securityonion" : 1}, {"tcp" : 1} , {"ids" : 1}, {"packet analysis" : 1}, {"defensive fun" : 1}, {"nsm" : 1} ], "try-to-help" : [ { "IrissCert" : "not very well"} , {"Security Onion" : "not well enough"} ] }
  • 3. SO @ IrissCon. Last Presentation - need humour!!! Or at least an attempt at it :)
  • 4. Four Things: This talk is NOT an IDS talk! This talk will be fairly technical :) And fast :) If you don't like Lego or Star Wars, you might want to leave.
  • 5. Creator: Doug Burks - the guy is incredible, he does not sleep :) Grew out of a SANS Gold Paper. Wanted to help make Sguil & NSM "easier" to deploy!
  • 6. So, what is it? Security Onion is a Linux distro for IDS (Intrusion Detection) & NSM (Network Security Monitoring).
      New version => all Ubuntu-type 12.04 distros [LTS], 32 & 64 bit
      Old version => Xubuntu 10.04 [LTS], 32 bit only
      Contains many security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
      Open-Source: so it's all there!!!!
  • 7. Traditionally: DEFENCE-IN-DEPTH. Layers, layers & more layers: Firewalls; IDS/IPS; WAF. Restrict inbound, allow all outbound. Different FW tech. ACLs on Routers. But what is going on?
  • 8. IDS Alert, what now? alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
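As an added example (not from the talk and not Snort's own code), here is a small parser for the rule on slide 8 plus a payload check, to make concrete what that alert does and does not tell you. The rule text is the slide's; the three payloads are constructed, and only the rule header and plain `content` options are honoured (modifiers such as nocase/depth/offset are ignored). The point: 0x43 is `inc ebx` on x86, so a run of 'C' bytes is a usable NOP sled, but it is also just the letter C, and the signature cannot tell those apart. That is why you need to get from the alert to the packet.

```python
"""Added example: parse the GPL shellcode rule from the slide and test payloads
against it. Only the header and plain 'content' options are honoured."""
import re
from typing import Dict, List, Tuple

# The rule from the slide, verbatim (sid 2101390, rev 7).
RULE = ('alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
        '(msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; '
        'fast_pattern:only; classtype:shellcode-detect; sid: 2101390; rev:7;)')

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split 'key:value; key; ...' on semicolons that are outside double quotes."""
    opts: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quote = False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            token = ''.join(buf).strip()
            if token:
                key, _, val = token.partition(':')
                opts.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    if ''.join(buf).strip():
        raise ValueError('every option must end with ";"')
    return opts


def decode_content(value: str) -> bytes:
    """Turn a Snort content string such as "ab|41 42|c" into bytes (|..| is hex)."""
    if value.startswith('!'):
        raise ValueError('negated content is not handled in this example')
    parts = value.strip('"').split('|')
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_rule(rule: str) -> Dict[str, object]:
    """Parse header fields, msg/sid/rev/classtype and every plain content pattern."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a Snort rule header')
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = split_options(body)
    meta = dict(opts)  # last occurrence wins, which is fine for msg/sid/rev/classtype
    return {
        'action': action, 'proto': proto, 'src': src, 'sport': sport,
        'direction': direction, 'dst': dst, 'dport': dport,
        'msg': meta.get('msg', '').strip('"'),
        'sid': int(meta['sid']), 'rev': int(meta.get('rev', '0')),
        'classtype': meta.get('classtype', ''),
        'contents': [decode_content(v) for k, v in opts if k == 'content'],
    }


def payload_matches(rule: Dict[str, object], payload: bytes) -> bool:
    """True when every plain content pattern occurs somewhere in the payload."""
    return all(c in payload for c in rule['contents'])


# Constructed payloads (not captured traffic). 0x43 is 'inc ebx' on x86, so a run
# of 'C' bytes is a valid NOP sled, and it is also just the letter C.
SLED_PAYLOAD = b'C' * 64 + b'\xcc' * 8            # sled followed by stand-in code bytes
BENIGN_PAYLOAD = b'name=' + b'C' * 30 + b'&ok=1'  # padded form field, fires too
CLEAN_PAYLOAD = b'GET / HTTP/1.1\r\nHost: x\r\n\r\n'

if __name__ == '__main__':
    r = parse_rule(RULE)
    print(r['sid'], r['msg'], r['contents'])
    for name, p in (('sled', SLED_PAYLOAD), ('benign', BENIGN_PAYLOAD), ('clean', CLEAN_PAYLOAD)):
        print(name, payload_matches(r, p))
```

Both the sled and the padded form field match; only the pcap (or the Bro/Sguil context around it) tells you which one you are looking at.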
  • 9. NSM, Old-Style :( WTF??????? Ah man, this sucks! grep this, awk that, sed this, pipe to CSV, scp & open Excel :( Then make pretty for mgmt :)
  • 10. State of IDS. Source: http://img2.moonbuggy.org/imgstore/doorstop.jpg
  • 12. NSM. NSM != IDS. Clarity!!! "the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions" - Richard Bejtlich, TaoSecurity Blog, http://taosecurity.blogspot.com/2007/04/network-security-monitoring-history.html
  • 13. NSM, ONION-STYLE :)
  • 17. CHILD'S PLAY
  • 24. Architecture: Server, Sensors or Both. Ultimate Analyst Workstation.
  • 25. Deploy, Build & Use: Aggregate or Tap.
      Use Cases: Production - traditional DCs on VM; Cloud Infrastructure; Personally: HackEire & @ home; ETC
      Admin - aptitude & upstart :)
  • 26. Haz Tools 1. IDS: Snort or Suricata - your choice :)
  • 27. Haz Tools 2. Bro: powerful network analysis framework with amazingly detailed logs. OSSEC: monitors local logs, file integrity & rootkits; can receive logs from OSSEC Agents and standard Syslog.
  • 28. Haz Tools 3. Complete List: http://code.google.com/p/security-onion/wiki/Tools
  • 29. Directory Structure
      Data: /nsm - backup, bro, server data & sensor data; sensor data by sensor name "$hostname-$interface"
      Config: /etc/nsm - ossec, pulledpork, securityonion, and per sensor "$hostname-$interface": pads, snort, suricata, barnyard etc
      Logs: /var/log/nsm
  • 30. NSM: sudo service nsm restart (bro, ossec, sguil)
      sudo service nsm-server restart
      sudo service nsm-sensor restart
  • 31. Pivot To Wireshark
  • 36. Attack : Client-Side
  • 37. Attack : Client-Side. Innocence
  • 38. Attack : Client-Side. Oops, now Innocence inside!
  • 39. Sit Back, Relax & Enjoy: Upcoming Demo of Client-side attack. User clicks on link; channel is created back to attacker.
  • 40. CS Attack: Sguil
  • 44. CS Attack: Snorby
  • 49. CS Attack: Bro 1. bash/bro scripting framework & built-in scripts. /nsm/bro/logs/current: http.log, conn.log
  • 50. CS Attack: Bro 2. DETAIL, DETAIL, DETAIL......
  • 53. CS Attack: Elsa
  • 58. CS Attack: Network Miner
  • 59. CS Attack: Network Miner
      $ ls -lart | grep 4444
      -rw-rw-r-- 1 nsmadmin nsmadmin 1291079 Nov 4 21:22 10.20.0.111:4444_10.20.0.165:1804-6.raw
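Slides 39, 49 and 59 are one pivot: a user clicks a link, a channel comes back to the attacker on tcp/4444, and Bro's conn.log and http.log carry the detail. As an added example (not Security Onion's or Bro's code), here is that pivot over constructed log text: the two logs below are made up to look like Bro 2.x ASCII logs (tab-separated, a `#fields` line names the columns, `-` means unset) with a reduced set of real Bro field names. Hosts and ports mirror the demo (victim 10.20.0.165, attacker 10.20.0.111, channel on port 4444); the timestamps, uids, URIs and byte counts are invented. The filter deliberately does not hard-code 4444: it looks for a long-lived TCP flow from a home host that Bro could not attach a service to, which is what a reverse shell looks like in conn.log.

```python
"""Added example: from the reverse channel in conn.log back to the click in http.log.
Log text is constructed to look like Bro 2.x ASCII logs; it is not captured data."""
import ipaddress
from typing import Dict, List

Row = Dict[str, str]

CONN_LOG = (
    "#separator \\x09\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "1352064115.200000\tCXWv6p3arKYeMETxOg\t10.20.0.165\t1803\t10.20.0.111\t80\ttcp\thttp\t0.810000\t312\t1291079\tSF\n"
    "1352064117.030000\tC4J4Th3PJpwUYZZ6gc\t10.20.0.165\t1804\t10.20.0.111\t4444\ttcp\t-\t1804.550000\t4120\t98211\tS1\n"
    "1352064120.000000\tCUM0KZ3MLUfNB0cl11\t10.20.0.165\t1805\t10.20.0.1\t53\tudp\tdns\t0.020000\t40\t120\tSF\n"
    "1352064130.000000\tCj5bN01z2ph2Ln8nSd\t10.20.0.42\t2231\t10.20.0.111\t80\ttcp\thttp\t0.400000\t200\t5000\tSF\n"
)

HTTP_LOG = (
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code\tresp_mime_types\n"
    "1352064115.210000\tCXWv6p3arKYeMETxOg\t10.20.0.165\t1803\t10.20.0.111\t80\tGET\t10.20.0.111\t/\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\t200\ttext/html\n"
    "1352064115.910000\tCXWv6p3arKYeMETxOg\t10.20.0.165\t1803\t10.20.0.111\t80\tGET\t10.20.0.111\t/x.jar\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\t200\tapplication/zip\n"
    "1352064130.100000\tCj5bN01z2ph2Ln8nSd\t10.20.0.42\t2231\t10.20.0.111\t80\tGET\t10.20.0.111\t/\tMozilla/5.0\t200\ttext/html\n"
)


def parse_bro_log(text: str) -> List[Row]:
    """Parse a Bro ASCII log into dicts keyed by the names on the '#fields' line."""
    fields: List[str] = []
    rows: List[Row] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #path, #types, #close and friends
            continue
        if not fields:
            raise ValueError("data row before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious_channels(conn: List[Row], home_net: ipaddress.IPv4Network,
                        min_duration: float = 60.0) -> List[Row]:
    """Long-lived TCP flows from a home host that Bro could not attach a service to.

    A reverse shell is exactly that: a lasting session with no recognised protocol,
    so 'service == -' plus duration is the cheap first cut; the port is not assumed.
    """
    hits: List[Row] = []
    for r in conn:
        if r["proto"] != "tcp" or r["service"] != "-":
            continue
        if ipaddress.ip_address(r["id.orig_h"]) not in home_net:
            continue
        if r["duration"] != "-" and float(r["duration"]) >= min_duration:
            hits.append(r)
    return hits


def pivot_client_side(conn_text: str, http_text: str, home_net: str = "10.20.0.0/24",
                      lookback: float = 30.0) -> List[Dict[str, object]]:
    """For each suspicious channel, list the victim's HTTP requests just before it."""
    conn = parse_bro_log(conn_text)
    http = parse_bro_log(http_text)
    net = ipaddress.ip_network(home_net)
    out: List[Dict[str, object]] = []
    for ch in suspicious_channels(conn, net):
        t0 = float(ch["ts"])
        before = sorted(
            (h for h in http
             if h["id.orig_h"] == ch["id.orig_h"] and t0 - lookback <= float(h["ts"]) <= t0),
            key=lambda h: float(h["ts"]))
        out.append({
            "uid": ch["uid"],
            "victim": ch["id.orig_h"],
            "attacker": f"{ch['id.resp_h']}:{ch['id.resp_p']}",
            "duration_s": float(ch["duration"]),
            "preceding_http": [(h["method"], h["host"] + h["uri"], h["resp_mime_types"])
                               for h in before],
        })
    return out


if __name__ == "__main__":
    for hit in pivot_client_side(CONN_LOG, HTTP_LOG):
        print(hit)
```

The uid is the handle for the next hop: it is the same value in every Bro log that describes that connection, and the conn.log tuple is what you carry over to Sguil or Wireshark to pull the packets themselves.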
  • 62. Ah, yeah, now....... How many clicks does it take you to get from an alert to the packet???? Can you pivot? Could you take a Windows Administrator off the street???
  • 63. Don't Forget
  • 64. All Wrapped Up. Thanks to Doug & the team. No more compiling, messing with installations, sorting out pre-requisites. Significantly reduced testing. Point & Click.
  • 65. Conclusion: Easy Peasy. Powerful - haz tools. Nice pictures, GUIs & graphs for management ;-) Open-Source is possible & SO viable. Commodity H/W. Support - mixture!
  • 66. Want to join? Security Onion needs: Documentation & Artwork; Web Interface; Package Maintainers; Performance Benchmarks. Me -> "GetOpts -> sosetup & Chef". http://code.google.com/p/security-onion/wiki/TeamMembers
  • 67. Further Reading!!!
      Project Home: https://code.google.com/p/security-onion/
      Blog: http://securityonion.blogspot.com
      GG: https://groups.google.com/forum/?fromgroups#!forum/security-onion
      Wiki: http://code.google.com/p/security-onion/w/list
      Mailing Lists: http://code.google.com/p/security-onion/wiki/MailingLists
      IRC: #securityonion on irc.freenode.net
      The Future: https://code.google.com/p/security-onion/wiki/Roadmap
  • 68. Contact Me: mark@kybeire.com @markofu BTW, Star Wars Fan :)
  • 69. Pics Links. Onion: https://secure.flickr.com/photos/7157427@N03/3248129452/ Star Wars Lego: http://imgur.com/a/0XvKw (Huge thanks to Mike Stimpson -> www.mikestimpson.com :) ) Book -> "Stormtroopers, we love you"
  • 70. Thank You!!!