Peeling back your Network Layers with Security Onion

Slide 1: Peeling Your Network Layers With { _id: "Mark Hillick", "company": "Kybeire" }
Friday 23 November 12

Slide 2:
  > db.whoam.findOne()
  {
    "contact": { "email": "mark@kybeire.com", "web": "www.hackeire.net", "twitter": "markofu" },
    "work": { "10gen": "MongoDB" },
    "cert": { "GIAC GSE": true },
    "state": { "Nervous": true, "Relaxed": false },
    "tags": [ { "securityonion": 1 }, { "tcp": 1 }, { "ids": 1 }, { "packet analysis": 1 }, { "defensive fun": 1 }, { "nsm": 1 } ],
    "try-to-help": [ { "IrissCert": "not very well" }, { "Security Onion": "not well enough" } ]
  }

Slide 3: SO @ IrissCon
  Last Presentation - need humour!!! Or at least an attempt at it :)

Slide 4: Four Things
  This talk is NOT an IDS talk!
  This talk will be fairly technical :)
  And fast :)
  If you don't like Lego or Star Wars, you might want to leave

Slide 5: Creator
  Doug Burks - the guy is incredible, he does not sleep :)
  Grew out of SANS Gold Paper
  Wanted to help make Sguil & NSM "easier" to deploy!

Slide 6: So, what is it?
  Security Onion is a Linux distro for IDS (Intrusion Detection) & NSM (Network Security Monitoring).
  New version => all Ubuntu-type 12.04 distros [LTS], 32 & 64 bit
  Old version => Xubuntu 10.04 [LTS], 32 bit only
  Contains many security tools.
  The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
  Open-Source: so it's all there!!!!

Slide 7: Traditionally
  DEFENCE-IN-DEPTH
  Layers, layers & more layers: Firewalls; IDS/IPS; WAF
  Restrict inbound, allow all outbound
  Different FW tech
  ACLs on Routers
  But what is going on?

Slide 8: IDS Alert, what now?
  alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
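The rule on slide 8 is the talk's example of "an alert, now what?". The block below is an added example of mine (not the speaker's, not Snort's, not Security Onion's) that parses that exact rule and evaluates it against constructed packet payloads, to show what it actually tests for and where it goes quiet or goes wrong. It assumes the stock snort.conf variable values ($SHELLCODE_PORTS is !80, the address variables are any); the parser only handles the simple key:value; options this one rule uses, and the payloads are made up.

```python
"""Added example: evaluate the GPL SHELLCODE rule from the slide against
constructed payloads. Not from the talk; assumptions are marked below."""
import re

# The rule exactly as quoted on the slide (Emerging Threats GPL set, sid 2101390 rev 7).
RULE_TEXT = (
    'alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
    '(msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; '
    'fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)'
)

# Assumed variable values: stock snort.conf defaults, not taken from the slide.
SNORT_VARS = {'$EXTERNAL_NET': 'any', '$HOME_NET': 'any', '$SHELLCODE_PORTS': '!80'}


def parse_rule(text):
    """Split a Snort rule into its header fields plus a dict of body options.
    Only the plain 'key:value;' option form this rule uses is handled."""
    header, body = text.split('(', 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = {}
    for key, value in re.findall(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);', body):
        options[key] = value.strip('"')
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'options': options}


def content_bytes(content):
    """Snort content string -> bytes; |..| sections are hex, the rest literal."""
    out = bytearray()
    for i, piece in enumerate(content.split('|')):
        out += bytes.fromhex(piece) if i % 2 else piece.encode('latin-1')
    return bytes(out)


def port_matches(spec, port, variables=SNORT_VARS):
    """Minimal port matcher: a variable, 'any', a number, or a '!'-negated spec."""
    spec = variables.get(spec, spec)
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not port_matches(spec[1:], port, variables)
    return int(spec) == port


def rule_fires(rule, sport, dport, payload):
    """Header port checks plus the content match (addresses are 'any' here)."""
    return (port_matches(rule['sport'], sport) and port_matches(rule['dport'], dport)
            and content_bytes(rule['options']['content']) in payload)


# Constructed payloads. 0x43 is both ASCII 'C' and the x86 'inc ebx' opcode,
# which is why the rule looks for a run of 24 of them as a NOP-sled substitute.
SHELLCODE_HEAD = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68'     # first bytes of a typical execve stub
INC_EBX_SLED = b'\x43' * 64 + SHELLCODE_HEAD               # the sled this rule is for
NOP_SLED = b'\x90' * 64 + SHELLCODE_HEAD                   # classic 0x90 sled: same attack, no match
BENIGN_TEXT = b'col1;' + b'C' * 30 + b';col3\r\n'          # padding in plain data: false positive


if __name__ == '__main__':
    rule = parse_rule(RULE_TEXT)
    cases = [('inc ebx sled to port 4444', 31337, 4444, INC_EBX_SLED),
             ('same sled inside an HTTP response', 80, 1804, INC_EBX_SLED),
             ('0x90 sled to port 4444', 31337, 4444, NOP_SLED),
             ('24+ C characters in text data', 25, 1025, BENIGN_TEXT)]
    for name, sport, dport, data in cases:
        print(f"{name:36s} -> {'ALERT' if rule_fires(rule, sport, dport, data) else 'no alert'}")
```

The two cases worth remembering when this alert lands in Sguil: the rule is protocol `ip` with the source port restricted by $SHELLCODE_PORTS, so with the default `!80` the same sled arriving in an HTTP response from port 80 never fires it, and any 24 consecutive 'C' characters in ordinary data do. Neither tells you whether the host was actually exploited; that is what the pcap pivot in the rest of the talk is for.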
Slide 9: NSM, Old-Style :(
  WTF???????
  Ah man, this sucks!
  grep this, awk that, sed this, pipe to csv, scp & open excel :(
  Then make pretty for mgmt :)

Slides 10-11: State of IDS
  Source: http://img2.moonbuggy.org/imgstore/doorstop.jpg

Slide 12: NSM
  NSM != IDS
  Clarity!!!
  "the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions"
  Richard Bejtlich, TaoSecurity Blog
  http://taosecurity.blogspot.com/2007/04/network-security-monitoring-history.html

Slides 13-16: NSM, ONION-STYLE :) (title only)

Slides 17-23: CHILD'S PLAY (title only)

Slide 24: Architecture
  Server, Sensors or Both
  Ultimate Analyst Workstation

Slide 25: Deploy, Build & Use
  Aggregate or Tap
  Use Cases:
    Production - traditional DCs on VM
    Cloud Infrastructure
    Personally: HackEire & @ home
    ETC
  Admin - aptitude & upstart :)

Slide 26: Haz Tools 1
  IDS: Snort or Suricata - your choice :)

Slide 27: Haz Tools 2
  Bro: powerful network analysis framework with amazingly detailed logs
  OSSEC monitors local logs, file integrity & rootkits
  Can receive logs from OSSEC Agents and standard Syslog

Slide 28: Haz Tools 3
  Complete List: http://code.google.com/p/security-onion/wiki/Tools

Slide 29: Directory Structure
  Data: /nsm
    backup, bro, server data & sensor data
    By sensor name "$hostname-$interface"
  Config: /etc/nsm
    ossec, pulledpork, securityonion
    $hostname-$interface: pads, snort, suricata, barnyard etc
  Logs: /var/log/nsm

Slide 30: NSM
  sudo service nsm restart          (bro, ossec, sguil)
  sudo service nsm-server restart
  sudo service nsm-sensor restart

Slides 31-35: Pivot To Wireshark (title only)

Slides 36-38: Attack : Client-Side
  Innocence
  Oops, now Innocence inside!

Slide 39: Sit Back, Relax & Enjoy
  Upcoming Demo of Client-side attack
  User clicks on link
  Channel is created back to attacker

Slides 40-43: CS Attack: Sguil (title only)

Slides 44-48: CS Attack: Snorby (title only)

Slide 49: CS Attack: Bro 1
  bash/bro scripting framework & built-in scripts
  /nsm/bro/logs/current
    http.log
    conn.log

Slides 50-52: CS Attack: Bro 2
  DETAIL, DETAIL, DETAIL......

Slides 53-57: CS Attack: Elsa (title only)

Slides 58-60: CS Attack: Network Miner
  $ ls -lart | grep 4444
  -rw-rw-r-- 1 nsmadmin nsmadmin 1291079 Nov  4 21:22 10.20.0.111:4444_10.20.0.165:1804-6.raw
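Slide 49 points at /nsm/bro/logs/current/http.log and conn.log for the client-side demo, and slides 59-60 show NetworkMiner's reassembled stream between 10.20.0.111:4444 and 10.20.0.165:1804. The block below is an added example of mine (not from the talk, Security Onion or Bro) that reads Bro's tab-separated log format and pulls the same chain out of the logs: the link the user fetched, then the long-lived connection back to the attacker. Both logs are constructed: the endpoints follow the NetworkMiner filename on the slide (assuming 10.20.0.111:4444 is the attacker's listener, consistent with "channel is created back to attacker"); the timestamps, uids, byte counts and the http.log column subset are made up.

```python
"""Added example: parse Bro conn.log / http.log and extract the client-side
attack chain. Not from the talk; the sample logs below are constructed."""

# Constructed conn.log in Bro's ASCII format: '#fields' names the columns,
# other '#' lines are metadata, '-' is unset, '(empty)' is an empty set.
CONN_LOG = (
    '#separator \\x09\n'
    '#path\tconn\n'
    '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\t'
    'duration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\t'
    'orig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n'
    # a DNS lookup by the victim (udp, uninteresting here)
    '1352063990.112\tC1dnsAb\t10.20.0.165\t1801\t10.20.0.1\t53\tudp\tdns\t0.021\t41\t120\t'
    'SF\tT\t0\tDd\t1\t69\t1\t148\t(empty)\n'
    # the click: a short HTTP fetch from the attacker's web server
    '1352063991.301\tC2httpCd\t10.20.0.165\t1803\t10.20.0.111\t80\ttcp\thttp\t0.412\t318\t5120\t'
    'SF\tT\t0\tShADadFf\t5\t582\t6\t5440\t(empty)\n'
    # the channel: a long-lived tcp connection Bro cannot name a service for
    '1352063992.544\tC3shellEf\t10.20.0.165\t1804\t10.20.0.111\t4444\ttcp\t-\t1294.873\t8210\t1282869\t'
    'S1\tT\t0\tShADad\t210\t16610\t1340\t1336469\t(empty)\n'
)

# Constructed http.log with a subset of the real columns.
HTTP_LOG = (
    '#separator \\x09\n'
    '#path\thttp\n'
    '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\t'
    'user_agent\tstatus_code\tmime_type\n'
    '1352063991.305\tC2httpCd\t10.20.0.165\t1803\t10.20.0.111\t80\tGET\t10.20.0.111\t'
    '/update.html\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\t200\ttext/html\n'
)


def parse_bro_log(text):
    """Turn a Bro ASCII log into a list of dicts keyed by the '#fields' names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith('#fields'):
            fields = line.split('\t')[1:]
        elif line.startswith('#') or not line:
            continue
        else:
            records.append(dict(zip(fields, line.split('\t'))))
    return records


def suspicious_channels(conns, min_duration=300.0):
    """Long-lived TCP connections with no service identified: the shape of an
    interactive reverse shell, whatever port it uses."""
    hits = []
    for c in conns:
        if c['proto'] != 'tcp' or c['service'] != '-':
            continue
        if c['duration'] == '-' or float(c['duration']) < min_duration:
            continue
        hits.append(c)
    return hits


def preceding_http(conn, https, window=60.0):
    """http.log entries from the same client host in the window before the
    channel opened: the request that delivered the link."""
    t0 = float(conn['ts'])
    return [h for h in https
            if h['id.orig_h'] == conn['id.orig_h'] and t0 - window <= float(h['ts']) <= t0]


def attack_chain(conn_text, http_text):
    """For each suspicious channel, report victim, attacker endpoint, the conn
    uid (the handle to pivot on) and the URLs fetched just before it opened."""
    https = parse_bro_log(http_text)
    chains = []
    for c in suspicious_channels(parse_bro_log(conn_text)):
        chains.append({
            'victim': c['id.orig_h'],
            'attacker': f"{c['id.resp_h']}:{c['id.resp_p']}",
            'uid': c['uid'],
            'duration': float(c['duration']),
            'clicked': [f"http://{h['host']}{h['uri']}" for h in preceding_http(c, https)],
        })
    return chains


if __name__ == '__main__':
    for chain in attack_chain(CONN_LOG, HTTP_LOG):
        print(chain)
```

The uid in the result is the thing to carry into the next tool: search it in ELSA, or use the five-tuple and timestamp to pull the pcap for Wireshark, which is exactly the pivot the next slides are about. On the sensor itself bro-cut does the column selection; the point here is only what the columns mean and that the channel is recognisable by its shape (long, unnamed service, outbound) rather than by port 4444.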
Slides 61-62: Ah, yeah, now.......
  How many clicks does it take you to get from an alert to the packet????
  Can you pivot?
  Could you take a Windows Administrator off the street???

Slide 63: Don't Forget

Slide 64: All Wrapped Up
  Thanks to Doug & the team
  No more
    compiling
    messing with installations
    sorting out pre-requisites
  Significantly reduced testing
  Point & Click

Slide 65: Conclusion
  Easy Peasy
  Powerful - haz tools
  Nice pictures, GUIs & graphs for management ;-)
  Open-Source is possible & SO viable
  Commodity H/W
  Support - mixture!

Slide 66: Want to join?
  Security Onion needs:
    Documentation & Artwork
    Web Interface
    Package Maintainers
    Performance Benchmarks
    Me -> "GetOpts -> sosetup & Chef"
  http://code.google.com/p/security-onion/wiki/TeamMembers

Slide 67: Further Reading!!!
  Project Home: https://code.google.com/p/security-onion/
  Blog: http://securityonion.blogspot.com
  GG: https://groups.google.com/forum/?fromgroups#!forum/security-onion
  Wiki: http://code.google.com/p/security-onion/w/list
  Mailing Lists: http://code.google.com/p/security-onion/wiki/MailingLists
  IRC: #securityonion on irc.freenode.net
  The Future: https://code.google.com/p/security-onion/wiki/Roadmap

Slide 68: Contact Me
  mark@kybeire.com
  @markofu
  BTW, Star Wars Fan :)

Slide 69: Pics Links
  Onion: https://secure.flickr.com/photos/7157427@N03/3248129452/
  Star Wars Lego: http://imgur.com/a/0XvKw (Huge thanks to Mike Stimpson -> www.mikestimpson.com :) )
  Book -> "Stormtroopers, we love you"

Slide 70: Thank You!!!