Security Onion - Introduction
n|u / OWASP / G4H / SecurityXploded meet
Nishanth Kumar
n|u bangalore chapter member
18 Jan 2014
What is Security Onion?
• Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management.
Onion Layers
• Ubuntu based OS
• Snort, Suricata
• Snorby
• Bro
• Sguil
• Squert
• ELSA
• NetworkMiner
• PADS (Passive Attack Detection System)
• Many other tools.
Now let's peel the onion layers and see what exactly each layer has.
Snort / Suricata
• Snort is an open source network intrusion detection and prevention system (IDS/IPS).
• Suricata is a high performance network IDS, IPS and network security monitoring engine.
Why use only these IDS engines?
• Highly scalable
• Protocol identification
• File identification
• MD5 checksums
• File extraction
Snorby
• Ruby on Rails application for network security monitoring (web frontend)
• Metrics & reports
• Classifications
• Full packet
• Custom settings
• Hotkeys
Bro
• Bro is a powerful network analysis framework that is much different from the typical IDS you may know.
• High-level semantic analysis at the application layer.
• Site-specific monitoring policies.
• Comprehensively logs what it sees and provides a high-level archive of a network's activity.
Features of Bro
• All HTTP sessions with their requested URIs, key headers, MIME types, and server responses
• DNS requests with replies
• SSL certificates
• Key content of SMTP sessions
• ... and much more.
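As an added example (not code from the slides or from the Bro project), here is a small Python parser for the tab-separated logs Bro writes, run over a constructed http.log excerpt: it reads the #fields header, then flags sessions where the MIME type Bro identified for the server response contradicts the URI's extension, which is one way analysts use the per-session URI and MIME data Bro records. The sample keeps only a subset of Bro's real http.log columns and all of its values are made up; the EXPECTED_MIME table is an assumption for the demonstration.

```python
"""Parse Bro's tab-separated http.log and flag responses whose MIME type,
as identified by Bro's file analysis, contradicts the URI's extension.
Added example (not from the slides); the sample log is constructed and
keeps only some of Bro's http.log columns, but parsing is driven by the
#fields header, so a full log works unchanged."""
import os.path

# Constructed http.log excerpt in Bro's ASCII format: '#' header lines, then
# separator-delimited rows; '-' marks an unset field, vectors use ','.
SAMPLE_HTTP_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tstatus_code\tresp_mime_types
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tcount\tvector[string]
1390032000.123456\tCabc1\t192.0.2.10\t198.51.100.5\tGET\texample.test\t/index.html\t200\ttext/html
1390032001.500000\tCabc2\t192.0.2.10\t198.51.100.5\tGET\texample.test\t/logo.png\t200\timage/png
1390032002.250000\tCabc3\t192.0.2.11\t203.0.113.9\tGET\tcdn.example.test\t/update.jpg\t200\tapplication/x-dosexec
1390032003.000000\tCabc4\t192.0.2.11\t203.0.113.9\tPOST\tcdn.example.test\t/api/v1/upload\t302\t-
#close\t2014-01-18-10-00-05
"""

# Assumed table: MIME types Bro should report for common static-content extensions.
EXPECTED_MIME = {".html": {"text/html"}, ".htm": {"text/html"},
                 ".png": {"image/png"}, ".jpg": {"image/jpeg"},
                 ".jpeg": {"image/jpeg"}, ".gif": {"image/gif"}}

def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    sep, unset, fields = "\t", "-", []
    for line in text.splitlines():
        if line.startswith("#separator "):       # value is escaped, e.g. \x09
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field" + sep):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#"):  # data row (skip #types, #close, ...)
            yield {k: (None if v == unset else v)
                   for k, v in zip(fields, line.split(sep))}

def mime_mismatches(text):
    """Return (uid, host, uri, mime) for responses whose Bro-identified MIME
    type contradicts the URI extension, e.g. an executable served as .jpg."""
    hits = []
    for rec in parse_bro_log(text):
        mime = (rec.get("resp_mime_types") or "").split(",")[0]  # first entry
        ext = os.path.splitext(rec["uri"].split("?", 1)[0])[1].lower()
        expected = EXPECTED_MIME.get(ext)
        if mime and expected and mime not in expected:
            hits.append((rec["uid"], rec["host"], rec["uri"], mime))
    return hits
```

Run against a real log, the returned uid values can be pivoted into Bro's conn.log and files.log for the matching session.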
Sguil
• An analyst console for security monitoring
• A powerful and capable solution for event analysis, correlation and event review
• Real-time events
• Session data
• Raw packet captures
Squert
• A web interface to query and view Sguil event data, designed to supplement Sguil by providing additional context around the events.
• Squert is a visual tool
• Additional context to events: metadata, time series representations, weighted and logically grouped result sets
Enterprise Log Search and Archive (ELSA)
• Centralized syslog framework built on Syslog-NG, MySQL and Sphinx full-text search.
• Allows for event searching and visualization of all the log data Security Onion consumes, including OSSEC, Snort/Suricata and Bro IDS.
• Distributed log archive system
Features of ELSA
• High-volume receiving/indexing
• Full Active Directory/LDAP integration for authentication, authorization, email settings
• Dashboards using Google Visualizations
• Email alerting, scheduled reports
• Plugin architecture for web interface
• Distributed architecture for clusters
NetworkMiner
• Network forensic analysis tool
• Passive network sniffer/packet capturing tool
• Identifies operating systems, sessions, hostnames, open ports etc.
Data Security Onion supports
• Alert data: HIDS alerts from OSSEC and NIDS alerts from Snort/Suricata
• Asset data from PADS and Bro
• Full content data from netsniff-ng
• Host data via OSSEC and syslog-ng
• Session data from Argus, PADS, and Bro
• Transaction data: http/ftp/dns/ssl/other logs from Bro
References
• http://blog.securityonion.net/
• http://www.bro.org
• http://www.snort.org/
• http://www.google.com
It's time for the DEMO