Intro to NSM with Security Onion - AusCERT

  1. Ashley Deuble (call me Ash, we're friends now, right?)
     • Work for Sophos (come say hi to me at our stand)
     • SANS GSE #47
     • Twitter: Ashd_AU
  2. This may be a little technical in parts
     • There will be a demo!!
     • If the demo doesn't work I will do some interpretive dance
     • I really hope the demo works
     • I may have to be fast .. I hope you can keep up
  3. Security Onion is a network security monitoring (NSM) system that provides full context and forensic visibility into the traffic it monitors
     • Designed to make deploying complex open source tools simple via a single package (Snort, Suricata, Sguil, Snorby etc.)
  4. Contains a truckload of security tools
     • Easy setup wizard … even a Windows admin can do this!
     • Has the ability to pivot seamlessly from one tool to the next .. one of the most effective collections of network security tools available in a single package
  5. Created by Doug Burks (cool dude .. could be a vampire .. he doesn't sleep)
     • Grew out of a SANS Gold Paper
     • He really wanted to make Sguil & NSM "easier" to deploy (mission accomplished!)
     • He works for Mandiant
  6. "Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions." – Richard Bejtlich
  7. Get an alert (firewall, user etc.)
     • Look for the alert in the SIEM tool
     • Try to correlate with other events in the SIEM
     • Oh yeah .. we haven't added that server to the SIEM yet – oopsies
     • I think I can hear my parents calling me – I have to go now
  8. We can take an IDS alert:
     alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
     And turn it into something useful!
     • Full traffic packet captures
     • ASCII transcripts of traffic
     • Ability to carve files (or malware) for later analysis
  9. Run as a LiveCD – great way to test it out
     Able to do the following installations:
     • Quick Setup
       – Automatically configures most of the applications
       – Uses Snort and Bro to monitor all network interfaces by default
       – Also configures and enables Sguil, Squert and Snorby
     • Advanced Setup
       – More control over the setup of Security Onion
       – Install either a Sguil server, Sguil sensor, or both
       – Select either Snort or Suricata as the IDS engine
       – Select an IDS ruleset: Emerging Threats, Snort VRT, or both
       – Configure the network interfaces monitored by the IDS engine and Bro
  10. PulledPork keeps all the IDS rules up to date
     • Updates rules from multiple sources (Sourcefire/Snort VRT, Emerging Threats etc.)
     • Ability to disable rules with PulledPork (prevent certain events from triggering an alert)
     • Fully automated!
  11. OF COURSE!
     • Rules are written using the Snort format
     • Rules can be added to a local rules configuration file to ensure they are never deleted or overwritten by the automated IDS rules updates
     • Rules can be set to either alert or drop the traffic
  12. Over 60 custom tools
     • Snort – signature based IDS
     • Sguil – security analyst console
     • Squert – view HIDS/NIDS alerts and HTTP logs
     • Snorby – view and annotate IDS alerts
     • ELSA – search logs (IDS, Bro and syslog)
     • Bro – powerful network analysis framework with highly detailed logs
     • OSSEC – monitors local logs, file integrity & rootkits
  13. If you want to find out more come see me at the Sophos stand - #58
     • I'll also make this presentation available on the internet for you to share with your colleagues
  14. Project Home -
     • Blog –
     • Mailing Lists -
     • Google Group - !forum/security-onion
     • Wiki -