1. Security Onion: Peel Back the Layers of Your Network in Minutes
Doug Burks
2. What is Security Onion?
Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
3. IDS is sub-optimal; need NSM (multiple data types)
4. Sguil is the de facto reference implementation of NSM
5. Lots of pieces in the Sguil jigsaw puzzle
http://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png
6. Security Onion: Next, Next, Finish for NSM
7. Big Onions
- Use our ISO image (based on Xubuntu 12.04 64-bit) OR start with your preferred flavor of Ubuntu 12.04 (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server), 32-bit or 64-bit, add our PPA and install our packages
- High performance:
  - Snort/Suricata/Bro running on PF_RING
  - Netsniff-ng uses zero-copy for high-speed full-packet capture
- ELSA (like a free version of Splunk) – distributed database with central web interface
8. Data Types
- Alert data
  - NIDS alerts from Snort/Suricata
  - HIDS alerts from OSSEC
- Asset data from Bro and PRADS
- Session data from Argus, Bro, and PRADS
- Transaction data – http/ftp/dns/ssl/other logs from Bro
- Full content data from netsniff-ng
9. Distributed Deployment

10. Snorby

11. Pivot to pcap from Snorby

12. CapME

13. Squert web interface

14. Sguil client

15. Pivot to pcap from Sguil

16. NetworkMiner
There's gold in them thar PCAPs!

17. ELSA

18. Pivot to pcap from ELSA

19. Ooh…shiny…

20. Bro Flow

21. Popular Dst IPs

22. Popular Dst Ports

23. Drilling into an interesting Dst Port

24. What is that Dst Port? Pivot 2 Pcap!
25. 2013: The Metrics
- Security Onion 10.04: 37,521
- Security Onion 12.04 (released 12/31/2012): 34,290 from SourceForge
- Security Onion 12.04.1 (released 6/10/2013): 6,380 from SourceForge
- Security Onion 12.04.2 (released 7/25/2013): 737 from SourceForge
- ??? from BitTorrent
- ??? Ubuntu/Kubuntu/Lubuntu + Security Onion PPA
26. Where do we go now?
http://securityonion.blogspot.com
Updates are announced here and it also has the following links:
- Download/Install
- FAQ
- Mailing Lists
- IRC #securityonion on irc.freenode.net
- @securityonion