Security Onion


Published on: null Bangalore Chapter - March 2014 Meet

Published in: Education, Technology
Security Onion

  1. Network Monitoring using Security Onion
  2. About Us: Shubham Mittal (Security Consultant). Areas of interest: Mobile Security, OSINT and network monitoring. Sudhanshu Chauhan (Security Consultant). Areas of interest: OSINT, Social Network Analysis and Competitive Intelligence.
  3. Security Onion: Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools.
  4. Core Functions: • Full packet capture • Network-based and host-based intrusion detection systems • Analysis tools
  5. Intrusion Detection System (IDS): a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
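The IDS definition above is abstract, so here is an added example (not code from the slides or from Security Onion, Snort or Suricata) that shows the core of a signature-based IDS: a few Snort-style rules, each with a protocol, port, content string or regular expression and a message, applied to constructed connection records, producing the alert records that would be reported to a console. The `Rule` and `Event` fields, the rule ids and the sample traffic are all constructed for this illustration.

```python
"""Minimal signature-based intrusion detection over constructed events.

Added example, not from Security Onion or the slides. Rule fields, event
fields, rule ids and the alert format are assumptions for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    sid: int                      # rule id, in the spirit of Snort's "sid" (constructed)
    msg: str                      # text reported when the rule fires
    proto: str                    # "tcp" or "udp"
    dport: Optional[int]          # destination port to match, None = any
    content: Optional[str]        # substring that must appear in the payload
    pcre: Optional[str] = None    # optional regular expression over the payload


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    proto: str
    dport: int
    payload: str


# Constructed rules: one policy violation (cleartext Telnet) and two
# suspicious HTTP request patterns.
RULES = [
    Rule(1000001, "POLICY cleartext telnet session", "tcp", 23, None),
    Rule(1000002, "WEB path traversal attempt", "tcp", 80, "../"),
    Rule(1000003, "WEB SQL injection attempt", "tcp", 80, None, r"(?i)union\s+select"),
]


def rule_matches(rule: Rule, ev: Event) -> bool:
    """Every field set on the rule must agree with the event (AND semantics)."""
    if rule.proto != ev.proto:
        return False
    if rule.dport is not None and rule.dport != ev.dport:
        return False
    if rule.content is not None and rule.content not in ev.payload:
        return False
    if rule.pcre is not None and re.search(rule.pcre, ev.payload) is None:
        return False
    return True


def detect(events, rules=RULES):
    """Return one alert dict per (event, rule) pair that matches, in event order."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule_matches(rule, ev):
                alerts.append({"sid": rule.sid, "msg": rule.msg,
                               "src": ev.src, "dst": ev.dst, "dport": ev.dport})
    return alerts


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    Event("192.0.2.10", "198.51.100.5", "tcp", 80, "GET /index.html HTTP/1.1"),
    Event("192.0.2.11", "198.51.100.5", "tcp", 80, "GET /../../etc/passwd HTTP/1.1"),
    Event("192.0.2.12", "198.51.100.5", "tcp", 80, "GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"),
    Event("192.0.2.13", "198.51.100.9", "tcp", 23, ""),
    Event("192.0.2.14", "198.51.100.5", "udp", 53, "example.com"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['sid']}] {a['msg']} {a['src']} -> {a['dst']}:{a['dport']}")
```

Running the block prints three alerts: the traversal and SQL injection rules fire on the second and third requests, the Telnet policy rule fires on the port 23 session, and the ordinary HTTP and DNS events produce nothing. A real IDS adds stream reassembly, protocol decoding and thresholds on top of this matching core.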
  6. Network Security Monitoring: monitoring your network for security-related events. It might be proactive, when used to identify vulnerabilities or expiring SSL certificates, or it might be reactive, such as in incident response and network forensics. NSM provides context, intelligence and situational awareness of your network.
  7. Log Management: collecting all logs, software activity, user events, and network traffic.
  8. Snorby: a Ruby on Rails application for network security monitoring. Integrates with intrusion detection systems like Snort, Suricata and Sagan.
  9. Squert: Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). It attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets.
  10. Sguil: Sguil is a Network Security Monitoring tool (not browser based). Its main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures.
  11. ELSA (Enterprise Log Search and Archive): ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web.
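The ELSA slide names two steps, normalizing raw syslog into fields and then searching those fields for arbitrary strings. As an added example (not ELSA's code, nor Syslog-NG's or Sphinx's), the block below parses RFC 3164 (BSD syslog) lines into a dict of fields and builds a small inverted index that answers AND queries over them; the field names, the `LogIndex` class and the sample lines are constructed for this illustration.

```python
"""Syslog normalization and full-text search over constructed log lines.

Added example, not part of ELSA or Security Onion. Line format is RFC 3164;
field names, index structure and sample lines are assumptions.
"""
import re
from collections import defaultdict

# <PRI>Mmm dd HH:MM:SS host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# RFC 5424 severity names, indexed by PRI % 8.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def normalize(line):
    """Split one RFC 3164 line into fields; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": SEVERITY[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("prog"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


class LogIndex:
    """Inverted index from lowercase tokens to record ids; supports AND queries."""

    def __init__(self):
        self.records = []
        self.postings = defaultdict(set)

    def add(self, record):
        rid = len(self.records)
        self.records.append(record)
        text = " ".join(str(v) for v in record.values() if v is not None)
        for tok in re.findall(r"\w+", text.lower()):
            self.postings[tok].add(rid)
        return rid

    def search(self, query):
        """Return records containing every token of the query, case-insensitively."""
        toks = re.findall(r"\w+", query.lower())
        if not toks:
            return []
        ids = set.intersection(*(self.postings.get(t, set()) for t in toks))
        return [self.records[i] for i in sorted(ids)]


# Constructed sample lines; hosts and addresses are documentation values.
SAMPLE_LINES = [
    "<38>Mar  8 10:15:01 sensor1 sshd[2211]: Accepted publickey for analyst from 192.0.2.10 port 51022 ssh2",
    "<38>Mar  8 10:15:07 sensor1 sshd[2213]: Failed password for root from 198.51.100.77 port 40112 ssh2",
    "<38>Mar  8 10:15:09 sensor1 sshd[2213]: Failed password for root from 198.51.100.77 port 40112 ssh2",
    "<85>Mar  8 10:16:30 sensor2 sudo: analyst : TTY=pts/0 ; COMMAND=/usr/bin/tail /var/log/auth.log",
    "this line is not syslog at all",
]


def build_index(lines):
    """Normalize every parseable line and index it; returns (index, dropped_count)."""
    idx, dropped = LogIndex(), 0
    for line in lines:
        rec = normalize(line)
        if rec is None:
            dropped += 1      # unparseable lines are counted, not silently lost
            continue
        idx.add(rec)
    return idx, dropped


if __name__ == "__main__":
    idx, dropped = build_index(SAMPLE_LINES)
    print(f"indexed {len(idx.records)} records, dropped {dropped}")
    for rec in idx.search("failed password 198.51.100.77"):
        print(rec["timestamp"], rec["host"], rec["program"], rec["message"])
```

The query `failed password 198.51.100.77` returns the two failed-login records and nothing else, and the non-syslog line is reported as dropped rather than discarded silently, which is the kind of parse-failure count worth alerting on in a real log pipeline.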
  12. OSSEC: Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
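Of the OSSEC functions listed, file integrity checking is the easiest to show end to end. The following added example (not OSSEC's own code) takes a SHA-256 baseline of every regular file under a root directory, then compares a later snapshot against it and reports added, removed and modified paths. The sample tree lives in a temporary directory and the changes made to it are constructed for this illustration.

```python
"""File integrity checking: baseline a directory tree, then report changes.

Added example, not OSSEC's code. The report keys and the temporary sample
tree are constructed for this illustration.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest and size."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Skip symlinks and special files; only regular file content is hashed.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            state[rel] = {"sha256": h.hexdigest(), "size": os.path.getsize(full)}
    return state


def compare(baseline, current):
    """Return added, removed and modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed tree, take a baseline, change it, and diff the result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        baseline = snapshot(root)

        # Constructed changes an integrity monitor should catch:
        # an appended account line, a deleted file and a new file.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "etc", "cron.d"), "w") as f:
            f.write("# constructed new file\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The demo reports `etc/cron.d` as added, `etc/hosts` as removed and `etc/passwd` as modified. A production checker would also record ownership, permissions and mtime, store the baseline somewhere the monitored host cannot rewrite it, and forward the diff to a central server rather than printing it.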
  13. Bro: Bro is a network analysis framework. It provides a comprehensive platform for more general network traffic analysis.
  14. Deployment Scenarios: • Standalone: A single physical or virtual machine running both the server and sensor components and related processes. • Server-sensor: A single machine running the server component with one or more separate machines running the sensor component and reporting back to the server. • Hybrid: A hybrid installation consists of a standalone installation that also has one or more separate sensors reporting back to the server component of the standalone installation.
  15. Thank You