This document provides an overview and demonstration of Security Onion, an open-source Linux distribution for intrusion detection and network security monitoring. It describes Security Onion's tools like Snort, Sguil, Pulled Pork, Snorby and Daemonlogger. The document demonstrates how to install Security Onion, use its tools to analyze network traffic, view alerts and raw packet captures. It also provides challenges for users to further explore Security Onion's capabilities.

1. Security Onion
Packet Party
Nova Labs - Oct 12
John deGruyter
@johndegruyter

2. Purpose of this talk
• Get us all up and running with Security Onion
• Give a better understanding of the tools
• Evaluate SO as a tool for Packet Parties
– All your traffic analysis tools in one VM
– Easy get new users up and running
• What it is not:
– How to deploy an IDS at your company
– How to tune an IDS

3. Agenda
Talk should be about 30 minutes or less.
• Overview
• Installation
• Tools / Demos
Stay and do some challenges.

4. About Security Onion
• A Linux distribution for Intrusion Detection
and Network Security Monitoring
• Great video(s) by the author Doug Burks
– http://securityonion.blogspot.com/
• Started in 2008. Gained momentum in 2011.
• Version 12.04 was released this past weekend
– Now available in 64 bit
– Ability to install from apt repository

5. IDS vs NSM
• Intrusion Detection Systems traditionally deal
with getting the alert
• Network Security Monitoring involves getting
additional context along with the alert
– alerts
– session data
– full packet capture
• Security Onion is an NSM image

6. Why is Security Onion awesome?
• Getting all of this setup is hard.
– Some of my blog posts from 2008 (deadshell.org)
• Installing sguil client on debian
• Installing SGUIL is a pain. (part 1)
• Most of the tools you need are on here
– What are you missing?
• You can be up and running in about 20 minutes
• Easy to deploy multiple sensors with a single dashboard
– DMZ
– Server VLAN
– Client gateway
• Excellent support from both community (see wiki) and
developers

7. Installation (2 methods)
• Bootable CD image
– Download the .iso
– Run it as a live distro
– Install it to disk (why not?)
• Get it from an apt repository
– Instructions here
• http://code.google.com/p/security-onion/wiki/Beta
– I tried this with Ubuntu desktop (worked great)

8. Post installation
• Resolution does not scale properly
• If you are running VMware:
1. Start the VM
2. Click “Virtual Machine” / “Install VMware Tools”
3. Open a command prompt in your VM,
4. switch to root (sudo –i)
5. <enter your password when prompted>
6. cp /media/Vmware ToolsVMareTools<tab> /usr/local/src
7. cd /usr/local/src
8. tar xzvf VM<tab>
9. cd vm<tab>
10. ./vmware-installer.pl
11. (follow instructions, you can use default settings)

9. Demo – Installation from apt
• Take a snapshot if you are running a VM
• Follow instructions here:
• http://code.google.com/p/security-onion/wiki/Beta
• I used Ubuntu desktop 12.04
• You can connect to the https://<ip of the server> to get links
to the tools

10. Tools
Things we’ll look at Additional awesomeness
• Daemonlogger • Suricata
• Snort • Argus
• Pulled pork
• Elsa
• Snorby
• Sguil • Prads
• Barnyard • OSSEC
• Tcpreplay • …
• Wireshark/Network Miner
• Squert
• Bro

11. Daemonlogger
• Listens on a network interface
• Captures and saves your packets to disk. The
structure on how these files are saved can be
configured.
• You can set filters on what you want to
capture (BPF – Berkeley Packet Filters)
• You set a limit on how much disk space you
want to use. It will delete the oldest data as
needed.

12. Daemonlogger - Demo
• Look at the file structure
• Change the disk threshold
• Modify the BPF so that it does not collect
ICMP packets

13. Snort
• An open source intrusion detection system
developed by Sourcefire
• Configuration file (snort.conf) ties everything
together
• Will check packets passing through an interface
against “signature” or “rule” files
• Alerts generated by rules can be sent to different
output types
– Security Onion uses the unified option
• Does a lot more. This is just a basic overview.

14. Snort Rule
Header Options
• action • msg
• protocol • content
• source ip / port • nocase
• direction • depth
• destination ip / port • flags
• flow
• fragbits
• much more…
alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)

15. Snort Rule (2)

16. Snort - Demo
• Find the running instance by running $ps aux
• Look over snort.conf file
• Write a simple rule

17. Pulled Pork
• Scripts for updating your rules. It will
periodically pull down new signatures (rules)
and add them into Snort.
• You have a couple of choices where to pull
rules from.
• You can get an “oinkcode” by registering with
Sourcefire’s VRT through the snort website.
Paid for versions get you the rules faster. This
will need to be added to your configuration.

18. Snorby
• Pretty interface for looking at Snort / Suricata
alerts. You can see:
– IPs
– Time
– Raw data
– Rule
– Statistics
• Not much you can do to follow up on an alert but
has a lot of potential for growth. This is more of
an IDS rather than an NSM.
• Pain to set this up without Security Onion.

19. Sguil
• “Sguil's main component is an intuitive GUI
that provides access to real time
events, session data, and raw packet
captures.”
• “built by network security analysts for security
analysts”

20. Sguil (2)
• Written by Bamm Visscher in TCL/TK
• Client (sguil.tk) / Server (sguild) architecture, not a web service.
You need a client to connect to the server.
• Stores data in a mysql database
• Connects to different “agents”
– snort (alerts)
– pcap (full packet captures)
– sanscp (sessions)
– prads (asset detection)
• These agents can run on different systems known as sensors. You
can have multiple sensors talking to an agent. Note: Client is
different from a sensor. Client connects to the sguil frontend for
analysis.
• It is a PAIN to setup
• It is a PAIN to setup! (Thank you Security Onion)

21. http://www.gamelinux.org/?p=66

22. tcpreplay
• Allows you to take a packet capture (.pcap) and
resend all of its packets onto a given interface
• For demo purposes, we can replay existing
attacks to see if they trigger alerts
• You need to be root
• Demo
• #tcpreplay –t –i eth0 <pcap file>

23. Sguil - Demo
• Check agents
• Replay TFTP attack
• View alert / signature / raw packet
• DNS/whois lookup
• Deal with alert resolution
• Send to wireshark / network miner
– Packets for the session are pulled from the sensor
to the server and viewed in wireshark

24. Squert
• Reporting service for Sguil
• Pulls from mysql database on sguild server
• Pretty pictures for the managements
• Demo
– View interface / pivot through data
– Use geoIP to view country data

25. Issues
• Tuning
– IDS can be VERY noisy right out of the box
– “Do a little bit each day.”
• Space
– Determine what you want to capture
• Adjust Daemonlogger’s filter if necessary
– Disk is cheap

26. References
http://securityonion.blogspot.com/
video, downloads, documentation, wiki
@securityonion
Security Onion reference page from the wiki:
http://code.google.com/p/security-onion/wiki/Links
Richard Bejtlich’s blog (NSM and more):
http://taosecurity.blogspot.com/
Me:
@johndegruyter (DeBuG)

27. Challenges
1. Install Security Onion on a virtual machine
2. Create a snort rule to detect DNS requests to 208.67.220.220 –
You can test this with:
snort –Tc <your rule file>
3. Find out where the snort instance is getting its rule files from and
add your rule to one of the rule files. Test this by viewing it in
Snorby or Sguil.
4. Modify Daemonlogger so that you will only use up to 80% of the
disk (default is 90%)
5. Modify Daemonlogger so that you do not capture ARP packets –
you can use a BPF for this
6. Set up a second Sguil sensor to connect to your original server.
Ensure that you can see alerts from each sensor. You can generate
some alerts by scanning the sensor.
7. Use squert to map network traffic to different locations