Security Onion - George Mason University, astavrou/courses/ISA_674_F12/Security Onion
TRANSCRIPT
Page 1
Security Onion: Network Security Monitoring in Minutes
Doug Burks
Page 2
Feel the pain
Does your traditional IDS give you all the data you need?
Page 3
The Beauty of Network Security Monitoring
- Multiple data types (not just IDS alerts)
- Sguil is the de facto reference implementation of NSM:
  - Alert data (NIDS alerts from Snort/Suricata and HIDS alerts from OSSEC)
  - Session data (SANCP)
  - Transaction data (HTTP logs from Bro)
  - Full content data (daemonlogger)
Page 4
Lots of pieces in the jigsaw puzzle
http://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png
Page 5
Setup wizard puts the jigsaw puzzle together for you! Takes only 2 minutes!
Page 6
Snorby web interface
- Web 2.0
- AJAX
- Ruby on Rails
- Buzzword compliant!
Page 7
Squert web interface
Page 8
The Ultimate Analyst Workstation
- Security Onion in a VM on your desktop
- Sguil client connects to the Sguil server
- Pull pcaps back to your VM for extended analysis
Page 9
Sguil client: designed by analysts for analysts
Page 10
Right-click Src/Dst IP and query the SANCP table (Session Data)
Page 11
Right-click Src/Dst IP and query the Event table to access HTTP logs (Transaction Data)
Page 12
Right-click Alert ID to pivot to Full Content (transcript in Sguil or pcap in Wireshark)
Page 13
PCAP Tools
We haz them
Page 14
NetworkMiner
There's gold in them thar PCAPs!
Page 15
Multiple Sguil sensors
http://securityonion.blogspot.com/2011/04/security-onion-20110321-distributed.html
Page 16
Bro IDS
Bro records a tremendous amount of actionable intelligence about your network traffic. The logs can be found in: /nsm/bro/logs
Page 17
Hunt for Evil User Agents

```sh
zcat /nsm/bro/logs/*/http* | bro-cut -d user_agent | sort | uniq -c | sort -nr
```

Look for malicious user agents like: Bob's Evil Clown C&C Agent

or just outdated and vulnerable software like:

```sh
zcat /nsm/bro/logs/*/soft* | bro-cut -d name version.major | grep Firefox | grep -v 12 | sort | uniq -c | sort -nr
```

```
110 Firefox 3
 71 Firefox 11
 53 Firefox 10
```

http://pauldotcom.com/2011/10/in-search-of-evil-user-agents.html
Page 18
Argus
Page 19
NIDS is great, but what about HIDS?
- OSSEC monitors local logs and can receive logs from OSSEC agents and standard syslog
- OSSEC alerts are stored in /var/ossec/logs/alerts/
- The Sguil OSSEC Agent transmits those alerts to the Sguil server
Page 20
One-man bands make crappy music
Interested in joining an open source project? Security Onion needs:
- Documentation
- Artwork
- Web interface
- Performance benchmarks
- Package maintainers
http://code.google.com/p/security-onion/wiki/TeamMembers
Page 21
Where do we go now?
http://securityonion.blogspot.com
Updates are announced here and it also has the following links:
- Download/Install
- FAQ
- Mailing List
- IRC: #securityonion on irc.freenode.net