Security Onion: Network Security Monitoring in Minutes Doug Burks

This document discusses Security Onion, an open source network security monitoring platform. Security Onion allows collecting and correlating multiple types of network data in one place using the Sguil analysis interface. It can be set up in minutes using a wizard and provides analysts various tools to investigate alerts and potential threats. The document outlines Security Onion's features and roadmap for continued improvements such as higher performance and integration with additional security tools. It encourages participation in the open source project for tasks like documentation, artwork, and benchmarks.

Security Onion: Network Security Monitoring in Minutes

Doug Burks

Feel the pain

Does your traditional IDS give you all the data you need?

The Beauty of Network Security Monitoring

- Multiple data types (not just IDS alerts)
- Sguil is the de facto reference implementation of NSM:
  - Alert data (NIDS alerts from Snort/Suricata and HIDS alerts from OSSEC)
  - Session data (SANCP)
  - Transaction data (HTTP logs from httpry)
  - Full content data (daemonlogger)

Lots of pieces in the jigsaw puzzle

http://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png

Setup wizard puts the jigsaw puzzle together for you!
Takes only 2 minutes!

Sguil client designed by analysts for analysts

- Right-click Src/Dst IP and query the SANCP table (Session Data)
- Right-click Src/Dst IP and query the Event table to access HTTP logs (Transaction Data)
- Right-click Alert ID to pivot to Full Content (transcript in Sguil or pcap in Wireshark)

Squert web interface

Multiple Sguil sensors

http://securityonion.blogspot.com/2011/04/security-onion-20110321-distributed.html

Look for Evil User Agents

cut -f2,10 /nsm/sensor_data/*/httpry/`date +%Y-%m-%d`.log | grep -v "^# " | awk '$2 != "-"' | sort | uniq -c | sort -nr

(Field 2 is the source IP and field 10 the User-Agent in the httpry log layout the slide assumes; the grep drops httpry's "# " comment lines, the awk drops records with no User-Agent, and the final sort -nr lists the most common IP/User-Agent pairs first.)

Look for malicious user agents like:
Bobs Evil Clown C&C Agent

or just outdated and vulnerable software like:
Firefox/2.0.0.20

http://pauldotcom.com/2011/10/in-search-of-evil-user-agents.html
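The one-liner above is the slide's own pipeline. As an added example (not code from the slides or from the Security Onion project), the following POSIX shell script runs that same pipeline over a constructed httpry-style log and then marks the user agents worth a second look. It assumes, as the slide's cut -f2,10 does, that the log is tab-separated with the client IP in field 2 and the User-Agent in field 10, and that httpry writes "-" where a record carried no User-Agent header (server responses, for instance). The sample rows, the "evil" pattern list and the Firefox 2.x/3.x version check are constructed for illustration; the real httpry field order depends on the format string Security Onion passes to httpry -f.

```shell
#!/bin/sh
# Added example, not code from the slides or from Security Onion.
# Counts User-Agent strings per client in httpry-style logs and flags
# outdated or suspicious ones. Assumed log layout (matching the slide's
# cut -f2,10): tab-separated, "# " comment lines, client IP in field 2,
# User-Agent in field 10, "-" when the record carried no User-Agent.

# One tab-separated record with the ten assumed fields.
row() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$@"
}

# Constructed sample log (not real traffic); prints the temp file's path.
# Fields: timestamp src-ip dst-ip direction method host uri version status user-agent
make_sample_log() {
    f="$(mktemp)"
    {
        printf '# httpry-style sample log, constructed for this example\n'
        printf '# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,user-agent\n'
        row '2011/11/04 10:01:02' 10.0.0.5 93.184.216.34 '>' GET www.example.com / HTTP/1.1 - 'Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/7.0.1'
        row '2011/11/04 10:01:03' 10.0.0.5 93.184.216.34 '>' GET www.example.com /index.html HTTP/1.1 - 'Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/7.0.1'
        row '2011/11/04 10:01:04' 10.0.0.5 93.184.216.34 '>' GET www.example.com /logo.png HTTP/1.1 - 'Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/7.0.1'
        row '2011/11/04 10:02:11' 10.0.0.7 93.184.216.34 '>' GET www.example.com / HTTP/1.1 - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20'
        row '2011/11/04 10:02:12' 93.184.216.34 10.0.0.7 '<' - - - HTTP/1.1 200 -
        row '2011/11/04 10:05:40' 10.0.0.9 198.51.100.23 '>' POST c2.example.net /gate.php HTTP/1.0 - 'Bobs Evil Clown C&C Agent'
        row '2011/11/04 10:06:01' 10.0.0.9 93.184.216.34 '>' GET www.example.com / HTTP/1.1 - 'Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/7.0.1'
    } > "$f"
    printf '%s\n' "$f"
}

# The slide's pipeline over one or more log files: prints
# "<count> <src-ip><TAB><user-agent>", most common pair first.
# -F'\t' makes the "-" test look at the whole User-Agent field rather
# than at its first space-separated word.
ua_counts() {
    cut -f2,10 "$@" | grep -v '^# ' | awk -F'\t' '$2 != "-"' | sort | uniq -c | sort -nr
}

# Prefix each counted row with SUSPECT when the User-Agent matches the
# constructed "evil" patterns or an end-of-life Firefox 2.x/3.x build,
# and with ok otherwise. The block list is illustrative only.
flag_suspicious() {
    ua_counts "$@" | awk -F'\t' '
        $NF ~ /Evil|C&C/ || $NF ~ /Firefox\/[23]\./ { print "SUSPECT\t" $0; next }
        { print "ok\t" $0 }
    '
}

# Stand-alone run over the constructed log.
LOG="$(make_sample_log)"
flag_suspicious "$LOG"
rm -f "$LOG"
```

On a sensor the same functions take the real files, e.g. ua_counts /nsm/sensor_data/*/httpry/`date +%Y-%m-%d`.log; the regex list is where you would put the agents you actually care about rather than the constructed ones here.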

Argus

Desktop utilities

Roadmap: Mid-November 2011

- Update Barnyard2

Roadmap: Early December 2011

- Suricata 1.1 with AF_PACKET

Roadmap: EOY 2011

- Snorby and OpenFPC

Roadmap: January 2012

- Full integration of Bro IDS

Roadmap: Late 2012 and beyond

- Higher performance
- 64-bit
- Lubuntu 12.04
- Echidna (next gen Sguil replacement)

One-man bands make crappy music

Interested in joining an open source project?
Security Onion needs:

- Documentation
- Artwork
- Web interface
- Performance benchmarks

Where do we go now?
http://securityonion.blogspot.com is your one-stop shop for all things Security Onion! Updates are announced here and it also has the following links.

Download/Install:
http://code.google.com/p/security-onion/wiki/Installation

FAQ:
http://code.google.com/p/security-onion/wiki/FAQ

Mailing List:
http://groups.google.com/group/security-onion
