This was an hour-long talk on how to plan and test using Security Onion. The live demo is missing, but the links should provide enough information to go out and duplicate my post-build tests before placing Security Onion into a live environment.
2. 1. Plan (think, design and dream)
2. Install, Update
3. Configure
4. Test
5. Review
Road Map: Just like Incident Response
3. • Quick overview of the Security
Onion and NSM for those new to it
• Suggestions on how to set up
• Demo (if the Security Onion Demo gods are kind)
• Questions/Discussion
What's happening tonight
4. "Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."
– Richard Bejtlich (@taosecurity)
Network Security Monitoring?
5. Security Onion is a network security monitoring (NSM) system that provides full context and forensic visibility into the traffic it monitors
It's a prebuilt environment of fantastic open source security tools all in one place, designed for defenders.
Like Backtrack, everything just works
And those tools work together
Linux Guru-ness not needed, very basic Linux and that’s it
Security Onion?
6. Over 60 custom tools
Snort – Signature based IDS
Sguil – Security analyst console
Squert - View HIDS/NIDS alerts and HTTP logs
Snorby - View and annotate IDS alerts
ELSA - Search logs (IDS, Bro and syslog)
Bro - Powerful network analysis framework with highly detailed logs
OSSEC - Monitors local logs, file integrity & rootkits
What's in the Onion?
7. Created and maintained by Doug Burks @dougburks
The security community is steadily supporting it
"He really wanted to make Sguil & NSM 'easier' to deploy - mission accomplished!" Ash Deuble, live Interpretive dance winner AusCERT 2013
Built by One, supported by Many
8. What does your network look like?
What and how are you trying to protect?
How much traffic travels over it each day/week/month?
Do you have the right hardware:
Router, switch, Security Onion system?
Has to fit YOUR needs, fit YOUR environment and requirements, not some random guide from the Intertubes
Planning
9. Installation – It’s Quick and Easy
Stop! Test Rig Check!
Physical or Virtual?
• Minimum of 2GB of RAM
• 2 Interfaces:
  • 1 Management
  • 1 Sensor
• Plenty of Disk
10. Get used to SO interfaces; Sguil is the first stop
1. Set up Metasploitable 2
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
2. Set up an Attacker (Backtrack or your SANS Linux VM)
3. Launch attacks to trigger alerts
4. OWASP top 10 as the infrastructure attacks
5. Execute copies of Drive-by download attacks for users
(e.g. visit sites in malwaredomains.com with a sacrificial windows XP machine and save the PCAP)
Test, test, TEST!
11. Rules are written using the Snort format:
Rules added to the /etc/nsm/rules/local.rules file won't be changed by the automated IDS rule updates
alert tcp any any -> $HOME_NET 56561 (msg:"Eak! Snowden's at it again"; reference:url,code.google.com/p/security-onion/wiki/AddingLocalRules; content:"secrets"; flow:to_server; nocase; sid:9101666; rev:1;)
$ sudo rule-update
WritingYour Own Rules
12. # Scapy test packet for the local rule above (sending needs root)
from scapy.all import IP, TCP, send
# Craft the layer 3 (IP) information.
# The IP addresses can be random, but I would suggest sticking to RFC1918
ip = IP()
ip.dst = "192.168.200.4"  # this should be inside your $HOME_NET range!
ip.src = "192.168.100.3"
# Craft the layer 4 (TCP) information.
# The destination port must match the one in our snort rule (56561)
tcp = TCP()
tcp.dport = 56561
tcp.sport = 1234
# Set the payload; the rule uses nocase, so mixed case still matches "secrets"
payload = "SeCrEtS"
# Use the / operator to compose our packet and transfer it with the send() method.
send(ip/tcp/payload, iface="eth0")
https://code.google.com/p/security-onion/wiki/AddingLocalRules - Russ McRee
http://media.packetlife.net/media/library/36/scapy.pdf - Quick Scapy reference
How to test? Scapy to the rescue!
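As an added example that is not from the talk or the Security Onion wiki, a small Python check that parses the local rule from the previous slide and confirms a crafted test packet (like the scapy one) would actually trip it before it is sent at the sensor; the $HOME_NET value, the packet dicts and the simplified rule parsing are assumptions.

```python
import ipaddress
import re

# Added example (not from the talk): parse the local.rules entry above and check that a
# crafted test packet, like the scapy one, would trip it. Assumes one content match + optional nocase.
RULE = ('alert tcp any any -> $HOME_NET 56561 (msg:"Eak! Snowden\'s at it again"; '
        'content:"secrets"; flow:to_server; nocase; sid:9101666; rev:1;)')
HOME_NET = ["192.168.0.0/16"]  # assumed value of $HOME_NET for this lab
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')  # key[:value];

def parse_rule(rule):
    # Header fields plus the options this checker understands (content, nocase, sid)
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule header")
    _action, proto, _src, _sport, _dir, dst, dport, body = m.groups()
    parsed = {"proto": proto.lower(), "dst": dst, "dport": dport,
              "contents": [], "nocase": False, "sid": None}
    for key, val in OPTION_RE.findall(body):
        val = val.strip().strip('"')
        if key == "content":
            parsed["contents"].append(val)
        elif key == "nocase":
            parsed["nocase"] = True
        elif key == "sid":
            parsed["sid"] = int(val)
    return parsed

def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in HOME_NET)

def packet_matches(rule, pkt):
    # pkt: dict with proto, dst, dport and payload (bytes), as the scapy slide builds it
    if pkt["proto"] != rule["proto"]:
        return False
    if rule["dst"] == "$HOME_NET" and not in_home_net(pkt["dst"]):
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt["dport"]:
        return False
    hay = pkt["payload"].lower() if rule["nocase"] else pkt["payload"]
    for c in rule["contents"]:
        needle = c.encode().lower() if rule["nocase"] else c.encode()
        if needle not in hay:  # content:"secrets" + nocase still matches "SeCrEtS"
            return False
    return True

# Constructed packets mirroring the scapy slide: same payload, the rule's port vs. a wrong one
GOOD = {"proto": "tcp", "dst": "192.168.200.4", "dport": 56561, "payload": b"SeCrEtS"}
WRONG_PORT = dict(GOOD, dport=7789)  # silently fails to alert: port must match the rule
```

Run the check against the packet you are about to send; a False here means the sensor staying quiet is your test, not the rule, being wrong.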
13. Steady.
PCAPs of the live network (Permission is a must)
tcpreplay and unleash those PCAPs on the test network
Why?
Baseline
Understand what’s on the network
What alerts are likely to kick off
What the consoles look like
Release the Hounds! Well, sort of…
14. Find the noisy rule(s) by any method:
• Snorby
• Squert
• Sguil
• even from the Command Line!
Is it a real problem that should be fixed?
Should I disable the sid?
Read the whole story:
https://code.google.com/p/security-onion/wiki/ManagingAlerts
- Scott Runnels
Now it's too noisy, or Fine Tuning
15. To the Intertubes!
Find Challenges, start with the easy ones with answers:
http://www.wiresharktraining.com/sharkfest2013/Sharkfest2013ChallengeTraces.zip
http://www.honeynet.org/challenges
Then try your own -
Dump your own home networks & use tcpreplay to run controlled blocks
Need more traffic?
17. Project Home http://code.google.com/p/security-onion/
Blog http://securityonion.blogspot.com
Mailing Lists http://code.google.com/p/security-onion/wiki/MailingLists
Google Group https://groups.google.com/forum/?fromgroups#!forum/security-onion
Wiki http://code.google.com/p/security-onion/w/list
Additional Reading
18. Thanks to:
Ash Deuble (@ashd_au)
And have a look at his intro to using Security Onion video:
http://security.crudtastic.com/?p=674
Also worth checking out, from the Star Wars Lego-crazed Mark Hillick (@markofu):
http://www.slideshare.net/markofu/peeling-back-your-network-layers-with-security-onion
Discussion time