Security Onion: Network Security Monitoring in Minutes
Doug Burks
Feel the pain
Does your traditional IDS give you all the data you need?
The Beauty of Network Security Monitoring
- Multiple data types (not just IDS alerts)
- Sguil is the de facto reference implementation of NSM:
  - Alert data (NIDS alerts from Snort/Suricata and HIDS alerts from OSSEC)
  - Session data (SANCP)
  - Transaction data (HTTP logs from httpry)
  - Full content data (daemonlogger)
Lots of pieces in the jigsaw puzzle
http://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png
Setup wizard puts the jigsaw puzzle together for you! Takes only 2 minutes!
Sguil client designed by analysts for analysts
- Right-click Src/Dst IP and query the SANCP table (Session Data)
- Right-click Src/Dst IP and query the Event table to access HTTP logs (Transaction Data)
- Right-click Alert ID to pivot to Full Content (transcript in Sguil or pcap in Wireshark)
Squert web interface
Multiple Sguil sensors
http://securityonion.blogspot.com/2011/04/security-onion-20110321-distributed.html
Look for Evil User Agents
cut -f2,10 /nsm/sensor_data/*/httpry/`date +%Y-%m-%d`.log | grep -v "^# " | awk '$2 != "-"' | sort | uniq -c | sort -nr
Look for malicious user agents like:
Bob's Evil Clown C&C Agent
or just outdated and vulnerable software like:
Firefox/2.0.0.20
http://pauldotcom.com/2011/10/in-search-of-evil-user-agents.html
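As an added example (not from the deck or the Security Onion project), the script below runs the same cut/awk/uniq pipeline over a constructed httpry-style log so the filtering and counting can be tried without a sensor. The field layout (source IP in field 2, User-Agent in field 10, as implied by the deck's cut -f2,10), the sample IPs and requests, and the watch patterns are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the deck or the Security Onion project: the deck's
# user-agent pipeline run over a constructed httpry-style log.
# Assumptions: tab-separated fields, "# "-prefixed metadata lines, source IP
# in field 2 and User-Agent in field 10 (the layout implied by the deck's
# "cut -f2,10"), and "-" meaning the request carried no User-Agent header.

# Constructed sample log. The field order below is an assumption for this
# example: timestamp, src-ip, src-port, dst-ip, dst-port, dir, method, host,
# uri, user-agent.
sample_httpry_log() {
  printf '# constructed metadata line, skipped like httpry header comments\n'
  printf '2011-11-01 10:00:01\t192.168.1.10\t51000\t10.0.0.5\t80\t>\tGET\texample.com\t/\tMozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\n'
  printf '2011-11-01 10:00:02\t192.168.1.10\t51001\t10.0.0.5\t80\t>\tGET\texample.com\t/index.html\tMozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\n'
  printf '2011-11-01 10:00:03\t192.168.1.10\t51002\t10.0.0.6\t80\t>\tGET\tcdn.example.com\t/a.js\tMozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\n'
  printf '2011-11-01 10:05:00\t192.168.1.11\t49152\t10.0.0.5\t80\t>\tGET\texample.com\t/\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20\n'
  printf '2011-11-01 10:06:00\t192.168.1.12\t49153\t10.0.0.7\t80\t>\tGET\tupdate.example.net\t/check\t-\n'
  printf "2011-11-01 10:07:00\t192.168.1.12\t49154\t198.51.100.9\t80\t>\tPOST\t198.51.100.9\t/gate.php\tBob's Evil Clown C&C Agent\n"
}

# The deck's pipeline with the log read from stdin instead of
# /nsm/sensor_data/*/httpry/<date>.log. -F'\t' pins the awk separator so a
# user agent containing spaces is compared as one field. cut passes the
# delimiter-less "# " line through untouched, which is why grep -v follows it.
user_agent_counts() {
  cut -f2,10 | grep -v "^# " | awk -F'\t' '$2 != "-"' | sort | uniq -c | sort -nr
}

# Watch patterns constructed from the two examples in the deck: a bogus
# "C&C Agent" string and the long-obsolete Firefox/2.0.0.20 build.
flag_suspicious() {
  grep -E -i 'C&C Agent|Firefox/2\.0'
}

# Single-value helpers so the results can be checked rather than eyeballed.
top_pair_count() {
  sample_httpry_log | user_agent_counts | head -n 1 | awk '{ print $1 }'
}
distinct_pair_count() {
  sample_httpry_log | user_agent_counts | wc -l | tr -d ' '
}
suspicious_pair_count() {
  sample_httpry_log | user_agent_counts | flag_suspicious | wc -l | tr -d ' '
}

echo "== (source IP, user agent) pairs by request count =="
sample_httpry_log | user_agent_counts
echo "== pairs matching the watch patterns =="
sample_httpry_log | user_agent_counts | flag_suspicious
```

On the sample data the busiest pair is the Firefox 7 host with three requests, the host with no User-Agent header is dropped by the awk filter, and the watch patterns pick out the Firefox 2 host and the fake C&C agent; on a real sensor, replace sample_httpry_log with cat of the day's httpry log and grow the watch list from what the sort -nr output actually shows.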
Argus
Desktop utilities
Roadmap: Mid-November 2011
- Update Barnyard2
Roadmap: Early December 2011
- Suricata 1.1 with AF_PACKET
Roadmap: EOY 2011
- Snorby and OpenFPC
Roadmap: January 2012
- Full integration of Bro IDS
Roadmap: Late 2012 and beyond
- Higher performance
- 64-bit
- Lubuntu 12.04
- Echidna (next-gen Sguil replacement)
One-man bands make crappy music
Interested in joining an open source project? Security Onion needs:
- Documentation
- Artwork
- Web interface
- Performance benchmarks
Where do we go now?
http://securityonion.blogspot.com is your one-stop shop for all things Security Onion! Updates are announced there and it also has the following links.
Download/Install: http://code.google.com/p/security-onion/wiki/Installation
FAQ: http://code.google.com/p/security-onion/wiki/FAQ
Mailing List: http://groups.google.com/group/security-onion