Security Onion Presentation 20111106 [PDF]


Security Onion: Network Security Monitoring in Minutes
Doug Burks

Feel the pain
Does your traditional IDS give you all the data you need?

The Beauty of Network Security Monitoring
- Multiple data types (not just IDS alerts)
- Sguil is the de facto reference implementation of NSM:
  - Alert data (NIDS alerts from Snort/Suricata and HIDS alerts from OSSEC)
  - Session data (SANCP)
  - Transaction data (HTTP logs from httpry)
  - Full content data (daemonlogger)

Lots of pieces in the jigsaw puzzle
http://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png

Setup wizard puts the jigsaw puzzle together for you! Takes only 2 minutes!

Sguil client designed by analysts for analysts

Right-click Src/Dst IP and query SANCP table (Session Data)

Right-click Src/Dst IP and query Event table to access HTTP logs (Transaction Data)

Right-click Alert ID to pivot to Full Content (transcript in Sguil or pcap in Wireshark)

Squert web interface

Multiple Sguil sensors
http://securityonion.blogspot.com/2011/04/security-onion-20110321-distributed.html

Look for Evil User Agents

  cut -f2,10 /nsm/sensor_data/*/httpry/`date +%Y-%m-%d`.log | grep -v "^# " | awk '$2 != "-"' | sort | uniq -c | sort -nr

Look for malicious user agents like: Bob's Evil Clown C&C Agent
or just outdated and vulnerable software like: Firefox/2.0.0.20
http://pauldotcom.com/2011/10/in-search-of-evil-user-agents.html
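The slide's one-liner, rebuilt as a self-contained script you can run against a constructed sample log before pointing it at a sensor. This is an added example, not code from the slides or from the Security Onion project; it assumes the same field layout the slide's cut -f2,10 implies (field 2 = source IP, field 10 = User-Agent), which you should confirm against the -f format line of your own httpry configuration. Beyond the per-host counts on the slide, it adds a rarity view (agents seen from exactly one host), which is where odd strings such as the outdated Firefox build or the C&C agent named above stand out.

```shell
#!/bin/sh
# Added example (not from Doug Burks' slides or the Security Onion project):
# a POSIX-sh version of the slide's "evil user agent" pipeline that reads
# httpry-style tab-separated logs and reports User-Agent strings per source IP,
# plus a rarity filter for agents observed from only one host.
#
# ASSUMED field layout (matches the slide's "cut -f2,10"): field 2 = source IP,
# field 10 = User-Agent. Verify against the "-f" format line in your own
# httpry configuration before running this on real sensor data.

# Emit one tab-separated httpry-style record from 11 positional arguments:
# timestamp src-ip src-port dst-ip dst-port direction method host uri user-agent status
log_line() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$@"
}

# Constructed sample log (not captured traffic). It mixes a current browser seen
# from two hosts, the outdated Firefox/2.0.0.20 and the suspicious agent named on
# the slide, one server response ("<" direction) and one request with no UA ("-").
# Addresses are from the TEST-NET and private ranges.
sample_httpry_log() {
    echo '# httpry log - constructed sample using the assumed field layout above'
    ff7='Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1'
    ff2='Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20'
    log_line '2011-11-06 09:00:01' 10.0.0.5   49152 192.0.2.10 80    '>' GET  www.example.com /           "$ff7" -
    log_line '2011-11-06 09:00:02' 192.0.2.10 80    10.0.0.5   49152 '<' -    -               -           -      200
    log_line '2011-11-06 09:00:03' 10.0.0.5   49153 192.0.2.10 80    '>' GET  www.example.com /news       "$ff7" -
    log_line '2011-11-06 09:00:04' 10.0.0.6   49200 192.0.2.10 80    '>' GET  www.example.com /           "$ff7" -
    log_line '2011-11-06 09:01:10' 10.0.0.7   50001 192.0.2.10 80    '>' GET  www.example.com /           "$ff2" -
    log_line '2011-11-06 09:02:30' 10.0.0.9   51000 192.0.2.10 80    '>' POST www.example.com /update     "Bob's Evil Clown C&C Agent" -
    log_line '2011-11-06 09:03:00' 10.0.0.5   49154 192.0.2.10 80    '>' GET  www.example.com /robots.txt -      -
}

# The slide's pipeline: drop httpry comment lines, keep (source IP, User-Agent),
# drop records with no User-Agent, count identical pairs, most frequent first.
# Splitting on tabs (-F'\t') makes the "-" test look at the whole UA field even
# though agents contain spaces; the slide's default-split awk reaches the same
# result for the "-" check, but tab splitting is the safer habit.
count_user_agents() {
    grep -v '^# ' | cut -f2,10 | awk -F'\t' '$2 != "-"' | sort | uniq -c | sort -nr
}

# Rarity view: User-Agent strings observed from exactly one source IP.
# Count distinct hosts per agent, keep those with a host count of 1, strip the count.
rare_agents() {
    grep -v '^# ' | cut -f2,10 | awk -F'\t' '$2 != "-"' | sort -u \
        | cut -f2 | sort | uniq -c | awk '$1 == 1 { sub(/^[ \t]*1[ \t]+/, ""); print }'
}

# Run both views over the sample when invoked as: sh evil_ua.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "--- (count, source IP, User-Agent) most frequent first ---"
    sample_httpry_log | count_user_agents
    echo "--- User-Agents seen from a single host ---"
    sample_httpry_log | rare_agents
fi
```

To use it on a sensor, replace sample_httpry_log with `cat /nsm/sensor_data/*/httpry/$(date +%Y-%m-%d).log` and read the bottom of the count_user_agents output and all of rare_agents: popular browsers cluster at the top, while a single host presenting an agent nobody else uses is what the slide means by "evil" or "outdated and vulnerable".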

Argus

Desktop utilities

Roadmap: Mid-November 2011
- Update Barnyard2

Roadmap: Early December 2011
- Suricata 1.1 with AFPACKET

Roadmap: EOY 2011
- Snorby and OpenFPC

Roadmap: January 2012
- Full integration of Bro IDS

Roadmap: Late 2012 and beyond
- Higher performance
- 64-bit
- Lubuntu 12.04
- Echidna (next gen Sguil replacement)

One-man bands make crappy music
Interested in joining an open source project? Security Onion needs:
- Documentation
- Artwork
- Web interface
- Performance benchmarks

Where do we go now?
http://securityonion.blogspot.com is your one-stop shop for all things Security Onion! Updates are announced here and it also has the following links.
Download/Install: http://code.google.com/p/security-onion/wiki/Installation
FAQ: http://code.google.com/p/security-onion/wiki/FAQ
Mailing List: http://groups.google.com/group/security-onion