Security Onion talk in Singapore July 2013

Security Onion: Installed and now what? Chris Mohan @Chris_mohan


This was an hour-long talk on how to plan and test using Security Onion. It is missing the live demo, but the links should provide enough information to go out and duplicate my post-build tests before placing Security Onion into a live environment.

Transcript of Security Onion talk in Singapore July 2013

Page 1: Security Onion talk in Singapore July 2013

Security Onion: Installed and now what?

Chris Mohan@Chris_mohan

Page 2: Security Onion talk in Singapore July 2013

1. Plan (think, design and dream)

2. Install, Update

3. Configure

4. Test

5. Review

Road Map: Just like Incident Response

Page 3: Security Onion talk in Singapore July 2013

• Quick overview of the Security Onion and NSM for those new to it

• Suggestions on how to set up

• Demo (if the Security Onion Demo gods are kind)

• Questions/Discussion

What’s happening tonight

Page 4: Security Onion talk in Singapore July 2013

"Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."

– Richard Bejtlich

Network Security Monitoring?

(@taosecurity)

Page 5: Security Onion talk in Singapore July 2013

Security Onion is a network security monitoring (NSM) system that provides full context and forensic visibility into the traffic it monitors

It’s a prebuilt environment of fantastic open source security tools, all in one place, designed for defenders.

Like Backtrack, everything just works

And those tools work together

Linux Guru-ness not needed, very basic Linux and that’s it

Security Onion?

Page 6: Security Onion talk in Singapore July 2013

Over 60 custom tools

Snort - Signature-based IDS

Sguil - Security analyst console

Squert - View HIDS/NIDS alerts and HTTP logs

Snorby - View and annotate IDS alerts

ELSA - Search logs (IDS, Bro and syslog)

Bro - Powerful network analysis framework with highly detailed logs

OSSEC - Monitors local logs, file integrity & rootkits

What in the Onion?

Page 7: Security Onion talk in Singapore July 2013

Created and maintained by Doug Burks @dougburks

The security community is steadily supporting it

"He really wanted to make Sguil & NSM 'easier' to deploy - mission accomplished!" - Ash Deuble, live interpretive dance winner, AusCERT 2013

Built by One, supported by Many

Page 8: Security Onion talk in Singapore July 2013

What does your network look like?

What and how are you trying to protect?

How much traffic travels over it each day/week/month?

Do you have the right hardware:

Router, switch, Security Onion system?

Has to fit YOUR needs, fit YOUR environment and requirements, not some random guide from the Intertubes

Planning

Page 9: Security Onion talk in Singapore July 2013

Installation – It’s Quick and Easy

Stop! Test Rig Check!

Physical or Virtual?

• Minimum of 2GB of RAM

• 2 Interfaces:

  • 1 Management

  • 1 Sensor

• Plenty of Disk

Page 10: Security Onion talk in Singapore July 2013

Get used to the SO interfaces: Sguil is the first stop

1. Set up Metasploitable 2: http://sourceforge.net/projects/metasploitable/files/Metasploitable2/

2. Set up an attacker (Backtrack or your SANS Linux VM)

3. Launch attacks to trigger alerts

4. OWASP Top 10 as the infrastructure attacks

5. Execute copies of drive-by download attacks for users (e.g. visit sites listed on malwaredomains.com with a sacrificial Windows XP machine and save the PCAP)

Test, test, TEST!

Page 11: Security Onion talk in Singapore July 2013

Rules are written using the Snort format:

Rules are added to /etc/nsm/rules/local.rules

This file is not changed by the automated IDS rule updates

alert tcp any any -> $HOME_NET 56561 (msg:"Eak! Snowden's at it again"; reference:url,code.google.com/p/security-onion/wiki/AddingLocalRules; content:"secrets"; nocase; flow:to_server; sid:9101666; rev:1;)

$ sudo rule-update

Writing Your Own Rules
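A pre-flight check for local.rules, added here as an example and not part of the talk or of Security Onion: it parses Snort-format rules, flags the mistakes that most often stop a local rule from loading or make it collide with the downloaded rule sets (an option without its closing semicolon, a missing msg/sid/rev, a sid below 1000000, a sid used twice), and includes a reduced matcher that shows whether a test payload satisfies the rule's port and content/nocase options. The sample rule file, every sid other than 9101666 and the function names are constructed for this example.

```python
"""Sanity-check a local.rules body before running rule-update (added example)."""
import re

# Constructed sample of a local.rules file; the first rule is the one from the slide.
LOCAL_RULES = r'''
# local rules: this file survives rule-update
alert tcp any any -> $HOME_NET 56561 (msg:"Eak! Snowden's at it again"; content:"secrets"; nocase; flow:to_server; sid:9101666; rev:1;)
alert tcp any any -> $HOME_NET 8080 (msg:"reused sid"; content:"foo"; sid:9101666; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"sid from the reserved range"; content:"bar"; sid:999; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"forgot the last semicolon"; content:"baz"; sid:9101667; rev:1)
'''
GOOD_RULE = LOCAL_RULES.splitlines()[2]

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# One option: keyword, optional ':' value (quoted or bare), terminating ';'
OPT_RE = re.compile(r'\s*(?P<key>\w+)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

LOCAL_SID_FLOOR = 1000000  # sids below this belong to the downloaded rule sets


def parse_rule(line):
    """Return (header dict, [(option, value), ...]) or None if the rule is malformed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    header = m.groupdict()
    opts_text = header.pop('opts').strip()
    options, pos = [], 0
    while pos < len(opts_text):
        om = OPT_RE.match(opts_text, pos)
        if not om:
            return None  # an option without its terminating ';' (e.g. "rev:1)")
        val = om.group('val')
        if val is not None and val.startswith('"'):
            if not val.endswith('"'):
                return None  # quote opened but never closed before the ';'
            val = val[1:-1]
        options.append((om.group('key'), val))
        pos = om.end()
    return header, options


def lint_rules(text):
    """Return [(line_no, finding), ...] for a local.rules body; an empty list means clean."""
    findings, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            findings.append((n, 'malformed rule: check quotes and that every option ends with ";"'))
            continue
        header, options = parsed
        opts = dict(options)
        for required in ('msg', 'sid', 'rev'):
            if required not in opts:
                findings.append((n, 'missing %s' % required))
        sid = opts.get('sid')
        if sid is not None and sid.isdigit():
            if int(sid) < LOCAL_SID_FLOOR:
                findings.append((n, 'sid %s is below the local range (%d+) and may collide with downloaded rules'
                                 % (sid, LOCAL_SID_FLOOR)))
            if int(sid) in seen_sids:
                findings.append((n, 'sid %s already used on line %d' % (sid, seen_sids[int(sid)])))
            else:
                seen_sids[int(sid)] = n
        if header['action'] == 'alert' and not ({'content', 'pcre'} & set(opts)):
            findings.append((n, 'no content/pcre option: this fires on every packet matching the header'))
    return findings


def payload_matches(rule_line, dport, payload):
    """Reduced matcher: destination port plus content/nocase only.

    Snort applies nocase to the content it follows; with a single content
    option (the usual first local rule) treating it globally is equivalent.
    """
    parsed = parse_rule(rule_line)
    if parsed is None:
        return False
    header, options = parsed
    if header['dport'] not in ('any', str(dport)):
        return False
    nocase = any(key == 'nocase' for key, _ in options)
    contents = [val for key, val in options if key == 'content']
    fold = (lambda s: s.lower()) if nocase else (lambda s: s)
    return bool(contents) and all(fold(c) in fold(payload) for c in contents)


if __name__ == '__main__':
    for line_no, finding in lint_rules(LOCAL_RULES):
        print('line %d: %s' % (line_no, finding))
    print('SeCrEtS to 56561 matches the slide rule:', payload_matches(GOOD_RULE, 56561, 'SeCrEtS'))
```

Run it against your own file with `lint_rules(open('/etc/nsm/rules/local.rules').read())` before `sudo rule-update`; the matcher is only for checking the test payload you are about to send, not a substitute for watching the alert appear in Sguil.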

Page 12: Security Onion talk in Singapore July 2013

# Scapy session, run as root
from scapy.all import IP, TCP, send

# Craft the layer 3 information.
# The IP addresses can be random, but stick to RFC 1918 space;
# the destination must be inside your $HOME_NET for the rule to fire.
ip = IP()
ip.dst = "192.168.200.4"   # this should be your IP range!
ip.src = "192.168.100.3"

# Craft the layer 4 information.
# Since we specified port 56561 in our Snort rule, send to that port.
tcp = TCP()
tcp.dport = 56561
tcp.sport = 1234

# Set the payload; the rule has nocase, so mixed case still matches.
payload = "SeCrEtS"

# Use the / operator to compose our packet and transfer it with the send() method.
send(ip/tcp/payload, iface="eth0")

https://code.google.com/p/security-onion/wiki/AddingLocalRules - Russ McRee

http://media.packetlife.net/media/library/36/scapy.pdf - Quick Scapy reference

How to test? Scapy to the rescue!
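The same test packet as a replayable PCAP, added as an example that is not from the talk or from Security Onion: instead of Scapy it builds the Ethernet/IPv4/TCP frame by hand with the standard library and saves it in libpcap format, so the test can be driven through tcpreplay on the sensor interface as the following slides describe, and repeated identically after every tuning change. A control packet to the same port that must not alert is written alongside, so one replay should produce exactly one alert. The MAC addresses, sequence numbers and control payload are constructed; the addresses and port follow the slides, and 192.168.200.4 has to be inside your $HOME_NET.

```python
"""Write a replayable PCAP carrying the test payload for the local rule (added example)."""
import socket
import struct
import time

RULE_PORT = 56561                         # port used in the slide's local rule
MATCHING_PAYLOAD = b'SeCrEtS'             # satisfies content:"secrets"; nocase;
CONTROL_PAYLOAD = b'nothing to see here'  # same port, must not alert


def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame; flags default to PSH+ACK so it looks like session data."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # IPv4: version 4 / IHL 5, TOS 0, total length, constructed id, no flags, TTL 64, proto 6 (TCP)
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + tcp_len, 0x1234, 0, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack('!H', checksum(ip_hdr)) + ip_hdr[12:]
    # TCP: ports, constructed seq/ack, data offset 5 words, flags, window, checksum 0, urgent 0
    tcp_hdr = struct.pack('!HHIIBBHHH', sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, 0)
    pseudo = src + dst + struct.pack('!BBH', 0, 6, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack('!H', checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    # Locally administered (02:...) MACs so no real device is impersonated; 0x0800 = IPv4
    eth_hdr = bytes.fromhex('020000000002') + bytes.fromhex('020000000001') + b'\x08\x00'
    return eth_hdr + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Decode one of our own frames as a self-check: port, payload and both checksums."""
    ip = frame[14:34]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack('!H', ip[2:4])[0]
    tcp = frame[14 + ihl:14 + total_len]
    pseudo = ip[12:16] + ip[16:20] + struct.pack('!BBH', 0, 6, len(tcp))
    data_off = (tcp[12] >> 4) * 4
    return {
        'dport': struct.unpack('!H', tcp[2:4])[0],
        'payload': tcp[data_off:],
        'ip_checksum_ok': checksum(ip) == 0,     # a valid header sums to zero
        'tcp_checksum_ok': checksum(pseudo + tcp) == 0,
    }


def pcap_bytes(frames, start_ts=None):
    """libpcap file: magic 0xa1b2c3d4, version 2.4, snaplen 65535, link type 1 (Ethernet)."""
    base = int(start_ts if start_ts is not None else time.time())
    out = [struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        # one frame per second so tcpreplay's timing is easy to reason about
        out.append(struct.pack('<IIII', base + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b''.join(out)


def write_pcap(path, frames):
    with open(path, 'wb') as f:
        f.write(pcap_bytes(frames))


# Constructed test traffic: the matching packet and a control packet on the same port.
TEST_FRAMES = [
    build_tcp_frame('192.168.100.3', '192.168.200.4', 1234, RULE_PORT, MATCHING_PAYLOAD),
    build_tcp_frame('192.168.100.3', '192.168.200.4', 1235, RULE_PORT, CONTROL_PAYLOAD),
]

if __name__ == '__main__':
    write_pcap('local-rule-test.pcap', TEST_FRAMES)
    for frame in TEST_FRAMES:
        print(parse_frame(frame))
    print('replay on the sensor interface, e.g.: sudo tcpreplay -i eth1 local-rule-test.pcap')
```

Replay it with tcpreplay on the interface the sensor is sniffing and expect the alert for sid 9101666 once per run; if the control packet also alerts, the content match is not doing its job, and if neither alerts, check $HOME_NET and the sensor interface before touching the rule.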

Page 13: Security Onion talk in Singapore July 2013

Steady.

PCAPs of the live network (Permission is a must)

tcpreplay and unleash those PCAPs on the test network

Why?

Baseline

Understand what’s on the network

What alerts are likely to kick off

What the consoles look like

Release the Hounds! Well, sort of…

Page 14: Security Onion talk in Singapore July 2013

Find the noisy rule(s) by any method:

• Snorby

• Squert

• Sguil

• even from the command line!

Is it a real problem that should be fixed?

Should I disable the sid? Read the whole story:

https://code.google.com/p/security-onion/wiki/ManagingAlerts - Scott Runnels

Now it’s too noisy, or Fine Tuning
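One way to do the "from the command line" step, added here as an example that is not from the talk or from Security Onion: it parses alert lines in Snort's fast output format and ranks sids by their share of the alert volume together with the number of distinct source and destination hosts, which is the first thing to look at when deciding whether a sid is a real problem to fix or a rule to tune. The alert lines are constructed (the 100000x sids are invented local rules; 9101666 is the rule from the earlier slide), and the triage hints are rules of thumb written for this example, not a Security Onion feature.

```python
"""Rank noisy sids in Snort fast-format alert lines (added example)."""
import re
from collections import defaultdict

# Constructed alert lines in Snort fast format; the last line is deliberately not an alert.
ALERT_LOG = """\
07/15-19:02:11.345678  [**] [1:1000001:2] LOCAL test rule that is too chatty [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.100.3:53211 -> 192.168.200.4:80
07/15-19:02:11.900001  [**] [1:1000001:2] LOCAL test rule that is too chatty [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.100.3:53212 -> 192.168.200.4:80
07/15-19:02:12.100000  [**] [1:1000001:2] LOCAL test rule that is too chatty [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.100.7:40001 -> 192.168.200.4:80
07/15-19:02:13.000000  [**] [1:9101666:1] Eak! Snowden's at it again [**] [Priority: 0] {TCP} 192.168.100.3:1234 -> 192.168.200.4:56561
07/15-19:02:14.000000  [**] [1:1000002:1] LOCAL another rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.9:5353 -> 224.0.0.251:5353
this line is not an alert and is skipped
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$')


def parse_alert(line):
    """Return the alert's fields as a dict, or None for a line that is not a fast-format alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['sid'], d['rev'], d['priority'] = int(d['sid']), int(d['rev']), int(d.pop('pri'))
    # Drop the port (IPv4 "host:port"; ICMP lines carry no port) so we count hosts, not flows.
    d['src_host'] = d['src'].rsplit(':', 1)[0]
    d['dst_host'] = d['dst'].rsplit(':', 1)[0]
    return d


def summarize(lines):
    """Rank sids by alert count; each row carries share of total and distinct hosts."""
    by_sid = defaultdict(lambda: {'count': 0, 'srcs': set(), 'dsts': set(), 'msg': ''})
    total = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        total += 1
        e = by_sid[a['sid']]
        e['count'] += 1
        e['srcs'].add(a['src_host'])
        e['dsts'].add(a['dst_host'])
        e['msg'] = a['msg']
    ranked = [{'sid': sid, 'msg': e['msg'], 'count': e['count'], 'share': e['count'] / total,
               'sources': len(e['srcs']), 'destinations': len(e['dsts'])}
              for sid, e in by_sid.items()]
    ranked.sort(key=lambda r: (-r['count'], r['sid']))
    return ranked


def triage_hint(row, noisy_share=0.5):
    """Rule-of-thumb reading of one summary row (thresholds constructed for this example)."""
    if row['share'] >= noisy_share and row['sources'] > 1:
        return 'noisy across hosts: candidate for tuning, not disabling'
    if row['sources'] == 1 and row['count'] > 1:
        return 'one host keeps tripping it: look at the host before touching the rule'
    return 'low volume: leave it and keep watching'


if __name__ == '__main__':
    for row in summarize(ALERT_LOG.splitlines()):
        print('%-8d %3d %5.1f%% src=%d dst=%d  %s  -> %s'
              % (row['sid'], row['count'], 100 * row['share'], row['sources'],
                 row['destinations'], row['msg'], triage_hint(row)))
```

Point it at a real file with `summarize(open(path).readlines())`; a rule that dominates the volume from many internal hosts usually wants a threshold or suppression entry, while the same volume from one host is a reason to look at that host, and either way the ManagingAlerts page above covers how to apply the change without editing the downloaded rule files.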

Page 15: Security Onion talk in Singapore July 2013

To the Intertubes! Find challenges; start with the easy ones that come with answers:

http://www.wiresharktraining.com/sharkfest2013/Sharkfest2013ChallengeTraces.zip

http://www.honeynet.org/challenges

Then try your own - dump your own home network’s traffic & use tcpreplay to run controlled blocks

Need more traffic?

Page 16: Security Onion talk in Singapore July 2013

Demo*