Security Onion talk in Singapore July 2013
Security Onion: Installed and now what?
Chris Mohan@Chris_mohan
1.Plan (think, design and dream)
2.Install, Update
3.Configure
4.Test
5.Review
Road Map: Just like Incident Response
• Quick overview of the Security Onion and NSM for those new to it
• Suggestions on how to set up
• Demo (if the Security Onion Demo gods are kind)
• Questions/Discussion
What's happening tonight
"Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."
– Richard Bejtlich (@taosecurity)
Network Security Monitoring?
Security Onion is a network security monitoring (NSM) system that provides full context and forensic visibility into the traffic it monitors.
It's a prebuilt environment of fantastic open source security tools, all in one place, designed for defenders.
Like Backtrack, everything just works
And those tools work together
Linux guru-ness not needed: very basic Linux and that's it
Security Onion?
Over 60 custom tools
Snort – Signature based IDS
Sguil – Security analyst console
Squert - View HIDS/NIDS alerts and HTTP logs
Snorby - View and annotate IDS alerts
ELSA - Search logs (IDS, Bro and syslog)
Bro - Powerful network analysis framework with highly detailed logs
OSSEC - Monitors local logs, file integrity & rootkits
What in the Onion?
Created and maintained by Doug Burks @dougburks
The security community is steadily supporting it
"He really wanted to make Sguil & NSM 'easier' to deploy - mission accomplished!" - Ash Deuble, live interpretive dance winner, AusCERT 2013
Built by One, supported by Many
What does your network look like?
What and how are you trying to protect?
How much traffic travels over it each day/week/month?
Do you have the right hardware: router, switch, Security Onion system?
Has to fit YOUR needs, fit YOUR environment and requirements, not some random guide from the Intertubes
Planning
Installation – It’s Quick and Easy
Stop! Test Rig Check!
Physical or Virtual?
• Minimum of 2GB of RAM
• 2 Interfaces:
  • 1 Management
  • 1 Sensor
• Plenty of Disk
Get used to the SO interfaces: Sguil is the first stop
1. Setup Metasploitable 2 http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
2. Setup an Attacker (Backtrack or your SANS Linux VM)
3. Launch attacks to trigger alerts
4. OWASP top 10 as the infrastructure attacks
5. Execute copies of drive-by download attacks for users (e.g. visit sites listed on malwaredomains.com with a sacrificial Windows XP machine and save the PCAP)
Test, test, TEST!
Rules are written using the Snort format.
Rules added to /etc/nsm/rules/local.rules won't be changed by the automated IDS rule updates (use sids of 1000000 or above for local rules; lower numbers are reserved for the official rulesets):
alert tcp any any -> $HOME_NET 56561 (msg:"Eak! Snowden's at it again"; flow:to_server; content:"secrets"; nocase; reference:url,code.google.com/p/security-onion/wiki/AddingLocalRules; sid:9101666; rev:1;)
(reference:url takes the address without the scheme, Snort adds the http:// prefix from reference.config; nocase sits directly after the content it modifies; every option, including the last, ends with a semicolon.)
$ sudo rule-update
Writing Your Own Rules
from scapy.all import *   # IP, TCP and send() come from Scapy

# Craft the layer 3 (IP) information.
# The IP addresses can be random, but I would suggest sticking to RFC1918.
ip = IP()
ip.dst = "192.168.200.4"   # this should be in your IP range ($HOME_NET)!
ip.src = "192.168.100.3"

# Craft the layer 4 (TCP) information.
# Since we specified port 56561 in our Snort rule, that is the destination port.
tcp = TCP()
tcp.dport = 56561
tcp.sport = 1234

# Set the payload. The rule's content match is "secrets" with nocase, so mixed case still triggers it.
payload = "SeCrEtS"

# Use the / operator to compose our packet and transfer it with the send() method.
send(ip/tcp/payload, iface="eth0")
https://code.google.com/p/security-onion/wiki/AddingLocalRules - Russ McRee
http://media.packetlife.net/media/library/36/scapy.pdf - Quick Scapy reference
How to test? Scapy to the rescue!
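The scapy snippet above fires a single packet straight onto the wire. As an added example (not from the talk or from the Security Onion project), the script below builds the same client-to-server packet as a complete TCP session (SYN, SYN/ACK, ACK, then the data segment) and writes it to a pcap, so it can be replayed with tcpreplay on the test rig as the later slides describe, and so Snort's stream preprocessor sees a proper three-way handshake rather than a lone segment. It uses only the Python standard library, so no scapy is needed on the box that builds the file. The port and payload are taken from the rule on the slide; the MAC addresses, the 192.168.x.x hosts, the file name local_rule_test.pcap and the interface eth0 in the usage comment are assumptions.

```python
"""Build a complete TCP session that triggers the local rule above and write
it to a pcap for tcpreplay. Added example, not from the talk or Security
Onion; standard library only, so no scapy is needed to build the file.
Port and payload come from the rule; MACs, hosts and file name are assumptions."""
import socket
import struct
import time

CLIENT_IP, SERVER_IP = "192.168.100.3", "192.168.200.4"   # assumed RFC1918 hosts; dst must be in $HOME_NET
CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # assumed
CLIENT_PORT, SERVER_PORT = 1234, 56561                    # server port = the port in the rule
PAYLOAD = b"SeCrEtS"                                      # matches content:"secrets" thanks to nocase
SYN, ACK, PSH = 0x02, 0x10, 0x08

def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, payload_len, ident):
    """20-byte IPv4 header, DF set, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, 64,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_segment(src, dst, sport, dport, seq, ack, flags, data=b""):
    """20-byte TCP header (no options) plus data, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr) + len(data))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + data)) + hdr[18:] + data

def frame(src_mac, dst_mac, src_ip, dst_ip, segment, ident):
    """Ethernet II frame carrying IPv4 carrying the TCP segment."""
    return dst_mac + src_mac + b"\x08\x00" + ipv4_header(src_ip, dst_ip, len(segment), ident) + segment

def build_session():
    """SYN, SYN/ACK, ACK, then the client -> server data segment the rule looks for."""
    c_isn, s_isn = 1000, 5000
    c2s = lambda seq, ack, flags, data=b"", ident=0: frame(
        CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP,
        tcp_segment(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, seq, ack, flags, data), ident)
    s2c = lambda seq, ack, flags, ident=0: frame(
        SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP,
        tcp_segment(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, seq, ack, flags), ident)
    return [
        c2s(c_isn, 0, SYN, ident=1),
        s2c(s_isn, c_isn + 1, SYN | ACK, ident=2),
        c2s(c_isn + 1, s_isn + 1, ACK, ident=3),
        c2s(c_isn + 1, s_isn + 1, PSH | ACK, PAYLOAD, ident=4),   # flow:to_server on an established session
    ]

def verify_checksums(fr):
    """True if both the IPv4 header and the TCP segment checksum to zero (i.e. are valid)."""
    ip, seg = fr[14:34], fr[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0

def pcap_bytes(packets, start=None):
    """Classic libpcap file: 24-byte global header (link type 1 = Ethernet) then one record per frame."""
    start = time.time() if start is None else start
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, p in enumerate(packets):
        ts = start + i * 0.01                                     # frames 10 ms apart
        out.append(struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(p), len(p)) + p)
    return b"".join(out)

if __name__ == "__main__":
    with open("local_rule_test.pcap", "wb") as f:      # file name is an assumption
        f.write(pcap_bytes(build_session()))
    # then on the sensor:  sudo tcpreplay -i eth0 local_rule_test.pcap   (eth0 = the sniffing interface, an assumption)
```

Replay it onto the sniffing interface of the test rig and the alert should show up in Sguil within a few seconds; if it does not, check that 192.168.200.4 (or whatever you put in SERVER_IP) actually falls inside $HOME_NET, since that is the first thing the rule header filters on.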
Steady.
PCAPs of the live network (permission is a must)
tcpreplay and unleash those PCAPs on the test network
Why?
Baseline
Understand what’s on the network
What alerts are likely to kick off
What the consoles looks like
Release the Hounds! Well, sort of…
Find the noisy rule(s) by any method:
• Snorby
• Squert
• Sguil
• even from the command line!
Is it a real problem that should be fixed?
Should I disable the sid?
Read the whole story:
https://code.google.com/p/security-onion/wiki/ManagingAlerts
- Scott Runnels
Now it's too noisy, or Fine Tuning
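Finding the noisy rule(s) "from the command line" comes down to counting alerts per signature. As an added example (not from the talk or the ManagingAlerts wiki page), the script below parses alert lines in Snort's "fast" output format, ranks signatures by hit count and number of distinct sources, and drafts the candidate tuning entries in the formats Security Onion used at the time: a PulledPork disablesid.conf line (gid:sid) to stop loading the rule altogether, or a Snort threshold.conf event_filter or suppress line to keep the rule but quieten it. Which of the three to apply is still the analyst's decision, which is the point of the slide. The alert lines are constructed for the example and the threshold of 3 hits is arbitrary.

```python
"""Rank noisy Snort signatures and draft the tuning entry for each.
Added example, not from the talk. Alert lines below are constructed in
Snort's "fast" output format; sid 2100366 is the GPL "ICMP_INFO PING *NIX"
signature, sid 9101666 is the local rule from the slide."""
import re
from collections import defaultdict

SAMPLE_ALERTS = """\
07/12-21:03:11.102000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.3 -> 192.168.200.4
07/12-21:03:12.104000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.3 -> 192.168.200.4
07/12-21:03:13.106000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.3 -> 192.168.200.4
07/12-21:03:14.108000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.3 -> 192.168.200.4
07/12-21:03:15.110000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.7 -> 192.168.200.4
07/12-21:03:20.500000  [**] [1:9101666:1] Eak! Snowden's at it again [**] [Priority: 3] {TCP} 192.168.100.3:1234 -> 192.168.200.4:56561
this line is not an alert and is skipped by the parser
"""

# [gid:sid:rev] msg [**] ... {proto} src -> dst   (ports are present for TCP/UDP only)
FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def parse_fast_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = FAST_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
    return d

def rank_signatures(text):
    """Count hits and distinct source IPs per (gid, sid); noisiest first."""
    hits, sources, msgs = defaultdict(int), defaultdict(set), {}
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"])
        hits[key] += 1
        sources[key].add(a["src"])
        msgs[key] = a["msg"]
    return [
        {"gid": g, "sid": s, "msg": msgs[(g, s)], "hits": hits[(g, s)], "sources": sorted(sources[(g, s)])}
        for (g, s) in sorted(hits, key=lambda k: (-hits[k], k))
    ]

def tuning_options(entry):
    """Draft the ways to quieten a signature; picking one is still the analyst's call."""
    gid, sid = entry["gid"], entry["sid"]
    opts = {
        # PulledPork disablesid.conf: the rule is no longer loaded at all
        "disablesid": f"{gid}:{sid}",
        # threshold.conf: keep the rule, but at most one alert per source per minute
        "event_filter": f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds 60",
    }
    if len(entry["sources"]) == 1:
        # threshold.conf: a single known-benign talker can be suppressed without touching the rule
        opts["suppress"] = f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {entry['sources'][0]}"
    return opts

def report(text, min_hits=3):
    """Return the noisy signatures (>= min_hits) with their drafted tuning lines."""
    return [dict(e, tuning=tuning_options(e)) for e in rank_signatures(text) if e["hits"] >= min_hits]

if __name__ == "__main__":
    for e in report(SAMPLE_ALERTS):
        print(f"{e['hits']:4d} hits  {e['gid']}:{e['sid']}  {e['msg']}  ({len(e['sources'])} source(s))")
        for kind, line in e["tuning"].items():
            print(f"      {kind:12s} {line}")
```

Note that the local rule from the slide never makes the noisy list here: one hit from one host is exactly the kind of alert you want to keep, and disabling a sid because it fired once is how real detections get lost. Whichever entry you pick, run rule-update afterwards so the sensors pick up the change.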
To the Intertubes! Find challenges; start with the easy ones that come with answers:
http://www.wiresharktraining.com/sharkfest2013/Sharkfest2013ChallengeTraces.zip
http://www.honeynet.org/challenges
Then try your own - dump your own home network & use tcpreplay to run controlled blocks
Need more traffic?
Demo*
Project Home http://code.google.com/p/security-onion/
Blog http://securityonion.blogspot.com
Mailing Lists http://code.google.com/p/security-onion/wiki/MailingLists
Google Group https://groups.google.com/forum/?fromgroups#!forum/security-onion
Wiki http://code.google.com/p/security-onion/w/list
Additional Reading
Thanks to :
Ash Deuble (@ashd_au)
And have a look at his intro to using Security Onion video:
http://security.crudtastic.com/?p=674
Also worth checking out, from the Star Wars Lego crazed Mark Hillick (@markofu):
http://www.slideshare.net/markofu/peeling-back-your-network-layers-with-security-onion
Discussion time