Security Onion. Peel Back the Layers of Your Network in Minutes. Doug Burks



Similar documents
Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory

Network Security Monitoring

S N O R T I D S B L A S T C O U R S E

USE HONEYPOTS TO KNOW YOUR ENEMIES

Berkley Packet Filters and Open Source Tools. a tranched approach to packet capture analysis at today s network speeds

Missing the Obvious: Network Security Monitoring for ICS

Network Security Monitoring

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell

Network Intrusion Analysis (Hands-on)

What happens when you use nmap or a fuzzer on an ICS?

Compliance Solu.ons with a Budget in Mind

Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment

Dynamic Rule Based Traffic Analysis in NIDS

BEGINNER S GUIDE to. Open Source Intrusion Detection Tools.

NETWORK SECURITY. Scott Hand. Melanie Rich-Wittrig. Enrique Jimenez

When prevention FAILS: Extending IR and Digital Forensics to the corporate network. Ismael Valenzuela

Wireshark Deep packet inspection with Wireshark

disect Systems Logging Snort alerts to Syslog and Splunk PRAVEEN DARSHANAM

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

CSCE 465 Computer & Network Security

EFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Network/Internet Forensic and Intrusion Log Analysis

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Network Security Monitoring: Beyond Intrusion Detection. By: rewtninja

IDS / IPS. James E. Thiel S.W.A.T.

Network Security Monitoring

INTRUSION DETECTION SYSTEM

Intrusion Detection Architecture Utilizing Graphics Processors

Intelligence Driven Intrusion Detection

How To Protect A Network From Attack From A Hacker (Hbss)

Snort. A practical NIDS

Bro at 10 Gps: Current Testing and Plans

Open Source in Government: Delivering Network Security, Flexibility and Interoperability

Intrusion Detection and Intrusion Prevention. Ed Sale VP of Security Pivot Group, LLC

Indexing Full Packet Capture Data With Flow

Early warning for security attacks

Intrusion Detection in AlienVault

Applied Detection and Analysis Using Network Flow Data

Network Monitoring for Cyber Security

THE PRACTICE OF NETWORK SECURITY MONITORING

Network Monitoring using MMT:

COUNTERSNIPE

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

The principle of Network Security Monitoring[NSM]

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Introduction of Intrusion Detection Systems

Some Tools for Computer Security Incident Response Team (CSIRT)

Traffic Monitoring : Experience

Security Power Tools

Vuurmuur - iptables manager

The Ultra-Secure Network Architecture

How To Protect Your Network From Attack From A Hacker On A University Server

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Security Monitoring and Architectures for Security Logging

APPLICATION NOTE. How to build pylon applications for ARM

An Overview of the Bro Intrusion Detection System

UNMASKCONTENT: THE CASE STUDY

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

6.0. Getting Started Guide

Linux Network Security

Intrusion Detection Systems

Network Security Monitoring Theory and Practice

Exploratory Data Analysis of Network Traffic in Industrial Control Systems

Campus. Impact. UC Riversidee Security Tools. Security Tools. of systems

Building a Security Operations Center Lessons Learned. active threat protection

Network Monitoring & Management Log Management

The Security Onion Cloud Client

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Open Source Network Security Monitoring With Sguil

Lab 1: Network Devices and Technologies - Capturing Network Traffic

OSSEC. Intrusion detection and response System and log analysis of Drupal sites and servers

INTRUSION DETECTION SYSTEMS and Network Security

A Comparison of Four Intrusion Detection Systems for Secure E-Business

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Building the Next Generation of Computer Security Professionals. Chris Simpson

Open Source Software for Cyber Operations:

Security: Best Practice and Monitoring

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

SECURITY ADVISORY FROM PATTON ELECTRONICS

Suricata Performance White Paper

Intrusion Detection Systems (IDS)

The Bro Network Intrusion Detection System

OSSEC & OSSIM Unified Open Source Security. san8ago@alienvault.com

The HoneyNet Project Scan Of The Month Scan 27

Monitoring Anything and Everything with Nagios. Chris Burgess

Architecture Overview

Signature Based Intrusion Detection System Using SNORT

Using cyber intelligence to detect and localize botnets. ENRICO BRANCA Botconf' December 2013, Nantes, France.

Transcription:

Security Onion Peel Back the Layers of Your Network in Minutes Doug Burks

tcpdump -nnai eth1 -s0 grep -A5 "Doug Burks" About Doug Burks: Christian, husband, father Corporate Incident Handler for Mandiant SANS GSE and Community Instructor President of Greater Augusta ISSA Founder and lead developer of Security Onion

What is Security Onion? Security Onion is a FREE Linux distro for: intrusion detection network security monitoring log management

What data does it give me? Flow data from Argus, Bro, and PRADS Alert data NIDS alerts from Snort/Suricata HIDS alerts from OSSEC Syslog data received by syslog-ng or sniffed by Bro Asset data from Bro and PRADS Transaction data http/ftp/dns/ssl/other logs from Bro Full content data from netsniff-ng

Does it scale? Big Onions 64-bit Big Traffic PF_RING Big Data ELSA

How many Security Onion users are there? Over 100,000 ISO downloads from Sourceforge! Security Onion 10.04 ISO (based on Ubuntu 10.04) - 37,777 Security Onion 12.04 ISO (released 12/31/2012) - 34,573 Security Onion 12.04.1 ISO (released 6/10/2013) - 7,511 Security Onion 12.04.2 ISO (released 7/25/2013) - 6,396 Security Onion 12.04.3 ISO (released 9/14/2013) - 15,824???? From BitTorrent???? Ubuntu/Kubuntu/Lubuntu + Security Onion PPA

What has changed since last FloCon? Updated just about every piece of software, including: Snort, Suricata, Bro, PF_RING, PRADS, ELSA, Snorby, Squert, CapMe, NetworkMiner Fixed lots o bugs! Moved to a standard argus.conf to allow more Argus customization Added more knobs for tuning: Enable/disable sensor processes Adjustable netsniff-ng (full packet capture) settings Adjustable log purge threshold Added OnionSalt to manage lots o onions

What does it look like?

Answer a few simple questions

Snorby

Pivot to pcap from Snorby

CapME

Squert web interface

Sguil client

Pivot to pcap from Sguil

NetworkMiner There s gold in them thar PCAPs!

ELSA

Pivot to pcap from ELSA

Ooh shiny

Case Study Was an EXE downloaded? Was it executed? Was the computer compromised? Was there any data exfil?

Bro Flow

Who did this IP talk to?

And over what ports?

What all do we know about the source?

Found an EXE

IP address in EXE

Traffic to hardcoded IP address

Interesting FTP Activity

Interesting FTP Activity

Interesting FTP Activity - RAR

Extract the RAR

What s in the RAR?

Future of Security Onion More documentation Best practices Tuning Web interface for administration More/better integration with Argus? Add Silk? Others?

Where do we go now? http://securityonion.net Updates are announced here and it also has the following links: Download/Install FAQ Mailing Lists IRC #securityonion on irc.freenode.net @securityonion Security Onion classes throughout 2014!