IDS, NSM, and Log Management with Security Onion 12.04.3

Published: 2013-09-24
Last Updated: 2013-09-24 19:11:56 UTC
by Tom Webb (Version: 1)
0 comment(s)

This is a "guest diary" submitted by Doug Burks. We will gladly forward any responses, or you can use our comment/forum section to comment publicly.

I recently announced the new Security Onion 12.04.3:
 
What is Security Onion?
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
 
Can I see it in action?
The video and slides from my recent BSidesAugusta presentation are available:
 
I also just published a series of walkthrough videos as well:
 
How do I get it?
Download our ISO image (based on Xubuntu 12.04 64-bit) OR start with your preferred flavor of Ubuntu 12.04 (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server), 32-bit or 64-bit, add our PPA and install our packages. Please see our Installation guide for further details:
 
Lots o' Logs
If you connect Security Onion to a tap or SPAN port, it will generate lots of logs out of the box:
- NIDS alerts from Snort or Suricata
- Bro conn.log - session data (one record per connection seen on your network)
- Bro dns.log - all DNS transactions seen on your network
- Bro http.log - all HTTP transactions seen on your network
- Bro notice.log - events of interest
- Bro ssl.log - SSL certificate details
- and many more!
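Every one of those Bro logs uses the same tab-separated layout with a #fields header, so a single parser covers conn.log, dns.log, http.log and the rest; only the field names change. The following is an added example (my code, not Security Onion's or Bro's): it reads a constructed dns.log sample and runs two quick hunts over it, flagging long high-entropy labels and counting NXDOMAIN responses per client. The sample records, the abbreviated field list and the hunt thresholds are assumptions for illustration.

```python
"""Parse Bro's tab-separated logs and run a small DNS hunt over them.

Added example, not Security Onion or Bro code. The sample log below is
constructed to mimic Bro 2.x dns.log output (its #fields list is
abbreviated); the hunt thresholds are illustrative assumptions.
"""
import math
from collections import Counter

# Constructed sample dns.log. The Python \t escapes become real tabs; the
# "#separator \x09" line is kept literal, as Bro writes it, because the
# separator is not known until that line has been read.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tquery\tqtype_name\trcode_name\tanswers\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tstring\tstring\tvector[string]\n"
    "1379980800.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.1\t53\tudp"
    "\twww.example.com\tA\tNOERROR\t93.184.216.34,93.184.216.35\n"
    "1379980801.000001\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t10.0.0.1\t53\tudp"
    "\tupdate.example.org\tA\tNOERROR\t-\n"
    "1379980802.500000\tCX3Lp64MQwMwcSfdk\t10.0.0.7\t40001\t10.0.0.1\t53\tudp"
    "\tq3v7x9k2m8r5t1w4y6z0b2d4f6h8j0l2n4p6r8t0.bad.example\tTXT\tNOERROR\t-\n"
    "1379980803.750000\tCFbFQ2fEjivNuzQpe\t10.0.0.7\t40002\t10.0.0.1\t53\tudp"
    "\tn8b3c5d7e9f1g2h4i6j8k0l2m4n6o8p0q2r4s6t8.bad.example\tTXT\tNXDOMAIN\t-\n"
    "#close\t2013-09-24-13-00-00\n"
)


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.

    Honours the #separator, #set_separator, #unset_field and #empty_field
    headers, so the same function reads conn.log, http.log, ssl.log and so
    on. Unset fields become None; vector/set columns become Python lists.
    """
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types = None, None
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            # Space-delimited with an escape such as \x09, decoded here.
            sep = raw[len("#separator "):].encode().decode("unicode_escape")
            continue
        if raw.startswith("#"):
            key, _, value = raw[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open and #close carry no record data
        if fields is None:
            raise ValueError("record before #fields header: %r" % raw)
        cols = raw.split(sep)
        if len(cols) != len(fields):
            raise ValueError("column count mismatch: %r" % raw)
        col_types = types or [""] * len(fields)
        rec = {}
        for name, typ, col in zip(fields, col_types, cols):
            is_multi = typ.startswith(("vector", "set", "table"))
            if col == unset:
                rec[name] = None
            elif col == empty:
                rec[name] = [] if is_multi else ""
            elif is_multi:
                rec[name] = col.split(set_sep)
            else:
                rec[name] = col
        yield rec


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def hunt_suspicious_dns(records, min_label_len=30, min_entropy=3.5):
    """Return (client, query) pairs whose leftmost label is long and
    high-entropy, a crude indicator of DNS tunnelling or DGA traffic.
    The thresholds are illustrative assumptions, not Bro defaults."""
    hits = []
    for r in records:
        query = r.get("query") or ""
        label = query.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits.append((r["id.orig_h"], query))
    return hits


def nxdomain_by_client(records):
    """Count NXDOMAIN responses per client; a sudden spike often means a DGA."""
    return Counter(r["id.orig_h"] for r in records
                   if r.get("rcode_name") == "NXDOMAIN")


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_DNS_LOG))
    for client, query in hunt_suspicious_dns(recs):
        print("suspicious query from %s: %s" % (client, query))
    print("NXDOMAIN per client:", dict(nxdomain_by_client(recs)))
```

On a real sensor you would point parse_bro_log at /nsm/bro/logs/current/dns.log (or the rotated copies) and raise the thresholds until the false-positive rate is tolerable for your network; the parser reads the header rather than hard-coding column positions precisely so that it keeps working when a Bro upgrade adds or reorders fields.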
 
In addition, you can install OSSEC agents on other boxes on your network and point them to the OSSEC Server that's already running on Security Onion. You'll then get the raw logs from those OSSEC agents, and you'll also get HIDS alerts as the OSSEC Server analyzes those logs. For those devices that can't run an OSSEC agent, you can point their syslog to the syslog-ng collector on Security Onion.
 
How do we manage all those logs?
ELSA is a great tool for hunting through your logs. Martin Holste, the author of ELSA, describes it like this:
"ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web."
 
Take a look at the following ELSA video to see how you can slice and dice your logs very quickly and easily:
 
----
Doug Burks
Want to learn more about Log Management? Join me for SANS SEC434 Log Management In-Depth in Memphis, TN on October 16th and 17th!
 

 
