Chris Mohan
@Chris_mohan
Road Map: Just like Incident Response
1. Plan (think, design and dream)
2. Install, Update
3. Configure
4. Test
5. Review
What's happening tonight
• Quick overview of the Security Onion and NSM for those new to it
• Suggestions on how to set up
• Demo (if the Security Onion Demo gods are kind)
• Questions/Discussion
Network Security Monitoring?
"Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."
– Richard Bejtlich (@taosecurity)
Security Onion?
Security Onion is a network security monitoring (NSM) system that provides full context and forensic visibility into the traffic it monitors.
It's a prebuilt environment of fantastic open source security tools, all in one place, designed for defenders.
Like Backtrack, everything just works, and those tools work together.
Linux guru-ness not needed: very basic Linux and that's it.
What in the Onion?
Over 60 custom tools, including:
Snort – Signature-based IDS
Sguil – Security analyst console
Squert – View HIDS/NIDS alerts and HTTP logs
Snorby – View and annotate IDS alerts
ELSA – Search logs (IDS, Bro and syslog)
Bro – Powerful network analysis framework with highly detailed logs
OSSEC – Monitors local logs, file integrity & rootkits
Built by One, supported by Many
Created and maintained by Doug Burks (@dougburks)
The security community is steadily supporting it
"He really wanted to make Sguil & NSM 'easier' to deploy – mission accomplished!" – Ash Deuble, live interpretive dance winner, AusCERT 2013
Planning
What does your network look like?
What are you trying to protect, and how?
How much traffic travels over it each day/week/month?
Do you have the right hardware: router, switch, Security Onion system?
It has to fit YOUR needs, YOUR environment and YOUR requirements, not some random guide from the Intertubes.
Installation – It's Quick and Easy
Stop! Test Rig Check!
Physical or Virtual?
• Minimum of 2GB of RAM
• 2 interfaces:
  • 1 management
  • 1 sensor
• Plenty of disk
Test, test, TEST!
Get used to the SO interfaces; Sguil is the first stop.
1. Set up Metasploitable 2: http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
2. Set up an attacker (Backtrack or your SANS Linux VM)
3. Launch attacks to trigger alerts
4. OWASP Top 10 as the infrastructure attacks
5. Execute copies of drive-by download attacks for users (e.g. visit sites listed on malwaredomains.com with a sacrificial Windows XP machine and save the PCAP)
Writing Your Own Rules
Rules are written using the Snort format.
Rules added to /etc/nsm/rules/local.rules won't be changed by the automated IDS rule updates.
alert tcp any any -> $HOME_NET 56561 (msg:"Eak! Snowden's at it again"; reference:url,code.google.com/p/security-onion/wiki/AddingLocalRules; content:"secrets"; flow:to_server; nocase; sid:9101666; rev:1;)
Then apply it:
$ sudo rule-update
How to test? Scapy to the rescue!
from scapy.all import IP, TCP, send

# Craft the layer 3 (IP) information.
# The IP addresses can be random, but I would suggest sticking to RFC1918.
ip = IP()
ip.dst = "192.168.200.4"   # this should be in your $HOME_NET range!
ip.src = "192.168.100.3"
# Craft the layer 4 (TCP) information.
# The destination port must match the one in your Snort rule
# (the rule on the previous slide uses 56561, so change this to match).
tcp = TCP()
tcp.dport = 7789
tcp.sport = 1234
# Set the payload; "nocase" in the rule means this mixed case still matches "secrets".
payload = "SeCrEtS"
# Use the / operator to compose the packet and transfer it with the send() method.
send(ip/tcp/payload, iface="eth0")

https://code.google.com/p/security-onion/wiki/AddingLocalRules – Russ McRee
http://media.packetlife.net/media/library/36/scapy.pdf – Quick Scapy reference
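Before sending a Scapy packet at the sensor, it helps to know whether the payload and port you built actually satisfy the rule you wrote. The following is an added example, not code from the slides or from the Security Onion project: it reads the header and the few options used on the "Writing Your Own Rules" slide (msg, content, nocase, sid, destination port) and applies the port and content checks to a candidate payload. It is not a Snort engine; flow/state options are ignored and only plain content patterns are handled.

```python
"""Sanity-check a Scapy test payload against a local Snort rule before sending it."""
import re

# The rule from the "Writing Your Own Rules" slide, as it would sit in
# /etc/nsm/rules/local.rules.
LOCAL_RULE = (
    'alert tcp any any -> $HOME_NET 56561 (msg:"Eak! Snowden\'s at it again"; '
    'reference:url,code.google.com/p/security-onion/wiki/AddingLocalRules; '
    'content:"secrets"; flow:to_server; nocase; sid:9101666; rev:1;)'
)

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$'
)


def split_options(options):
    """Split the option body on ';' characters that are not inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in options:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule):
    """Return header fields plus msg, sid and the ordered list of content checks."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a Snort rule: %r" % rule)
    info = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    info.update(msg=None, sid=None, contents=[])
    for opt in split_options(m.group("options")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            # 'nocase' is a modifier on the content that precedes it, so start case-sensitive.
            info["contents"].append({"pattern": val.strip('"'), "nocase": False})
        elif key == "nocase" and info["contents"]:
            info["contents"][-1]["nocase"] = True
        elif key == "sid":
            info["sid"] = int(val)
        elif key == "msg":
            info["msg"] = val.strip('"')
    return info


def payload_matches(rule, dport, payload):
    """True if a TCP packet to `dport` carrying `payload` (bytes) satisfies the
    rule's destination port and every content check."""
    if rule["dport"] != "any" and int(rule["dport"]) != dport:
        return False
    for check in rule["contents"]:
        hay, needle = payload, check["pattern"].encode()
        if check["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


if __name__ == "__main__":
    rule = parse_rule(LOCAL_RULE)
    print("sid %d: %s" % (rule["sid"], rule["msg"]))
    # The Scapy script on this slide uses port 7789; the rule wants 56561.
    for port in (7789, 56561):
        print("dport %5d, payload SeCrEtS -> %s"
              % (port, payload_matches(rule, port, b"SeCrEtS")))
```

Run it and the two ports give different answers: the mixed-case "SeCrEtS" payload matches because of nocase, but only when the destination port agrees with the rule, which is the usual reason a freshly written local rule "doesn't fire" during testing.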
Release the Hounds! Well, sort of…
Steady.
Take PCAPs of the live network (permission is a must).
Use tcpreplay to unleash those PCAPs on the test network.
Why?
Baseline:
Understand what's on the network
What alerts are likely to kick off
What the consoles look like
Now it's too noisy, or Fine Tuning
Find the noisy rule(s) by any method:
• Snorby
• Squert
• Sguil
• even from the command line!
Is it a real problem that should be fixed?
Should I disable the sid?
Read the whole story:
https://code.google.com/p/security-onion/wiki/ManagingAlerts – Scott Runnels
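The "even from the command line" option, as an added example (not from the slides or the Security Onion project): tally alerts by sid from Snort alert_fast lines and report how many distinct source hosts fired each one, since a rule firing from one host is a different tuning question from one firing across the whole segment. The sample lines are constructed for the example; sids 9100001 and 9100002 and their messages are made up, while 9101666 is the local rule from the earlier slide. What to do about a sid once found (fix the underlying problem, disable it, or leave it) is the question the slide asks and the ManagingAlerts wiki answers.

```python
"""Tally Snort alerts by sid to find the noisy rules before deciding what to tune."""
import re
from collections import Counter, defaultdict

# Constructed sample in Snort's alert_fast format (not a real capture).
SAMPLE_ALERTS = """\
07/15-22:10:01.123456  [**] [1:9100001:2] LOCAL example chatty rule [**] [Priority: 3] {TCP} 192.168.100.3:51000 -> 192.168.200.4:80
07/15-22:10:02.223456  [**] [1:9100001:2] LOCAL example chatty rule [**] [Priority: 3] {TCP} 192.168.100.7:51001 -> 192.168.200.4:80
07/15-22:10:03.323456  [**] [1:9101666:1] Eak! Snowden's at it again [**] [Priority: 3] {TCP} 192.168.100.3:1234 -> 192.168.200.4:56561
07/15-22:10:04.423456  [**] [1:9100001:2] LOCAL example chatty rule [**] [Priority: 3] {TCP} 192.168.100.9:51002 -> 192.168.200.4:80
07/15-22:10:05.523456  [**] [1:9100002:1] LOCAL example rare rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.3:53000 -> 192.168.200.4:53
07/15-22:10:06.623456  [**] [1:9100001:2] LOCAL example chatty rule [**] [Priority: 3] {TCP} 192.168.100.3:51003 -> 192.168.200.4:80
07/15-22:10:07.723456  [**] [1:9101666:1] Eak! Snowden's at it again [**] [Priority: 3] {TCP} 192.168.100.3:1235 -> 192.168.200.4:56561
07/15-22:10:08.823456  [**] [1:9100001:2] LOCAL example chatty rule [**] [Priority: 3] {TCP} 192.168.100.7:51004 -> 192.168.200.4:80
07/15-22:10:09.923456  [**] [1:9101666:1] Eak! Snowden's at it again [**] [Priority: 3] {TCP} 192.168.100.3:1236 -> 192.168.200.4:56561
07/15-22:10:10.023456  [**] [1:9100001:2] LOCAL example chatty rule [**] [Priority: 3] {TCP} 192.168.100.9:51005 -> 192.168.200.4:80
"""

# [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?'
)


def parse_alert(line):
    """Return gid/sid/rev, message, protocol and endpoints of one alert_fast line, or None."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def noisy_sids(lines, top=3):
    """Rank sids by alert count (most common first) with each one's share of all
    alerts and the number of distinct source hosts that triggered it."""
    counts, msgs, sources = Counter(), {}, defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # blank or unparseable line; skip rather than crash the tally
        sid = int(alert["sid"])
        counts[sid] += 1
        msgs[sid] = alert["msg"]
        sources[sid].add(alert["src"])
    total = sum(counts.values())
    return [
        {"sid": sid, "msg": msgs[sid], "count": n,
         "share": n / total, "sources": len(sources[sid])}
        for sid, n in counts.most_common(top)
    ]


if __name__ == "__main__":
    for row in noisy_sids(SAMPLE_ALERTS.splitlines()):
        print("sid %-8d %3d alerts (%3.0f%%) from %d host(s)  %s"
              % (row["sid"], row["count"], 100 * row["share"],
                 row["sources"], row["msg"]))
```

Point the same function at the real file instead of SAMPLE_ALERTS (for example `noisy_sids(open(path))`) and the top rows are the sids to take to the tuning discussion; the "sources" column is what tells you whether the fix belongs on one host or in the rule.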
Need more traffic?
To the Intertubes!
Find challenges; start with the easy ones that come with answers:
http://www.wiresharktraining.com/sharkfest2013/Sharkfest2013ChallengeTraces.zip
http://www.honeynet.org/challenges
Then try your own:
Dump your own home network & use tcpreplay to run controlled blocks
Demo*
Additional Reading
Project Home: http://code.google.com/p/security-onion/
Blog: http://securityonion.blogspot.com
Mailing Lists: http://code.google.com/p/security-onion/wiki/MailingLists
Google Group: https://groups.google.com/forum/?fromgroups#!forum/security-onion
Wiki: http://code.google.com/p/security-onion/w/list
Thanks to:
Ash Deuble (@ashd_au) – and have a look at his intro to using Security Onion video: http://security.crudtastic.com/?p=674
Also worth checking out, from the Star Wars Lego crazed Mark Hillick (@markofu): http://www.slideshare.net/markofu/peeling-back-your-network-layers-with-security-onion
Discussion time

Security Onion talk in Singapore July 2013
