Chris Mohan
@Chris_mohan
1.Plan (think, design and dream)
2.Install, Update
3.Configure
4.Test
5.Review
Road Map: Just like Incident Response
• Quick overview of the Security
Onion and NSM for those new to it
• Suggestions on how to set up
• Demo (if the Security Onion Demo gods are kind)
• Questions/Discussion
What’s happening tonight
"Network security monitoring is the
collection, analysis, and escalation of
indications and warnings to detect and
respond to intrusions."
– Richard Bejtlich (@taosecurity)
Network Security Monitoring?
Security Onion is a network security monitoring (NSM) system that provides
full context and forensic visibility into the traffic it monitors
It’s a prebuilt environment of fantastic open source security tools all in one
place, designed for defenders.
Like BackTrack, everything just works
And those tools work together
Linux guru-ness not needed, very basic Linux and that’s it
Security Onion?
Over 60 custom tools
Snort – Signature based IDS
Sguil – Security analyst console
Squert – View HIDS/NIDS alerts and HTTP logs
Snorby – View and annotate IDS alerts
ELSA – Search logs (IDS, Bro and syslog)
Bro – Powerful network analysis framework with highly
detailed logs
OSSEC – Monitors local logs, file integrity & rootkits
What’s in the Onion?
Created and maintained by Doug Burks @dougburks
The security community is steadily supporting it
“He really wanted to make Sguil & NSM “easier” to deploy – mission
accomplished!” Ash Deuble, live interpretive dance winner AusCERT 2013
Built by One, supported by Many
What does your network look like?
What and how are you trying to protect?
How much traffic travels over it each day/week/month?
Do you have the right hardware:
Router, switch, Security Onion system?
Has to fit YOUR needs, fit YOUR environment and
requirements, not some random guide from the Intertubes
Planning
Installation – It’s Quick and Easy
Stop! Test Rig Check!
Physical or Virtual?
• Minimum of 2GB of RAM
• 2 Interfaces:
• 1 Management
• 1 Sensor
• Plenty of Disk
Get used to the SO interfaces; Sguil is the first stop
1. Set up Metasploitable 2
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
2. Set up an attacker (BackTrack or your SANS Linux VM)
3. Launch attacks to trigger alerts
4. OWASP Top 10 as the infrastructure attacks
5. Execute copies of drive-by download attacks for users
(e.g. visit sites listed on malwaredomains.com with a sacrificial Windows XP machine and save the PCAP)
Test, test, TEST!
Rules are written in the Snort format.
Rules added to /etc/nsm/rules/local.rules
won’t be changed by the automated IDS rule updates

alert tcp any any -> $HOME_NET 56561 (msg:"Eak! Snowden's at it again"; reference:url,code.google.com/p/security-onion/wiki/AddingLocalRules; content:"secrets"; flow:to_server; nocase; sid:9101666; rev:1;)

(Snort’s reference option takes the form system,id; for url the scheme is left off. Every option ends with a semicolon.)
Then load it:
$ sudo rule-update
Writing Your Own Rules
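A quick check to run over local.rules before rule-update, as an added example (this is not code from the original slides or from the Security Onion project). It parses each rule header and option list and flags the things that most often go wrong in hand-written rules: a missing msg, sid or rev, a sid below the 1,000,000 range Snort leaves free for local rules, the same sid used twice, a tcp content rule with no flow direction, and a reference without its system prefix. The sample rules at the bottom are constructed for the example; the first one is the rule from the slide. The authoritative syntax check is still Snort itself (snort -T with the sensor’s config), this just catches the silly mistakes first.

```python
"""Sanity-check a Security Onion local.rules file before running rule-update.

Added example, not part of the original slides or of Security Onion.
Returns (line_number, problem) tuples; line 0 is used for file-wide problems.
"""
import re
from collections import Counter

# Snort reserves SIDs below 1,000,000 for distributed rulesets; local rules
# should sit at or above it so they never collide with a downloaded rule.
LOCAL_SID_MIN = 1_000_000

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_options(opts):
    """Split the option body into (keyword, value) pairs.

    A ';' may legitimately appear inside quotes (content:"a;b"), so the string
    is walked character by character instead of split naively.
    """
    pairs, buf, in_quote = [], "", False
    def flush():
        if buf.strip():
            k, _, v = buf.strip().partition(":")
            pairs.append((k.strip(), v.strip()))
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            flush()
            buf = ""
        else:
            buf += ch
    flush()
    return pairs

def lint_rules(text):
    """Return a list of (line_number, problem) for every rule line in text."""
    problems, sids = [], Counter()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((n, "cannot parse rule header/options"))
            continue
        pairs = parse_options(m.group("opts"))
        keys = [k for k, _ in pairs]
        opts = dict(pairs)
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                problems.append((n, f"missing {required}"))
        if "sid" in opts:
            if not opts["sid"].isdigit():
                problems.append((n, "sid is not numeric"))
            else:
                sid = int(opts["sid"])
                sids[sid] += 1
                if sid < LOCAL_SID_MIN:
                    problems.append((n, f"sid {sid} is below the local range ({LOCAL_SID_MIN}+)"))
        if m.group("proto") == "tcp" and "content" in keys and "flow" not in keys:
            problems.append((n, "tcp content rule without flow: will match both directions"))
        if "reference" in opts and "," not in opts["reference"]:
            problems.append((n, "reference needs the form system,id (e.g. url,example.com/page)"))
    for sid, count in sids.items():
        if count > 1:
            problems.append((0, f"sid {sid} used {count} times"))
    return problems

# Constructed sample file: the slide's rule plus three deliberately flawed ones.
SAMPLE_LOCAL_RULES = """\
# constructed sample local.rules
alert tcp any any -> $HOME_NET 56561 (msg:"Eak! Snowden's at it again"; reference:url,code.google.com/p/security-onion/wiki/AddingLocalRules; content:"secrets"; flow:to_server; nocase; sid:9101666; rev:1;)
alert tcp any any -> $HOME_NET 7789 (msg:"copied without flow"; reference:https://example.invalid/wiki; content:"toolsmith"; sid:9000000; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"no sid here"; content:"|00 01|";)
alert tcp any any -> $HOME_NET 56561 (msg:"duplicate sid"; content:"secrets"; flow:to_server; sid:9101666; rev:2;)
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCAL_RULES
    for n, problem in lint_rules(text):
        print(f"line {n}: {problem}")
```

Run it as `python lint_local_rules.py /etc/nsm/rules/local.rules` (the file name is whatever you save the script as); with no argument it checks the constructed sample and reports the three bad rules while passing the slide’s rule.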
from scapy.all import *

# Craft the layer 3 (IP) information.
# The addresses can be anything, but stick to RFC1918, and ip.dst must fall
# inside the $HOME_NET range the sensor monitors or the rule will never match.
ip = IP()
ip.dst = "192.168.200.4"   # this should be in YOUR IP range!
ip.src = "192.168.100.3"

# Craft the layer 4 (TCP) information.
# The destination port must be the one in the Snort rule above (56561).
tcp = TCP()
tcp.dport = 56561
tcp.sport = 1234
# Send it as a data segment (PSH/ACK) rather than Scapy's default SYN, so the
# stream preprocessor treats the payload as session data.
tcp.flags = "PA"

# Set the payload. The rule has nocase, so mixed case still matches.
payload = "SeCrEtS"

# Use the / operator to compose the packet and transmit it with send().
# Run as root; iface must be an interface the sensor can see.
send(ip/tcp/payload, iface="eth0")

https://code.google.com/p/security-onion/wiki/AddingLocalRules - Russ McRee
http://media.packetlife.net/media/library/36/scapy.pdf - Quick Scapy reference
How to test? Scapy to the rescue!
Steady.
PCAPs of the live network (permission is a must)
tcpreplay them onto the test network and unleash those PCAPs on the sensor
Why?
Baseline
Understand what’s on the network
What alerts are likely to kick off
What the consoles look like
Release the Hounds! Well, sort of…
Find the noisy rule(s) by any method:
• Snorby
• Squert
• Sguil
• even from the command line!
Is it a real problem that should be fixed?
Or should I disable the sid?
Read the whole story:
https://code.google.com/p/security-onion/wiki/ManagingAlerts
- Scott Runnels
Now it’s too noisy, or Fine Tuning
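The “from the command line” option, as an added example (not code from the original slides or from Security Onion). Security Onion tunes downloaded rules through PulledPork: a gid:sid line in /etc/nsm/pulledpork/disablesid.conf removes a rule entirely, while Snort’s threshold.conf takes suppress lines (silence a rule for one host) and event_filter lines (rate-limit it); rule-update applies both. The script reads alerts in Snort’s fast format, counts them per rule and per rule plus source host, and drafts the candidate lines. The sample alert lines are constructed; the first rule message is a real GPL rule, the other two SIDs and messages are fictional. Whether to suppress, rate-limit, disable, or actually fix the offending host is still the analyst’s decision.

```python
"""Rank noisy IDS rules from the command line and draft the tuning entries.

Added example; not code from the original slides or from Security Onion.
Input is Snort "fast" alert format (snort -A fast / barnyard2 fast output).
"""
import re
from collections import Counter

FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(lines):
    """Yield a dict per parseable fast-format alert line; other lines are skipped."""
    for line in lines:
        m = FAST_RE.search(line)
        if m:
            yield m.groupdict()

def rank_alerts(lines):
    """Return (hits per (gid, sid), hits per (gid, sid, src), msg per rule)."""
    by_sid, by_sid_src, msgs = Counter(), Counter(), {}
    for a in parse_alerts(lines):
        key = (int(a["gid"]), int(a["sid"]))
        by_sid[key] += 1
        by_sid_src[key + (a["src"],)] += 1
        msgs[key] = a["msg"]
    return by_sid, by_sid_src, msgs

def tuning_suggestions(lines, top=3, min_hits=5, single_source_ratio=0.9):
    """Draft threshold.conf / disablesid.conf lines for the noisiest rules.

    One host causing nearly all hits on a rule gets a precise 'suppress' for
    that host; a rule firing from many sources gets an event_filter, with the
    disablesid entry shown for when the analyst agrees the rule is useless here.
    """
    by_sid, by_sid_src, msgs = rank_alerts(lines)
    out = []
    for (gid, sid), n in by_sid.most_common(top):
        if n < min_hits:
            continue
        (_, _, src), n_src = max(
            ((k, c) for k, c in by_sid_src.items() if k[:2] == (gid, sid)),
            key=lambda kv: kv[1])
        if n_src / n >= single_source_ratio:
            out.append(f"# {msgs[(gid, sid)]}: {n_src}/{n} hits from {src} -> threshold.conf")
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            out.append(f"# {msgs[(gid, sid)]}: {n} hits from many sources -> rate-limit, or disable if agreed")
            out.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds 60")
            out.append(f"# disablesid.conf: {gid}:{sid}")
    return out

# --- constructed sample alert log in Snort fast format ---

def fast_line(ts, gid, sid, rev, msg, src, dst, proto="TCP"):
    """Build one fast-format line the way snort -A fast / barnyard2 print it."""
    return (f"07/10-{ts}  [**] [{gid}:{sid}:{rev}] {msg} [**] "
            f"[Classification: Sample] [Priority: 2] {{{proto}}} {src} -> {dst}")

SAMPLE_ALERTS = (
    # one web server tripping the same (real) GPL response rule against nine clients
    [fast_line(f"22:14:{i:02d}.000001", 1, 2100498, 7,
               "GPL ATTACK_RESPONSE id check returned root",
               "10.0.0.5:80", f"192.168.1.{10 + i}:51000") for i in range(9)]
    # a policy rule (fictional SID and msg) firing from five different hosts
    + [fast_line(f"22:15:{i:02d}.000001", 1, 2010001, 3, "ET POLICY Sample User-Agent Outbound",
                 f"192.168.1.{20 + i}:44001", "10.0.0.5:80") for i in range(5)]
    # a single scan hit (fictional SID and msg): too few hits to count as noise
    + [fast_line("22:16:00.000001", 1, 2010002, 1, "ET SCAN Sample Port Scan",
                 "203.0.113.7:40000", "192.168.1.10:22")]
    + ["barnyard2 startup message, not an alert"]
)

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print("\n".join(tuning_suggestions(lines)))
```

The single-source case in the sample is the interesting one: nine hits of “id check returned root” all come from one web server, so a suppress for that host keeps the rule alive for everyone else instead of throwing it away with disablesid.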
To the Intertubes!
Find challenges; start with the easy ones that come with answers:
http://www.wiresharktraining.com/sharkfest2013/Sharkfest2013ChallengeTraces.zip
http://www.honeynet.org/challenges
Then try your own –
Dump your own home network & use tcpreplay to run controlled blocks
Need more traffic?
Demo*
Project Home http://code.google.com/p/security-onion/
Blog http://securityonion.blogspot.com
Mailing Lists http://code.google.com/p/security-onion/wiki/MailingLists
Google Group https://groups.google.com/forum/?fromgroups#!forum/security-onion
Wiki http://code.google.com/p/security-onion/w/list
Additional Reading
Thanks to:
Ash Deuble (@ashd_au)
And have a look at his intro to using Security Onion video:
http://security.crudtastic.com/?p=674
Also worth checking out, from the Star Wars Lego crazed Mark
Hillick (@markofu):
http://www.slideshare.net/markofu/peeling-back-your-network-layers-with-security-onion
Discussion time
Security Onion talk in Singapore July 2013