SlideShare a Scribd company logo

Security Onion - Part 1

N
Nishanth Kumar Pathi

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Technology
1 of 18
n|u / OWASP / G4H / SecurityXploded meet Nishanth Kumar n|u bangalore chapter member 18 Jan 2014
What is Security Onion?  Security Onion is a Linux distro for  Intrusion detection,  Network security monitoring, and  log management 18 Jan 2014
Onion Layers • Ubuntu based OS • Snort , Suricata • Snorby • Bro • Sguil • Squert • ELSA • NetworkMiner • PADS ( Passive Attack Detection System ) • ………Many other tools . 18 Jan 2014
Now lets peel the onion layers & see what exactly each layer has …. 18 Jan 2014
Snort / Suricata  Snort is an open source network intrusion detection and prevention system (IDS/IPS)  Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine . 18 Jan 2014
Why to use only those IDS Engines  Highly Scalable  Protocol Identification  File Identification,  MD5 Checksums  File Extraction 18 Jan 2014
Snorby  Ruby on Rails Application for Network Security Monitoring ( Web frontend )  Metrics & Reports  Classifications  Full Packet  Custom Settings  Hotkeys 18 Jan 2014
Bro  Bro is a powerful network analysis framework that is much different from the typical IDS you may know.  high-level semantic analysis at the application layer.  site-specific monitoring policies.  comprehensively logs what it sees and provides a high-level archive of a network's activity. 18 Jan 2014
Features of BRO  All HTTP sessions with their requested URIs  key headers  MIME types, and server responses  DNS requests with replies  SSL certificates  key content of SMTP sessions  ………….and much more. 18 Jan 2014
Sguil  It is an analyst console for Security Monitoring  It’s a powerful and capable solution for  Event Analysis  Coreleation and  review Even ….  real-time events  session data  raw packet captures. 18 Jan 2014
Squert  A web interface to query and view Sguil event data and designed to supplement Sguil by providing addition context around the events .  Squert is a visual tool  additional context to events ……  metadata,  time series representations  weighted and logically grouped result sets 18 Jan 2014
18 Jan 2014
Enterprise-Log-Search-andArchive  Centralized syslog framework built on  Syslog-NG  MySQL  Sphinx full-text search. Allows for event searching and visualization of all the Log data security onion consumes , including    OSSEC Snort / Suricata BRO IDS Distributed log Archive System 18 Jan 2014
Features of ELSA • High-volume receiving/indexing • Full Active Directory/LDAP integration for • • • • authentication, authorization, email settings Dashboards using Google Visualizations Email alerting, scheduled reports. Plugin architecture for web interface Distributed architecture for clusters 18 Jan 2014
Network miner  Network Forensic Analysis Tool  passive network sniffer/packet capturing tool  operating systems  Sessions  Hostnames  open ports etc 18 Jan 2014
Sec Onion Support ……….  Alert data - HIDS alerts from OSSEC and NIDS      alerts from Snort/Suricata Asset data from Pads and Bro Full content data from netsniff-ng Host data via OSSEC and syslog-ng Session data from Argus, Pads, and Bro Transaction data - http/ftp/dns/ssl/other logs from Bro 18 Jan 2014
Refrences  http://blog.securityonion.net/  http://www.bro.org  http://www.snort.org/  http://www.google.com 18 Jan 2014
Its time for DEMO 18 Jan 2014

Recommended

Security Onion - Introduction
Security Onion - IntroductionSecurity Onion - Introduction
Security Onion - Introduction
n|u - The Open Security Community
 
Defensive information warfare on open platforms
Defensive information warfare on open platformsDefensive information warfare on open platforms
Defensive information warfare on open platforms
Ben Tullis
 
Security Onion
Security OnionSecurity Onion
Security Onion
n|u - The Open Security Community
 
Security Onion: Watching for Leeks
Security Onion: Watching for LeeksSecurity Onion: Watching for Leeks
Security Onion: Watching for Leeks
Kory Kyzar
 
Security onion
Security onionSecurity onion
Security onion
Kaustubh Padwad
 
Security Onion
Security OnionSecurity Onion
Security Onion
johndegruyter
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
Ashley Deuble
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERT
Ashley Deuble
 

Recommended

Security Onion - Introduction
Security Onion - IntroductionSecurity Onion - Introduction
Security Onion - Introduction
n|u - The Open Security Community
 
Defensive information warfare on open platforms
Defensive information warfare on open platformsDefensive information warfare on open platforms
Defensive information warfare on open platforms
Ben Tullis
 
Security Onion
Security OnionSecurity Onion
Security Onion
n|u - The Open Security Community
 
Security Onion: Watching for Leeks
Security Onion: Watching for LeeksSecurity Onion: Watching for Leeks
Security Onion: Watching for Leeks
Kory Kyzar
 
Security onion
Security onionSecurity onion
Security onion
Kaustubh Padwad
 
Security Onion
Security OnionSecurity Onion
Security Onion
johndegruyter
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
Ashley Deuble
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERT
Ashley Deuble
 
Flow Monitoring Tools, What do we have, What do we need?
Flow Monitoring Tools, What do we have, What do we need?Flow Monitoring Tools, What do we have, What do we need?
Flow Monitoring Tools, What do we have, What do we need?
CSUC - Consorci de Serveis Universitaris de Catalunya
 
Linux for Cybersecurity CYB110 - Unit 8.ppsx
Linux for Cybersecurity CYB110 - Unit 8.ppsxLinux for Cybersecurity CYB110 - Unit 8.ppsx
Linux for Cybersecurity CYB110 - Unit 8.ppsx
BrenoMeister
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
Eagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slidesEagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slides
Manjunath M Gowda
 
Eagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slidesEagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slides
Manjunath M Gowda
 
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und QualysWebinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Georg Knon
 
Enterprise Sec + User Bahavior Analytics
Enterprise Sec + User Bahavior AnalyticsEnterprise Sec + User Bahavior Analytics
Enterprise Sec + User Bahavior Analytics
Splunk
 
SplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealthSplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealth
Stephanie Bies
 
SplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealthSplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealth
Stephanie Bies
 
An introduction to the prpl foundation
An introduction to the prpl foundationAn introduction to the prpl foundation
An introduction to the prpl foundation
Imagination Technologies
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdf
nitinscribd
 
"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014
"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014
"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014
Piyush Kumar
 
Capacity Planning Free Solution
Capacity Planning Free SolutionCapacity Planning Free Solution
Capacity Planning Free Solution
luanrjesus
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
Martin Schütte
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan Braganza
NSConclave
 
SplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealthSplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealth
Splunk
 
Ending the Tyranny of Expensive Security Tools
Ending the Tyranny of Expensive Security ToolsEnding the Tyranny of Expensive Security Tools
Ending the Tyranny of Expensive Security Tools
SolarWinds
 
Ending the Tyranny of Expensive Security Tools
Ending the Tyranny of Expensive Security ToolsEnding the Tyranny of Expensive Security Tools
Ending the Tyranny of Expensive Security Tools
Michele Chubirka
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
Hossein Yavari
 
Ending the Tyranny of Expensive Security Tools: A New Hope
Ending the Tyranny of Expensive Security Tools: A New HopeEnding the Tyranny of Expensive Security Tools: A New Hope
Ending the Tyranny of Expensive Security Tools: A New Hope
Michele Chubirka
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

More Related Content

Similar to Security Onion - Part 1

Eagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slidesEagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slides
Manjunath M Gowda
 
Eagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slidesEagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slides
Manjunath M Gowda
 
Capacity Planning Free Solution
Capacity Planning Free SolutionCapacity Planning Free Solution
Capacity Planning Free Solution
luanrjesus
 

Similar to Security Onion - Part 1 (20)

Flow Monitoring Tools, What do we have, What do we need?
Flow Monitoring Tools, What do we have, What do we need?Flow Monitoring Tools, What do we have, What do we need?
Flow Monitoring Tools, What do we have, What do we need?
 
Linux for Cybersecurity CYB110 - Unit 8.ppsx
Linux for Cybersecurity CYB110 - Unit 8.ppsxLinux for Cybersecurity CYB110 - Unit 8.ppsx
Linux for Cybersecurity CYB110 - Unit 8.ppsx
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Eagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slidesEagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slides
 
Eagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slidesEagle eye presentation ver 2.0 slides
Eagle eye presentation ver 2.0 slides
 
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und QualysWebinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
 
Enterprise Sec + User Bahavior Analytics
Enterprise Sec + User Bahavior AnalyticsEnterprise Sec + User Bahavior Analytics
Enterprise Sec + User Bahavior Analytics
 
SplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealthSplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealth
 
SplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealthSplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealth
 
An introduction to the prpl foundation
An introduction to the prpl foundationAn introduction to the prpl foundation
An introduction to the prpl foundation
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdf
 
"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014
"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014
"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014
 
Capacity Planning Free Solution
Capacity Planning Free SolutionCapacity Planning Free Solution
Capacity Planning Free Solution
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan Braganza
 
SplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealthSplunkLive! Customer Presentation – athenahealth
SplunkLive! Customer Presentation – athenahealth
 
Ending the Tyranny of Expensive Security Tools
Ending the Tyranny of Expensive Security ToolsEnding the Tyranny of Expensive Security Tools
Ending the Tyranny of Expensive Security Tools
 
Ending the Tyranny of Expensive Security Tools
Ending the Tyranny of Expensive Security ToolsEnding the Tyranny of Expensive Security Tools
Ending the Tyranny of Expensive Security Tools
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
 
Ending the Tyranny of Expensive Security Tools: A New Hope
Ending the Tyranny of Expensive Security Tools: A New HopeEnding the Tyranny of Expensive Security Tools: A New Hope
Ending the Tyranny of Expensive Security Tools: A New Hope
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

Security Onion - Part 1

  • 1. n|u / OWASP / G4H / SecurityXploded meet Nishanth Kumar n|u bangalore chapter member 18 Jan 2014
  • 2. What is Security Onion?  Security Onion is a Linux distro for  Intrusion detection,  Network security monitoring, and  log management 18 Jan 2014
  • 3. Onion Layers • Ubuntu based OS • Snort , Suricata • Snorby • Bro • Sguil • Squert • ELSA • NetworkMiner • PADS ( Passive Attack Detection System ) • ………Many other tools . 18 Jan 2014
  • 4. Now lets peel the onion layers & see what exactly each layer has …. 18 Jan 2014
  • 5. Snort / Suricata  Snort is an open source network intrusion detection and prevention system (IDS/IPS)  Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine . 18 Jan 2014
  • 6. Why to use only those IDS Engines  Highly Scalable  Protocol Identification  File Identification,  MD5 Checksums  File Extraction 18 Jan 2014
  • 7. Snorby  Ruby on Rails Application for Network Security Monitoring ( Web frontend )  Metrics & Reports  Classifications  Full Packet  Custom Settings  Hotkeys 18 Jan 2014
  • 8. Bro  Bro is a powerful network analysis framework that is much different from the typical IDS you may know.  high-level semantic analysis at the application layer.  site-specific monitoring policies.  comprehensively logs what it sees and provides a high-level archive of a network's activity. 18 Jan 2014
  • 9. Features of BRO  All HTTP sessions with their requested URIs  key headers  MIME types, and server responses  DNS requests with replies  SSL certificates  key content of SMTP sessions  ………….and much more. 18 Jan 2014
  • 10. Sguil  It is an analyst console for Security Monitoring  It’s a powerful and capable solution for  Event Analysis  Coreleation and  review Even ….  real-time events  session data  raw packet captures. 18 Jan 2014
  • 11. Squert  A web interface to query and view Sguil event data and designed to supplement Sguil by providing addition context around the events .  Squert is a visual tool  additional context to events ……  metadata,  time series representations  weighted and logically grouped result sets 18 Jan 2014
  • 13. Enterprise-Log-Search-andArchive  Centralized syslog framework built on  Syslog-NG  MySQL  Sphinx full-text search. Allows for event searching and visualization of all the Log data security onion consumes , including    OSSEC Snort / Suricata BRO IDS Distributed log Archive System 18 Jan 2014
  • 14. Features of ELSA • High-volume receiving/indexing • Full Active Directory/LDAP integration for • • • • authentication, authorization, email settings Dashboards using Google Visualizations Email alerting, scheduled reports. Plugin architecture for web interface Distributed architecture for clusters 18 Jan 2014
  • 15. Network miner  Network Forensic Analysis Tool  passive network sniffer/packet capturing tool  operating systems  Sessions  Hostnames  open ports etc 18 Jan 2014
  • 16. Sec Onion Support ……….  Alert data - HIDS alerts from OSSEC and NIDS      alerts from Snort/Suricata Asset data from Pads and Bro Full content data from netsniff-ng Host data via OSSEC and syslog-ng Session data from Argus, Pads, and Bro Transaction data - http/ftp/dns/ssl/other logs from Bro 18 Jan 2014
  • 17. Refrences  http://blog.securityonion.net/  http://www.bro.org  http://www.snort.org/  http://www.google.com 18 Jan 2014