Security onion


Open Source NSM With Security Onion

S3CuriTy B3a$t

What is NSM?


Network Security Monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.

Source: Google

For me it's simple: IPS/IDS + any network analysis tool :-)

Why IDS/IPS if I have a firewall?

Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.

Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated detailing the event.

Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, the packet is rejected.
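To make these three definitions concrete, here is a small added example (not from the slides, and not Security Onion code) that models a firewall as a header-only policy check, an IDS as payload inspection that only logs, and an IPS as the same inspection that rejects. The packets, the allow-list and the two "known event" patterns are all constructed for illustration and are not real Snort or Suricata rules.

```python
# Added example, not from the slides: toy model of firewall vs IDS vs IPS.
# Packets, policy and signatures are constructed for illustration only.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

# Firewall policy: header fields only (constructed allow-list of services).
FIREWALL_POLICY = [{"proto": "tcp", "dport": 80}, {"proto": "tcp", "dport": 443}]

# "Known events": byte patterns looked for in the payload (constructed, not real rules).
SIGNATURES = {
    "http-path-traversal": b"../../",
    "sql-tautology": b"' OR 1=1",
}

def firewall(pkt):
    """Header-only check: accept if any policy entry matches, otherwise reject."""
    for rule in FIREWALL_POLICY:
        if all(getattr(pkt, k) == v for k, v in rule.items()):
            return "accept"
    return "reject"

def ids(pkt):
    """Whole-packet inspection: returns alert log lines, never drops anything."""
    return [
        f"ALERT {name} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        for name, pat in SIGNATURES.items() if pat in pkt.payload
    ]

def ips(pkt):
    """Same inspection as the IDS, but a match rejects the packet instead."""
    return "reject" if ids(pkt) else "accept"

def inspect(pkt):
    """Verdicts of all three devices for one packet."""
    return {"firewall": firewall(pkt), "ids": ids(pkt), "ips": ips(pkt)}

# Constructed sample traffic (RFC 5737 documentation addresses).
PACKETS = [
    Packet("tcp", "192.0.2.5", "198.51.100.10", 40001, 80, b"GET /index.html HTTP/1.1"),
    Packet("tcp", "192.0.2.5", "198.51.100.10", 40002, 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("tcp", "192.0.2.5", "198.51.100.10", 40003, 22, b"SSH-2.0-client"),
]
```

The second packet is the point of the slide: its headers satisfy the firewall policy, so only payload inspection (IDS alert, IPS reject) catches it.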


Difference Between IPS and IDS

The Intrusion Detection System (IDS) provides the network with a level of preventive security against any suspicious activity. The IDS achieves this objective through early warnings aimed at systems administrators. However, unlike IPS, it is not designed to block attacks.

An Intrusion Prevention System (IPS) is a device that controls access to IT networks in order to protect systems from attack and abuse. It is designed to inspect attack data and take the corresponding action, blocking it as it is developing and before it succeeds, creating a series of rules in the corporate firewall.

Source: pandasecurity.com

Simply:

IDS - Detects the attack and alerts the administrator

IPS - Prevents the attack


What IDS/IPS Can Do

● Detect when your system is under attack
● Trace user activity from point of entry to point of impact
● Automate the task of monitoring the internet, searching for the latest attacks


What IPS Cannot Do

● Compensate for weaknesses in network protocols
● Investigate attacks without human interaction


Where do I put IPS/IDS?

● Between your network and extranet
● In the DMZ, before the firewall, to identify attacks on servers in the DMZ
● Between the servers and internal users, to identify internal attacks
● On intranet FTP and database environments


Introduction to Security Onion

● About and purpose
● Developers
● Demo


Features of Security Onion

● Intrusion detection
● Network security monitoring
● Log management


Packages

Xubuntu based

● Snort, Suricata (IDS)
● Bro, ELSA (network security analysis)
● OSSEC (HIDS)
● Squert, Snorby, Sguil (NSM)
● Xplico (network forensics tool)
● ... and many other security tools

Who Is Behind Security Onion

Originally created and maintained by Doug Burks: https://twitter.com/@dougburks

He really wants to make Sguil & NSM "easier" to deploy. "Mission accomplished" (Ash Deuble: https://twitter.com/ashd_au)

...Open Source :-)


Demonstration

● Set up 'SO' in our environment
● Quick and advanced setup
● Configuration review
● Attacks and detection


Not covered

● Installation - similar to any Linux distro
● Updates - steps available on their blog
● Writing Snort rules (maybe in future sessions)
● Advanced packet analysis


DEMO


Questions?


Thank You

Contact Details:

Twitter: @kingkaustubhp
Blog: breakthesec.com
Email: [email protected]