SANS ISC: InfoSec Handlers Diary Blog

IDS, NSM, and Log Management with Security Onion 12.04.3

Published: 2013-09-24
Last Updated: 2013-09-24 19:11:56 UTC
by Tom Webb (Version: 1)

This is a "guest diary" submitted by Doug Burks. We will gladly forward any responses, or you can use our comment/forum section to comment publicly.

I recently announced the new Security Onion 12.04.3:
What is Security Onion?
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Can I see it in action?
The video and slides from my recent BSidesAugusta presentation are available:
I also just published a series of walkthrough videos:
How do I get it?
Download our ISO image (based on Xubuntu 12.04 64-bit) OR start with your preferred flavor of Ubuntu 12.04 (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server) 32-bit or 64-bit, add our PPA and install our packages.  Please see our Installation guide for further details:
Lots o' Logs
If you connect Security Onion to a tap or span port, it will generate lots of logs out of the box:
- NIDS alerts from Snort or Suricata
- Bro conn.log (session data)
- Bro dns.log - all DNS transactions seen on your network
- Bro http.log - all HTTP transactions seen on your network
- Bro notice.log - events of interest
- Bro ssl.log - SSL/TLS handshake and certificate details
- and many more!
In addition, you can install OSSEC agents on other boxes on your network and point them to the OSSEC Server that's already running on Security Onion.  You'll then get the raw logs from those OSSEC agents and you'll also get HIDS alerts as the OSSEC Server analyzes those logs.  For those devices that can't run an OSSEC agent, you can point their syslog to the syslog-ng collector on Security Onion.
How do we manage all those logs?
ELSA is a great tool for hunting through your logs.  Martin Holste, the author of ELSA, describes it like this:
"ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web."
Take a look at the following ELSA video to see how you can slice and dice your logs very quickly and easily:
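To make the "hunting through your logs" idea concrete, here is an added example that is not part of the original diary and not code from Security Onion, Bro or ELSA. It parses the Bro ASCII log format that Security Onion writes for dns.log, conn.log, http.log and the other logs listed above (the parser honours the #separator, #fields, #unset_field and #empty_field header directives, so it works for any Bro log, not just dns.log), then runs two simple hunts for DNS tunnelling over a handful of constructed dns.log records. The sample records, the client addresses, the evil.example domain and the length and entropy thresholds are all assumptions chosen for illustration, not data from a real sensor.

```python
"""Parse Bro ASCII logs and run two simple DNS hunts over them.

Added example for this diary: the log lines, hosts and thresholds below are
constructed for illustration and are not from a real Security Onion sensor.
"""
import math
from collections import Counter, defaultdict

# Constructed sample dns.log in the Bro 2.x ASCII format.  Real logs start
# with the same '#' header lines; only the record values here are made up.
DNS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#open\t2013-09-24-18-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\trejected
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring\tcount\tstring\tcount\tstring\tcount\tstring\tbool\tbool\tbool\tbool\tcount\tvector[string]\tvector[interval]\tbool
1380045600.000000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.1\t53\tudp\t1\twww.sans.org\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t66.35.59.202\t300.000000\tF
1380045601.000000\tCZg7Yc1RnuaYcGNFq6\t10.0.0.7\t51235\t10.0.0.1\t53\tudp\t2\tnjq3mnzqz24wsjrxhaxykqkndpnjqthqq5bzk2m6zxcrtvhqz24.evil.example\t1\tC_INTERNET\t16\tTXT\t0\tNOERROR\tF\tF\tT\tT\t0\t-\t-\tF
1380045602.000000\tCk5xDn2uOeMZ0pAWth\t10.0.0.7\t51236\t10.0.0.1\t53\tudp\t3\tojkkkjyw3uprjq3dqqsdjjmnjlohoqnmndcjy3ggmhofv3wv5z2.evil.example\t1\tC_INTERNET\t16\tTXT\t0\tNOERROR\tF\tF\tT\tT\t0\t-\t-\tF
#close\t2013-09-24-18-05-00
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.

    Honours #separator (written as an escape such as \\x09), #fields,
    #unset_field and #empty_field.  Unset values ('-') become None and
    empty values ('(empty)') become ''.  Works for any Bro ASCII log.
    """
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "fields":
                    fields = value.split(sep)
                elif key == "unset_field":
                    unset = value
                elif key == "empty_field":
                    empty = value
            continue
        if fields is None:          # record before any #fields header: skip
            continue
        rec = {}
        for name, val in zip(fields, line.split(sep)):
            rec[name] = None if val == unset else ("" if val == empty else val)
        yield rec


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_dns(records, max_label=40, min_entropy=3.5):
    """Flag queries whose longest label is unusually long or high-entropy.

    A crude DNS-tunnelling heuristic; the thresholds are assumptions.
    Returns a list of (client, query, longest_label_len, entropy).
    """
    hits = []
    for r in records:
        q = r.get("query")
        if not q:
            continue
        label = max(q.split("."), key=len)
        ent = shannon_entropy(label)
        if len(label) > max_label or ent > min_entropy:
            hits.append((r["id.orig_h"], q, len(label), round(ent, 2)))
    return hits


def subdomain_fanout(records):
    """Count distinct names queried per (client, parent domain).

    Many unique subdomains of one domain from one client is another
    tunnelling indicator.  Parent domain is taken naively as the last two
    labels, which is good enough for a hunt but not for ccTLDs like co.uk.
    """
    seen = defaultdict(set)
    for r in records:
        q = r.get("query")
        if q and "." in q:
            parts = q.split(".")
            seen[(r["id.orig_h"], ".".join(parts[-2:]))].add(q)
    return {k: len(v) for k, v in seen.items()}


if __name__ == "__main__":
    recs = list(parse_bro_log(DNS_LOG))
    for hit in suspicious_dns(recs):
        print("suspicious query:", hit)
    for (client, domain), n in subdomain_fanout(recs).items():
        print(f"{client} -> {domain}: {n} distinct name(s)")
```

On a real sensor you would feed it the contents of /nsm/bro/logs/current/dns.log (or any other Bro log, since the parser reads the #fields header rather than assuming a column order) instead of the constructed DNS_LOG string; the same per-client, per-domain grouping is what an ELSA query like "class=BRO_DNS groupby:srcip" gives you interactively.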
Doug Burks
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! 