Monday, December 31, 2012

Security Onion 12.04 is now available!


Introduction

New to Security Onion?  Here's a short FAQ from Brad Shoop:

What is Security Onion?

Security Onion is a network security monitoring system that provides full context and forensic visibility into the traffic it monitors. At it's heart it is designed to make deploying multiple complex open source tools simple via a single package, reducing what would normally take days to weeks of work to minutes. Featuring Bro IDS, your choice of Snort or Suricata, Sguil analyst console, ELSA, Squert, Snorby and capME web interfaces, and the ability to pivot from one tool to the next seamlessly provides the most effective collection of network security tools available in a single package.  

What can it do for you?

  • Signature-based detection - Whether you choose Snort or Suricata for signature-based detection, you'll have Snort and/or Emerging Threats signatures available for use.
  • Context - Bro IDS provides visibility into the haystack, while signature-based detection targets the needle. Now you can know not only what signature-based events occurred, but you can have full context of all activity detected from the host involved. What domains a host queries, SSL certificates it's used, files downloaded, FTP/SMTP/IRC activity? All contextual questions that can help determine whether a signature-based alert is an event or an incident.
  • Evidence - Full packet capture means you can know exactly what a host did. Sguil and its integration with other tools in Security Onion, such as Network Miner and Wireshark in addition to ELSA, Squert and Snorby via capME, allow an analyst to look at the evidence of a network attack frame by frame exactly as it happened, all with a click of a mouse.
  • Tools - Security Onion is loaded with tools to monitor your network efficiently and effectively. Sguil provides the best security analyst console available in terms of function and utility. Squert and Snorby provide visibility into Sguil and Snort respectively, and ELSA provides a Splunk-like interface to the vast wealth of log data Security Onion will harvest from Bro, OSSEC and more.
  • Save Money - It's free, well except for the hardware. But it will help you save a lot of money you might otherwise throw at commercial solutions and you could maybe spend some of that money so your analysts can become better.

What can't it do for you?

Security Onion is a network monitoring and detection system. It will not block an attack, nor is it designed to. It will however act as a video camera for your network for every connection it sees, not just the one's that it thinks are bad. In a world where detection rates are unpredictable, evidence like this can save you a lot of money.

Changes

No major changes since we announced RC1 and the ISO image, just a few small bug fixes:

  • Setup no longer disables NIC offloading features on management interface
  • Setup now disables the IPv6 stack on sniffing interfaces (can still sniff IPv6, though)
  • if running Quick Setup, netsniff-ng is started with "-c" option to disable scatter/gather mode and force traffic to be written to disk instantly

Instructions

For full instructions on installing Security Onion 12.04, please see the installation page on our Wiki.

Screenshots

Booting ISO image


Booted into Live desktop, starting Xubuntu installer

Started Xubuntu installer
Completed Xubuntu installer, ready to reboot into new installation

Rebooted into new installation, ready to run Setup
Started Setup Wizard

Configuring /etc/network/interfaces
Selecting management interface

Selecting DHCP for this test VM
Selecting sniffing interfaces

Confirming network interface configuration, ready to reboot
Rebooted and ready to do the second phase of Setup
Started Setup Wizard

Setup detects that network interfaces have already been configured

Choosing Quick Setup for this test VM
Selecting interface to run sniffing processes on

Setting username for Sguil/Squert/ELSA
Setting email address for Snorby
Setting password for Sguil/Squert/Snorby/ELSA

Confirming password
Optionally enabling ELSA

Confirming selections
Setup wizard performs all configuration automatically

Setup Complete #1

Setup Complete #2
Setup Complete #3
Replaying sample pcaps to simulate network traffic

Logging into Snorby

Snorby Dashboard
Pivoting from IDS alert in Snorby to Full Transcript

Viewing full transcript in CapME
Logging into Squert

Squert Dashboard

Squert Signature Statistics
Squert GeoIP

Squert events

Logging into Sguil
Sguil RealTime Console

Sguil pivoting from IDS alert to full transcript
Logging into ELSA
ELSA query for Bro Notices
ELSA pivoting from Bro notice to full transcript
Full transcript in CapME

Thursday, December 20, 2012

Need help testing Security Onion 12.04 RC1 ISO image

We now have an official Security Onion 12.04 RC1 ISO image!

It's based on Xubuntu 12.04 64-bit and contains all of our Security Onion packages.  The RC1 page has been updated with instructions for downloading and installing the ISO:
http://code.google.com/p/security-onion/wiki/RC1

Please test this ISO image *thoroughly* and verify the following:
  • hardware compatibility (VM and bare metal)
  • run through several variations of Setup (Quick, Advanced, Standalone, Distributed)
  • all features work as advertised (sniffers, Sguil, Squert, Snorby, ELSA)
  • no glaring security holes
  • no personal artifacts I forgot to remove
Please send your feedback (good or bad) to our security-onion-testing mailing list:

Thanks for your help!

Sunday, December 16, 2012

Security Onion 12.04 RC1 Available Now!

Introduction

New to Security Onion?  Here's a short FAQ from Brad Shoop:

What is Security Onion?

Security Onion is a network security monitoring system that provides full context and forensic visibility into the traffic it monitors. At it's heart it is designed to make deploying multiple complex open source tools simple via a single package, reducing what would normally take days to weeks of work to minutes. Featuring Bro IDS, your choice of Snort or Suricata, Sguil analyst console, ELSA, Squert, Snorby and capME web interfaces, and the ability to pivot from one tool to the next seamlessly provides the most effective collection of network security tools available in a single package.  

What can it do for you?

  • Signature-based detection - Whether you choose Snort or Suricata for signature-based detection, you'll have Snort and/or Emerging Threats signatures available for use.
  • Context - Bro IDS provides visibility into the haystack, while signature-based detection targets the needle. Now you can know not only what signature-based events occurred, but you can have full context of all activity detected from the host involved. What domains a host queries, SSL certificates it's used, files downloaded, FTP/SMTP/IRC activity? All contextual questions that can help determine whether a signature-based alert is an event or an incident.
  • Evidence - Full packet capture means you can know exactly what a host did. Sguil and its integration with other tools in Security Onion, such as Network Miner and Wireshark in addition to ELSA, Squert and Snorby via capME, allow an analyst to look at the evidence of a network attack frame by frame exactly as it happened, all with a click of a mouse.
  • Tools - Security Onion is loaded with tools to monitor your network efficiently and effectively. Sguil provides the best security analyst console available in terms of function and utility. Squert and Snorby provide visibility into Sguil and Snort respectively, and ELSA provides a Splunk-like interface to the vast wealth of log data Security Onion will harvest from Bro, OSSEC and more.
  • Save Money - It's free, well except for the hardware. But it will help you save a lot of money you might otherwise throw at commercial solutions and you could maybe spend some of that money so your analysts can become better.

What can't it do for you?

Security Onion is a network monitoring and detection system. It will not block an attack, nor is it designed to. It will however act as a video camera for your network for every connection it sees, not just the one's that it thinks are bad. In a world where detection rates are unpredictable, evidence like this can save you a lot of money.

Changes

We've made lots of improvements since we announced our Beta release.  Here are some quick highlights:

  • added CapME, an OpenFPC-like web interface for pcap transcripts
  • updated Setup script to automatically configure Snorby and ELSA to integrate with CapME
  • enhanced Setup script to automatically configure network interfaces and disable NIC offloading
  • updated many packages including ELSA, Suricata, and PF_RING
  • included some sample pcaps from OpenPacket.org
  • replaced daemonlogger with netsniff-ng
  • lots of bug fixes

Instructions

For full instructions on installing RC1, please see the RC1 page on our Wiki.

Screenshots

The following screenshot starts out with a typical IDS alert in Snorby.  Wanting to investigate further, we click "Packet Capture Options" and then "Custom" which results in the "Packet Capture Builder" popup window.  Clicking "Fetch Packet" will result in a CapME query to display the transcript of the entire conversation as shown in the final screenshot.
Pivoting from Snorby to CapME pcap transcript

In the following screenshot, we've queried ELSA for Bro notices of type "HTTP::Malware_Hash_Registry_Match".  (Did you know that Bro automatically creates an MD5 sum of every file it sees transferred over HTTP and compares those MD5 sums to Team Cymru's Malware Hash Registry?)  After finding some matches, we click the "Info" link on the left which results in an Info popup window.  Here we click the Plugin dropdown box and select "getPcap" to send a request to CapME as shown in the final screenshot.
Pivoting from ELSA to CapME pcap transcript

CapME pcap transcript
Can your IDS/SIEM do that?  If not, get Security Onion today!

Thanks

Thanks to everyone who has helped us get this far!  Thanks to all of our testers for finding and reporting issues and HUGE thanks to the following for their tireless efforts over the last few weeks on building CapME and getting it fully integrated:
Paul Halliday
Martin Holste
Scott Runnels

Search This Blog

Featured Post

Security Onion 2.4.111 now available!

In October, we released version 2.4.110: https://blog.securityonion.net/2024/10/security-onion-24110-hurricane-helene.html Last week, Surica...

Popular Posts

Blog Archive