![Page 1: Security Onion: Peel Back the Layers of Your Network in Minutes](https://reader034.vdocument.in/reader034/viewer/2022051816/54533ac4b1af9f76248b57b5/html5/thumbnails/1.jpg)
Security Onion Peel Back the Layers of Your Network in Minutes
Doug Burks
What is Security Onion?
Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
IDS alone is sub-optimal; you need NSM (multiple data types)
Sguil is the de facto reference implementation of NSM
Lots of pieces in the Sguil jigsaw puzzle
http://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png
Security Onion: Next, Next, Finish for NSM
Big Onions
- Use our ISO image (based on Xubuntu 12.04 64-bit), OR start with your preferred flavor of Ubuntu 12.04 (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server), 32-bit or 64-bit, add our PPA and install our packages
- High performance:
  - Snort/Suricata/Bro running on PF_RING
  - netsniff-ng uses zero-copy for high-speed full-packet capture
- ELSA (like a free version of Splunk): distributed database with central web interface
Data Types
- Alert data
  - NIDS alerts from Snort/Suricata
  - HIDS alerts from OSSEC
- Asset data from Bro and PRADS
- Session data from Argus, Bro, and PRADS
- Transaction data: http/ftp/dns/ssl/other logs from Bro
- Full content data from netsniff-ng
Distributed Deployment
Snorby
Pivot to pcap from Snorby
CapME
Squert web interface
Sguil client
Pivot to pcap from Sguil
NetworkMiner There’s gold in them thar PCAPs!
ELSA
Pivot to pcap from ELSA
Ooh…shiny…
Bro Flow
Popular Dst IPs
Popular Dst Ports
Drilling into an interesting Dst Port
What is that Dst Port? Pivot 2 Pcap!
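The workflow the preceding slides walk through (Bro flow, popular destination IPs and ports, drill into one interesting port, pivot to pcap), as an added worked example that is not Security Onion's, Bro's or ELSA's own code. The conn.log rows and the pcap are constructed inline: the column names (ts, uid, id.orig_h, ...) are real Bro conn.log field names, while the hosts, ports and payloads are made up, and the pcap is built from hand-assembled Ethernet/IPv4/TCP frames so the carving step can run offline.

```python
"""Added example (not Security Onion's or Bro's own code): the hunting workflow
from the slides in miniature. Session data (constructed Bro conn.log rows) is
aggregated by destination IP and port, one port is drilled into, and the matching
session is pivoted into full content data (a constructed pcap) by carving out the
packets whose 5-tuple matches. Standard library only; RFC 5737 test addresses."""
import socket
import struct
from collections import Counter

# Constructed conn.log sample, tab separated, with an abbreviated #fields header
# (a real conn.log carries more columns, e.g. duration and byte counts).
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1375000001.1\tC1\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\thttp
1375000002.2\tC2\t10.0.0.6\t51001\t192.0.2.10\t80\ttcp\thttp
1375000003.3\tC3\t10.0.0.5\t51002\t198.51.100.7\t443\ttcp\tssl
1375000004.4\tC4\t10.0.0.9\t51003\t203.0.113.66\t6667\ttcp\t-
1375000005.5\tC5\t10.0.0.9\t51004\t203.0.113.66\t6667\ttcp\t-
"""

def parse_conn_log(text):
    """Yield one dict per data row, keyed by the column names in the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def top_destinations(rows, key, n=3):
    """'Popular Dst IPs' / 'Popular Dst Ports': session count per id.resp_h or id.resp_p."""
    return Counter(r[key] for r in rows).most_common(n)

def drill_into_port(rows, port):
    """Sessions to one interesting destination port, as (orig_h, orig_p, resp_h)."""
    return [(r["id.orig_h"], int(r["id.orig_p"]), r["id.resp_h"])
            for r in rows if r["id.resp_p"] == str(port)]

def tcp_frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which carving ignores."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def build_pcap(packets):
    """Serialize (timestamp, frame) pairs as a classic little-endian pcap, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def five_tuple(frame):
    """(src, sport, dst, dport, proto) of an Ethernet/IPv4 TCP or UDP frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17):
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src, sport, dst, dport, proto

def pivot_to_pcap(pcap_bytes, orig_h, orig_p, resp_h, resp_p):
    """Carve every packet of one session (both directions) out of full content data."""
    want = {(orig_h, orig_p, resp_h, resp_p), (resp_h, resp_p, orig_h, orig_p)}
    hits, off = [], 24                                     # skip the pcap global header
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        ft = five_tuple(frame)
        if ft and ft[:4] in want:
            hits.append((ts_sec + ts_usec / 1e6, frame))
    return hits

# Constructed full content data: both directions of the port-6667 session plus
# one unrelated HTTP packet that the pivot must leave behind.
PCAP = build_pcap([
    (1375000004.4, tcp_frame("10.0.0.9", 51003, "203.0.113.66", 6667, b"NICK bot123\r\n")),
    (1375000004.5, tcp_frame("203.0.113.66", 6667, "10.0.0.9", 51003, b":irc 001 bot123\r\n")),
    (1375000001.1, tcp_frame("10.0.0.5", 51000, "192.0.2.10", 80, b"GET / HTTP/1.1\r\n")),
])

if __name__ == "__main__":
    rows = list(parse_conn_log(CONN_LOG))
    print("Popular Dst IPs:  ", top_destinations(rows, "id.resp_h"))
    print("Popular Dst Ports:", top_destinations(rows, "id.resp_p"))
    for orig_h, orig_p, resp_h in drill_into_port(rows, 6667):
        for ts, frame in pivot_to_pcap(PCAP, orig_h, orig_p, resp_h, 6667):
            print(ts, five_tuple(frame), frame[54:])      # 14 + 20 + 20 = payload offset
```

Two things the toy leaves out that matter in practice: a real pivot also bounds the search by the session's start time and duration, because ephemeral ports are reused and a bare 5-tuple over a day of netsniff-ng captures can return several unrelated sessions; and in Security Onion you never carve by hand, since Sguil, Squert, Snorby and ELSA hand the alert's timestamp and 5-tuple to CapME, which pulls the matching packets from the sensor's full content data for you.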
2013: The Metrics
- Security Onion 10.04: 37,521
- Security Onion 12.04 (released 12/31/2012): 34,290 from SourceForge
- Security Onion 12.04.1 (released 6/10/2013): 6,380 from SourceForge
- Security Onion 12.04.2 (released 7/25/2013): 737 from SourceForge
- ??? from BitTorrent
- ??? Ubuntu/Kubuntu/Lubuntu + Security Onion PPA
Where do we go now?
http://securityonion.blogspot.com
Updates are announced here, and it also has the following links:
- Download/Install
- FAQ
- Mailing Lists
- IRC: #securityonion on irc.freenode.net
- @securityonion