security onion
DESCRIPTION
Security Onion overview given at Packet Party on 10/4/12.TRANSCRIPT
Security Onion
Packet Party Nova Labs - Oct 12
John deGruyter @johndegruyter
Purpose of this talk
• Get us all up and running with Security Onion• Give a better understanding of the tools• Evaluate SO as a tool for Packet Parties– All your traffic analysis tools in one VM– Easy get new users up and running
• What it is not:– How to deploy an IDS at your company– How to tune an IDS
Agenda
Talk should be about 30 minutes or less.
• Overview• Installation• Tools / Demos
Stay and do some challenges.
About Security Onion
• A Linux distribution for Intrusion Detection and Network Security Monitoring
• Great video(s) by the author Doug Burks– http://securityonion.blogspot.com/
• Started in 2008. Gained momentum in 2011.• Version 12.04 was released this past weekend– Now available in 64 bit– Ability to install from apt repository
IDS vs NSM
• Intrusion Detection Systems traditionally deal with getting the alert
• Network Security Monitoring involves getting additional context along with the alert– alerts– session data– full packet capture
• Security Onion is an NSM image
Why is Security Onion awesome?• Getting all of this setup is hard.
– Some of my blog posts from 2008 (deadshell.org)• Installing sguil client on debian• Installing SGUIL is a pain. (part 1)
• Most of the tools you need are on here– What are you missing?
• You can be up and running in about 20 minutes• Easy to deploy multiple sensors with a single dashboard
– DMZ– Server VLAN– Client gateway
• Excellent support from both community (see wiki) and developers
Installation (2 methods)
• Bootable CD image– Download the .iso – Run it as a live distro– Install it to disk (why not?)
• Get it from an apt repository– Instructions here• http://code.google.com/p/security-onion/wiki/Beta
– I tried this with Ubuntu desktop (worked great)
Post installation
• Resolution does not scale properly• If you are running VMware:
1. Start the VM2. Click “Virtual Machine” / “Install VMware Tools”3. Open a command prompt in your VM, 4. switch to root (sudo –i)5. <enter your password when prompted>6. cp /media/Vmware\ Tools\VMareTools<tab> /usr/local/src7. cd /usr/local/src8. tar xzvf VM<tab>9. cd vm<tab>10. ./vmware-installer.pl11. (follow instructions, you can use default settings)
Demo – Installation from apt
• Take a snapshot if you are running a VM• Follow instructions here:• http://code.google.com/p/security-onion/wiki/Beta
• I used Ubuntu desktop 12.04• You can connect to the https://<ip of the server> to get links
to the tools
Tools
Things we’ll look at• Daemonlogger• Snort• Pulled pork• Snorby• Sguil• Barnyard• Tcpreplay• Wireshark/Network Miner• Squert• Bro
Additional awesomeness• Suricata• Argus• Elsa• Prads• OSSEC• …
Daemonlogger
• Listens on a network interface• Captures and saves your packets to disk. The
structure on how these files are saved can be configured.
• You can set filters on what you want to capture (BPF – Berkeley Packet Filters)
• You set a limit on how much disk space you want to use. It will delete the oldest data as needed.
Daemonlogger - Demo
• Look at the file structure• Change the disk threshold• Modify the BPF so that it does not collect
ICMP packets
Snort
• An open source intrusion detection system developed by Sourcefire
• Configuration file (snort.conf) ties everything together
• Will check packets passing through an interface against “signature” or “rule” files
• Alerts generated by rules can be sent to different output types– Security Onion uses the unified option
• Does a lot more. This is just a basic overview.
Snort Rule
Header• action• protocol • source ip / port• direction• destination ip / port
Options• msg• content• nocase• depth• flags• flow• fragbits• much more…
alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)
Snort Rule (2)
Snort - Demo
• Find the running instance by running $ps aux• Look over snort.conf file• Write a simple rule
Pulled Pork
• Scripts for updating your rules. It will periodically pull down new signatures (rules) and add them into Snort.
• You have a couple of choices where to pull rules from.
• You can get an “oinkcode” by registering with Sourcefire’s VRT through the snort website. Paid for versions get you the rules faster. This will need to be added to your configuration.
Snorby
• Pretty interface for looking at Snort / Suricata alerts. You can see:– IPs – Time– Raw data– Rule– Statistics
• Not much you can do to follow up on an alert but has a lot of potential for growth. This is more of an IDS rather than an NSM.
• Pain to set this up without Security Onion.
Sguil
• “Sguil's main component is an intuitive GUI that provides access to real time events, session data, and raw packet captures.”
• “built by network security analysts for security analysts”
Sguil (2)• Written by Bamm Visscher in TCL/TK• Client (sguil.tk) / Server (sguild) architecture, not a web service. You
need a client to connect to the server.• Stores data in a mysql database• Connects to different “agents”
– snort (alerts)– pcap (full packet captures)– sanscp (sessions)– prads (asset detection)
• These agents can run on different systems known as sensors. You can have multiple sensors talking to an agent. Note: Client is different from a sensor. Client connects to the sguil frontend for analysis.
• It is a PAIN to setup• It is a PAIN to setup! (Thank you Security Onion)
http://www.gamelinux.org/?p=66
tcpreplay
• Allows you to take a packet capture (.pcap) and resend all of its packets onto a given interface
• For demo purposes, we can replay existing attacks to see if they trigger alerts
• You need to be root
• Demo• #tcpreplay –t –i eth0 <pcap file>
Sguil - Demo
• Check agents• Replay TFTP attack• View alert / signature / raw packet• DNS/whois lookup• Deal with alert resolution• Send to wireshark / network miner– Packets for the session are pulled from the sensor
to the server and viewed in wireshark
Squert
• Reporting service for Sguil• Pulls from mysql database on sguild server• Pretty pictures for the managements
• Demo– View interface / pivot through data– Use geoIP to view country data
Issues
• Tuning– IDS can be VERY noisy right out of the box– “Do a little bit each day.”
• Space– Determine what you want to capture• Adjust Daemonlogger’s filter if necessary
– Disk is cheap
Referenceshttp://securityonion.blogspot.com/ video, downloads, documentation, wiki@securityonion
Security Onion reference page from the wiki:http://code.google.com/p/security-onion/wiki/Links
Richard Bejtlich’s blog (NSM and more):http://taosecurity.blogspot.com/
Me:@johndegruyter (DeBuG)
Challenges1. Install Security Onion on a virtual machine2. Create a snort rule to detect DNS requests to 208.67.220.220 – You can
test this with: snort –Tc <your rule file>
3. Find out where the snort instance is getting its rule files from and add your rule to one of the rule files. Test this by viewing it in Snorby or Sguil.
4. Modify Daemonlogger so that you will only use up to 80% of the disk (default is 90%)
5. Modify Daemonlogger so that you do not capture ARP packets – you can use a BPF for this
6. Set up a second Sguil sensor to connect to your original server. Ensure that you can see alerts from each sensor. You can generate some alerts by scanning the sensor.
7. Use squert to map network traffic to different locations