SlideShare a Scribd company logo

Security Onion: peeling back the layers of your network in minutes

B
bsidesaugusta

Security Onion is a Linux distribution for intrusion detection and network security monitoring. It contains tools like Snort, Suricata, Bro, Sguil and more. The easy setup wizard allows users to quickly build a distributed sensor network. It provides alerts, asset data, network sessions and full packet captures from multiple data sources in a centralized interface for analysis and pivoting to packet captures. The project has seen over 30,000 downloads and provides ongoing support through its website and mailing lists.

Technology
1 of 26
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Security  Onion   Peel  Back  the  Layers  of  Your  Network  in  Minutes     Doug  Burks  
What  is  Security  Onion?   Security  Onion  is  a  Linux  distro  for  IDS  (Intrusion  DetecBon)  and  NSM   (Network  Security  Monitoring).  It's  based  on  Ubuntu  and  contains  Snort,   Suricata,  Bro,  Sguil,  Squert,  Snorby,  ELSA,  Xplico,  NetworkMiner,  and  many   other  security  tools.  The  easy-­‐to-­‐use  Setup  wizard  allows  you  to  build  an  army   of  distributed  sensors  for  your  enterprise  in  minutes!  
IDS  is  sub-­‐opBmal;  need  NSM  (mulBple   data  types)  
Sguil  is  the  defacto  reference   implementaBon  of  NSM  
Lots  of  pieces  in  the  Sguil  jigsaw  puzzle   hUp://nsmwiki.org/images/e/ea/Sguil-­‐0.7.dfd.png  
Security  Onion:   Next,  Next,  Finish  for  NSM  
Big  Onions   l  Use  our  ISO  image  (based  on  Xubuntu  12.04  64-­‐bit)   OR   Start  with  your  preferred  flavor  of  Ubuntu  12.04  (Ubuntu,  Kubuntu,   Lubuntu,  Xubuntu,  or  Ubuntu  Server)  32-­‐bit  or  64-­‐bit,  add  our  PPA  and   install  our  packages     l  High  performance:     l  Snort/Suricata/Bro  running  on  PF_RING   l  Netsniff-­‐ng  uses  zero-­‐copy  for  high-­‐speed  full-­‐packet  capture   l  ELSA  (like  a  free  version  of  Splunk)  –  distributed  database  with  central  web   interface  
Data  Types   l  Alert  data   l  NIDS  alerts  from  Snort/Suricata   l  HIDS  alerts  from  OSSEC   l  Asset  data  from  Bro  and  PRADS   l  Session  data  from  Argus,  Bro,  and  PRADS   l  TransacBon  data  –  hUp/gp/dns/ssl/other  logs  from  Bro   l  Full  content  data  from  netsniff-­‐ng  
Distributed  Deployment      
Snorby  
Pivot  to  pcap  from  Snorby  
CapME  
Squert  web  interface  
Sguil  client  
Pivot  to  pcap  from  Sguil  
NetworkMiner   There’s  gold  in  them   thar  PCAPs!  
ELSA  
Pivot  to  pcap  from  ELSA  
Ooh…shiny…  
Bro  Flow  
Popular  Dst  IPs  
Popular  Dst  Ports  
Drilling  into  an  interesBng  Dst  Port  
What  is  that  Dst  Port?  Pivot  2  Pcap!  
2013:  The  Metrics   l  Security  Onion  10.04   37,521   l  Security  Onion  12.04  (released  12/31/2012)   34,290  from  SourceForge   l  Security  Onion  12.04.1  (released  6/10/2013)   6,380  from  Sourceforge   l  Security  Onion  12.04.2  (released  7/25/2013)   737  from  Sourceforge   l  ???  From  BitTorrent   ???  Ubuntu/Kubuntu/Lubuntu  +  Security  Onion  PPA  
Where  do  we  go  now?   hUp://securityonion.blogspot.com       Updates  are  announced  here  and  it  also  has  the  following  links:   l  Download/Install   l  FAQ   l  Mailing  Lists   l  IRC  #securityonion  on  irc.freenode.net   l  @securityonion  

More Related Content

PPTX
Security Onion - Brief
Ashley Deuble
 
PPTX
Security Onion Conference - 2016
DefensiveDepth
 
PPTX
2014 Security Onion Conference
DefensiveDepth
 
PDF
Security Onion - Introduction
n|u - The Open Security Community
 
PDF
Suricata
tex_morgan
 
PPTX
Backtrack
n|u - The Open Security Community
 
PPTX
Security onion
Kaustubh Padwad
 
PPTX
BackTrack5 - Linux
mariuszantal
 
Security Onion - Brief
Ashley Deuble
 
Security Onion Conference - 2016
DefensiveDepth
 
2014 Security Onion Conference
DefensiveDepth
 
Security Onion - Introduction
n|u - The Open Security Community
 
Suricata
tex_morgan
 
Backtrack
n|u - The Open Security Community
 
Security onion
Kaustubh Padwad
 
BackTrack5 - Linux
mariuszantal
 

What's hot (20)

PPTX
Security Onion Conference - 2015
DefensiveDepth
 
PPT
Backtrack os 5
Ayush Goyal
 
PPTX
Backtrack
One97 Communications Limited
 
PDF
Security Onion: Watching for Leeks
Kory Kyzar
 
PDF
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
PPTX
Telehack: May the Command Line Live Forever
Gregory Hanis
 
ODP
Introduction To Linux Security
Michael Boman
 
PDF
$HOME Sweet $HOME SANSFIRE Edition
Xavier Mertens
 
ODP
Linux Network Security
Amr Ali
 
PPT
Network ssecurity toolkit
أحلام انصارى
 
PDF
Snort-IPS-Tutorial
Vladimir Koychev
 
PPT
Linux Security
nayakslideshare
 
PPT
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
PPT
Unix Security
replay21
 
PPT
Security and Linux Security
Rizky Ariestiyansyah
 
PPT
Basic Linux Security
pankaj009
 
PPTX
Essential security for linux servers
Juan Carlos Pérez Pardo
 
PDF
Kali tools list with short description
Jose Moruno Cadima
 
PPT
Linux security-fosster-09
Dr. Jayaraj Poroor
 
PDF
IoT mit Rust programmieren
Lars Gregori
 
Security Onion Conference - 2015
DefensiveDepth
 
Backtrack os 5
Ayush Goyal
 
Backtrack
One97 Communications Limited
 
Security Onion: Watching for Leeks
Kory Kyzar
 
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
Telehack: May the Command Line Live Forever
Gregory Hanis
 
Introduction To Linux Security
Michael Boman
 
$HOME Sweet $HOME SANSFIRE Edition
Xavier Mertens
 
Linux Network Security
Amr Ali
 
Network ssecurity toolkit
أحلام انصارى
 
Snort-IPS-Tutorial
Vladimir Koychev
 
Linux Security
nayakslideshare
 
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
Unix Security
replay21
 
Security and Linux Security
Rizky Ariestiyansyah
 
Basic Linux Security
pankaj009
 
Essential security for linux servers
Juan Carlos Pérez Pardo
 
Kali tools list with short description
Jose Moruno Cadima
 
Linux security-fosster-09
Dr. Jayaraj Poroor
 
IoT mit Rust programmieren
Lars Gregori
 
Ad

Viewers also liked (8)

PPTX
Wireless Investigations using Xplico
Chris Harrington
 
PPTX
Giga vue hb1 event rolling presentation-final-1
Christopher Lee
 
PPTX
Eyeing the Onion
bsidesaugusta
 
PDF
Gigamon 1Q15 Investor Relations Presentation
InvestorRelations
 
PPTX
Detecting Malicious SSL Certificates Using Bro
Andrew Beard
 
PPTX
Optimizing your google local listing for search
WebFX
 
PDF
Visibility and Automation for Enhanced Security
patmisasi
 
PPTX
Harnessing the Power of Metadata for Security
John Pollack
 
Wireless Investigations using Xplico
Chris Harrington
 
Giga vue hb1 event rolling presentation-final-1
Christopher Lee
 
Eyeing the Onion
bsidesaugusta
 
Gigamon 1Q15 Investor Relations Presentation
InvestorRelations
 
Detecting Malicious SSL Certificates Using Bro
Andrew Beard
 
Optimizing your google local listing for search
WebFX
 
Visibility and Automation for Enhanced Security
patmisasi
 
Harnessing the Power of Metadata for Security
John Pollack
 
Ad

Similar to Security Onion: peeling back the layers of your network in minutes (18)

PDF
Security Onion - Part 1
Nishanth Kumar Pathi
 
PDF
Securing the infrastructure using IDS
Ruban Deventhiran
 
PPTX
Intro to NSM with Security Onion - AusCERT
Ashley Deuble
 
PPTX
Security Onion
johndegruyter
 
PDF
Boni Yeamin Thesis final_report.pdf
Boni Yeamin
 
PDF
Security Onion
n|u - The Open Security Community
 
PPTX
Study And Implemenataion Of Advance Intrusion Detection And Prevention Sysyte...
Deepak Mishra
 
PPTX
security onion
Boni Yeamin
 
PPT
snort.ppt
Senthil Vit
 
PPTX
Enterprise Security Monitoring, And Log Management.
Boni Yeamin
 
PDF
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Deepak Mishra
 
PPT
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
abanehkahalif123
 
ODP
Sguil
Michael Boman
 
PDF
Peeling back your Network Layers with Security Onion
Mark Hillick
 
PDF
An analysis of Network Intrusion Detection System using SNORT
ijsrd.com
 
PPT
Network Intrusion Detection System Using Snort
Disha Bedi
 
PPTX
Intrusion detection and prevention system
Nikhil Raj
 
PDF
IDS Research
Yehan Gunaratne
 
Security Onion - Part 1
Nishanth Kumar Pathi
 
Securing the infrastructure using IDS
Ruban Deventhiran
 
Intro to NSM with Security Onion - AusCERT
Ashley Deuble
 
Security Onion
johndegruyter
 
Boni Yeamin Thesis final_report.pdf
Boni Yeamin
 
Security Onion
n|u - The Open Security Community
 
Study And Implemenataion Of Advance Intrusion Detection And Prevention Sysyte...
Deepak Mishra
 
security onion
Boni Yeamin
 
snort.ppt
Senthil Vit
 
Enterprise Security Monitoring, And Log Management.
Boni Yeamin
 
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Deepak Mishra
 
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
abanehkahalif123
 
Sguil
Michael Boman
 
Peeling back your Network Layers with Security Onion
Mark Hillick
 
An analysis of Network Intrusion Detection System using SNORT
ijsrd.com
 
Network Intrusion Detection System Using Snort
Disha Bedi
 
Intrusion detection and prevention system
Nikhil Raj
 
IDS Research
Yehan Gunaratne
 

Recently uploaded (20)

PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
August Patch Tuesday
Ivanti
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
project resource management chapter-09.pdf
ssuser00e6e21
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 

Security Onion: peeling back the layers of your network in minutes

  • 1. Security  Onion   Peel  Back  the  Layers  of  Your  Network  in  Minutes     Doug  Burks  
  • 2. What  is  Security  Onion?   Security  Onion  is  a  Linux  distro  for  IDS  (Intrusion  DetecBon)  and  NSM   (Network  Security  Monitoring).  It's  based  on  Ubuntu  and  contains  Snort,   Suricata,  Bro,  Sguil,  Squert,  Snorby,  ELSA,  Xplico,  NetworkMiner,  and  many   other  security  tools.  The  easy-­‐to-­‐use  Setup  wizard  allows  you  to  build  an  army   of  distributed  sensors  for  your  enterprise  in  minutes!  
  • 3. IDS  is  sub-­‐opBmal;  need  NSM  (mulBple   data  types)  
  • 4. Sguil  is  the  defacto  reference   implementaBon  of  NSM  
  • 5. Lots  of  pieces  in  the  Sguil  jigsaw  puzzle   hUp://nsmwiki.org/images/e/ea/Sguil-­‐0.7.dfd.png  
  • 6. Security  Onion:   Next,  Next,  Finish  for  NSM  
  • 7. Big  Onions   l  Use  our  ISO  image  (based  on  Xubuntu  12.04  64-­‐bit)   OR   Start  with  your  preferred  flavor  of  Ubuntu  12.04  (Ubuntu,  Kubuntu,   Lubuntu,  Xubuntu,  or  Ubuntu  Server)  32-­‐bit  or  64-­‐bit,  add  our  PPA  and   install  our  packages     l  High  performance:     l  Snort/Suricata/Bro  running  on  PF_RING   l  Netsniff-­‐ng  uses  zero-­‐copy  for  high-­‐speed  full-­‐packet  capture   l  ELSA  (like  a  free  version  of  Splunk)  –  distributed  database  with  central  web   interface  
  • 8. Data  Types   l  Alert  data   l  NIDS  alerts  from  Snort/Suricata   l  HIDS  alerts  from  OSSEC   l  Asset  data  from  Bro  and  PRADS   l  Session  data  from  Argus,  Bro,  and  PRADS   l  TransacBon  data  –  hUp/gp/dns/ssl/other  logs  from  Bro   l  Full  content  data  from  netsniff-­‐ng  
  • 11. Pivot  to  pcap  from  Snorby  
  • 15. Pivot  to  pcap  from  Sguil  
  • 16. NetworkMiner   There’s  gold  in  them   thar  PCAPs!  
  • 18. Pivot  to  pcap  from  ELSA  
  • 23. Drilling  into  an  interesBng  Dst  Port  
  • 24. What  is  that  Dst  Port?  Pivot  2  Pcap!  
  • 25. 2013:  The  Metrics   l  Security  Onion  10.04   37,521   l  Security  Onion  12.04  (released  12/31/2012)   34,290  from  SourceForge   l  Security  Onion  12.04.1  (released  6/10/2013)   6,380  from  Sourceforge   l  Security  Onion  12.04.2  (released  7/25/2013)   737  from  Sourceforge   l  ???  From  BitTorrent   ???  Ubuntu/Kubuntu/Lubuntu  +  Security  Onion  PPA  
  • 26. Where  do  we  go  now?   hUp://securityonion.blogspot.com       Updates  are  announced  here  and  it  also  has  the  following  links:   l  Download/Install   l  FAQ   l  Mailing  Lists   l  IRC  #securityonion  on  irc.freenode.net   l  @securityonion