
Peeling back your Network Layers with Security Onion

Mark Hillick
November 23, 2012


Presentation on how Security Onion provides clarity and vision into the goings-on of your network. We walk through the set-up and the available tools, and then show how we can troubleshoot a real attack.


Transcript

  1. Peeling Your Network Layers With { _id: “Mark Hillick”, “company”: “Kybeire” } Friday 23 November 12
  2. > db.whoam.findOne() { "contact": { "email": "mark@kybeire.com", "web": "www.hackeire.net", "twitter": "markofu" }, "work" : { "10gen" : "MongoDB" }, "cert" : { "GIAC GSE" : true }, "state" : { "Nervous" : true, "Relaxed" : false }, "tags" : [ { "securityonion" : 1}, {"tcp" : 1} , {"ids" : 1}, {"packet analysis" : 1}, {"defensive fun" : 1}, {"nsm" : 1} ], "try-to-help" : [ { "IrissCert" : "not very well"} , {"Security Onion" : "not well enough"} ] }
  3. Last Presentation - need humour!!! Or at least an attempt at it :) SO @ IrissCon
  4. Four Things: This talk is NOT an IDS talk! This talk will be fairly technical :) And fast :) If you don’t like Lego or Star Wars, you might want to leave
  5. Creator: Doug Burks - the guy is incredible, he does not sleep :) Grew out of SANS Gold Paper. Wanted to help make Sguil & NSM “easier” to deploy!
  6. So, what is it? Security Onion is a Linux distro for IDS (Intrusion Detection) & NSM (Network Security Monitoring). New version => all Ubuntu-type 12.04 distros [LTS], 32 & 64 bit. Old version => Xubuntu 10.04 [LTS], 32 bit only. Contains many security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Open-Source : so it’s all there!!!!
  7. Traditionally DEFENCE-IN-DEPTH. Layers, layers & more layers: Firewalls; IDS/IPS; WAF. Restrict inbound, allow all outbound. Different FW tech. ACLs on Routers. But what is going on?
  8. IDS Alert, what now?
    alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid: 2101390; rev:7;)
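As an added example (not part of the deck) of what the alert on slide 8 actually tests, this Python 3 script parses the rule into its header fields and options and applies its content match to two constructed payloads; it implements only the content keyword (no fast_pattern, nocase, depth or offset handling), and the payloads and function names are my own.

```python
import re

# The rule quoted on the slide (GPL SHELLCODE x86 inc ebx NOOP, sid 2101390 rev 7).
RULE = ('alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
        '(msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; '
        'fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)')

HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")
# An option is `key:value;` (value may be quoted) or a bare `key;` such as nocase.
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("[^"]*"|[^;]*))?;')


def parse_rule(rule):
    """Split a Snort rule into its 7 header fields plus a dict of body options."""
    head, _, body = rule.partition("(")
    parts = head.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError("malformed rule header: %r" % head)
    parsed = dict(zip(HEADER_FIELDS, parts))
    parsed["options"] = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(body)}
    return parsed


def content_bytes(content):
    """Decode a content string: text between |pipes| is hex, the rest is literal."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def match_offset(rule, payload):
    """Offset where the rule's content matches, or -1 (depth/offset/nocase ignored)."""
    return payload.find(content_bytes(rule["options"]["content"]))


# Constructed payloads, not captured traffic. 'C' is 0x43, the one-byte x86 `inc ebx`,
# which is why the signature looks for a long run of it (a NOP-style sled).
SLED_PAYLOAD = b"\x90" * 4 + b"C" * 32 + b"\xcc"
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(rule["options"]["msg"], "sid", rule["options"]["sid"])
    for name, payload in (("sled", SLED_PAYLOAD), ("benign", BENIGN_PAYLOAD)):
        print(name, "match at offset", match_offset(rule, payload))
```

The match offset is the first thing an analyst wants after the alert fires, and it is exactly what the alert line alone does not tell you.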
  9. NSM, Old-Style :( WTF??????? Ah man, this sucks! grep this, awk that, sed this, pipe to csv, scp & open excel :( Then make pretty for mgmt :)
  10-11. State of IDS. Source: http://img2.moonbuggy.org/imgstore/doorstop.jpg
  12. NSM != IDS. Clarity!!! NSM: “the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions” Richard Bejtlich, TaoSecurity Blog http://taosecurity.blogspot.com/2007/04/networksecurity-monitoring-history.html
  13-16. NSM, ONION-STYLE :)
  17-23. CHILDS-PLAY
  24. Architecture: Server, Sensors or Both. Ultimate Analyst Workstation
  25. Deploy, Build & Use. Aggregate or Tap. Use Cases: Production - traditional DCs, on VM, Cloud Infrastructure. Personally: HackEire & @ home. ETC Admin - aptitude & upstart :)
  26. Haz Tools 1. IDS: Snort or Suricata - your choice :)
  27. Haz Tools 2. Bro: powerful network analysis framework with amazingly detailed logs. OSSEC monitors local logs, file integrity & rootkits. Can receive logs from OSSEC Agents and standard Syslog
  28. Haz Tools 3. Complete List: http://code.google.com/p/security-onion/wiki/Tools
  29. Directory Structure. Data : /nsm - backup, bro, server data & sensor data, by sensor name “$hostname-$interface”. Config : /etc/nsm - ossec, pulledpork, securityonion, $hostname-$interface (pads, snort, suricata, barnyard etc). Logs: /var/log/nsm
  30. NSM: sudo service nsm restart (bro, ossec, sguil); sudo service nsm-server restart; sudo service nsm-sensor restart
  31-35. Pivot To Wireshark
  36. Attack : Client-Side
  37. Innocence. Attack : Client-Side
  38. Oops, now inside! Innocence. Attack : Client-Side
  39. Sit Back, Relax & Enjoy. Upcoming Demo of Client-side attack: User clicks on link; Channel is created back to attacker
  40-43. CS Attack: Sguil
  44-48. CS Attack: Snorby
  49. CS Attack: Bro 1. bash/bro scripting framework & built-in scripts. /nsm/bro/logs/current: http.log, conn.log
  50-52. CS Attack: Bro 2. DETAIL, DETAIL, DETAIL......
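Slides 49 to 52 point at the Bro logs in /nsm/bro/logs/current (http.log, conn.log) and slide 59 at the 10.20.0.111:4444 channel. As an added example (not from the deck or the Security Onion project), this Python 3 script parses Bro's tab-separated ASCII log format and pivots from the victim host to every connection it opened, joining http.log on the shared uid; the log lines, uids and timestamps are constructed and the column set is reduced from the real #fields list.

```python
# Constructed Bro 2.x ASCII logs (not real captures), shaped like conn.log and http.log
# from /nsm/bro/logs/current but with a reduced #fields list and made-up uids.
CONN_LOG = """#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1352063963.101\tCabc1\t10.20.0.165\t1803\t10.20.0.111\t80\ttcp\thttp\tSF
1352063971.442\tCdef2\t10.20.0.165\t1804\t10.20.0.111\t4444\ttcp\t-\tS1
1352063980.007\tCghi3\t10.20.0.165\t1805\t10.20.0.5\t53\tudp\tdns\tSF"""
HTTP_LOG = """#separator \\x09
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code
1352063963.120\tCabc1\t10.20.0.165\t1803\t10.20.0.111\t80\tGET\t10.20.0.111\t/innocent.html\t200"""


def parse_bro_log(text):
    """Parse a Bro ASCII log: '#fields' names the columns; '#unset_field' marks missing values."""
    fields, unset, rows = None, "-", []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
        elif fields and line:
            values = line.split("\t")
            rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return rows


def pivot_from_host(conn_rows, http_rows, host):
    """All connections originating from `host`, each joined on uid to its HTTP request (if any)."""
    request_by_uid = {r["uid"]: r["method"] + " " + r["host"] + r["uri"] for r in http_rows}
    return [
        {"ts": r["ts"], "dst": r["id.resp_h"] + ":" + r["id.resp_p"],
         "service": r["service"], "request": request_by_uid.get(r["uid"])}
        for r in conn_rows if r["id.orig_h"] == host
    ]


if __name__ == "__main__":
    for hit in pivot_from_host(parse_bro_log(CONN_LOG), parse_bro_log(HTTP_LOG), "10.20.0.165"):
        print(hit)
```

The connection to 10.20.0.111:4444 has no service Bro could identify and no matching http.log record, which is what makes it stand out next to the HTTP request that preceded it.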
  53-57. CS Attack: Elsa
  58. CS Attack: Network Miner
  59-60. CS Attack: Network Miner
    $ ls -lart | grep 4444
    -rw-rw-r-- 1 nsmadmin nsmadmin 1291079 Nov 4 21:22 10.20.0.111:4444_10.20.0.165:1804-6.raw
  61. Ah, yeah, now.......
  62. Ah, yeah, now....... How many clicks does it take you to get from an alert to the packet???? Can you pivot? Could you take a Windows Administrator off the street???
  63. Don’t Forget
  64. All Wrapped Up. Thanks to Doug & the team. No more compiling, messing with installations, sorting out pre-requisites. Significantly reduced testing. Point & Click
  65. Conclusion: Easy Peasy. Powerful - haz tools. Nice pictures, GUIs & graphs for management ;-) Open-Source is possible & SO viable. Commodity H/W Support - mixture!
  66. Want to join? Security Onion needs: Documentation & Artwork, Web Interface, Package Maintainers, Performance Benchmarks. Me -> “GetOpts -> sosetup & Chef” http://code.google.com/p/security-onion/wiki/TeamMembers
  67. Further Reading!!! Project Home: https://code.google.com/p/security-onion/ Blog: http://securityonion.blogspot.com GG: https://groups.google.com/forum/?fromgroups#!forum/security-onion Wiki: http://code.google.com/p/security-onion/w/list Mailing Lists: http://code.google.com/p/security-onion/wiki/MailingLists IRC: #securityonion on irc.freenode.net The Future: https://code.google.com/p/security-onion/wiki/Roadmap
  68. Contact Me: mark@kybeire.com @markofu BTW, Star Wars Fan :)
  69. Pics Links. Onion: https://secure.flickr.com/photos/7157427@N03/3248129452/ Star Wars Lego: http://imgur.com/a/0XvKw (Huge thanks to Mike Stimpson -> www.mikestimpson.com :) ) Book -> “Stormtroopers, we love you”
  70. Thank You!!!