
Peeling back your Network Layers with Security Onion

Mark Hillick
November 23, 2012

Presentation on how Security Onion provides clarity and visibility into what is going on in your network. We walk through the set-up and the available tools, then show how we can troubleshoot a real attack.

Transcript

  1. > db.whoam.findOne()
     { "contact": { "email": "[email protected]", "web": "www.hackeire.net", "twitter": "markofu" }, "work" : { "10gen" : "MongoDB" }, "cert" : { "GIAC GSE" : true }, "state" : { "Nervous" : true, "Relaxed" : false }, "tags" : [ { "securityonion" : 1}, {"tcp" : 1} , {"ids" : 1}, {"packet analysis" : 1}, {"defensive fun" : 1}, {"nsm" : 1} ], "try-to-help" : [ { "IrissCert" : "not very well"} , {"Security Onion" : "not well enough"} ] }
     Friday 23 November 12
  2. SO @ IrissCon
     - Last presentation - need humour!!! Or at least an attempt at it :)
  3. Four Things
     - This talk is NOT an IDS talk!
     - This talk will be fairly technical :)
     - And fast :)
     - If you don’t like Lego or Star Wars, you might want to leave
  4. Creator
     - Doug Burks - the guy is incredible, he does not sleep :)
     - Grew out of a SANS Gold Paper
     - Wanted to help make Sguil & NSM “easier” to deploy!
  5. So, what is it?
     - Security Onion is a Linux distro for IDS (Intrusion Detection) & NSM (Network Security Monitoring)
     - New version => all Ubuntu-type 12.04 distros [LTS], 32 & 64 bit
     - Old version => Xubuntu 10.04 [LTS], 32 bit only
     - Contains many security tools
     - The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
     - Open-Source: so it’s all there!!!!
  6. Traditionally: DEFENCE-IN-DEPTH
     - Layers, layers & more layers: Firewalls; IDS/IPS; WAF
     - Restrict inbound, allow all outbound
     - Different FW tech
     - ACLs on Routers
     - But what is going on?
  7. IDS Alert, what now?
     alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid: 2101390; rev:7;)
  8. NSM, Old-Style :(
     - WTF??????? Ah man, this sucks!
     - grep this, awk that, sed this, pipe to csv, scp & open excel :(
     - Then make pretty for mgmt :)
  9. NSM
     - NSM != IDS
     - Clarity!!!
     - “the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions” - Richard Bejtlich, TaoSecurity Blog, http://taosecurity.blogspot.com/2007/04/networksecurity-monitoring-history.html
  10. Deploy, Build & Use
      - Aggregate or Tap
      - Use Cases: Production - traditional DCs on VM, Cloud Infrastructure; Personally: HackEire & @ home; ETC
      - Admin - aptitude & upstart :)
  11. Haz Tools 2
      - Bro: powerful network analysis framework with amazingly detailed logs
      - OSSEC monitors local logs, file integrity & rootkits
      - Can receive logs from OSSEC Agents and standard Syslog
  12. Directory Structure
      - Data: /nsm - backup, bro, server data & sensor data (by sensor name “$hostname-$interface”)
      - Config: /etc/nsm - ossec, pulledpork, securityonion, $hostname-$interface (pads, snort, suricata, barnyard etc)
      - Logs: /var/log/nsm
  13. NSM
      - sudo service nsm restart - bro, ossec, sguil
      - sudo service nsm-server restart
      - sudo service nsm-sensor restart
  14. Sit Back, Relax & Enjoy
      - Upcoming Demo of Client-side attack
      - User clicks on link
      - Channel is created back to attacker
  15. CS Attack: Network Miner
      $ ls -lart | grep 4444
      -rw-rw-r-- 1 nsmadmin nsmadmin 1291079 Nov 4 21:22 10.20.0.111:4444_10.20.0.165:1804-6.raw
  17. Ah, yeah, now.......
      - How many clicks does it take you to get from an alert to the packet????
      - Can you pivot?
      - Could you take a Windows Administrator off the street???
  18. All Wrapped Up
      - Thanks to Doug & the team
      - No more compiling, messing with installations, sorting out pre-requisites
      - Significantly reduced testing
      - Point & Click
  19. Conclusion
      - Easy Peasy
      - Powerful - haz tools
      - Nice pictures, GUIs & graphs for management ;-)
      - Open-Source is possible & SO viable
      - Commodity H/W
      - Support - mixture!
  20. Want to join?
      - Security Onion needs: Documentation & Artwork; Web Interface; Package Maintainers; Performance Benchmarks
      - Me -> “GetOpts -> sosetup & Chef”
      - http://code.google.com/p/security-onion/wiki/TeamMembers
  21. Further Reading!!!
      - Project Home: https://code.google.com/p/security-onion/
      - Blog: http://securityonion.blogspot.com
      - GG: https://groups.google.com/forum/?fromgroups#!forum/security-onion
      - Wiki: http://code.google.com/p/security-onion/w/list
      - Mailing Lists: http://code.google.com/p/security-onion/wiki/MailingLists
      - IRC: #securityonion on irc.freenode.net
      - The Future: https://code.google.com/p/security-onion/wiki/Roadmap
  22. Pics Links
      - Onion: https://secure.flickr.com/photos/7157427@N03/3248129452/
      - Star Wars Lego: http://imgur.com/a/0XvKw (Huge thanks to Mike Stimpson -> www.mikestimpson.com :) )
      - Book -> “Stormtroopers, we love you”
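Slide 17 asks how many clicks it takes to get from an alert to the packet. As an added example (not from the deck or from Security Onion itself), the Python below parses the slide 7 Snort rule header and the slide 15 Sguil raw-capture naming scheme (srcip:srcport_dstip:dstport-proto.raw) and checks whether a capture's 5-tuple falls inside the rule header, which is the pivot from alert to full-content data; it generalises to any rule header and file name of that shape. The $VAR values are constructed assumptions, not Security Onion's shipped defaults.

```python
# Added example (not from the deck or Security Onion): pivot from the slide 7 Snort rule header to the slide 15 Sguil raw-capture file names.
import ipaddress
import re

HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
RAW_NAME = re.compile(r"^([\d.]+):(\d+)_([\d.]+):(\d+)-(\d+)\.raw$")
# Constructed values for the Snort variables (an assumption, not SO's shipped defaults).
VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "10.0.0.0/8", "$SHELLCODE_PORTS": "!80"}
RULE = ('alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 '
        'inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; '
        'classtype:shellcode-detect; sid: 2101390; rev:7;)')

def parse_rule(text):
    """Split a Snort rule into header fields plus an options dict (escaped ';' not handled)."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def parse_raw_name(name):
    """Decode srcip:srcport_dstip:dstport-proto.raw into a 5-tuple (proto = IP protocol number)."""
    m = RAW_NAME.match(name)
    if not m:
        return None
    src, sport, dst, dport, proto = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": int(proto)}

def _match(spec, value, is_port):
    """Match one address/port spec ('any', 'x', '!x' or a $VAR) against a session value."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = int(spec) == value if is_port else \
        ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def rule_hits(rule, session):
    """True if the session's 5-tuple falls inside the rule header ('ip' matches any protocol)."""
    proto_ok = rule["proto"] == "ip" or {"tcp": 6, "udp": 17}.get(rule["proto"]) == session["proto"]
    checks = [(rule["src"], session["src"], False), (rule["sport"], session["sport"], True),
              (rule["dst"], session["dst"], False), (rule["dport"], session["dport"], True)]
    return proto_ok and all(_match(*c) for c in checks)
```

Running the slide 15 file name through rule_hits(parse_rule(RULE), parse_raw_name(name)) selects it as a candidate capture for the slide 7 alert; a list comprehension over a directory listing from /nsm does the same for every session on the sensor.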