Peeling back your Network Layers with Security Onion

Peeling Your Network Layers With
{ _id: “Mark Hillick”, “company”:
“Kybeire” }
Friday 23 November 12

View Slide

> db.whoam.findOne()
{
"contact": {
"email": "[email protected]",
"web": "www.hackeire.net",
"twitter": "markofu"
},
"work" : { "10gen" : "MongoDB" },
"cert" : { "GIAC GSE" : true },
"state" : { "Nervous" : true, "Relaxed" : false },
"tags" : [ { "securityonion" : 1}, {"tcp" : 1} , {"ids" : 1},
{"packet analysis" : 1}, {"defensive fun" : 1}, {"nsm" : 1} ],
"try-to-help" : [ { "IrissCert" : "not very well"} , {"Security
Onion" : "not well enough"} ]
}

View Slide

Last Presentation - need
humour!!!
Or at least an attempt at it :)
SO @ IrissCon

View Slide

Four Things
This talk is NOT an IDS talk!
This talk will be fairly
technical :)
And fast :)
If you don’t like Lego or Star
Wars, you might want to leave

View Slide

Creator
Doug Burks - the guy is
incredible, he does not sleep :)
Grew out of SANS Gold Paper
Wanted to help make Sguil &
NSM “easier” to deploy!

View Slide

Security Onion is a Linux distro for IDS (Intrusion Detection) & NSM
(Network Security Monitoring).
New version => all Ubuntu-type 12.04 distros [LTS], 32 & 64 bit
Old version => Xubuntu 10.04 [LTS], 32 bit only
Contains many security tools.
The easy-to-use Setup wizard allows you to build an army of distributed
sensors for your enterprise in minutes!
Open-Source : so it’s all there!!!!
So, what is it?

View Slide

Traditionally
DEFENCE-IN-DEPTH
Layers, layers & more layers:
Firewalls; IDS/IPS; WAF
Restrict inbound, allow all
outbound
Different FW tech
ACLs on Routers
But what is going on?

View Slide

alert ip $EXTERNAL_NET
$SHELLCODE_PORTS -> $HOME_NET any
(msg:"GPL SHELLCODE x86 inc ebx NOOP";
content:"CCCCCCCCCCCCCCCCCCCCCCCC";
fast_pattern:only; classtype:shellcode-detect; sid:
2101390; rev:7;)
IDS Alert, what now?

View Slide

NSM, Old-Style :(
WTF???????
Ah man, this sucks!
grep this, awk that, sed this,
pipe to cvs, scp & open excel :(
Then make pretty for
mgmt :)

View Slide

State of IDS
Source: http://img2.moonbuggy.org/imgstore/doorstop.jpg

View Slide

NSM != IDS
Clarity!!!
“the collection, analysis, and
escalation of indications and
warnings (I&W) to detect and
respond to intrusions”
Richard Bejtlich, TaoSecurity Blog
http://taosecurity.blogspot.com/2007/04/networksecurity-
monitoring-history.html
NSM

View Slide

NSM, ONION-STYLE :)

View Slide

CHILDS-PLAY

View Slide

Architecture
Server, Sensors or Both
Ultimate Analyst Workstation

View Slide

Deploy, Build & Use
Aggregate or Tap
Use Cases:
Production - traditional DCs
on VM
Cloud Infrastructure
Personally: HackEire & @
home ETC
Admin - aptitude & upstart :)

View Slide

Haz Tools 1
IDS: Snort or Suricata - your choice :)

View Slide

Bro: powerful
network analysis
framework with
amazingly detailed
logs
Haz Tools 2
OSSEC monitors local
logs, file integrity &
rootkits
Can receive logs from
OSSEC Agents and
standard Syslog

View Slide

Haz Tools 3
Complete List: http://code.google.com/p/security-onion/wiki/Tools

View Slide

Directory Structure
Data : /nsm
backup, bro, server data &sensor data
By sensor name “$hostname-$interface”
Config : /etc/nsm
ossec, pulledpork, securityonion
$hostname-$interface
pads, snort, suricata, barnyard etc
Logs: /var/log/nsm

View Slide

NSM
sudo service nsm
restart
bro
ossec
sguil
sudo service nsm-
server restart
sudo service nsm-
sensor restart

View Slide

Pivot To Wireshark

View Slide

Attack : Client-Side

View Slide

Innocence

View Slide

Oops, now
inside!
Innocence

View Slide

Sit Back, Relax & Enjoy
Upcoming Demo of Client-side attack
User clicks on link
Channel is created back to attacker

View Slide

CS Attack: Sguil

View Slide

CS Attack: Snorby

View Slide

bash/bro scripting
framework & built-in scripts
/nsm/bro/logs/current
http.log
conn.log
CS Attack: Bro 1

View Slide

CS Attack: Bro 2
DETAIL, DETAIL, DETAIL......

View Slide

CS Attack: Elsa

View Slide

CS Attack: Network
Miner

View Slide

CS Attack: Network
Miner
$ ls -lart | grep 4444
-rw-rw-r-- 1 nsmadmin nsmadmin 1291079 Nov 4 21:22
10.20.0.111:4444_10.20.0.165:1804-6.raw

View Slide

Ah, yeah, now.......

View Slide

Ah, yeah, now.......
How many clicks does it take you to get from an alert to
the packet????
Can you pivot?
Could you take a Windows Administrator off the
street???

View Slide

Don’t Forget

View Slide

All Wrapped Up
Thanks to Doug & the team
No more
compiling
messing with installations
sorting out pre-requisites
Significantly reduced testing
Point & Click

View Slide

Conclusion
Easy Peasy
Powerful - haz tools
Nice pictures, GUIs &
graphs for
management ;-)
Open-Source is possible
& SO viable
Commodity H/W
Support - mixture!

View Slide

Want to join?
Security Onion needs:
Documentation & Artwork
Web Interface
Package Maintainers
Performance Benchmarks
Me -> “GetOpts -> sosetup &
Chef”
http://code.google.com/p/security-onion/wiki/TeamMembers

View Slide

Further Reading!!!
Project Home: https://code.google.com/p/
security-onion/
Blog: http://securityonion.blogspot.com
GG: https://groups.google.com/forum/?
fromgroups#!forum/security-onion
Wiki: http://code.google.com/p/security-
onion/w/list
Mailing Lists: http://code.google.com/p/
security-onion/wiki/MailingLists
IRC: #securityonion on irc.freenode.net
The Future: https://code.google.com/p/
security-onion/wiki/Roadmap

View Slide

Contact Me
[email protected]
@markofu
BTW, Star Wars Fan :)

View Slide

Pics Links
Onion: https://secure.flickr.com/
photos/[email protected]/3248129452/
Star Wars Lego: http://imgur.com/a/
0XvKw (Huge thanks to Mike
Stimpson ->
www.mikestimpson.com:) )
Book -> “Stormtroopers, we love
you”

View Slide

Thank You!!!

View Slide

Peeling back your Network Layers with Security Onion

Peeling back your Network Layers with Security Onion

Mark Hillick

More Decks by Mark Hillick

Featured

Transcript