DOCSLIB.ORG

Security Onion Documentation Release 2.3

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security Onion Documentation Release 2.3 Security Onion Documentation Release 2.3 Sep 27, 2021 Table of Contents 1 About 1 1.1 Security Onion..............................................1 1.2 Security Onion Solutions, LLC.....................................2 1.3 Documentation..............................................2 2 Introduction 5 2.1 Network Security Monitoring......................................7 2.2 Enterprise Security Monitoring.....................................7 2.3 Analysis Tools..............................................8 2.4 Deployment Scenarios.......................................... 12 2.5 Conclusion................................................ 12 3 License 13 4 First Time Users 15 5 Getting Started 39 5.1 Architecture............................................... 40 5.2 Hardware Requirements......................................... 48 5.3 Partitioning................................................ 53 5.4 Download................................................. 55 5.5 VMware................................................. 55 5.6 VirtualBox................................................ 57 5.7 Booting Issues.............................................. 58 5.8 Installation................................................ 58 5.9 AWS Cloud AMI............................................. 60 5.10 Azure Cloud Image............................................ 66 5.11 Configuration............................................... 71 5.12 Machine Learning............................................ 72 5.13 After Installation............................................. 73 6 Security Onion Console (SOC) 75 6.1 Alerts................................................... 79 6.2 Hunt................................................... 86 6.3 PCAP................................................... 94 6.4 Grid.................................................... 98 6.5 Downloads................................................ 98 i 6.6 Administration.............................................. 99 6.7 Kibana.................................................. 99 6.8 Grafana.................................................. 103 6.9 CyberChef................................................ 105 6.10 Playbook................................................. 109 6.11 Fleet................................................... 114 6.12 TheHive................................................. 115 6.13 ATT&CK Navigator........................................... 117 7 Analyst VM 119 7.1 NetworkMiner.............................................. 120 7.2 Wireshark................................................. 123 8 Network Visibility 129 8.1 AF-PACKET............................................... 130 8.2 Stenographer............................................... 131 8.3 Suricata.................................................. 133 8.4 Zeek................................................... 136 8.5 Strelka.................................................. 144 9 Host Visibility 149 9.1 osquery.................................................. 149 9.2 Beats................................................... 151 9.3 Wazuh.................................................. 153 9.4 Syslog.................................................. 156 9.5 Sysmon.................................................. 156 9.6 Autoruns................................................. 158 10 Logs 159 10.1 Ingest................................................... 159 10.2 Filebeat.................................................. 161 10.3 Logstash................................................. 177 10.4 Redis................................................... 182 10.5 Elasticsearch............................................... 183 10.6 ElastAlert................................................. 190 10.7 Curator.................................................. 193 10.8 Data Fields................................................ 195 10.9 Alert Data Fields............................................. 195 10.10 Elastalert Fields............................................. 196 10.11 Zeek Fields................................................ 197 10.12 Community ID.............................................. 197 10.13 Re-Indexing............................................... 198 11 Updating 199 11.1 soup.................................................... 199 11.2 Airgap.................................................. 202 11.3 End Of Life................................................ 203 12 Accounts 205 12.1 Passwords................................................ 205 12.2 Adding Accounts............................................. 206 12.3 Listing Accounts............................................. 207 12.4 Disabling Accounts........................................... 208 12.5 Role-Based Access Control (RBAC)................................... 209 ii 13 Services 215 14 Customizing for Your Environment 217 14.1 Cortex.................................................. 217 14.2 Proxy Configuration........................................... 218 14.3 Firewall.................................................. 219 14.4 Email Configuration........................................... 224 14.5 NTP.................................................... 226 14.6 SSH.................................................... 226 14.7 Changing IP Addresses.......................................... 227 14.8 Changing Web Access URL....................................... 227 15 Tuning 229 15.1 Salt.................................................... 229 15.2 Homenet................................................. 231 15.3 BPF.................................................... 232 15.4 Managing Rules............................................. 234 15.5 Adding Local Rules........................................... 236 15.6 Managing Alerts............................................. 237 15.7 High Performance Tuning........................................ 245 16 Tricks and Tips 247 16.1 Backups................................................. 247 16.2 Docker.................................................. 248 16.3 DNS Anomaly Detection......................................... 250 16.4 ICMP Anomaly Detection........................................ 251 16.5 Adding a new disk............................................ 251 16.6 PCAPs for Testing............................................ 252 16.7 Removing a Node............................................ 253 16.8 Syslog Output.............................................. 254 16.9 UTC and Time Zones.......................................... 255 17 Utilities 257 17.1 jq..................................................... 257 17.2 so-allow................................................. 257 17.3 so-elastic-auth.............................................. 258 17.4 so-elasticsearch-query.......................................... 259 17.5 so-import-pcap.............................................. 260 17.6 so-import-evtx.............................................. 261 17.7 so-monitor-add.............................................. 261 17.8 so-test................................................... 261 17.9 so-zeek-logs............................................... 263 18 Help 265 18.1 FAQ.................................................... 265 18.2 Directory Structure............................................ 269 18.3 Tools................................................... 270 18.4 Support.................................................. 271 18.5 Community Support........................................... 271 18.6 Help Wanted............................................... 272 19 Security 275 19.1 Vulnerability Disclosure......................................... 275 19.2 Product and Supply Chain Integrity................................... 275 iii 20 Appendix 277 21 Release Notes 281 21.1 2.3.80 Changes.............................................. 281 21.2 2.3.70 Hotfix [WAZUH]......................................... 282 21.3 2.3.70 Hotfix [GRAFANA_DASH_ALLOW].............................. 282 21.4 2.3.70 Hotfix [CURATOR]........................................ 282 21.5 2.3.70 Changes.............................................. 282 21.6 2.3.61 Hotfix [STENO, MSEARCH].................................. 283 21.7 2.3.61 Changes.............................................. 283 21.8 2.3.60 Hotfix [ECSFIX, HEAVYNODE, FBPIPELINE, CURATORAUTH] Changes......... 283 21.9 2.3.60 Changes.............................................. 284 21.10 2.3.52 Changes.............................................. 285 21.11 2.3.51 Changes.............................................. 285 21.12 2.3.50 Changes.............................................. 285 21.13 2.3.50 Known Issues........................................... 287 21.14 2.3.40 Changes.............................................. 287 21.15 2.3.40 Known Issues........................................... 288 21.16 2.3.30 Changes.............................................. 288 21.17 2.3.30 Known Issues........................................... 290 21.18 2.3.21 Changes.............................................. 290 21.19 2.3.10 Changes.............................................. 292 21.20 2.3.10 Known Issues........................................... 294 21.21 2.3.2 Changes.............................................. 294 21.22 2.3.1 Changes.............................................. 294 21.23 2.3.1 Known Issues............................................ 294 21.24 2.3.0 Changes.............................................
Load more

Recommended publications
  • Implementing Cisco Cyber Security Operations
    2019 CLUS Implementing Cisco Cyber Security Operations Paul Ostrowski / Patrick Lao / James Risler Cisco Security Content Development Engineers LTRCRT-2222 2019 CLUS Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#LTRCRT-2222 by the speaker until June 16, 2019. 2019 CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda • Goals and Objectives • Prerequisite Knowledge & Skills (PKS) • Introduction to Security Onion • SECOPS Labs and Topologies • Access SECFND / SECOPS eLearning Lab Training Environment • Lab Evaluation • Cisco Cybersecurity Certification and Education Offerings 2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Goals and Objectives: • Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow. • Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats. • The goal of Cisco’s CCNA Cyber OPS (SECFND / SECOPS) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat centric security operations center. • This session will provide the student with an understanding of Security Onion as an open source network security monitoring tool (NSM).
    [Show full text]
  • Securing Infrastructure-As-A-Service Public Clouds Using Security Onion
    Securing Infrastructure-as-a-Service Public Clouds Using Security Onion MIKAIL, Abdullahi and PRANGGONO, Bernardi <http://orcid.org/0000-0002- 2992-697X> Available from Sheffield Hallam University Research Archive (SHURA) at: http://shura.shu.ac.uk/23927/ This document is the author deposited version. You are advised to consult the publisher's version if you wish to cite from it. Published version MIKAIL, Abdullahi and PRANGGONO, Bernardi (2019). Securing Infrastructure-as-a- Service Public Clouds Using Security Onion. Applied System Innovation, 2 (1). Copyright and re-use policy See http://shura.shu.ac.uk/information.html Sheffield Hallam University Research Archive http://shura.shu.ac.uk Article Securing Infrastructure-as-a-Service Public Clouds Using Security Onion Abdullahi Mikail and Bernardi Pranggono * Department of Engineering and Mathematics, Sheffield Hallam University, Howard Street, Sheffield S1 1WB, UK; [email protected] * Correspondence: [email protected] Received: 17 December 2018; Accepted: 23 January 2019; Published: 30 January 2019 Abstract: The shift to Cloud computing has brought with it its specific security challenges concerning the loss of control, trust and multi-tenancy especially in Infrastructure-as-a-Service (IaaS) Cloud model. This article focuses on the design and development of an intrusion detection system (IDS) that can handle security challenges in IaaS Cloud model using an open source IDS. We have implemented a proof-of-concept prototype on the most deployed hypervisor—VMware ESXi—and performed various real-world cyber-attacks, such as port scanning and denial of service (DoS) attacks to validate the practicality and effectiveness of our proposed IDS architecture.
    [Show full text]
  • Running Bro on BSD
    Running Bro on BSD An analysis of high performance solutions running on BSD operating systems. Michael Shirk BroCon 2016 @Shirkdog http://github.com/Shirkdog Agenda l Introduction l Bro is awesome l Why FreeBSD? l High Performance and FreeBSD l FreeBSD at the Berkley Lab l PF_RING vs. netmap l OpenBSD Rant Warning l Whenever you see the beastie with a hammer, there is a potential for some BSD bias to slip in. l The goal is to minimize this throughout the talk. l All information not cited in this talk is based on personal experience or opinion (marked with an asterisk *). Introduction l Worked in IDS/IPS since 2003 (various positions including consulting) - Engines: Snort, Suricata, Dragon and now Bro (also had to work with McAfee, ISS, NFR … others) - Signatures for Emerging Threats (since they were Bleeding Edge Snort) l Support Open Source Security Tools and Software - Maintain pulledpork for Snort/Suricata (rule updating script): http://github.com/shirkdog/pulledpork - Active community member of open source projects: l Operating Systems: FreeBSD, OpenBSD, HardenedBSD l Security Tools: Snort, Suricata, AIDE, Bro (starting) Bro Beginnings l 2013 – Bro setup on Linux with PF_RING and Suricata ( Dell R610 12 Core 32GB Appliance) - PoC was Security Onion, the production setup was on Ubuntu with PF_RING, Suricata and nothing else. - Gigamon TAP aggregated data to a single 10Gb Fiber interface fed to the Bro/Suricata sensor. - ~700Mbps peak, ~350Mbps non-peak l Bro logs were fed into Splunk (modified Splunk_TA_Bro to work with log formats) l Set it and forget it, it's just that simple.
    [Show full text]
  • Evaluating the Availability of Forensic Evidence from Three Idss: Tool Ability
    Evaluating the Availability of Forensic Evidence from Three IDSs: Tool Ability EMAD ABDULLAH ALSAIARI A thesis submitted to the Faculty of Design and Creative Technologies Auckland University of Technology in partial fulfilment of the requirements for the degree of Masters of Forensic Information Technology School of Engineering, Computer and Mathematical Sciences Auckland, New Zealand 2016 i Declaration I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which to a substantial extent has been accepted for the qualification of any other degree or diploma of a University or other institution of higher learning, except where due acknowledgement is made in the acknowledgements. Emad Abdullah Alsaiari ii Acknowledgement At the beginning and foremost, the researcher would like to thank almighty Allah. Additionally, I would like to thank everyone who helped me to conduct this thesis starting from my family, supervisor, all relatives and friends. I would also like to express my thorough appreciation to all the members of Saudi Culture Mission for facilitating the process of studying in a foreign country. I would also like to express my thorough appreciation to all the staff of Saudi Culture Mission for facilitating the process of studying in Auckland University of Technology. Especially, the pervious head principal of the Saudi Culture Mission Dr. Satam Al- Otaibi for all his motivation, advice and support to students from Saudi in New Zealand as well as Saudi Arabia Cultural Attaché Dr. Saud Theyab the head principal of the Saudi Culture Mission.
    [Show full text]
  • Ipv6 Security Training Course
    IPv6 Security Training Course References March 2021 Introduction During the IPv6 Security Course, many references are given, mostly IETF RFCs (Internet Engineering Task Force)(Request For Comments). You can also find useful references for RIPE NCC documents, security tools and sources of relevant security information. This document contain more details about those references, allowing the course participants to go deeper into details. In the case of RFCs, updated information about them, like the date of publication or if it still valid or has been obsoleted or update by another RFC, could be found in the www.rfc-editor.org web site. IETF Standards References [RFC2827] P. Ferguson, D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, May 2000, Best Current Practice [RFC3704] F. Baker, P. Savola, “Ingress Filtering for Multihomed Networks”, March 2004, Best Current Practice [RFC3756] P. Nikander, Ed., J. Kempf, E. Nordmark, “IPv6 Neighbor Discovery (ND) Trust Models and Threats”, May 2004, Informational [RFC3849] G. Huston, A. Lord, P. Smith, "IPv6 Address Prefix Reserved for Documentation", July 2004 [RFC3971] J. Arkko, Ed., J. Kempf, B. Zill, P. Nikander, SEcure Neighbor Discovery (SEND), March 2005, Proposed Standard [RFC3972] T. Aura, “Cryptographically Generated Addresses (CGA)”, March 2005, Proposed Standard [RFC4191] R. Draves, D. Thaler, “Default Router Preferences and More- Specific Routes”, November 2005, Proposed Standard [RFC4301] S. Kent, K. Seo, "Security Architecture for the Internet Protocol”, December 2005, Proposed Standard [RFC4302] S. Kent, “IP Authentication Header”, December 2005, Obsoletes RFC 2402, Proposed Standard [RFC4303] S. Kent, “IP Encapsulating Security Payload (ESP)”, December 2005, Obsoletes RFC 2406, Proposed Standard [RFC4443] A.
    [Show full text]
  • Part Iii Network Security Monitoring Processes
    Bejtlich_book.fm Page 345 Thursday, June 17, 2004 8:40 AM PART III NETWORK SECURITY MONITORING PROCESSES 345 Bejtlich_book.fm Page 346 Thursday, June 17, 2004 8:40 AM Bejtlich_book.fm Page 347 Thursday, June 17, 2004 8:40 AM Best11 Practices In Parts I and II we explored NSM theory and some tools for conducting NSM. Part III is intended for people who manage NSM operations. It presents best practices for assess- ment, protection, detection, and response, as far as NSM is concerned. While elements of NSM best practices appear throughout the book, this chapter focuses exclusively on the mind-set needed to conduct NSM operations. Chapter 12 brings these principles to life in several case studies. Chapter 1 introduced the security process in general. In this chapter, I explain the NSM-specific aspects of each security process step (see Figure 11.1). First, I describe the benefits of developing a well-defined security policy during assessment. Then I explain protection with respect to access control, traffic scrubbing, and proxies. Next, detection is expanded to include collection, identification, validation, and escalation of suspicious events. I elaborate on response within the context of short-term incident containment and emergency NSM. Finally, I conclude by returning to the assessment phase by high- lighting analyst feedback as a component of planning for the next cycle. ASSESSMENT Assessment involves taking steps to ensure the probability of successfully defending an enterprise. Within the NSM model, assessment means implementing products, people, and processes most conducive to accurately identifying and mitigating intrusions. Part II illustrated NSM tools, and Part IV will offer suggestions for training people.
    [Show full text]
  • Intrusion Detection System and Intrusion Prevention System with Snort Provided by Security Onion
    Bezborodov Sergey Intrusion Detection System and Intrusion Prevention System with Snort provided by Security Onion. Bachelor’s Thesis Information Technology May 2016 DESCRIPTION Date of the bachelor's thesis 06.05.2016 Author(s) Degree programme and option Bezborodov Sergey Information Technology Name of the bachelor's thesis Intrusion Detection Systems and Intrusion Prevention System with Snort provided by Security Onion. Abstract In this thesis I wanted to get familiar with Snort IDS/IPS. I used the Security Onion distribution with a lot of security tools, but I concentrated on Snort. Also I needed to evaluate Security Onion environment and check what features it provides for processing with Snort. During the work I needed to figure out the pros and cons of using Security Onion with Snort as a security system for network. I compared it with alternatives and briefly describe it. As result I installed Security Onion, work with the environment, configured different features, created and modified rules and so on. I think this thesis will be helpful for people who want to use IDS/IPS for their network, it should help them to choose IDS/IPS vendor, make Security Onion and Snort installation, make comparison with another one and just get familiar with the network security tools. Also, this thesis can be a part of big research of network security tools, because now is impossible to find such detailed guides and literatures about any IDS/IPS tools. It is a good idea to combine many researches about it and make a good library. This thesis can be used for further development of Snort and Security Onion as it only on the development phase now, it will provide base for new researching with new versions.
    [Show full text]
  • Analyzing Offensive and Defensive Networking Tools in a Laboratory Environment
    NIKO HEIKURA ANALYZING OFFENSIVE AND DEFENSIVE NETWORKING TOOLS IN A LABORATORY ENVIRONMENT Master of Science thesis Examiners: prof. Jarmo Harju and M.Sc. Markku Vajaranta Examiners and topic approved by the Faculty Council of the Faculty of Computing and Electrical Engineer- ing on 8th October 2014 i ABSTRACT NIKO HEIKURA : Analyzing Offensive and Defensive Networking Tools in a La- boratory Environment Tampere University of Technology Master of Science Thesis, 93 pages March 2015 Master’s Degree Programme in Signal Processing and Communications Engi- neering Major: Communications Networks and Protocols Examiners: Professor Jarmo Harju and M.Sc. Markku Vajaranta Keywords: denial of service, network security, network security monitoring, ex- ploits, vulnerabilities The safest way of conducting network security testing is to do it in a closed laboratory environment that is isolated from the production network, and whose network configu- ration can be easily modified according to needs. Such an environment was built to the Department of Pervasive Computing in the fall of 2014 as part of TUTCyberLabs. In addition to the networking hardware, computers and servers, two purchases were made: Ruge, a traffic generator, and Clarified Analyzer, a network security monitor. Open source alternatives were researched for comparison and the chosen tools were Ostinato and Security Onion respectively. A hacking lab exercise was created for Computer Network and Security course employing various tools found in Kali Linux that was in- stalled on the computers. Different attack scenarios were designed for the traffic genera- tors and Kali Linux, and they were then monitored on the network security monitors. Finally a comparison was made between the monitoring applications.
    [Show full text]
  • Logging and Monitoring at Home Who Am I
    Defending the Homeland Logging and Monitoring at home Who am I @nullthreat Offensive Red Team for a major company I break stuff Started security @ CNDSP ADT for networks @ DOD Designed and Deployed NSM on DOD net Talking Points Perimeter Firewall Central Logging Host IDS Network IDS Basic Honeypots Deployment Strategies Disclaimer: The ideas and solutions presented are my opinion, feel free to disagree. OS'es I use all Linux and Macs at home I will not be talking about Windows at all, deal with it Won't matter once we are talking NIDS Firewalls on the Cheap As I see it there is only one good solution in this space PFSense http://www.pfsense.org ● Fork of MonoWall ● Robust Firewall based on PF(FreeBSD) ● Multiple VPN Support built-in ○ OpenVPN, IPSec, L2TP, PPTP ● Package based add-ons ○ pfBlocker(block netblocks), Snort, Squid ● Runs on almost anything, Full PC or Embedded Embedded Solutions ALIX 2D3/2D13 ~ 200$ @ store.netgate.com PFsense on Alix Setup Pauldotcom.com tech segement from episode 220 Google "alix pfsense pauldotcom" and you'll find the show notes Spark notes: Download IMG, Write to CF Card, Boot, Use Serial Terminal to do initial setup PFSense on Alix Setup Pro Tip: Don't put the box together until you flash the OS onto the card, You have to take the entire box apart to get the CF Card in and out. PFSense Demo Other Options Surplus Cisco/Juniper/Checkpoint Hardware Consumer Firewall Solutions http://en.wikipedia. org/wiki/List_of_router_or_firewall_distributions Firewalls Questions? Central Logging I do this on my servers and VPSs Could do on clients but....meh Usually the same box that hosts my NIDS stuff Lots of options syslogd Ol' reliable Been around since the dawn of freaking time originally part of sendmail circa 1980s UDP Only(in most cases) Easy-ish to configure but hard to really dial in syslogd Server: set -r flag in /etc/sysconfig/syslog ex.
    [Show full text]
  • Evaluation of Intrusion Detection Systems in Ipv6 Networks
    Evaluation of Intrusion Detection Systems in IPv6 Networks Max Schrotter¨ 1, Thomas Scheffler2 and Bettina Schnor1 1Operating Systems and Distributed Systems, University of Potsdam, Potsdam, Germany 2School of Engineering - Energy and Information, Hochschule fur¨ Technik und Wirtschaft Berlin, Berlin, Germany Keywords: IDS, IDSv6, Benchmark, IPv6. Abstract: This paper introduces a benchmark suite for the evaluation of intrusion detection systems in IPv6 environ- ments. We use this benchmark to evaluate the prominent intrusion detection systems Snort, Zeek and Suricata. Further, an IPv6 Plugin Suite is presented and evaluated which enhances Snort by stateful attack detection. The results of our evaluation demonstrate the current abilities to detect IPv6 link-local attacks. 1 INTRODUCTION This leads to a third approach, that focuses on network monitoring and anomaly detection. Work Relatively early after the finalization of the IPv6 stan- started with (Beck et al., 2007), which introduced the dard, it became apparent, that the automatic host con- host-based tool ndpmon that listens to all NDP mes- figuration mechanism defined in the protocol did not sages in order to detect NDP anomalies and report work well with the proposed IPsec security mech- them. Another suitable approach is based on the ex- anisms and that the Neighbor Discovery Protocol tension of Intrusion Detection Systems (IDS) with ad- (NDP) (Narten et al., 2007) suffered from similar se- equate protocol support for the detection of specific curity problems as the Address Resolution Protocol IPv6-attacks. The authors of (Schutte¨ et al., 2012) (ARP) in IPv4 (Arkko et al., 2002). developed an IPv6 Plugin Suite for the well known IDS Snort 2.
    [Show full text]
  • Open Source Network Security Monitoring with Sguil
    Open Source Network Security Monitoring With Sguil David J. Bianco Cybersecurity Analyst Jeferson Lab [email protected] Thomas Jefferson National Accelerator Facility Cyber Security Review, April 23-24, 2002, Operated by Jefferson Science Associates, LLC. for the U.S. Depart. Of Energy 1 Table of Contents • Intro to Network Security Monitoring (NSM) • NSM with Sguil • Sguil architecture • Working with Sguil • Sguil in action • Try it yourself! • Summary • More Information • Questions Thomas Jefferson National Accelerator Facility Cyber Security Review, April 23-24, 2002, Operated by Jefferson Science Associates, LLC. for the U.S. Depart. Of Energy 2 Network Monitoring • Most mid/large-sized organizations perform network monitoring • Intrusion Detection Systems (IDS) • Syslogs/Event Logs • NetFlow/SFlow • Other sources(?) • Lots of information but no coherence • Hard to correlate into usable intelligence • Difficult to reassemble the puzzle • Research & analysis takes lots of analyst time Thomas Jefferson National Accelerator Facility Cyber Security Review, April 23-24, 2002, Operated by Jefferson Science Associates, LLC. for the U.S. Depart. Of Energy 3 Network Security Monitoring The collection, analysis and escalation of indications and warnings to detect and respond to intrusions. Thomas Jefferson National Accelerator Facility Cyber Security Review, April 23-24, 2002, Operated by Jefferson Science Associates, LLC. for the U.S. Depart. Of Energy 4 NSM in a Nutshell • NSM is a methodology, not a product • An extension/evolution of traditional network monitoring • Integrates different sources into a single view • Easier to understand • Speeds the research process Thomas Jefferson National Accelerator Facility Cyber Security Review, April 23-24, 2002, Operated by Jefferson Science Associates, LLC.
    [Show full text]
  • Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment
    Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment Log Management and Intrusion Detection solutions have been evolving for years. Yet, it remains a challenge for organizations of all sizes to meet the operational, audit and security needs using these solutions. This paper presents a solution to bridge logging, log based intrusion detection and network based intrusion detection using well known free open source tools available on the Security Onion Linux Distribution. It walks through the logging, monitoring and alerting approach necessary for security, compliance and q... Copyright SANS Institute Author Retains Full Rights AD Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment . ts h g ri GIAC (GCIA) Gold Certification ll u f Author: Sunil Gupta, [email protected] s Advisor: Dr. Kees Leune in ta re r Accepted: July 4, 2012o th u , A te tu ti Abstract s n Log Management and Intrusion I Detection solutions have been evolving for years. Yet, it remains a challenge for organizationsS of all sizes to meet the operational, audit and security needs using these solutions. ThisN paper presents a solution to bridge logging, log based intrusion detection A and network Sbased intrusion detection using well known free open source tools available on the Security Onion Linux Distribution. It walks through the logging, monitoring and alerting 12 approach0 necessary for security, compliance and quality of service.
    [Show full text]