Enterprise


Mohammed El Azzouzi

May 22, 2012, 6:10:59 PM
to security-onion
Dear Doug,

I'm kind of new to the IDS world and am fighting very hard at the moment to
understand it.
So far I have tested the sensor and server roles and they work fine.

But now I get pressure on when to roll out.

Now my question is: what do you advise? Can I start rolling out the
sensors and server after the installation is done, so I can tune the
IDSs step by step once they have started monitoring at the location and
are running remotely?

Please advise how to start and what to do; please keep in mind this is
an enterprise with 20 sensors over EMEA.

Thx

Doug Burks

May 23, 2012, 5:01:43 PM
to securit...@googlegroups.com
Hi Mohammed,

I don't understand your questions. Perhaps the following links will assist you.

http://code.google.com/p/security-onion/wiki/Installation
http://securityonion.blogspot.com/2011/04/security-onion-20110321-distributed.html
http://vimeo.com/35993348
http://code.google.com/p/security-onion/w/list

Hope that helps!

Thanks,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

Scott

May 24, 2012, 1:10:08 PM
to securit...@googlegroups.com
Hello Mohammed.

Correct me if I'm wrong, but it looks like you're asking for advice on how to determine if your SO deployment is ready for production, including what kind of monitoring policy to start with (full rule set that you would tune in the field OR partial rule set that you would build up as needed). Is this correct? 

If so, these aren't purely technical questions and are subjective to your environment. 20 IDS sensors throughout EMEA is a decent sized starting deployment. It has the potential to generate an overwhelming amount of alert data (not to mention all the other data SO collects). The following questions might help determine your deployment readiness:

1. Team size and roles - Are you the only person managing this deployment (including responding to and investigating alerts) or do you have a team to work with?  If you're alone I recommend scaling back the number of sensors initially deployed.  Start with 5 or less (perhaps even 1) and develop your operations workflow using that small initial deployment. Even a single busy sensor can produce alert data volumes that outpace a small team of analysts. If you don't have an established operations process, it's easier to develop one with a lower volume of alert data to analyze. If you have a team, do they have defined roles (some manage the deployment, others analyze alert data)? Will the roles rotate periodically throughout the team?

2. Security Policy - Do you have a security policy stating what event types are relevant to the company and how they're prioritized?  For example, your company may allow employees to use outside instant messaging services but restrict the use of P2P software. Based on that policy, P2P monitoring and alerting would be higher priority than IM monitoring (if you enable it at all). That's not the best example but it makes the point. If you already know areas you don't monitor or the company doesn't care about, consider dropping those from your initial monitoring or alerting configurations. When you've got the high priority security concerns covered, then look at what additional monitoring you could add (depending on available resources).

3. NSM Policy - Since Security Onion is more than just an IDS, have you considered if and how you'll use the other NSM tools it provides (full packet capture, statistical data, anomaly detection, etc.)?  If you're not ready or able to utilize the additional data then consider if you'll still deploy them in addition to IDS monitoring. If enabled, you'll have the extra data to support event analysis but you'll have to consider available storage space.  If you don't enable them, you'll save on storage space but may lack critical data during a future investigation. I think most people here would agree disk space is cheap and even if you don't use the data, it's better to collect than not.

4. Incident Response Plan - Does your company have one? Many companies lack a solid IR plan or the established plan is outdated compared to their deployed security technologies. If you have an established IR plan, does it include responding to IDS alerts and related investigations? If there's no IR plan what will you do with alerts from your SO deployment?  

If that's not what you were asking about then I apologize for the lengthy response. Hope this helps.

Scott



Mohammed El Azzouzi

Jun 4, 2012, 3:26:15 PM
to securit...@googlegroups.com

Dear Doug.

Thx for explaining.

3 questions.

- Do you know a good reference for rules to configure?

- Are the rules that are configured and updated a good start?

- And just to be sure, where are they placed and how do I get there?

Just see me as a starter, to be sure of what I'm doing.

Thx for your patience

Doug Burks

Jun 5, 2012, 6:26:06 AM
to securit...@googlegroups.com
Hi Mohammed,

Replies inline.

On Mon, Jun 4, 2012 at 3:26 PM, Mohammed El Azzouzi
<mohammed....@gmail.com> wrote:
<snip>
> - Do you know a good reference for rules to configure?

The best references for the IDS rulesets would be their respective
websites and mailing lists:
http://www.snort.org/vrt
http://www.emergingthreats.net/

> - Are the rules that are configured and updated a good start?

That all depends on your network and what you're trying to protect.

> - And just to be sure, where are they placed and how do I get there?

Rules are downloaded by Pulledpork and placed in:
/etc/nsm/rules/downloaded.rules

You can add your own rules to:
/etc/nsm/rules/local.rules

You can configure PulledPork using the config files in:
/etc/pulledpork/

Hope that helps!

Thanks,
Doug

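To make the file layout in Doug's reply concrete, here is an added example (not from this thread, Security Onion or PulledPork) that inventories Snort-format rule files such as /etc/nsm/rules/downloaded.rules and /etc/nsm/rules/local.rules: it counts enabled versus commented-out rules, groups them by classtype, and flags a sid used in both files. The rule lines embedded in it are constructed for the example; the only paths it mentions are the ones quoted above, and it assumes one rule per line (no backslash continuation lines).

```python
"""Inventory of Snort-format rule files (added example, not Security Onion's
or PulledPork's own code).  Sample rule text below is constructed."""
import re
from collections import Counter

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';' while ignoring semicolons inside
    double-quoted values (a msg such as "foo; bar" must stay intact)."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:                      # character after a backslash
            cur.append(ch)
            escaped = False
        elif ch == '\\' and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line):
    """Return a dict for one rule line (enabled or commented out with '#'),
    or None for blank lines and plain comments."""
    text = line.strip()
    if not text:
        return None
    enabled = not text.startswith('#')
    m = HEADER_RE.match(text if enabled else text.lstrip('# '))
    if m is None:
        return None                      # plain comment or unsupported syntax
    rule = {'enabled': enabled, 'action': m['action'], 'proto': m['proto'],
            'msg': None, 'sid': None, 'rev': None, 'classtype': None}
    for opt in split_options(m['opts']):
        key, _, val = opt.partition(':')  # flag options like 'nocase' have no value
        key, val = key.strip(), val.strip()
        if key == 'msg':
            rule['msg'] = val.strip('"')
        elif key in ('sid', 'rev'):
            rule[key] = int(val)
        elif key == 'classtype':
            rule['classtype'] = val
    return rule


def parse_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def summarize(rules):
    enabled = [r for r in rules if r['enabled']]
    return {'total': len(rules), 'enabled': len(enabled),
            'disabled': len(rules) - len(enabled),
            'by_classtype': dict(Counter(r['classtype'] for r in enabled))}


def sid_collisions(rules_a, rules_b):
    """SIDs present in both sets.  Local rules conventionally use sids of
    1000000 and above so they never clash with a downloaded ruleset."""
    sids_a = {r['sid'] for r in rules_a if r['sid'] is not None}
    sids_b = {r['sid'] for r in rules_b if r['sid'] is not None}
    return sorted(sids_a & sids_b)


# Constructed sample content in the style of downloaded.rules / local.rules.
DOWNLOADED_RULES = """\
# constructed sample, not a real ET or VRT ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN example SSH probe"; flow:to_server; threshold: type limit, count 1, seconds 60, track by_src; classtype:attempted-recon; sid:2000001; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"ET POLICY example disabled DNS rule"; classtype:policy-violation; sid:2000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P example; note the semicolon inside msg"; flow:established; content:"BitTorrent"; nocase; classtype:policy-violation; sid:2000003; rev:2;)
"""
LOCAL_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"LOCAL P2P port range"; classtype:policy-violation; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL sid collides with downloaded set"; classtype:misc-activity; sid:2000003; rev:1;)
"""

if __name__ == '__main__':
    downloaded = parse_rules(DOWNLOADED_RULES)   # in practice: open('/etc/nsm/rules/downloaded.rules').read()
    local = parse_rules(LOCAL_RULES)             # in practice: open('/etc/nsm/rules/local.rules').read()
    print('downloaded.rules:', summarize(downloaded))
    print('local.rules:', summarize(local))
    print('sid collisions:', sid_collisions(downloaded, local))
```

Point it at the two real files instead of the embedded samples to get a quick picture of what PulledPork has enabled after an update and whether anything in local.rules reuses a downloaded sid.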

Mohammed El Azzouzi

Jun 5, 2012, 9:33:58 AM
to securit...@googlegroups.com
Dear Doug,

Thx for your support, really appreciate it big time. Doug, 1 question: where can I find requirements for the SO server to manage all the sensors?

And the best would be a VM server.
--
M.El.Azzouzi

Doug Burks

Jun 5, 2012, 7:26:01 PM
to securit...@googlegroups.com
Yes, you can run the SO server in a VM. Be sure to allocate plenty of
RAM to the VM. Since it won't be doing full packet capture, it won't
need as much disk space as a sensor would. However, the MySQL
database can grow quite large (100GB or more) so size your storage
appropriately. This is mentioned in the Installation procedure:
http://code.google.com/p/security-onion/wiki/Installation

Hope that helps!

Doug


Joseph Hargis

Jun 6, 2012, 7:21:12 AM
to securit...@googlegroups.com
Hello Mohammed,

I am working on documentation describing the setup and configuration of
OSSEC Agents (both Ubuntu- and Windows-based agents) that will report to
the Security Onion OSSEC server. I hope to have these documents complete
very soon. They will be posted to the wiki page
(http://code.google.com/p/security-onion/w/list) when complete. I hope
this answers the question you were asking!

Joe