Security Onion queries


Saptarshi Biswas

Jul 19, 2015, 1:59:37 PM
to securit...@googlegroups.com
Hi All,

I have been using AlienVault OSSIM USM as well as the community version for the last 5 years.

Recently I came across Security Onion and really liked the ELSA integration.

I have the following queries, based on my comparison with OSSIM. It will be great if someone can answer them.

Is Security Onion a complete SIEM with correlation rules, or an NSM?

Can Security Onion be integrated with other SIEM tools?

Does it have a single admin login form, or separate ones for Sguil, Squert, etc.?

Does it have IP reputation?

Can we separate/remove ELSA and use ELK stack instead?

Cheers
SB

Doug Burks

Jul 19, 2015, 5:43:26 PM
to securit...@googlegroups.com
Replies inline.

On Sun, Jul 19, 2015 at 1:26 PM, Saptarshi Biswas <ran...@gmail.com> wrote:
> Hi All,
>
> I have been using AlienVault OSSIM USM as well as the community version for the last 5 years.
>
> Recently I came across Security Onion and really liked the ELSA integration.
>
> I have the following queries, based on my comparison with OSSIM. It will be great if someone can answer them.
>
> Is Security Onion a complete SIEM with correlation rules, or an NSM?

Correlation can be done via OSSEC or ELSA:
http://ossectools.blogspot.com/2012/03/correlation-in-elsa.html

> Can Security Onion be integrated with other SIEM tools?

Yes, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration

> Does it have a single admin login form, or separate ones for Sguil, Squert, etc.?

I'm not sure I understand your question, but you can have multiple
users in the Sguil database. The Sguil user database is used for
authentication in Squert and ELSA.

> Does it have IP reputation?

Yes, you can do IP reputation via Snort, Suricata, or Bro.

> Can we separate/remove ELSA and use ELK stack instead?

Yes, ELSA is easily disabled, but please keep in mind that ELK
hardware requirements are generally higher than ELSA's.

Any particular reason you don't want to use ELSA?

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Saptarshi Biswas

Jul 20, 2015, 4:07:05 AM
to securit...@googlegroups.com


Hi Doug,

Thanks for your reply. Does Security Onion support multi-tenancy?

Let's say my team is monitoring two different networks belonging to Office A and Office B.

We create separate admin logins for Office A & B.
Now when the admin for Office A logs into the Security Onion console, he/she should be able to see only logs, alerts and alarms for his/her network, i.e. the Office A network.

Is the above multi-tenant feature supported in Security Onion?


Regarding my one-page login question, what I meant was that in the SIEM we use (OSSIM USM) there is only one login form, which we use to log in to the OSSIM web console.

Whereas in Security Onion I suppose there are separate logins for Sguil and Squert; I might be wrong though.
So my query was: is there a single login (in Security Onion) from where we can see all dashboards and menus?

Cheers
SB

Doug Burks

Jul 20, 2015, 5:34:25 AM
to securit...@googlegroups.com
Replies inline.

On Mon, Jul 20, 2015 at 4:07 AM, Saptarshi Biswas <ran...@gmail.com> wrote:
> Hi Doug,
>
> Thanks for your reply. Does Security Onion support multi-tenancy?
>
> Let's say my team is monitoring two different networks belonging to Office A and Office B.
>
> We create separate admin logins for Office A & B.
> Now when the admin for Office A logs into the Security Onion console, he/she should be able to see only logs, alerts and alarms for his/her network, i.e. the Office A network.
>
> Is the above multi-tenant feature supported in Security Onion?

One option would be to use ELSA's ability to do recursive searches:

Create a Security Onion deployment for Office A.

Create a separate Security Onion deployment for Office B.

Each deployment would have its own users/alerts/alarms.

If you need to be able to view logs across both Office A and Office B
at the same time, then you could create a third deployment and
configure ELSA on this third deployment to query the ELSA deployments
in Office A and Office B.

> Regarding my one-page login question, what I meant was that in the SIEM we use (OSSIM USM) there is only one login form, which we use to log in to the OSSIM web console.
>
> Whereas in Security Onion I suppose there are separate logins for Sguil and Squert; I might be wrong though.
> So my query was: is there a single login (in Security Onion) from where we can see all dashboards and menus?

Most users don't use Sguil and Squert at the same time. Squert is a
web interface to the Sguil database, so they are two different
interfaces to the same data. Most users settle on a preferred
interface (either Squert or Sguil) and use it all the time.

Saptarshi Biswas

Jul 20, 2015, 12:31:54 PM
to securit...@googlegroups.com
Hi Doug,

Do you mean that we deploy one Security Onion sensor for Office A and another for Office B, but the server remains the same for both sensors?

Cheers
SB

Doug Burks

Jul 20, 2015, 8:29:14 PM
to securit...@googlegroups.com
If Office A and Office B are both small offices where a single sensor
would suffice, then:

- create a Standalone server/sensor at Office A and a separate
Standalone server/sensor at Office B

- build a new Master server totally separate from Office A and Office B

- configure the new Master server's /etc/elsa_web.conf to query the
Standalone server/sensor boxes at Office A and Office B.
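As an added illustration (not part of this thread or of the Security Onion project's own files), here is what the third step above looks like: a peers block in the Master server's /etc/elsa_web.conf pointing at the two Standalone boxes. The key names follow ELSA's peers format as documented by the ELSA project; the hostnames and API key values are placeholders, and each apikey must match the key configured on the corresponding Standalone box.

```json
{
  "peers": {
    "office-a.example.internal": {
      "url": "https://office-a.example.internal/",
      "username": "elsa",
      "apikey": "REPLACE_WITH_OFFICE_A_APIKEY"
    },
    "office-b.example.internal": {
      "url": "https://office-b.example.internal/",
      "username": "elsa",
      "apikey": "REPLACE_WITH_OFFICE_B_APIKEY"
    }
  }
}
```

Only the Master holds credentials for both offices, so analysts who log in to the Office A Standalone box still see only Office A data, which is what gives the per-office separation asked about earlier in the thread.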

Jesse Cail

Aug 1, 2017, 2:38:20 PM
to security-onion
Looking at SO as a provider, this is definitely of interest to us, and this was the question I was asked by others - "Does it support multi-tenancy? Can we generate segregated reports based on the sensor?"

If we're looking at deploying SO as Master with multiple sensors, where each sensor (or set of sensors) is a different client, how do we create site-specific reporting for each client?

Wes Lambert

Aug 1, 2017, 7:51:02 PM
to securit...@googlegroups.com
Jesse,

Right now, the only way to "report" on something like this would be from the use of ELSA queries and exporting the results, or using a specific dashboard with only results from certain sensors.  Additionally, in Sguil, you could select only the networks you wish to monitor at a time.

This will likely become easier as we make our move to the Elastic stack.

Thanks,
Wes

On Tue, Aug 1, 2017 at 2:38 PM, Jesse Cail <jesse....@gmail.com> wrote:
> Looking at SO as a provider, this is definitely of interest to us, and this was the question I was asked by others - "Does it support multi-tenancy? Can we generate segregated reports based on the sensor?"
>
> If we're looking at deploying SO as Master with multiple sensors, where each sensor (or set of sensors) is a different client, how do we create site-specific reporting for each client?

Jesse Cail

Aug 1, 2017, 9:33:35 PM
to securit...@googlegroups.com
Thanks Wes - trying to find ways to make SIEM/NSM attainable for cash strapped clients.  I'm not one for beta stuff, but I am excited to see where we go with the Elastic stuff!
