Security Onion Installed. How do I monitor our different networks?


Michel Laporte

Oct 7, 2014, 10:50:56 AM
to securit...@googlegroups.com
Hi,

We have a company of about 400+ users and we want to monitor our network with an IDS.

I have Security Onion installed with Snorby, Sguil, ELSA & Squert.

However, I am only getting a few messages (about 12 IP addresses) in Snorby.

However, we have offices globally all on the same subnet connected via leased line and VPN tunnels on the 192.168.X.X addresses and it can only see logs from a few IP addresses from our network in our London office.

Does anyone know how to start setting it up so it can log messages and monitor packets and become an IDS respectively?

Do I edit the snort.conf to add the networks or not? I've seen that it already has all private addresses to monitor (192.168.0.0), which all our networks reside on as it is.

Thank you,
Michel

Doug Burks

Oct 7, 2014, 10:56:39 AM
to securit...@googlegroups.com
Hi Michel,

Do you have at least two network interfaces, one for management and
one or more dedicated to sniffing? Is the sniffing NIC connected to a
tap or span port?

Please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your
terminal's scroll buffer OR redirect the output of the command to a
file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.

Attach the output to your email in plain text format (.txt) OR use a
service like http://pastebin.com.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Lee Sharp

Oct 7, 2014, 11:17:22 AM
to securit...@googlegroups.com
On 10/07/2014 09:50 AM, Michel Laporte wrote:

It only sees traffic that hits its NIC. So if you have routed subnets,
it may never see it. Direct traffic is filtered by switches, so you
would only get broadcast. You will need a mirror port, or a tap/span
port to see everything on a given port. (Usually the default route for
that subnet.) You would not see everything on a network unless you
mirror ALL ports to a sensor. (Which would cut down on your possible
bandwidth.) You may also need additional sensors for each subnet.

Another option (that is totally not supported) may be to use pairs of
NICs set up as bridges in a sensor and place them inline, and then use
the bridge port (br0) for a sensor. I have done this with components,
but not with the Security Onion package itself. Almost not worth the
trouble as a Netgear switch with mirror capability is available for less
than an hour of my time. :)

Lee

Michel Laporte

Oct 7, 2014, 11:32:11 AM
to securit...@googlegroups.com
Hi Doug,

It's running off a Proxmox VM.

I have 1 Ethernet NIC allocated. It's sniffing and for management also.

Is it a possibility to allow Snorby to read off an Rsyslog server? (We have one running at the moment but all it's doing is logging everything from our servers/switches etc.)

Please find attached .txt File of the command sudo sostat-redacted you asked me to run.



@LeeSharp,

Do you mean all traffic go through 1 nic, then link with another link and the middle bit is what it sniffs?

Michel Laporte

Oct 7, 2014, 11:46:27 AM
to securit...@googlegroups.com
Hi LeeSharp,

Do you mean put the IDS system near the perimeter device? Between the firewall and the switch to the LAN?

Is there a way of getting Snorby / Snort to read information from a syslog server? We have an Ubuntu server running with rSyslog which collects all logs from our servers.

Thanks

Doug Burks

Oct 7, 2014, 12:39:56 PM
to securit...@googlegroups.com
https://code.google.com/p/security-onion/wiki/Hardware#NIC

You'll need at least two network interfaces: one for management
(preferably connected to a dedicated management network) and then one
or more for sniffing (connected to tap or span).

Lee Sharp

Oct 7, 2014, 12:50:12 PM
to securit...@googlegroups.com
On 10/07/2014 10:46 AM, Michel Laporte wrote:
> Hi LeeSharp,
>
> Do you mean put the IDS system near the perimeter device? Between the firewall and the switch to the LAN?

The IDS system, or a sensor, or a tap port, or a mirror port, or...
Somehow you have to get all the traffic crossing a given link into the
system. Based on your above response on your existing environment, that
means a sensor system with two NICs.

> Is there a way of getting Snorby / Snort to read information from a Syslog Server? We have a Ubuntu Server running with rSyslog which collects all logs from our servers.

No. Snorby and Snort are looking at packets, not logs. It is ELSA that
looks at logs, and is quite useful. But only a small part of Security
Onion. The sniffing of the wire is the real power.

Lee

Michel Laporte

Oct 7, 2014, 12:58:03 PM
to securit...@googlegroups.com
Thanks Doug, I will add another NIC to the VM :)

Where would the IDS sit then on the network? Between the switch to the LAN and the firewall?

@LeeSharp,

How do you enable ELSA to look at Rsyslog information and analyze it? Does it have an output method or just assess it and that's it?

Thanks for your help so far! Really appreciate it.

Michel

Doug Burks

Oct 7, 2014, 1:05:16 PM
to securit...@googlegroups.com
Replies inline.

On Tue, Oct 7, 2014 at 12:58 PM, Michel Laporte
<michel....@essencedigital.com> wrote:
> Thanks Doug, I will add another NIC to the VM :)
>
> Where would the IDS sit then on the network? Between the switch to the LAN and the firewall?

Yes, you want to catch traffic leaving your network before it has any
NAT applied.

> @LeeSharp,
>
> How do you enable ELSA to look at Rsyslog information and analyze it? Does it have an output method or just assess it and that's it?

ELSA is based on syslog-ng which can collect standard syslog. So just
send your syslog to the IP address of your Security Onion box and it
will then be available via the ELSA web interface.
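The rsyslog side of what Doug describes (pointing a server's syslog at the Security Onion box so that ELSA's syslog-ng receives it), written up here as an added example; it is not code from the thread or from Security Onion itself. The sensor address 192.0.2.10 and port 514/TCP are assumed values, and the plain forwarding rule is paired with a disk-assisted queue so that an outage of the sensor does not silently drop the logs being forwarded:

```shell
#!/bin/sh
# Added example, not from the thread or from Security Onion itself:
# build the rsyslog fragment that forwards every log line from a server
# to the Security Onion box, where ELSA's syslog-ng receives it.
# Assumptions for the demo: the sensor's management IP is 192.0.2.10
# and syslog-ng listens on the syslog default port 514 over TCP.

# write_forwarder <conf-file> <sensor-ip> [port]
# Writes a drop-in for /etc/rsyslog.d/ (e.g. 60-securityonion.conf).
write_forwarder() {
    conf="$1"; sensor="$2"; port="${3:-514}"
    cat > "$conf" <<EOF
# Forward all facilities and severities to the Security Onion sensor.
# "@@" selects TCP; a single "@" would send UDP and silently lose lines
# whenever the sensor is unreachable.
# The disk-assisted queue below spools log lines locally (up to 1 GB)
# while the sensor is down and retries forever, so a sensor outage does
# not lose the evidence you are collecting for ELSA.
\$ActionQueueType LinkedList
\$ActionQueueFileName so_forward
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* @@${sensor}:${port}
EOF
}

# check_forwarder <conf-file> <sensor-ip> [port]
# Returns 0 only if the fragment carries the forwarding rule for that
# sensor and port; run it before restarting rsyslog after an edit.
check_forwarder() {
    conf="$1"; sensor="$2"; port="${3:-514}"
    grep -q "^\*\.\* @@${sensor}:${port}\$" "$conf"
}

# Stand-alone run: sh forward.sh /etc/rsyslog.d/60-securityonion.conf 192.0.2.10
if [ "$#" -eq 2 ]; then
    write_forwarder "$1" "$2" && cat "$1"
fi
```

After dropping the fragment into /etc/rsyslog.d/, `rsyslogd -N1` checks the syntax and a restart of rsyslog starts the forwarding; the sensor's host firewall must allow inbound 514/TCP from the forwarding hosts, and the lines then show up in ELSA under the sending host's name.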

Michel Laporte

Oct 7, 2014, 1:08:59 PM
to securit...@googlegroups.com
Ah Thank you!

Let me try that in the morning and report back to you :)

Thank you so much.

Michel


Heine Lysemose

Oct 7, 2014, 2:23:45 PM
to securit...@googlegroups.com
Hi

Also have a look at the Security Onion wiki page, https://code.google.com/p/security-onion/wiki/IntroductionToSecurityOnion.

And

https://code.google.com/p/security-onion/wiki/IntroductionWalkthrough

These are good resources...

Regards,
Lysemose


Michel Laporte

Oct 8, 2014, 5:18:10 AM
to securit...@googlegroups.com
Thanks Heine,

I'll work on the rSyslog and ELSA now and report back.


Thanks

Michel Laporte

Oct 8, 2014, 7:23:10 AM
to securit...@googlegroups.com
Hi Doug,

We are now thinking of setting up Security Onion and putting it before the firewall, before NATing occurs.

However, where are the log files kept? Or if it's written into a MySQL database, how do we archive the information, as I gather the tables will get populated extremely quickly.

Is there a script or online resource to archive the database in any way?

Thanks


Doug Burks

Oct 8, 2014, 10:26:49 AM
to securit...@googlegroups.com
Most data is stored in /nsm.

What are you wanting to do with the data after archiving it? We may
be able to offer better guidance if we understand your use case.

Michel Laporte

Oct 9, 2014, 11:04:06 AM
to securit...@googlegroups.com
We just want a retention for a while (Maybe 39 days) then compress it somewhere and store it offsite.

Is that possible?

Thanks

Doug Burks

Oct 10, 2014, 8:23:50 AM
to securit...@googlegroups.com
Some of the data lives in standard files (Bro logs, pcaps) and can
easily be copied offsite for storage. Other data lives in MySQL
databases, which might be a little more cumbersome if you need to
refer back to that data after archiving it. As an alternative, you
may want to consider using the entire hard drive (OS and all data) as
your archive for offsite storage. Some folks pop out the hard drive,
install a new hard drive with a fresh installation of Security Onion,
and are back up and running in a few minutes. You might also consider
disk imaging and/or VM snapshotting.

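Doug's point above is that the Bro logs and pcaps under /nsm are ordinary files that can simply be copied off. The script below, added here as an example and not taken from the thread or from Security Onion, does the retention step Michel asked about: it tars every day directory older than a retention window, verifies the archive, and only then deletes the source. The /nsm layout, the sensor directory name and the 30-day window are assumptions; it deliberately leaves the MySQL data Doug mentions alone.

```shell
#!/bin/sh
# Added example, not from the thread or from Security Onion itself: roll
# day directories of Bro logs and pcaps older than a retention window out
# of /nsm into compressed, dated tarballs that can be shipped offsite.
# Assumed layout (one directory per day, as on a Security Onion sensor):
#   <nsm>/bro/logs/<YYYY-MM-DD>/
#   <nsm>/sensor_data/<sensor>/dailylogs/<YYYY-MM-DD>/
# The 30-day window and the archive location are assumptions too.

# archive_nsm <nsm-root> <archive-dir> <retention-days>
# For each day directory older than <retention-days>, write
# <archive-dir>/<kind>-<date>.tar.gz (kind = "bro" or the sensor name),
# verify the tarball lists cleanly, and only then delete the source.
# Prints the number of archives written; returns non-zero on any failure,
# leaving the not-yet-archived source data untouched.
archive_nsm() {
    nsm="$1"; out="$2"; days="$3"; count=0
    mkdir -p "$out" || return 1
    for base in "$nsm"/bro/logs "$nsm"/sensor_data/*/dailylogs; do
        [ -d "$base" ] || continue
        kind=$(basename "$(dirname "$base")")
        # Day directories carry date names with no spaces, so splitting
        # find's output on whitespace is safe here.
        for day in $(find "$base" -mindepth 1 -maxdepth 1 -type d -mtime +"$days" | sort); do
            name="$kind-$(basename "$day")"
            tar -czf "$out/$name.tar.gz" -C "$(dirname "$day")" "$(basename "$day")" || return 1
            tar -tzf "$out/$name.tar.gz" >/dev/null || return 1
            rm -rf "$day" || return 1
            count=$((count + 1))
        done
    done
    echo "$count"
}

# Stand-alone run, e.g. from a nightly cron job on the sensor:
#   sh archive_nsm.sh /nsm /mnt/offsite/nsm-archive 30
if [ "$#" -eq 3 ]; then
    archive_nsm "$1" "$2" "$3"
fi
```

The delete happens only after `tar -tzf` has read the archive back, so a full or failing archive disk stops the job rather than destroying evidence; point the archive directory at the offsite mount (or rsync it afterwards) and keep the window aligned with whatever Sguil's own purge is set to.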

Michel Laporte

Oct 13, 2014, 10:13:12 AM
to securit...@googlegroups.com
Yeah we are thinking of running it through a VM in proxmox. We will be trying that in the next week or two and will report back! 

Thank you so much for your help Doug!

Michel