using securityonion for analysing the home network traffic

[Style Stylex]

Recently i installed and configured securityonion for my home laptop and everything seems to be working. I'm just wondering if its possible to use these tools to capture any inbound or outbound traffic which is coming through the home router? if its how I can analyse what traffic is good and safe what traffic is not?

[Wes]

On Sunday, March 13, 2016 at 1:59:12 PM UTC-4, Style Stylex wrote:
> Recently i installed and configured securityonion for my home laptop and everything seems to be working. I'm just wondering if its possible to use these tools to capture any inbound or outbound traffic which is coming through the home router? if its how I can analyse what traffic is good and safe what traffic is not?

You could try having a look here for an example in regard to home setup:

https://groups.google.com/forum/#!searchin/security-onion/home$20router%7Csort:date/security-onion/kxvnQ3QeoqY/QllRy0DSFAAJ

As far as what traffic is good or not depends on knowing what type of traffic you expect on your network. Of course you have the alerts based on various signatures, but you will need to observe the traffic you are capturing and compare it with the activities you perform to establish a baseline of legitimate traffic and what may constitute a false positive in your environment.

The main interfaces available (Sguil, Squert, and ELSA) should provide you some good data to begin with. From there, you can prune your Snort rules and maybe apply BPF based on traffic you may wish to ignore.

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts
https://github.com/Security-Onion-Solutions/security-onion/wiki/BPF

Hope this helps.

Thanks,
Wes