Re: [security-onion] Security Onion Data Flow Architecture Scheme


Doug Burks

May 28, 2013, 10:53:48 PM
to securit...@googlegroups.com
Hi Wayne,

Replies inline.

On Tue, May 28, 2013 at 10:40 AM, Wayne Veilleux
<wayne.v...@gmail.com> wrote:
> Hi,
>
> We are planning a PoC to deploy an Enterprise SO server with multiple sensors and I need to describe how the SO data flow works. I read a few docs on the wiki but I did not find any SO data flow scheme for a distributed sensor framework. On the Sguil wiki there are schemes like these: http://nsmwiki.org/File:Sguil-0.7.dfd.png and http://nsmwiki.org/File:Ids.png . Is there a scheme like this for SO?

Our Sguil architecture is similar to what's shown in those links, with
a few exceptions:
- netsniff-ng provides full packet capture, so it replaces "snort in
packet logging mode"
- sancp data and pads data are both provided by prads

> I need to describe and understand how netsniff-ng,

netsniff-ng sniffs traffic and writes packets to disk

> ossec_agent (sguil)

ossec_agent sends OSSEC alerts to sguild

>, Bro

Bro sniffs traffic and writes logs to /nsm/bro/logs/

> , pcap_agent (sguil)

pcap_agent pulls pcaps from the netsniff-ng pcap store and sends them
to sguild when requested

> , snort_agent (sguil),

snort_agent receives IDS alerts from barnyard2 and sends them to sguild

> snort (alert data),

snort sniffs traffic and writes IDS alerts to disk in unified2 format

> barnyard2 (spooler, unified2 format),

barnyard2 reads the snort unified2 output and sends IDS alerts to
snort_agent, syslog, and to the Snorby database

> prads (sessions/assets),

prads sniffs traffic and outputs session and asset data

> sancp_agent (sguil),

sancp_agent takes the session data from prads and sends it to sguild

> pads_agent (sguil),

pads_agent takes the asset data from prads and sends it to sguild

> argus,

argus sniffs traffic and writes session data to disk

> http_agent (sguil),

http_agent takes Bro's HTTP logs and sends them to sguild

> all interact with each other and how it is sent to the SO server (ssh tunnel to mysql).

sensors create an ssh tunnel to the server that is used for sending
IDS alerts to the central Snorby database and for the central ELSA web
interface to query the remote mysql/sphinx databases on the sensor(s)


--
Doug Burks
http://securityonion.blogspot.com
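Added example for the snort -> barnyard2 hand-off described above (written for this page; it is not Security Onion, Snort or barnyard2 code). Snort appends records to a unified2 spool file and barnyard2 tails that file, so the format is the contract between the two. The record layouts follow Snort's Unified2_common.h (big-endian header of type and length, then a fixed-size IDS event or a packet header plus packet bytes); the spool bytes, sensor id, SID and addresses are constructed here and are not from any real sensor.

```python
"""Minimal reader for Snort's unified2 spool format, the hand-off from snort to barnyard2.

Layouts are from Snort's Unified2_common.h: each record starts with a big-endian
header (uint32 type, uint32 length) followed by `length` bytes of body. Only the
two record types an IDS alert needs are decoded; any other type is skipped by
length, which is what lets a reader survive record types it does not know.
The sample spool at the bottom is constructed for this example, not captured.
"""
import socket
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HEADER = struct.Struct("!II")
# Unified2IDSEvent_legacy: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT = struct.Struct("!11I2H4B")
# Serial_Unified2Packet header: 7 x uint32 = 28 bytes, then the packet bytes
PACKET_HDR = struct.Struct("!7I")

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def iter_records(data):
    """Yield (type, body) for each complete record; stop at a truncated tail.

    A spool file snort is still writing can end mid-record; that partial record
    is left for the next read instead of being treated as corruption.
    """
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        body_start = off + HEADER.size
        if body_start + rlen > len(data):
            break  # writer has not finished this record yet
        yield rtype, data[body_start:body_start + rlen]
        off = body_start + rlen


def decode(rtype, body):
    """Turn a record body into a dict; unknown record types are passed through undecoded."""
    if rtype == UNIFIED2_IDS_EVENT and len(body) == IDS_EVENT.size:
        ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack(body)))
        ev["ip_source"] = socket.inet_ntoa(struct.pack("!I", ev["ip_source"]))
        ev["ip_destination"] = socket.inet_ntoa(struct.pack("!I", ev["ip_destination"]))
        ev["type"] = "event"
        return ev
    if rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
        pk = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body, 0)))
        pk["packet"] = body[PACKET_HDR.size:PACKET_HDR.size + pk["packet_length"]]
        pk["type"] = "packet"
        return pk
    return {"type": "unknown", "record_type": rtype, "length": len(body)}


def read_spool(data):
    """Decode every complete record in a unified2 byte string."""
    return [decode(t, b) for t, b in iter_records(data)]


def build_sample_spool():
    """Construct one IDS event plus its packet record, in the order snort writes them."""
    src = struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.0.2.10"))[0]
    event = IDS_EVENT.pack(1, 42, 1369770000, 123456,   # sensor, event id, time
                           2100498, 1, 7, 33, 2,        # sid, gid, rev, class, priority
                           src, dst, 40000, 80, 6,      # addresses, ports, proto TCP
                           0, 0, 0)                     # impact_flag, impact, blocked
    payload = b"GET /../../etc/passwd HTTP/1.0\r\n"   # constructed packet bytes
    packet = PACKET_HDR.pack(1, 42, 1369770000, 1369770000, 123456, 1, len(payload)) + payload
    spool = HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
    spool += HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet
    return spool


if __name__ == "__main__":
    for rec in read_spool(build_sample_spool()):
        print(rec)
```

The event and the packet are separate records tied together by (sensor_id, event_id); a consumer such as snort_agent or a Snorby writer has to join them itself, and a reader that raises on an unknown type or a short tail will fall over the moment Snort emits a newer record type or is mid-write.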

Karolis

Jun 3, 2013, 1:59:29 AM
to securit...@googlegroups.com
Hi Wayne,
Some time ago I was trying to do a securityonion internals scheme but I failed :(.
I hope you will find it useful. Use it as you wish.
 
Karolis 


On Wed, May 29, 2013 at 2:43 PM, Wayne Veilleux <wayne.v...@gmail.com> wrote:
Thanks Doug !

This is exactly what I was looking for. I'll do a functional scheme based on that information and I'll post it :)

Regards,
--
Wayne



2013-04-29 SO BDR 12.04 communication schema v6.pdf
2013-04-29 SO BDR 12.04 communication schema v6.xlsx

DefensiveDepth

Oct 9, 2014, 2:14:42 PM
to securit...@googlegroups.com
On Wednesday, May 29, 2013 7:43:33 AM UTC-4, Wayne Veilleux wrote:
> Thanks Doug !
>
> This is exactly what I was looking for. I'll do a functional scheme based on that information and I'll post it :)
>
> Regards,
> --
> Wayne
>
> Le mardi 28 mai 2013 22:53:48 UTC-4, Doug Burks a écrit :

Wayne,

Did you ever finish/post this?

Thanks

-Josh

Wayne Veilleux

Oct 9, 2014, 2:22:18 PM
to securit...@googlegroups.com
Unfortunately not :( time missing…. sorry.

Wayne

Josh Brower

Oct 9, 2014, 2:30:32 PM
to securit...@googlegroups.com
No worries, thanks

On Thu, Oct 9, 2014 at 2:22 PM, Wayne Veilleux <wayne.v...@gmail.com> wrote:
Unfortunately not :( time missing.... sorry.

Victor-Alexandru Truică

Oct 10, 2014, 3:30:05 AM
to securit...@googlegroups.com
I needed a diagram for one of my projects that would show how the traffic passes from the network to the analyst. I have it in this blog post with an appropriate description - http://truica-victor.com/security-onion-traffic-to-analyst/

It doesn't have info on prads, http_agent, sancp_agent, pads_agent, but I think you can use it as a reference for what you need.

Josh Brower

Oct 10, 2014, 9:46:31 AM
to securit...@googlegroups.com
Fantastic, thanks

-Josh

On Fri, Oct 10, 2014 at 3:30 AM, Victor-Alexandru Truică <truica.vict...@gmail.com> wrote:
I needed a diagram for one of my projects that would show how the traffic passes from the network to the analyst. I have it in this blog post with an appropriate description - http://truica-victor.com/security-onion-traffic-to-analyst/

It doesn't have info on prads, http_agent, sancp_agent, pads_agent, but I think you can use it as a reference for what you need.

Ionathan Noblins

Apr 15, 2015, 3:36:25 PM
to securit...@googlegroups.com
Brilliant, thanks a lot.