Re: [security-onion] Tuning Security Onion IDS to be More Sensitive
1,067 views
Skip to first unread message
Doug Burks
Jun 28, 2012, 1:00:29 PM6/28/12
to securit...@googlegroups.com
Hi Jason,
Did you follow the Installation Guide (especially Step 16 regarding
configuring your HOME_NET variables for the network ranges you are
protecting)?
http://code.google.com/p/security-onion/wiki/Installation
Hope that helps!
Thanks,
Doug
On Thu, Jun 28, 2012 at 12:49 PM, Jason <test.accou...@gmail.com> wrote:
> Friends,
>
> I have set up Snort in Security Onion to receive a copy of ALL the traffic which is hitting my public WAN IP address (cable modem). This traffic includes many (mostly automated) hacking attempts from foreign IPs trying identify services running on my network. My goal is to get a good view into all of these intrusion attempts.
>
> It seems that by default Snort in Security Onion does not show much in the way of alerts which originate from external WAN interface. I do not typically see brute force SSH attempts, or external IPs running port scanners like Nmap against my public IP. This is an educational project where I would want to see all this attempted malicious activity (the closest I have been able to do is run a VM with Windows running NetWitness Investigator Freeware from the same span feed, which does show these attempted brute force attacks, but not in "real time", it's more of a post-incident analysis tool).
>
> If anyone knows how I can make Security Onion more sensitive (to inbound attacks) I would very much appreciate it. I am considering installing another SO instance with Suricata (instead of Snort) to see if I get better visibility.
>
> Please chime in, I am looking forward to your feedback. As always, a big thanks for Doug for his work on this project.
--
Doug Burks
http://securityonion.blogspot.com
Did you follow the Installation Guide (especially Step 16 regarding
configuring your HOME_NET variables for the network ranges you are
protecting)?
http://code.google.com/p/security-onion/wiki/Installation
Hope that helps!
Thanks,
Doug
On Thu, Jun 28, 2012 at 12:49 PM, Jason <test.accou...@gmail.com> wrote:
> Friends,
>
> I have set up Snort in Security Onion to receive a copy of ALL the traffic which is hitting my public WAN IP address (cable modem). This traffic includes many (mostly automated) hacking attempts from foreign IPs trying identify services running on my network. My goal is to get a good view into all of these intrusion attempts.
>
> It seems that by default Snort in Security Onion does not show much in the way of alerts which originate from external WAN interface. I do not typically see brute force SSH attempts, or external IPs running port scanners like Nmap against my public IP. This is an educational project where I would want to see all this attempted malicious activity (the closest I have been able to do is run a VM with Windows running NetWitness Investigator Freeware from the same span feed, which does show these attempted brute force attacks, but not in "real time", it's more of a post-incident analysis tool).
>
> If anyone knows how I can make Security Onion more sensitive (to inbound attacks) I would very much appreciate it. I am considering installing another SO instance with Suricata (instead of Snort) to see if I get better visibility.
>
> Please chime in, I am looking forward to your feedback. As always, a big thanks for Doug for his work on this project.
--
Doug Burks
http://securityonion.blogspot.com
Jason
Jun 28, 2012, 2:43:11 PM6/28/12
to security-onion
Doug,
Thank you for your very quick response. You are correct in that I
neglected to change the HOME_NET variables (I had the standard
RFC-1918 addresses in there), which would explain why I wasn't seeing
many alerts.
If possible, I would like to seek more of your advice in assisting an
IDS newbie (myself, and some of the folks on the list) with this next
step we would very much appreciate it.
Following your instructions on step 16 of setup instructions (http://
code.google.com/p/security-onion/wiki/Installation) we would do the
following:
1. Modify the snort.conf file in /etc/nsm/HOSTNAME-INTERFACE/,
specifically the line which reads "ipvar HOME_NET". Can we simply set
this line to "ipvar HOME_NET any" and leave the rest of the file at
the default? Please let us know how this line should be modified.
2. In the same directory, we are to modify the "sancp.conf" file. Do
we modify the "var HOME_NET" line? This line currently lists a
67.11.xxx.xxx address (which maps to the Road Runner ISP, not my ISP,
I'm not sure if this is an unintended artifact). Please let us know
how this line should be modified.
3. In the same directory, we are to modify the "pads.conf" file. Do
we modify the "network" line to read "network any"? The line
currently lists RFC-1918 addresses. Please let us know how this line
should be modified.
4. We are to modify the "/usr/local/etc/networks.cfg" file. The file
currently lists the three RFC-1918 address ranges followed by "Private
IP space". Please let us know how to properly modify this file to
include "all addresses", as we are intending in this project.
5. Finally, we are to run "sudo nsm_sensor_ps-restart" and hope all
the status's are green and read "OK". I'm pretty sure this part I can
handle :)
I tried to modify all the above files with "any" but the Snort process
would not start. I am certain that I am running into a syntax issue.
If you could please point me in the right direction on the above
indicated syntax I would very much appreciate it.
Thank you very much in advance, Doug.
On 28 June, 13:00, Doug Burks <doug.bu...@gmail.com> wrote:
> Hi Jason,
>
> Did you follow the Installation Guide (especially Step 16 regarding
> configuring your HOME_NET variables for the network ranges you are
> protecting)?http://code.google.com/p/security-onion/wiki/Installation
Thank you for your very quick response. You are correct in that I
neglected to change the HOME_NET variables (I had the standard
RFC-1918 addresses in there), which would explain why I wasn't seeing
many alerts.
If possible, I would like to seek more of your advice in assisting an
IDS newbie (myself, and some of the folks on the list) with this next
step we would very much appreciate it.
Following your instructions on step 16 of setup instructions (http://
code.google.com/p/security-onion/wiki/Installation) we would do the
following:
1. Modify the snort.conf file in /etc/nsm/HOSTNAME-INTERFACE/,
specifically the line which reads "ipvar HOME_NET". Can we simply set
this line to "ipvar HOME_NET any" and leave the rest of the file at
the default? Please let us know how this line should be modified.
2. In the same directory, we are to modify the "sancp.conf" file. Do
we modify the "var HOME_NET" line? This line currently lists a
67.11.xxx.xxx address (which maps to the Road Runner ISP, not my ISP,
I'm not sure if this is an unintended artifact). Please let us know
how this line should be modified.
3. In the same directory, we are to modify the "pads.conf" file. Do
we modify the "network" line to read "network any"? The line
currently lists RFC-1918 addresses. Please let us know how this line
should be modified.
4. We are to modify the "/usr/local/etc/networks.cfg" file. The file
currently lists the three RFC-1918 address ranges followed by "Private
IP space". Please let us know how to properly modify this file to
include "all addresses", as we are intending in this project.
5. Finally, we are to run "sudo nsm_sensor_ps-restart" and hope all
the status's are green and read "OK". I'm pretty sure this part I can
handle :)
I tried to modify all the above files with "any" but the Snort process
would not start. I am certain that I am running into a syntax issue.
If you could please point me in the right direction on the above
indicated syntax I would very much appreciate it.
Thank you very much in advance, Doug.
On 28 June, 13:00, Doug Burks <doug.bu...@gmail.com> wrote:
> Hi Jason,
>
> Did you follow the Installation Guide (especially Step 16 regarding
> configuring your HOME_NET variables for the network ranges you are
>
> Hope that helps!
>
> Thanks,
> Doug
>
> Hope that helps!
>
> Thanks,
> Doug
>
Doug Burks
Jun 29, 2012, 6:30:23 AM6/29/12
to securit...@googlegroups.com
Hi Jason,
Some rules are written using "!$HOME_NET". So if you try to use "any"
as your HOME_NET, you end up with "!any" which is not allowed, causing
Snort to error out. It should have indicated this in its log file
(/var/log/nsm/HOSTNAME-INTERFACE/snortu.log).
HOME_NET should be defined as the actual network range(s) that you are
trying to monitor. Since you are monitoring traffic that hits the
public IP address of your cable modem, you should use that as your
HOME_NET.
Hope that helps!
Thanks,
Doug
Some rules are written using "!$HOME_NET". So if you try to use "any"
as your HOME_NET, you end up with "!any" which is not allowed, causing
Snort to error out. It should have indicated this in its log file
(/var/log/nsm/HOSTNAME-INTERFACE/snortu.log).
HOME_NET should be defined as the actual network range(s) that you are
trying to monitor. Since you are monitoring traffic that hits the
public IP address of your cable modem, you should use that as your
HOME_NET.
Hope that helps!
Thanks,
Doug
Jason
Jun 29, 2012, 1:42:41 PM6/29/12
to security-onion
Doug,
As always, your advice is spot-on. I entered my public IP address as
the "HOME_NET" in all the above listed config files and everything
appears to be working great! I am now seeing alerts from folks
running port scanners on my public IP address, which was the goal.
The next challenge is to figure out how to update the "HOME_NET"
address every time my cable modem ISP decides to give my modem a new
IP address (many broadband ISPs give out short-term DHCP leases,
especially outside of North America).
While brainstorming this problem, I wonder if we can somehow tie in
DynDNS in Security Onion, where a script would periodically run saying
"who has my_domain.dyndns.com" and if it reports a new IP address
mapping to the dynamic domain it would update the "HOME_NET" field in
the appropriate config files. A DynDNS client is available for every
nearly platform, including Linux.
As a side note, so far the only thing I had to adjust back to the
RFC-1918 address range was the "pads.conf" file because PADS fires an
alert every time I access a new web server from behind the same IP
which I'm sniffing (I could not find a straight-forward way to disable
services such as PADS independently in SO, so I did the next seemingly
logical thing).
Regards,
As always, your advice is spot-on. I entered my public IP address as
the "HOME_NET" in all the above listed config files and everything
appears to be working great! I am now seeing alerts from folks
running port scanners on my public IP address, which was the goal.
The next challenge is to figure out how to update the "HOME_NET"
address every time my cable modem ISP decides to give my modem a new
IP address (many broadband ISPs give out short-term DHCP leases,
especially outside of North America).
While brainstorming this problem, I wonder if we can somehow tie in
DynDNS in Security Onion, where a script would periodically run saying
"who has my_domain.dyndns.com" and if it reports a new IP address
mapping to the dynamic domain it would update the "HOME_NET" field in
the appropriate config files. A DynDNS client is available for every
nearly platform, including Linux.
As a side note, so far the only thing I had to adjust back to the
RFC-1918 address range was the "pads.conf" file because PADS fires an
alert every time I access a new web server from behind the same IP
which I'm sniffing (I could not find a straight-forward way to disable
services such as PADS independently in SO, so I did the next seemingly
logical thing).
Regards,
Doug Burks
Jun 29, 2012, 2:48:04 PM6/29/12
to securit...@googlegroups.com
You probably wouldn't even need to tie in to DynDNS. You could
probably just write a simple script that would do "curl ifconfig.me"
and update HOME_NET as necessary.
Thanks,
Doug
probably just write a simple script that would do "curl ifconfig.me"
and update HOME_NET as necessary.
Thanks,
Doug
Doug Burks
Jul 12, 2012, 1:56:39 PM7/12/12
to securit...@googlegroups.com
Hi Jason,
The "HOME_NET 0.0.0.0" recommendation was for sancp (not
Snort/Suricata). For Snort/Suricata, you'll want to use the real IP
address (or range) that you're trying to protect. As I mentioned
before, it shouldn't be that difficult to write a simple script that
would do "curl ifconfig.me" and update the config file with the
current address. Alternatively, if you know that your ISP is always
going to give you an address in a particular range, you might be able
to get away with using that range.
Hope that helps!
Thanks,
Doug
> Reading a recent post of yours, you recommended to someone to set "HOME_NET 0.0.0.0" if they are looking to monitor non RFC-1918 (non private) addresses. Per your suggestion a few weeks ago, I set my HOME_NET address to the IP address which is assigned to my cable modem (which has been working great, thank you!). The issue is that my public IP address is not static and does occasionally change, I am wondering if the "HOME_NET 0.0.0.0" method would possibly eliminate the need to keep updating my cable modem's over-changing IP address.
>
> If you could provide any input I would very much appreciate it.
>
> On Friday, 29 June 2012 14:48:04 UTC-4, Doug Burks wrote:
>> You probably wouldn't even need to tie in to DynDNS. You could
>> probably just write a simple script that would do "curl ifconfig.me"
>> > Doug,
>> >
>> > As always, your advice is spot-on. I entered my public IP address as
>> > the "HOME_NET" in all the above listed config files and everything
>> > appears to be working great! I am now seeing alerts from folks
>> > running port scanners on my public IP address, which was the goal.
>> >
>> > The next challenge is to figure out how to update the "HOME_NET"
>> > address every time my cable modem ISP decides to give my modem a new
>> > IP address (many broadband ISPs give out short-term DHCP leases,
>> > especially outside of North America).
>> >
>> > While brainstorming this problem, I wonder if we can somehow tie in
>> > DynDNS in Security Onion, where a script would periodically run saying
>> > "who has my_domain.dyndns.com" and if it reports a new IP address
>> > mapping to the dynamic domain it would update the "HOME_NET" field in
>> > the appropriate config files. A DynDNS client is available for every
>> > nearly platform, including Linux.
>> >
>> > As a side note, so far the only thing I had to adjust back to the
>> > RFC-1918 address range was the "pads.conf" file because PADS fires an
>> > alert every time I access a new web server from behind the same IP
>> > which I'm sniffing (I could not find a straight-forward way to disable
>> > services such as PADS independently in SO, so I did the next seemingly
>> > logical thing).
>> >
>> > Regards,
>> >
>> > On Jun 29, 6:30 am, Doug Burks <doug.bu...@gmail.com> wrote:
>> >> Hi Jason,
>> >>
>> >> Some rules are written using "!$HOME_NET". So if you try to use "any"
>> >> as your HOME_NET, you end up with "!any" which is not allowed, causing
>> >> Snort to error out. It should have indicated this in its log file
>> >> (/var/log/nsm/HOSTNAME-INTERFACE/snortu.log).
>> >>
>> >> HOME_NET should be defined as the actual network range(s) that you are
>> >> trying to monitor. Since you are monitoring traffic that hits the
>> >> public IP address of your cable modem, you should use that as your
>> >> HOME_NET.
>> >>
>> >> Hope that helps!
>> >>
>> >> Thanks,
>> >> Doug
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On Thu, Jun 28, 2012 at 2:43 PM, Jason <test.accountgalaxy...@gmail.com> wrote:
>> >> > Doug,
>> >>
>> >> > Thank you for your very quick response. You are correct in that I
>> >> > neglected to change the HOME_NET variables (I had the standard
>> >> > RFC-1918 addresses in there), which would explain why I wasn't seeing
>> >> > many alerts.
>> >>
>> >> > If possible, I would like to seek more of your advice in assisting an
>> >> > IDS newbie (myself, and some of the folks on the list) with this next
>> >> > step we would very much appreciate it.
>> >>
>> >> > Following your instructions on step 16 of setup instructions (http://
>> >> > code.google.com/p/security-onion/wiki/Installation) we would do the
>> >> > following:
>> >>
>> >> > 1. Modify the snort.conf file in /etc/nsm/HOSTNAME-INTERFACE/,
>> >> > specifically the line which reads "ipvar HOME_NET". Can we simply set
>> >> > this line to "ipvar HOME_NET any" and leave the rest of the file at
>> >> > the default? Please let us know how this line should be modified.
>> >>
>> >> > 2. In the same directory, we are to modify the "sancp.conf" file. Do
>> >> > we modify the "var HOME_NET" line? This line currently lists a
>> >> > 67.11.xxx.xxx address (which maps to the Road Runner ISP, not my ISP,
>> >> > I'm not sure if this is an unintended artifact). Please let us know
>> >> > how this line should be modified.
>> >>
>> >> > 3. In the same directory, we are to modify the "pads.conf" file. Do
>> >> > we modify the "network" line to read "network any"? The line
>> >> > currently lists RFC-1918 addresses. Please let us know how this line
>> >> > should be modified.
>> >>
>> >> > 4. We are to modify the "/usr/local/etc/networks.cfg" file. The file
>> >> > currently lists the three RFC-1918 address ranges followed by "Private
>> >> > IP space". Please let us know how to properly modify this file to
>> >> > include "all addresses", as we are intending in this project.
>> >>
>> >> > 5. Finally, we are to run "sudo nsm_sensor_ps-restart" and hope all
>> >> > the status's are green and read "OK". I'm pretty sure this part I can
>> >> > handle :)
>> >>
>> >> > I tried to modify all the above files with "any" but the Snort process
>> >> > would not start. I am certain that I am running into a syntax issue.
>> >> > If you could please point me in the right direction on the above
>> >> > indicated syntax I would very much appreciate it.
>> >>
>> >> > Thank you very much in advance, Doug.
>> >>
>> >> > On 28 June, 13:00, Doug Burks <doug.bu...@gmail.com> wrote:
>> >> >> Hi Jason,
>> >>
>> >> >> Did you follow the Installation Guide (especially Step 16 regarding
>> >> >> configuring your HOME_NET variables for the network ranges you are
>> >> >> protecting)?http://code.google.com/p/security-onion/wiki/Installation
>> >>
>> >> >> Hope that helps!
>> >>
>> >> >> Thanks,
>> >> >> Doug
>> >>
>> >> >> On Thu, Jun 28, 2012 at 12:49 PM, Jason <test.accountgalaxy...@gmail.com> wrote:
>> >> >> > Friends,
>> >>
>> >> >> > I have set up Snort in Security Onion to receive a copy of ALL the traffic which is hitting my public WAN IP address (cable modem). This traffic includes many (mostly automated) hacking attempts from foreign IPs trying identify services running on my network. My goal is to get a good view into all of these intrusion attempts.
>> >>
>> >> >> > It seems that by default Snort in Security Onion does not show much in the way of alerts which originate from external WAN interface. I do not typically see brute force SSH attempts, or external IPs running port scanners like Nmap against my public IP. This is an educational project where I would want to see all this attempted malicious activity (the closest I have been able to do is run a VM with Windows running NetWitness Investigator Freeware from the same span feed, which does show these attempted brute force attacks, but not in "real time", it's more of a post-incident analysis tool).
>> >>
>> >> >> > If anyone knows how I can make Security Onion more sensitive (to inbound attacks) I would very much appreciate it. I am considering installing another SO instance with Suricata (instead of Snort) to see if I get better visibility.
>> >>
>> >> >> > Please chime in, I am looking forward to your feedback. As always, a big thanks for Doug for his work on this project.
>> >>
>> >> >> --
>> >> >> Doug Burkshttp://securityonion.blogspot.com
>> >>
>> >> --
>> >> Doug Burkshttp://securityonion.blogspot.com
The "HOME_NET 0.0.0.0" recommendation was for sancp (not
Snort/Suricata). For Snort/Suricata, you'll want to use the real IP
address (or range) that you're trying to protect. As I mentioned
before, it shouldn't be that difficult to write a simple script that
would do "curl ifconfig.me" and update the config file with the
current address. Alternatively, if you know that your ISP is always
going to give you an address in a particular range, you might be able
to get away with using that range.
Hope that helps!
Thanks,
Doug
>
> If you could provide any input I would very much appreciate it.
>
> On Friday, 29 June 2012 14:48:04 UTC-4, Doug Burks wrote:
>> You probably wouldn't even need to tie in to DynDNS. You could
>> probably just write a simple script that would do "curl ifconfig.me"
>> and update HOME_NET as necessary.
>>
>> Thanks,
>> Doug
>>
>> On Fri, Jun 29, 2012 at 1:42 PM, Jason <test.accou...@gmail.com> wrote:
>>
>> Thanks,
>> Doug
>>
>> > Doug,
>> >
>> > As always, your advice is spot-on. I entered my public IP address as
>> > the "HOME_NET" in all the above listed config files and everything
>> > appears to be working great! I am now seeing alerts from folks
>> > running port scanners on my public IP address, which was the goal.
>> >
>> > The next challenge is to figure out how to update the "HOME_NET"
>> > address every time my cable modem ISP decides to give my modem a new
>> > IP address (many broadband ISPs give out short-term DHCP leases,
>> > especially outside of North America).
>> >
>> > While brainstorming this problem, I wonder if we can somehow tie in
>> > DynDNS in Security Onion, where a script would periodically run saying
>> > "who has my_domain.dyndns.com" and if it reports a new IP address
>> > mapping to the dynamic domain it would update the "HOME_NET" field in
>> > the appropriate config files. A DynDNS client is available for every
>> > nearly platform, including Linux.
>> >
>> > As a side note, so far the only thing I had to adjust back to the
>> > RFC-1918 address range was the "pads.conf" file because PADS fires an
>> > alert every time I access a new web server from behind the same IP
>> > which I'm sniffing (I could not find a straight-forward way to disable
>> > services such as PADS independently in SO, so I did the next seemingly
>> > logical thing).
>> >
>> > Regards,
>> >
>> > On Jun 29, 6:30 am, Doug Burks <doug.bu...@gmail.com> wrote:
>> >> Hi Jason,
>> >>
>> >> Some rules are written using "!$HOME_NET". So if you try to use "any"
>> >> as your HOME_NET, you end up with "!any" which is not allowed, causing
>> >> Snort to error out. It should have indicated this in its log file
>> >> (/var/log/nsm/HOSTNAME-INTERFACE/snortu.log).
>> >>
>> >> HOME_NET should be defined as the actual network range(s) that you are
>> >> trying to monitor. Since you are monitoring traffic that hits the
>> >> public IP address of your cable modem, you should use that as your
>> >> HOME_NET.
>> >>
>> >> Hope that helps!
>> >>
>> >> Thanks,
>> >> Doug
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On Thu, Jun 28, 2012 at 2:43 PM, Jason <test.accountgalaxy...@gmail.com> wrote:
>> >> > Doug,
>> >>
>> >> > Thank you for your very quick response. You are correct in that I
>> >> > neglected to change the HOME_NET variables (I had the standard
>> >> > RFC-1918 addresses in there), which would explain why I wasn't seeing
>> >> > many alerts.
>> >>
>> >> > If possible, I would like to seek more of your advice in assisting an
>> >> > IDS newbie (myself, and some of the folks on the list) with this next
>> >> > step we would very much appreciate it.
>> >>
>> >> > Following your instructions on step 16 of setup instructions (http://
>> >> > code.google.com/p/security-onion/wiki/Installation) we would do the
>> >> > following:
>> >>
>> >> > 1. Modify the snort.conf file in /etc/nsm/HOSTNAME-INTERFACE/,
>> >> > specifically the line which reads "ipvar HOME_NET". Can we simply set
>> >> > this line to "ipvar HOME_NET any" and leave the rest of the file at
>> >> > the default? Please let us know how this line should be modified.
>> >>
>> >> > 2. In the same directory, we are to modify the "sancp.conf" file. Do
>> >> > we modify the "var HOME_NET" line? This line currently lists a
>> >> > 67.11.xxx.xxx address (which maps to the Road Runner ISP, not my ISP,
>> >> > I'm not sure if this is an unintended artifact). Please let us know
>> >> > how this line should be modified.
>> >>
>> >> > 3. In the same directory, we are to modify the "pads.conf" file. Do
>> >> > we modify the "network" line to read "network any"? The line
>> >> > currently lists RFC-1918 addresses. Please let us know how this line
>> >> > should be modified.
>> >>
>> >> > 4. We are to modify the "/usr/local/etc/networks.cfg" file. The file
>> >> > currently lists the three RFC-1918 address ranges followed by "Private
>> >> > IP space". Please let us know how to properly modify this file to
>> >> > include "all addresses", as we are intending in this project.
>> >>
>> >> > 5. Finally, we are to run "sudo nsm_sensor_ps-restart" and hope all
>> >> > the status's are green and read "OK". I'm pretty sure this part I can
>> >> > handle :)
>> >>
>> >> > I tried to modify all the above files with "any" but the Snort process
>> >> > would not start. I am certain that I am running into a syntax issue.
>> >> > If you could please point me in the right direction on the above
>> >> > indicated syntax I would very much appreciate it.
>> >>
>> >> > Thank you very much in advance, Doug.
>> >>
>> >> > On 28 June, 13:00, Doug Burks <doug.bu...@gmail.com> wrote:
>> >> >> Hi Jason,
>> >>
>> >> >> Did you follow the Installation Guide (especially Step 16 regarding
>> >> >> configuring your HOME_NET variables for the network ranges you are
>> >> >> protecting)?http://code.google.com/p/security-onion/wiki/Installation
>> >>
>> >> >> Hope that helps!
>> >>
>> >> >> Thanks,
>> >> >> Doug
>> >>
>> >> >> On Thu, Jun 28, 2012 at 12:49 PM, Jason <test.accountgalaxy...@gmail.com> wrote:
>> >> >> > Friends,
>> >>
>> >> >> > I have set up Snort in Security Onion to receive a copy of ALL the traffic which is hitting my public WAN IP address (cable modem). This traffic includes many (mostly automated) hacking attempts from foreign IPs trying identify services running on my network. My goal is to get a good view into all of these intrusion attempts.
>> >>
>> >> >> > It seems that by default Snort in Security Onion does not show much in the way of alerts which originate from external WAN interface. I do not typically see brute force SSH attempts, or external IPs running port scanners like Nmap against my public IP. This is an educational project where I would want to see all this attempted malicious activity (the closest I have been able to do is run a VM with Windows running NetWitness Investigator Freeware from the same span feed, which does show these attempted brute force attacks, but not in "real time", it's more of a post-incident analysis tool).
>> >>
>> >> >> > If anyone knows how I can make Security Onion more sensitive (to inbound attacks) I would very much appreciate it. I am considering installing another SO instance with Suricata (instead of Snort) to see if I get better visibility.
>> >>
>> >> >> > Please chime in, I am looking forward to your feedback. As always, a big thanks for Doug for his work on this project.
>> >>
>> >> >> --
>> >> >> Doug Burkshttp://securityonion.blogspot.com
>> >>
>> >> --
>> >> Doug Burkshttp://securityonion.blogspot.com
Reply all
Reply to author
Forward
0 new messages