SO in MSSP environment


Blason R
Oct 16, 2017, 1:10:39 PM
to security-onion
Hi Guys,

Is it possible to deploy SO in an MSSP environment? That is, we would like to deploy SO sensors at multiple locations which collect data and send it to a centralised master server.

In this case -

1. How would multi-tenancy work?
2. How can I differentiate between multiple sensors?
3. Assuming I have 5 sensors, each with 30-60 Mb/s of traffic, what should the sizing of the master server be for retaining logs for up to 1 year?

Wes Lambert
Oct 16, 2017, 1:38:04 PM
to securit...@googlegroups.com
Blason,

While I cannot offer any advice on the absolute best way to do this, I can assure you several members of the mailing list have done this (and still do).

I would imagine you differentiate between the sensors by naming them as you please -- not really sure I understand the question here.

The master server does not traditionally store the bulk of data collected by Security Onion -- the sensors do, so it is dependent on the size of each sensor and its associated (monitoring) bandwidth, mostly.

Sensor storage recommendations can be found here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware#storage

Also see:
https://groups.google.com/d/msg/security-onion/LS6UiRCCoqY/_FP7kkEuAgAJ

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Blason R
Oct 16, 2017, 10:54:50 PM
to security-onion

Well, that is partially what is needed. I want to deploy sensors at my customers' sites, fetch the data into our SOC, and then have agents monitor it or do threat hunting.

In that case I am wondering about the sizing of the master server, since we are considering multiple options: keeping the server in house, or on AWS/Azure cloud. [Need your inputs here as well]

So the data is kept at the sensor, right? And they talk to the master on port 22. The only thing is, if I need to pull up a report for multiple sensors for different customers, how do I do that? That is the question related to the multi-tenant option.

Wes Lambert
Oct 17, 2017, 7:04:11 AM
to securit...@googlegroups.com
The master sizing recommendation(s) can also be found on the wiki:


I mentioned that *most* of the data is kept on the sensor(s).  The sensor(s) also send(s) alert data back to the master server, which is stored in securityonion_db.  This data is not as large, in comparison, to that of PCAPs, Bro logs, etc., but it still needs to be accounted for.  I cannot give you a hard recommendation on that, as it all depends on how long you plan to store the data for and how many events are fed into the database.

They talk to the master on port 22, in addition to several other ports (at the moment -- in the future, this communication may all ride through a single autossh tunnel), so you of course would need a secure tunnel for the machines to be able to communicate securely and effectively.

Also see:


I'm not sure what you mean by reports, but you can certainly query all of the sensors from the master, targeting each one, as necessary.

Thanks,
Wes


KennyWap
Oct 17, 2017, 10:35:38 AM
to security-onion
Blason,

I plugged this little line into the Google search bar.

((60 megabit per second) * 365 days) in terabytes = 236.52 terabytes

236.52 terabytes * 5 sensors = 1.1826 Petabyte for FULL PCAP.

Richard Bejtlich's The Practice of Network Security Monitoring preaches that text based data (Bro logs) is ~1/20th the size of full PCAP and required database (MySQL/ELSA) storage is ~1/10th of full PCAP.

As far as differentiating between sensors goes, the meaningful name you give them will be applied along with the interface after setup is run, e.g. /nsm/sensor_data/CHANGME-eth1

I apologize if my math is off but you can play with the formula if you'd like.

Credit for the google trick is to Phil Hagen from my SANS FOR572 course:
https://www.evernote.com/pub/philh/for572notebook
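The back-of-the-envelope sizing above, as an added example that is not part of the thread or of Security Onion itself: it carries the same inputs (link rate in Mbit/s, retention in days, and the ~1/20 and ~1/10 ratios for Bro logs and database storage quoted from Bejtlich) through to per-sensor and whole-deployment numbers, and also solves the inverse question a sensor owner actually faces (how many days of full PCAP fit on a given disk). Decimal terabytes (1 TB = 10^12 bytes) are used so the result matches the Google calculator figure in the post. The `utilisation` factor and the sensor names are assumptions added here for illustration; nothing in the thread states them.

```python
"""NSM storage sizing estimate (added example; assumptions noted inline)."""

BITS_PER_BYTE = 8
SECONDS_PER_DAY = 86_400
TB = 10**12  # decimal terabyte, matching the Google calculator result

# Rules of thumb quoted in the post (Bejtlich, The Practice of NSM).
TEXT_LOG_RATIO = 1 / 20  # Bro/text logs relative to full PCAP
DB_RATIO = 1 / 10        # MySQL/ELSA database relative to full PCAP


def pcap_bytes(mbit_per_s: float, days: float, utilisation: float = 1.0) -> float:
    """Bytes of full-content PCAP written over `days` at a sustained link rate.

    `utilisation` (assumption, not from the thread) scales the nominal rate for
    links that do not run flat out; 1.0 reproduces the worst case in the post.
    """
    if mbit_per_s < 0 or days < 0 or not 0.0 <= utilisation <= 1.0:
        raise ValueError("rate and days must be >= 0, utilisation in [0, 1]")
    bytes_per_s = mbit_per_s * 1_000_000 / BITS_PER_BYTE
    return bytes_per_s * SECONDS_PER_DAY * days * utilisation


def size_sensor(mbit_per_s: float, days: float, utilisation: float = 1.0) -> dict:
    """Per-sensor storage in TB for full PCAP, text logs and the alert database."""
    pcap = pcap_bytes(mbit_per_s, days, utilisation)
    return {
        "pcap_tb": pcap / TB,
        "text_logs_tb": pcap * TEXT_LOG_RATIO / TB,
        "db_tb": pcap * DB_RATIO / TB,
    }


def size_deployment(sensors, days: float, utilisation: float = 1.0) -> dict:
    """Size every sensor and sum the totals.

    `sensors` is an iterable of (name, mbit_per_s). Sensor names are arbitrary
    labels (constructed for the example); the thread notes that naming is how
    you tell sensors apart.
    """
    per_sensor = {name: size_sensor(rate, days, utilisation) for name, rate in sensors}
    total = {key: sum(s[key] for s in per_sensor.values())
             for key in ("pcap_tb", "text_logs_tb", "db_tb")}
    return {"sensors": per_sensor, "total": total}


def days_of_pcap(disk_tb: float, mbit_per_s: float, utilisation: float = 1.0) -> float:
    """Inverse: days of full PCAP a sensor with `disk_tb` of storage can retain."""
    per_day = pcap_bytes(mbit_per_s, 1, utilisation)
    if per_day == 0:
        raise ValueError("zero ingest rate; retention is unbounded")
    return disk_tb * TB / per_day


if __name__ == "__main__":
    # Constructed input mirroring the post: five sensors at 60 Mbit/s, one year.
    fleet = [(f"customer-{i}-eth1", 60) for i in range(1, 6)]
    est = size_deployment(fleet, days=365)
    for name, s in est["sensors"].items():
        print(f"{name:18s} pcap {s['pcap_tb']:8.2f} TB  logs {s['text_logs_tb']:6.2f} TB  db {s['db_tb']:6.2f} TB")
    t = est["total"]
    print(f"{'TOTAL':18s} pcap {t['pcap_tb']:8.2f} TB  logs {t['text_logs_tb']:6.2f} TB  db {t['db_tb']:6.2f} TB")
    print(f"10 TB sensor disk at 60 Mbit/s holds ~{days_of_pcap(10, 60):.1f} days of PCAP")
```

The useful output is the last line: at the post's 60 Mbit/s, a 10 TB sensor disk holds only about two weeks of full PCAP, which is why the earlier replies stress that the bulk of the data (and the sizing problem) lives on the sensors, not the master.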
