Observations on Nessus and Security Onion


Castle, Shane

Mar 29, 2012, 11:41:35 AM
to securit...@googlegroups.com
I recently ran a Nessus scan against the downtown user networks, on one of which my test instance of Security Onion is installed. Interestingly, only one Snort rule fired, but many OSSEC Sguil events occurred. Screen shot attached.

The test NSM is not on a SPAN port or a tap; otherwise I think I'd see much more.

If anything, this is a strong argument for deploying OSSEC sensors/agents on as many systems as you can. This has been on a back burner here for a while. When SO is deployed as the IDS replacement that's going to get higher priority from me.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


Attachment: SGUIL-0.8.0 - Connected To nsm.boco.co.boulder.co.us_2012-03-29_09-34-35.png

Brett Cunningham

Mar 29, 2012, 12:01:19 PM
to securit...@googlegroups.com
This is misleading. OSSEC is able to see the traffic. In this case, Snort has been limited from seeing the traffic by improper configuration.

Castle, Shane

Mar 29, 2012, 12:06:48 PM
to securit...@googlegroups.com
Yep, as I said. NOT a production/properly installed instance.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

Doug Burks

Mar 29, 2012, 12:19:06 PM
to securit...@googlegroups.com
I think this is a great illustration of the value of NSM methodology
and not relying solely on NIDS alerts. Even if the attacker evades
your NIDS (or your NIDS is misconfigured), you still have visibility.

Thanks for sharing, Shane!

Regards,
Doug

--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
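The thread's explanation for the near-silent Snort is that the test sensor was not on a SPAN port or tap, so its sniffing interface only saw frames addressed to the sensor itself. That condition can be checked directly from a short capture on the sniffing interface before trusting any NIDS alert counts. The script below is an added example, not code from this thread or from Security Onion: it parses a libpcap-format capture (Ethernet + IPv4, with 802.1Q tags allowed since SPAN sessions often deliver tagged frames) and reports whether any packet was exchanged between two hosts other than the sensor. The sensor address 10.0.0.5, scanner address 10.0.0.50, target addresses and both captures are constructed inline so the script runs offline; substitute a real file taken with `tcpdump -i <sniff-iface> -w check.pcap`.

```python
"""
Sensor-visibility check: is the NIDS sniffing interface on a SPAN/tap,
or does it only see traffic to and from the sensor itself?

Added example, not part of the original thread or of Security Onion.
Parses classic libpcap files (Ethernet link type), IPv4 only.
"""
import struct
import sys
import ipaddress

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
DLT_EN10MB = 1


def parse_pcap_ipv4(data: bytes):
    """Yield (src_ip, dst_ip) for each IPv4 packet in a pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian (the common case)
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 14:
            continue
        ethertype = struct.unpack("!H", pkt[12:14])[0]
        ip_off = 14
        if ethertype == ETHERTYPE_8021Q and len(pkt) >= 18:   # VLAN-tagged frame
            ethertype = struct.unpack("!H", pkt[16:18])[0]
            ip_off = 18
        if ethertype != ETHERTYPE_IPV4 or len(pkt) < ip_off + 20:
            continue
        src = str(ipaddress.IPv4Address(pkt[ip_off + 12:ip_off + 16]))
        dst = str(ipaddress.IPv4Address(pkt[ip_off + 16:ip_off + 20]))
        yield src, dst


def visibility_report(data: bytes, sensor_ip: str) -> dict:
    """Count packets not involving the sensor; any such packet implies SPAN/tap visibility."""
    total = third_party = 0
    peers = set()
    for src, dst in parse_pcap_ipv4(data):
        total += 1
        if sensor_ip not in (src, dst):
            third_party += 1
        peers.update((src, dst))
    peers.discard(sensor_ip)
    return {"total": total, "third_party": third_party,
            "distinct_hosts": len(peers), "span_or_tap": third_party > 0}


# --- constructed sample data (not a real capture) ---------------------------
def _ipv4_frame(src: str, dst: str, payload: bytes = b"\x00" * 20) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(frames) -> bytes:
    """Assemble a little-endian classic pcap (Ethernet) from raw frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1333040075 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


SENSOR_IP = "10.0.0.5"     # assumed sensor address
SCANNER_IP = "10.0.0.50"   # assumed Nessus scanner address

# Sensor on an ordinary access port: it sees only the scanner probing itself.
ACCESS_PORT_CAPTURE = build_pcap([
    _ipv4_frame(SCANNER_IP, SENSOR_IP), _ipv4_frame(SENSOR_IP, SCANNER_IP),
    _ipv4_frame(SCANNER_IP, SENSOR_IP),
])
# Same scan observed from a SPAN port or tap: probes to other hosts are visible.
SPAN_CAPTURE = build_pcap([
    _ipv4_frame(SCANNER_IP, SENSOR_IP), _ipv4_frame(SCANNER_IP, "10.0.0.20"),
    _ipv4_frame("10.0.0.20", SCANNER_IP), _ipv4_frame(SCANNER_IP, "10.0.0.21"),
])

if __name__ == "__main__":
    if len(sys.argv) == 3:                       # usage: script.py check.pcap <sensor-ip>
        print(visibility_report(open(sys.argv[1], "rb").read(), sys.argv[2]))
    else:
        print("access port:", visibility_report(ACCESS_PORT_CAPTURE, SENSOR_IP))
        print("span/tap:   ", visibility_report(SPAN_CAPTURE, SENSOR_IP))
```

A `span_or_tap` of False on a capture taken during a scan of the whole segment means the NIDS simply never received the traffic, and a low Snort alert count says nothing about detection quality; OSSEC agents on the scanned hosts are unaffected because they report from the endpoints rather than from the wire.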
