Intrusion Detection recommendations

Joe Klein jsklein at gmail.com
Thu Feb 19 13:51:17 UTC 2015


I now have a few moments to discuss Security Onion, and why it works well
for many small and mid-sized organizations.


Security Onion is a Linux distro for IDS, NSM, and log management. The
whole thing can be run on a single system, or on separate systems, based on
your needs, network and security architecture, and budget. From an IDS
sensor standpoint it contains:

1. Snort, Suricata - Focused on network-based signature detection, or what
   I call "the barn door is open, and the horse is gone" detection. This is
   because someone needs to be compromised, and take the time to send out
   signatures (or purchase them), before you can use them. Great if the
   attack is against everyone, or a small community of people that will
   share this information, but not so good if you are the target.

2. Bro - Network-based packet and protocol classifier, which, when
   configured, performs:
   a. Internal intelligence analysis
   b. Full session, bidirectional net flow analysis
   c. File extraction
   d. Network reconnaissance
   e. Behavior and statistical analysis on the flow
   f. And much more

3. OSSEC - A comprehensive host-based intrusion detection system with
   fine-grained application/server-specific policies across multiple
   platforms such as Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and
   VMware ESX.

To catch the traffic, you have:

1. Sguil: The Analyst Console for Network Security Monitoring.

2. Squert is a web application that is used to query and view event data
   stored in a Sguil database (typically IDS alert data). Squert is a
   visual tool that attempts to provide additional context to events
   through the use of metadata, time series representations and weighted
   and logically grouped result sets. The hope is that these views will
   prompt questions that otherwise may not have been asked.

3. Snorby is a Ruby on Rails web application for network security
   monitoring that interfaces with current popular intrusion detection
   systems (Snort, Suricata and Sagan). The basic fundamental concepts
   behind Snorby are *simplicity*, organization and power. The project goal
   is to create a free, open source and highly competitive application for
   network monitoring for both private and enterprise use.

4. ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and
   Sphinx full-text search. It provides a fully asynchronous web-based
   query interface that normalizes logs and makes searching billions of
   them for arbitrary strings as easy as searching the web.

Packet capture and analysis:

1. Xplico is a network forensics analysis tool (NFAT), which is software
   that reconstructs the contents of acquisitions performed with a packet
   sniffer (e.g. Wireshark, tcpdump, Netsniff-ng).

2. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but
   also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a
   passive network sniffer/packet capturing tool in order to detect
   operating systems, sessions, hostnames, open ports etc. without putting
   any traffic on the network. NetworkMiner can also parse PCAP files for
   off-line analysis and to regenerate/reassemble transmitted files and
   certificates from PCAP files.

The only thing you are missing is a SIEM, for which I recommend the ELK
stack. This includes:

1. elasticsearch - for distributed RESTful search and analytics

2. logstash - manage events and logs; elasticsearch works seamlessly with
   logstash to collect, parse, index, and search logs

3. kibana - visualize logs and time-stamped data; elasticsearch works
   seamlessly with kibana to let you see and interact with your data

All of the above items are Open Source, and have free and paid training and
support, if needed. One can save millions of dollars and get the newest
capabilities.
Contact me off list if you have questions.

Disclosure: I do not sell these products, but I use them.

Joe Klein
"Inveniam viam aut faciam"

On Fri, Feb 13, 2015 at 12:40 PM, Andy Ringsmuth <andy at newslink.com> wrote:

> NANOG'ers,
>
> I've been tasked by our company president to learn about, investigate and
> recommend an intrusion detection system for our company.
>
> We're a smaller outfit, less than 100 employees, entirely Apple-based.
> Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the
> world. We are protected by a FreeBSD firewall setup, and we stay current on
> updates/patches from Apple and FreeBSD, but that's as far as my expertise
> goes.
>
> Initially, what do people recommend for:
>
> 1. Crash course in intrusion detection as a whole
> 2. Suggestions or recommendations for intrusion detection hardware or
> software
> 3. Other things I'm likely overlooking
>
> Thank you all in advance for your wisdom.
>
>
> ----
> Andy Ringsmuth
> andy at newslink.com
> News Link – Manager Technology & Facilities
> 2201 Winthrop Rd., Lincoln, NE 68502-4158
> (402) 475-6397    (402) 304-0083 cellular
>
>
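The signature-versus-behaviour distinction drawn in Joe Klein's reply above (Snort/Suricata content matching on the one hand, Bro-style bidirectional flow records with statistical analysis on the other) as an added illustration. This is not part of the original thread and is not code from Security Onion, Snort, Suricata or Bro: it is a toy Python pipeline over constructed packets. The packet tuples, the two signature strings, the IP addresses (documentation ranges plus example.com) and the scan/beacon thresholds are all made up for the example.

```python
"""Toy NSM pipeline (added example, not a Security Onion component).

Part 1 mimics a Snort/Suricata "content:" match: it only fires when the
bytes on the wire contain a pattern somebody already wrote a rule for.
Part 2 folds packets into bidirectional flow records, roughly what Bro's
conn.log carries, and runs two behavioural checks that need no prior
signature: a port sweep and a periodic beacon. All traffic is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


# Hypothetical signatures: byte patterns an analyst already knows are bad.
SIGNATURES = {
    "shell banner in HTTP reply": b"uid=0(root)",
    "known C2 user-agent": b"User-Agent: evil-bot/1.0",
}


def signature_hits(packets):
    """(rule name, src, dst, dport) for every packet containing a known pattern."""
    return [(name, p.src, p.dst, p.dport)
            for p in packets
            for name, needle in SIGNATURES.items()
            if needle in p.payload]


def flow_key(p):
    """Canonical 4-tuple so both directions of a connection share one record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a


def build_flows(packets):
    """Bidirectional flow records; the first packet seen defines the originator."""
    flows = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        if key not in flows:
            flows[key] = {"orig": p.src, "resp": p.dst, "resp_p": p.dport,
                          "start": p.ts, "end": p.ts,
                          "orig_bytes": 0, "resp_bytes": 0}
        f = flows[key]
        f["end"] = p.ts
        f["orig_bytes" if p.src == f["orig"] else "resp_bytes"] += len(p.payload)
    return list(flows.values())


def detect_port_scan(flows, min_ports=10):
    """Behavioural: one originator probing many ports on one host with no reply."""
    ports = defaultdict(set)
    for f in flows:
        if f["resp_bytes"] == 0:
            ports[(f["orig"], f["resp"])].add(f["resp_p"])
    return [(o, r, len(ps)) for (o, r), ps in ports.items() if len(ps) >= min_ports]


def detect_beacon(flows, min_conns=5, max_jitter=0.1):
    """Behavioural: evenly spaced connections to the same host:port.

    max_jitter bounds the coefficient of variation of the inter-connection gaps.
    """
    starts = defaultdict(list)
    for f in flows:
        starts[(f["orig"], f["resp"], f["resp_p"])].append(f["start"])
    found = []
    for key, ts in starts.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            found.append(key + (round(mean(gaps), 1),))
    return found


def sample_packets():
    """Constructed traffic: a web fetch, a leaked root shell banner (signature
    hit), a 12-port SYN sweep and a 60-second TLS beacon (behavioural hits)."""
    pk = [Packet(1.0, "10.0.0.5", 50000, "93.184.216.34", 80, b"GET / HTTP/1.1\r\n"),
          Packet(1.1, "93.184.216.34", 80, "10.0.0.5", 50000, b"HTTP/1.1 200 OK\r\n"),
          Packet(5.0, "10.0.0.20", 80, "198.51.100.4", 55555,
                 b"HTTP/1.1 200 OK\r\n\r\nuid=0(root) gid=0(root)\r\n")]
    pk += [Packet(2.0 + i * 0.01, "10.0.0.7", 40000 + i, "10.0.0.20", 1 + i)
           for i in range(12)]
    pk += [Packet(100.0 + i * 60.0, "10.0.0.9", 51000 + i, "203.0.113.8", 443,
                  b"\x16\x03\x01")
           for i in range(6)]
    return pk


if __name__ == "__main__":
    pk = sample_packets()
    print("signature hits:", signature_hits(pk))
    flows = build_flows(pk)
    print("port scans:", detect_port_scan(flows))
    print("beacons:", detect_beacon(flows))
```

The sweep and the beacon carry no byte pattern that any signature would match, so `signature_hits` says nothing about them, while the flow-level checks catch both; conversely the root-shell banner is a pure content match that no flow statistic would flag. That is the trade-off the reply describes, and why the two sensor types sit side by side in the distro.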


