Security Onion is a Linux distribution designed to support security analysts with a suite of tools for network security monitoring, including intrusion detection, network security monitoring, and log management. The Security Onion system is based on the Ubuntu Linux OS and contains several powerful security tools that are designed to provide three core network security-monitoring functions, as follows:
Full packet capture
Network-based and host-based intrusion detection sensors
Security analysis tools
In terms of network-based and host-based intrusion detection, Security Onion has several tools that support both rule-based network detection and analysis-driven network detection, including Snort, Suricata, and Bro for network-based intrusion detection, and OSSEC for host-based intrusion detection.
Analysis tools are critical for network security monitoring because they help the security analyst understand the data that is captured by network sensors. Three useful analysis tools that are provided by Security Onion are ELSA, Sguil, and Squert.
Security Onion is built on a distributed client-server model. A Security Onion server communicates with one or more Security Onion sensors (clients). The server and sensor components can run on a single physical or virtual machine, or multiple sensors can be distributed throughout an organization and configured to report back to the Security Onion server. There are three deployment scenarios for Security Onion:
Standalone: A standalone installation consists of a single physical or virtual machine running both the server and sensor components and their related processes. A standalone installation can have multiple network interfaces monitoring different network segments. A standalone installation is the easiest and most convenient method to monitor a network or networks that are accessible from a single location.
Server-sensor: A server-sensor installation consists of a single machine running the server component with one or more separate machines running the sensor component and reporting back to the server. The sensors run all sniffing processes and store the associated packet captures, IDS alerts, and databases for Sguil and ELSA. The analyst connects to the server from a separate client machine, and all queries that are sent to the server are distributed to the appropriate sensors, with the requested information being returned to the client. This model reduces network traffic by keeping the bulk of the collected data on the sensors until it is requested by the analyst's client.
Hybrid: A hybrid installation consists of a standalone installation that also has one or more separate sensors reporting back to the server component of the standalone machine.
Network Security Monitoring Tools
The following is a short list of some of the many open-source network security monitoring tools included in the Security Onion distribution:
Bro (http://bro-ids.org): Bro is a powerful network analysis framework that is quite different from the typical IDS.
ELSA (https://github.com/mcholste/elsa/): ELSA is a centralized syslog framework that is built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs, as well as email-based alerts, scheduled queries, and graphing.
netsniff-ng (http://netsniff-ng.org/): netsniff-ng is a free, performant Linux networking toolkit.
OSSEC (https://ossec.github.io/): OSSEC is an open source host-based IDS, or HIDS. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response.
Sguil (http://sguil.sourceforge.net/): Sguil (pronounced "sgweel") is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event-driven analysis.
Snort (http://www.snort.org/): Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and over 500,000 registered users, Snort has become the de facto standard for IPS.
Squert (http://www.squertproject.org/): Squert is a web application that is used to query and view event data that is stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events by using metadata, time series representations, and weighted and logically grouped result sets.
Suricata (http://www.openinfosecfoundation.org/index.php/download-suricata): The Suricata engine is an open source next-generation intrusion detection and prevention engine.
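Snort and Suricata both emit alerts in Snort's one-line "fast" format, and Sguil and Squert present those alerts grouped by signature and ranked by priority. The following Python example, added here and not part of Security Onion or the course text, parses a few constructed fast-format lines and builds the kind of grouped, priority-ranked summary an analyst would read; the sid values and rule messages are made up for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample alert lines (not from the page) in the Snort/Suricata "fast" format.
SAMPLE_FAST_LOG = """\
01/10-15:32:12.123456  [**] [1:1000001:1] LOCAL rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:52134
01/10-15:32:13.000001  [**] [1:1000002:3] LOCAL rule B [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:53 -> 192.0.2.10:41000
01/10-15:32:14.500000  [**] [1:1000001:1] LOCAL rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.11:52200
01/10-15:32:15.000000  [**] [1:1000003:2] LOCAL rule C [**] [Priority: 1] {ICMP} 192.0.2.10 -> 203.0.113.9
not an alert line, skipped by the parser
"""

# One alert line: timestamp, [gid:sid:rev], message, optional classification, priority, protocol, src -> dst.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str

def parse_fast_log(text: str) -> list:
    """Parse fast-format lines into Alert records; lines that do not match are ignored."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(m["ts"], int(m["sid"]), m["msg"], m["cls"] or "unclassified",
                            int(m["prio"]), m["proto"], m["src"], m["dst"]))
    return alerts

def summarize(alerts: list) -> list:
    """Group alerts by signature and rank them: priority 1 first, then by alert count.

    Each row is (sid, priority, count, message, distinct destination count)."""
    counts = Counter(a.sid for a in alerts)
    first = {a.sid: a for a in alerts}
    rows = [(sid, first[sid].priority, counts[sid], first[sid].msg,
             len({a.dst for a in alerts if a.sid == sid})) for sid in counts]
    return sorted(rows, key=lambda r: (r[1], -r[2]))

if __name__ == "__main__":
    for row in summarize(parse_fast_log(SAMPLE_FAST_LOG)):
        print(row)
```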
The above screenshot from Security Onion shows a sample IPS alert. In this course’s lab exercises, you will use some of the Security Onion tools to perform specific tasks, and explore logs and events.