Peeling Your Network Layers With
{ _id: “Mark Hillick”, “company”: “Kybeire” }
Friday 23 November 12
Jan 15, 2015
> db.whoam.findOne()
{ "contact": { "email": "[email protected]", "web": "www.hackeire.net", "twitter": "markofu" }, "work" : { "10gen" : "MongoDB" }, "cert" : { "GIAC GSE" : true }, "state" : { "Nervous" : true, "Relaxed" : false }, "tags" : [ { "securityonion" : 1}, {"tcp" : 1} , {"ids" : 1}, {"packet analysis" : 1}, {"defensive fun" : 1}, {"nsm" : 1} ], "try-to-help" : [ { "IrissCert" : "not very well"} , {"Security Onion" : "not well enough"} ]}
Last Presentation - need humour!!!
Or at least an attempt at it :)
SO @ IrissCon
Four Things
This talk is NOT an IDS talk!
This talk will be fairly technical :)
And fast :)
If you don’t like Lego or Star Wars, you might want to leave
Creator
Doug Burks - the guy is incredible, he does not sleep :)
Grew out of SANS Gold Paper
Wanted to help make Sguil & NSM “easier” to deploy!
So, what is it?
Security Onion is a Linux distro for IDS (Intrusion Detection) & NSM (Network Security Monitoring).
New version => all Ubuntu-type 12.04 distros [LTS], 32 & 64 bit
Old version => Xubuntu 10.04 [LTS], 32 bit only
Contains many security tools.
The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Open-Source : so it’s all there!!!!
Traditionally
DEFENCE-IN-DEPTH
Layers, layers & more layers:
Firewalls; IDS/IPS; WAF
Restrict inbound, allow all outbound
Different FW tech
ACLs on Routers
But what is going on?
IDS Alert, what now?
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
NSM, Old-Style :(
WTF???????
Ah man, this sucks!
grep this, awk that, sed this, pipe to CSV, scp & open Excel :(
Then make pretty for mgmt :)
State of IDS
Source: http://img2.moonbuggy.org/imgstore/doorstop.jpg
NSM
NSM != IDS
Clarity!!!
“the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions”
Richard Bejtlich, TaoSecurity Blog
http://taosecurity.blogspot.com/2007/04/networksecurity-monitoring-history.html
NSM, ONION-STYLE :)
CHILDS-PLAY
Architecture
Server, Sensors or Both
Ultimate Analyst Workstation
Deploy, Build & Use
Aggregate or Tap
Use Cases:
Production - traditional DCs on VM
Cloud Infrastructure
Personally: HackEire & @ home ETC
Admin - aptitude & upstart :)
Haz Tools 1
IDS: Snort or Suricata - your choice :)
Haz Tools 2
Bro: powerful network analysis framework with amazingly detailed logs
OSSEC monitors local logs, file integrity & rootkits
Can receive logs from OSSEC Agents and standard Syslog
Haz Tools 3
Complete List: http://code.google.com/p/security-onion/wiki/Tools
Directory Structure
Data : /nsm
  backup, bro, server data & sensor data
  By sensor name “$hostname-$interface”
Config : /etc/nsm
  ossec, pulledpork, securityonion
  $hostname-$interface
    pads, snort, suricata, barnyard etc
Logs : /var/log/nsm
NSM
sudo service nsm restart
  bro
  ossec
  sguil
sudo service nsm-server restart
sudo service nsm-sensor restart
Pivot To Wireshark
Attack : Client-Side
Innocence
Oops, now inside!
Sit Back, Relax & Enjoy
Upcoming Demo of Client-side attack
User clicks on link
Channel is created back to attacker
CS Attack: Sguil
CS Attack: Snorby
CS Attack: Bro 1
bash/bro scripting
framework & built-in scripts
/nsm/bro/logs/current
http.log
conn.log
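An added example (mine, not code from the slides or from the Security Onion/Bro projects) of the "bash/bro scripting" the slide has in mind: sh + awk over conn.log, resolving columns from the #fields header instead of hard-coding positions, which is what bro-cut does for you when it is installed. The conn.log it runs on is constructed sample data with a subset of Bro 2.x's columns; its 10.20.0.165:1804 -> 10.20.0.111:4444 row is modelled on the channel the Network Miner slide later pivots to, with made-up uids, timestamps and byte counts. The raw_to_tuple helper assumes the sip:sport_dip:dport-ipproto.raw naming visible in that slide's ls output; that convention is inferred from the one filename shown, not taken from Sguil's source.

```shell
#!/bin/sh
# Added example, not from the original slides or from Security Onion/Bro:
# "bash/bro scripting" over conn.log with nothing but sh + awk. Bro logs are
# tab-separated with a "#fields" header, so column positions are resolved
# from that header (the order differs between Bro versions; bro-cut, which
# ships with Bro, does the same thing when you have it).

# Join arguments with tabs, Bro's default separator.
row() {
    printf '%s' "$1"
    shift
    for f in "$@"; do printf '\t%s' "$f"; done
    printf '\n'
}

# CONSTRUCTED sample conn.log: a subset of Bro 2.x's columns, three flows.
# Row 2 is modelled on the 10.20.0.111:4444 channel seen later in the deck;
# the uids, timestamps and byte counts are made up.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#path\tconn\n'
    row '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service \
        duration orig_bytes resp_bytes conn_state
    row 1352064100.123456 CXWv6p3arKYeMETxOg 10.20.0.165 1803 10.20.0.111 80   tcp http 0.412    311     1204 SF
    row 1352064101.654321 CjhGID4nQcgTWjvg4c 10.20.0.165 1804 10.20.0.111 4444 tcp -    1843.201 1291079 8820 S1
    row 1352064102.000000 C4J4Th3PJpwUYZZ6gc 10.20.0.165 1805 8.8.8.8     53   udp dns  0.021    40      56   SF
    printf '#close\t2012-11-04-21-59-59\n'
}

# Connections whose responder port is $1, read from a conn.log on stdin:
#   orig_h:orig_p -> resp_h:resp_p proto duration orig_bytes uid
conns_to_port() {
    awk -F '\t' -v want="$1" '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/       { next }
        $(col["id.resp_p"]) == want {
            printf "%s:%s -> %s:%s %s %s %s %s\n",
                $(col["id.orig_h"]), $(col["id.orig_p"]),
                $(col["id.resp_h"]), $(col["id.resp_p"]),
                $(col["proto"]), $(col["duration"]),
                $(col["orig_bytes"]), $(col["uid"])
        }'
}

# Heuristic for the client-side attack shown in the deck: a TCP session that
# lasts at least $1 seconds (default 600), carries no service Bro recognises,
# and where the originator sends more than it receives. Prints the uid, which
# is the key for pivoting into Bro's other logs.
reverse_shell_suspects() {
    awk -F '\t' -v min_dur="${1:-600}" '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/       { next }
        $(col["proto"]) == "tcp" && $(col["service"]) == "-" &&
        $(col["duration"]) + 0 >= min_dur + 0 &&
        $(col["orig_bytes"]) + 0 > $(col["resp_bytes"]) + 0 {
            print $(col["uid"])
        }'
}

# Turn a Sguil/NetworkMiner raw stream filename into the matching 5-tuple.
# ASSUMED naming sip:sport_dip:dport-ipproto.raw, inferred from the one
# filename on the "ls -lart | grep 4444" slide, not from Sguil's source.
raw_to_tuple() {
    printf '%s\n' "$1" |
        sed -n 's/^\(.*\):\([0-9]*\)_\(.*\):\([0-9]*\)-\([0-9]*\)\.raw$/src=\1 sport=\2 dst=\3 dport=\4 ipproto=\5/p'
}

# On a sensor the same functions read the live log:
#   conns_to_port 4444          < /nsm/bro/logs/current/conn.log
#   reverse_shell_suspects 900  < /nsm/bro/logs/current/conn.log
sample_conn_log | conns_to_port 4444
sample_conn_log | reverse_shell_suspects
raw_to_tuple 10.20.0.111:4444_10.20.0.165:1804-6.raw
```

The header-driven column lookup is the part worth copying: a filter written against `$6` silently breaks the day a sensor is upgraded and conn.log gains or moves a column, whereas one keyed on `id.resp_p` keeps working, and the uid it hands back is the same value Bro's http.log, dns.log and notice.log carry, so the pivot from "a connection to 4444" to "what else did that host do" is one grep away.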
CS Attack: Bro 2
DETAIL, DETAIL, DETAIL......
CS Attack: Elsa
CS Attack: Network Miner
$ ls -lart | grep 4444
-rw-rw-r-- 1 nsmadmin nsmadmin 1291079 Nov 4 21:22 10.20.0.111:4444_10.20.0.165:1804-6.raw
Ah, yeah, now.......
How many clicks does it take you to get from an alert to the packet????
Can you pivot?
Could you take a Windows Administrator off the street???
Don’t Forget
All Wrapped Up
Thanks to Doug & the team
No more
compiling
messing with installations
sorting out pre-requisites
Significantly reduced testing
Point & Click
Conclusion
Easy Peasy
Powerful - haz tools
Nice pictures, GUIs & graphs for management ;-)
Open-Source is possible & SO viable
Commodity H/W
Support - mixture!
Want to join?
Security Onion needs:
Documentation & Artwork
Web Interface
Package Maintainers
Performance Benchmarks
Me -> “GetOpts -> sosetup & Chef”
http://code.google.com/p/security-onion/wiki/TeamMembers
Further Reading!!!
Project Home: https://code.google.com/p/security-onion/
Blog: http://securityonion.blogspot.com
GG: https://groups.google.com/forum/?fromgroups#!forum/security-onion
Wiki: http://code.google.com/p/security-onion/w/list
Mailing Lists: http://code.google.com/p/security-onion/wiki/MailingLists
IRC: #securityonion on irc.freenode.net
The Future: https://code.google.com/p/security-onion/wiki/Roadmap
Contact Me
@markofu
BTW, Star Wars Fan :)
Pics Links
Onion: https://secure.flickr.com/photos/7157427@N03/3248129452/
Star Wars Lego: http://imgur.com/a/0XvKw (Huge thanks to Mike Stimpson -> www.mikestimpson.com :) )
Book -> “Stormtroopers, we love you”
Thank You!!!