Offline analysis in Security Onion

I’ve mentioned in a previous posts about how useful is Security Onion as it is, but for different reasons one might have to tweat it in order to suit his needs. In my case, I had the problem of big drop rates on network packets from Snort and BRO in a temporary production deployment. Since I couldn’t rely on the BRO and Snort logs I would have to generate them again. The good thing was that netsniff-ng had an almost 0 drop rate and I could use the PCAP files for offline analysis. Continue reading “Offline analysis in Security Onion”

Snort alerts – passing through the Onion

Snort is a pretty interesting piece of software, with multiple features. Understanding the Snort architecture might help better understand this post. It is also the de-facto standard when it comes to IDS and the default sensor used in Security Onion. The present article will present the overview of how Snort and additional programs are being used in Security Onion. The purpose of Snort in Security Onion is to provide IDS data which will be analyzed by the user in one of the user-interfaces available in the operating system. The following is also an example of a network security monitoring system. Continue reading “Snort alerts – passing through the Onion”

How ELSA works

ELSA stands for Enterprise Log Search and Archive. It’s a really powerful syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It’s one of the main tools that I’m relying on when using Security Onion. On a previous post I’ve put some words on the big picture in Security Onion , but in the present one I’m going to focus on details related to how ELSA works in Security Onion. The main reason for this article is to understand the differences between standard ELSA and Security Onion ELSA, where people (including me) might get confused with file paths and configuration details. Continue reading “How ELSA works”

Security Onion – from traffic to analyst

In the past months I’ve been using Security Onion in relation to one of my school projects and lately to my internship. Security Onion has a lot of useful programs, on which you could literally spend days to configure to work properly on the same server. The fact that it just works, does not save you the headaches of figuring out how it works and tweaking it to suit your needs. (but it saved me from a lot of headaches caused by other issues). Continue reading “Security Onion – from traffic to analyst”