Offline analysis in Security Onion

I’ve mentioned in a previous post how useful Security Onion is as it comes, but for various reasons one might have to tweak it to suit their needs. In my case, I had the problem of high packet drop rates from Snort and Bro in a temporary production deployment. Since I couldn’t rely on the Bro and Snort logs, I would have to generate them again. The good thing was that netsniff-ng had an almost zero drop rate, so I could use its PCAP files for offline analysis.

Snort alerts – passing through the Onion

Snort is a pretty interesting piece of software with many features; understanding the Snort architecture will help in following this post. It is also the de facto standard IDS and the default sensor used in Security Onion. This article gives an overview of how Snort and its supporting programs are used in Security Onion. The purpose of Snort in Security Onion is to provide IDS data that the user analyzes in one of the user interfaces available in the distribution. What follows is also an example of a network security monitoring system.

How ELSA works

ELSA stands for Enterprise Log Search and Archive. It’s a really powerful syslog framework built on syslog-ng, MySQL, and Sphinx full-text search, and it’s one of the main tools I rely on when using Security Onion. In a previous post I’ve written about the big picture in Security Onion, but in this one I’m going to focus on the details of how ELSA works in Security Onion. The main reason for this article is to understand the differences between standard ELSA and Security Onion’s ELSA, where people (including me) can get confused by file paths and configuration details.

Ubuntu 12.04 desktop hang because of gnome-session

I’m running Ubuntu 12.04 and I’m using GNOME 3 instead of the default Unity; I like the Debian interface much more than Unity. Anyway, every once in a while, when I boot up my laptop and log in, everything hangs. In other words, the wallpaper and the menu bar load fine, but wherever I click or whatever I try to do, nothing works. I can easily recognize this by the network icon, which looks as though my network adapters are disabled.

Custom laptop battery notifications

Since I bought my laptop, I have been concerned about the long-term effects of keeping it plugged in constantly. A lot of people do this and apparently it shortens the battery’s life. I wanted an app or a script that could show me the battery notifications I wanted: notify me when the battery is charged or discharged to a custom level. I think it’s optimal to keep it charged up to 90% and not let it discharge below 20%. Since I didn’t find anything that fitted my needs, I decided to write my own script.

Protect against ARP-spoofing

In a previous article I’ve talked about how you can sniff traffic on a LAN using ARP. In this article we are going to see how we can prevent our traffic from being sniffed.

ARP spoofing works because of a big flaw in ARP: anybody on the network can respond to ARP requests. To prevent machines on the network and routers from being confused, we must set up static ARP tables and/or configure each of the machines separately.

Sniff traffic from LAN using ARP

What is ARP

ARP stands for Address Resolution Protocol. It is the protocol that associates MAC addresses with IP addresses. It is a low-level protocol (Layer 2) that is still very vulnerable to spoofing, even though it is quite old (it was defined by RFC 826 in 1982). ARP spoofing is a favourite for MITM (man-in-the-middle) attacks and it is simple to implement (using automated tools). Plus, it’s a great way to have fun when you are using the same LAN as others (like in dorms, classes etc.).