While looking for the Snort GUI that would suit my needs, I came across various software packages and Linux distros. Two of these distros are SmoothSec and SecurityOnion. Both of them are IDS/IPS Linux distributions equipped with all sorts of tools that one would find necessary for NSM.
SmoothSec:
- based on Debian
- 2 network intrusion sensors (Snort, Suricata)
- 1 GUI (Snorby)
- manual rule management

SecurityOnion:
- based on Ubuntu
- 2 network intrusion sensors + 1 host intrusion sensor (Snort, Suricata, OSSEC)
- 3 GUIs (Snorby, Squert, Sguil)
- automated rule management
- includes multiple log analysis/management tools
Opinions after usage
Both distributions have the same “back-engine”, with the possibility to run either Snort, Suricata or both.
As for installation, the procedure is the same for both, being installed like any (standard) Debian/Ubuntu. SmoothSec can be deployed a bit faster, as it does not have a desktop graphical interface – so by running the “smoothsec.first.startup” command, everything will be in place after several minutes. SecurityOnion can also be configured right after the first boot, by using an intuitive GUI that guides the user through the tool installation process. The user can choose a “typical” or an “advanced” type of installation, where questions related to the major tools are prompted. While in SmoothSec rule management is done manually, in SecurityOnion it is fully automated, the user having the possibility of choosing between several sources (including Snort VRT, where a personal oinkmaster code is required). Another bonus is that there are cron jobs scheduled to update the rules daily.
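To make the manual-versus-automated distinction concrete, here is an added example of the kind of scheduled rule-update job the paragraph credits SecurityOnion with. It is my own illustration, not a script from SmoothSec or SecurityOnion. It assumes the rules arrive as a gzipped tarball that has already been downloaded (the fetch step from a provider such as Snort VRT, with its oinkcode, is deliberately left out, since the URL and credentials are site-specific), validates every rule line before anything touches the live directory, keeps the previous ruleset for rollback, and swaps the new directory in with a single rename. The sample ruleset it installs is constructed inline; the cron schedule and install path in the comments are assumptions.

```shell
#!/bin/sh
# Added example: a minimal daily rule-update job (not SmoothSec's or SecurityOnion's own code).
# Assumed cron entry, e.g. in /etc/cron.d (path is an assumption):
#   0 3 * * * root /usr/local/sbin/update_rules.sh
set -eu

# Validate one .rules file: every non-blank, non-comment line must begin with a
# Snort/Suricata action keyword. Exits non-zero on the first unexpected line, so a
# corrupt or truncated download never reaches the sensor.
validate_rules_file() {
    awk '
        /^[ \t]*(#|$)/ { next }                                   # comments and blank lines
        !/^(alert|log|pass|drop|reject|sdrop)[ \t]/ {
            print FILENAME ":" NR ": unexpected line: " $0 > "/dev/stderr"; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Install a ruleset tarball into RULES_DIR atomically: unpack into a staging
# directory next to the target, validate every .rules file, keep the old directory
# as RULES_DIR.prev for rollback, then rename the staging directory into place.
# Prints the number of installed .rules files.
install_ruleset() {
    tarball="$1"
    rules_dir="$2"
    stage="$(mktemp -d "$(dirname "$rules_dir")/rules.stage.XXXXXX")"
    tar -xzf "$tarball" -C "$stage"
    count=0
    for f in "$stage"/*.rules; do
        if [ ! -e "$f" ]; then
            echo "no .rules files found in $tarball" >&2
            rm -rf "$stage"; return 1
        fi
        validate_rules_file "$f" || { rm -rf "$stage"; return 1; }
        count=$((count + 1))
    done
    if [ -d "$rules_dir" ]; then
        rm -rf "$rules_dir.prev"
        mv "$rules_dir" "$rules_dir.prev"      # previous ruleset kept for rollback
    fi
    mv "$stage" "$rules_dir"                   # single rename: no half-installed state
    echo "$count"
}

# Constructed sample ruleset (not a real feed) so the script runs offline.
make_sample_ruleset() {
    src="$(mktemp -d)"
    cat > "$src/local.rules" <<'EOF'
# constructed sample rules
alert tcp any any -> any 80 (msg:"sample http rule"; sid:1000001; rev:1;)
drop tcp any any -> any 23 (msg:"sample telnet block"; sid:1000002; rev:1;)
EOF
    cat > "$src/extra.rules" <<'EOF'
alert icmp any any -> any any (msg:"sample icmp rule"; sid:1000003; rev:1;)
EOF
    tar -czf "$1" -C "$src" local.rules extra.rules
    rm -rf "$src"
}

# Constructed malformed ruleset: a truncated line that is not a rule.
make_bad_ruleset() {
    src="$(mktemp -d)"
    printf 'alert tcp any any -> any 22 (msg:"ok"; sid:1000004; rev:1;)\ngarbage not a rule\n' > "$src/broken.rules"
    tar -czf "$1" -C "$src" broken.rules
    rm -rf "$src"
}

# Demonstration run on the constructed ruleset.
WORK="$(mktemp -d)"
make_sample_ruleset "$WORK/sample.tar.gz"
echo "installed $(install_ruleset "$WORK/sample.tar.gz" "$WORK/rules") rule files into $WORK/rules"
```

The validation step is the part worth copying: an automated feed is only as trustworthy as the check between download and reload, and rejecting the whole tarball on the first malformed line is simpler to reason about than installing a partial set. The `.prev` directory gives a one-command rollback (`mv rules.prev rules`) if the sensor refuses to load the new set.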
SmoothSec's toolbox is the standard one for an NSM solution (sensor, rule management, database, GUI), while SecurityOnion's is fully equipped for NSM, NSM testing (e.g. inundator), log dissection, packet crafting, network scanning and more. You can check the full list of tools here.
Both are network-based IDS solutions, but SecurityOnion also offers the possibility of host-based IDS deployment, using OSSEC. As for placement, SmoothSec also offers the possibility of in-line deployment, turning it into an IPS.
SecurityOnion is better when it comes to technical features and community backing, being more automated and having more tools and more online support/resources.
If you just want an out-of-the-box, ready-to-go NSM solution for a relatively small network – go for SmoothSec.
If the scenario requires a more professional approach to your NSM solution, regardless of the network size – go for SecurityOnion.