
Security Onion – A Linux distro for intrusion detection - telecomix
https://security-onion-solutions.github.io/security-onion/
======
bbayles
I've been a fan of Security Onion for a while. Richard Bejtlich's book
"Practice of Network Security Monitoring" discusses setting it up and how to
incorporate it into an operations center's routine.

Notably, Security Onion and other tools are very difficult to use in cloud
environments where you don't control the network! There are ways of getting a
sensor access to the relevant traffic, but they require careful architecture.
Even when set up properly, encrypted traffic defeats much of the deep packet
inspection-based monitoring.

~~~
pkaeding
Do you have any other resources to point me toward describing how you would
set something like this up in a cloud environment? Are there other tools
better suited for cloud environments?

~~~
bbayles
SANS has a slightly dated paper ([1]) about setting up this sort of thing that
gives a flavor for how it can work.

I think AWS's VPC Flow Logs are the foundation for better tools (disclaimer,
my company develops these tools - [2]). I hope Azure and others follow suit.

[1] [https://www.sans.org/reading-room/whitepapers/cloud/security...](https://www.sans.org/reading-room/whitepapers/cloud/security-onion-cloud-client-network-security-monitoring-cloud-34335)

[2] [https://observable.net/blog/vpc-flow-logs-virtual-private-cl...](https://observable.net/blog/vpc-flow-logs-virtual-private-clouds-in-aws/)

~~~
spydum
In fact Azure security center does quite a lot of threat and malicious traffic
analysis. OMS is going to be rather interesting as it matures as well.

------
unethical_ban
I deployed it at home a few years ago - a hardware server on a mirrored
switchport. Really easy to set up. And from what I hear, the multi-node setup
with manager is easy, too. If you want IDS but don't have a high software
budget for Cisco FirePOWER or Palo Alto or $VENDORIPS, this would be a good
start.

It will still take a lot of personnel time, though. Tuning alerts is critical.

~~~
Tharkun
Could you use this, for instance, to detect an infected Windows host talking
to a botnet? Or would that sort of connection info be lost as noise in the
presumably large amount of data captured?

~~~
bbayles
You could definitely use Security Onion's tools for that. The full SO
distribution is a little bit overkill for that. You could run YAF ([1]) on a
box attached to a mirror port to log IP headers and then periodically check it
against a tracker.

NetFlow or VPC Flow Logs (in AWS) would work just as well for this also.

[1]
[http://tools.netsa.cert.org/yaf/index.html](http://tools.netsa.cert.org/yaf/index.html)
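The approach bbayles describes in this comment and in the earlier one about VPC Flow Logs (log the flow headers, then periodically check them against a tracker of known bad addresses) is small enough to show end to end. The following is an added example written for this thread, not code from Security Onion, YAF or any vendor. It parses records in the default AWS VPC Flow Log field order, matches either endpoint against a tracker list of IPs/CIDRs, and tallies which monitored hosts touched an indicator; the tracker entries and flow lines are constructed sample data using documentation address ranges, and `load_tracker`, `parse_vpc_flow`, `match_flows` and `hosts_by_hits` are names chosen here.

```python
"""Match flow records against a tracker list of known-bad addresses.

Added example for the thread above; constructed data, no real indicators.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Field order of a default (version 2) AWS VPC Flow Log record.
VPC_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
              "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end", "action", "log_status")

# Constructed tracker list (documentation ranges, not real C2 infrastructure).
TRACKER = ["198.51.100.0/24", "203.0.113.77", "# comments are ignored"]

# Constructed flow log lines: one host reaching a tracked IP on 443, one benign
# flow, one inbound probe from a tracked range that the security group rejected,
# and a second host talking outbound to the tracked range on 6667.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.77 49152 443 6 12 2048 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 93.184.216.34 49153 443 6 30 9000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 6667 55000 6 4 200 1600000010 1600000070 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.40 198.51.100.9 60000 6667 6 80 16000 1600000020 1600000080 ACCEPT OK
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    action: str


@dataclass(frozen=True)
class Hit:
    monitored_host: str  # the address on our side of the flow
    indicator: str       # the remote address that is on the tracker
    network: str         # the tracker entry (as a CIDR) that matched
    direction: str       # "outbound" if our host sent to the indicator, else "inbound"
    flow: Flow


def load_tracker(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Normalise tracker entries (bare IPs or CIDRs) into network objects."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_vpc_flow(line: str) -> Optional[Flow]:
    """Parse one default-format record; skip NODATA/SKIPDATA and malformed lines."""
    fields = line.split()
    if len(fields) != len(VPC_FIELDS):
        return None
    rec = dict(zip(VPC_FIELDS, fields))
    if rec["log_status"] != "OK":
        return None
    return Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                int(rec["protocol"]), rec["action"])


def lookup(addr: str, networks) -> Optional[ipaddress._BaseNetwork]:
    """Return the first tracker network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None


def match_flows(lines: Iterable[str], networks) -> List[Hit]:
    """Check both endpoints of every flow against the tracker."""
    hits = []
    for line in lines:
        flow = parse_vpc_flow(line)
        if flow is None:
            continue
        net = lookup(flow.dst, networks)
        if net is not None:  # our host initiated a connection to a tracked address
            hits.append(Hit(flow.src, flow.dst, str(net), "outbound", flow))
            continue
        net = lookup(flow.src, networks)
        if net is not None:  # a tracked address reached (or tried to reach) our host
            hits.append(Hit(flow.dst, flow.src, str(net), "inbound", flow))
    return hits


def hosts_by_hits(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count tracker contacts per monitored host, the list an analyst triages first."""
    return dict(Counter(h.monitored_host for h in hits))


if __name__ == "__main__":
    found = match_flows(SAMPLE_FLOW_LOG.splitlines(), load_tracker(TRACKER))
    for h in found:
        print(f"{h.direction:8} {h.monitored_host:12} <-> {h.indicator:15} "
              f"dport={h.flow.dport} action={h.flow.action} via {h.network}")
    print(hosts_by_hits(found))
```

The rejected inbound flow is kept deliberately: a blocked probe from a tracked range is still a useful signal, and the same host later appears in an accepted outbound flow, which is the pattern worth an analyst's attention. NetFlow or YAF output would need a different `parse_*` function but the same matching logic.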

------
banksecopsguy
I work in a major bank SecOps. Here we use RSA Security Analytics for
aggregating packets and logs from all over the network, fire alerts and do our
analysis.

I would like to know if someone here has used both RSA Security Analytics and
Security Onion, and what they think about how they compare against one
another. The last time (which was about 2 years ago) RSA Sales people came to
our site and showed the capabilities of their product, it seemed to exceed the
capabilities of Security Onion, but I am still a junior guy in SecOps and I
still have a lot to catch up and learn, so I don't have the sufficient
knowledge and expertise to determine how they compare against one another and
what the pros and cons of each product are.

~~~
ethbro
As someone not in SecOps, and to the extent that you feel comfortable, how
transparent are the commercial vendors about technical details?

I'd imagine management / sales is probably "it's a black box and does good
stuff", but curious about what level of detail is shared with the customer.

------
rrggrr
Turn this into a small appliance I don't have to manage and take my money.
Send me alerts via Slack and ask me to confirm suggested corrective actions.

~~~
616c
I see you got downvoted, but the reason someone wants something for free: many
powerful expensive appliances exist. But if someone needs to stand something
up quickly and effectively for an investigation or frequent analysis, that gets
expensive.

I am sure other people with Cisco Sourcefire and competitors will agree here.

~~~
rrggrr
Okay. For those downvoters this... for those of us without the time, skills
and money for expensive solutions or free solutions a _Reasonably Priced_
appliance would really, really be great. That market is pretty much everyone
with an internet connection who conducts business or confidential
communications online.

------
phantom_oracle
Can someone explain what is the use-case for this OS?

Do I use it as an OS to monitor my infrastructure?

Eg. I use this OS to monitor and analyze my servers, containers, etc (which
are running their own host/container OSes)

OR

Do I use this as an OS for my servers and my containers?

Eg. Security-Onion as the Host and Security-Onion containers on my
infrastructure

It isn't quite clear from what I read/see on the landing-page.

~~~
detaro
The first. The tools that come with it are used to analyze network traffic,
logs etc from other hosts, with a focus on security.

~~~
dave2000
So I stick this on an old laptop and connect it to a spare Ethernet port on my
router?

~~~
andrewstuart2
Ideally you use a mirror port so that all traffic being routed also gets sent
to the SecurityOnion services for automated analysis, reporting, and alerts
(depending on how SO is configured).

~~~
awqrre
Would it be efficient to create iptables rules to mirror traffic on a router
that doesn't have a mirroring port?
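On a Linux router without a SPAN/mirror port the usual substitute is the iptables `TEE` target (the `xt_TEE` module), which clones each matching packet to a gateway on a directly attached network. The script below is an added example for this thread, not something from Security Onion or the poster; it only emits the rules for an interface and sensor address (`eth0` and `192.0.2.50` are placeholders) so they can be reviewed before being piped to a shell.

```sh
#!/bin/sh
# Added example: generate iptables TEE rules that copy traffic crossing a
# Linux router to a passive sensor on the same LAN segment.
# Interface and sensor address are illustrative assumptions.

# mirror_rules IFACE SENSOR_IP  -> prints one rule for ingress, one for egress
mirror_rules() {
    iface="$1"
    sensor="$2"
    # Packets arriving on IFACE are cloned before routing; packets leaving via
    # IFACE are cloned after routing. TEE only delivers to an L2 neighbour, so
    # the sensor must sit on a network directly attached to the router.
    printf 'iptables -t mangle -A PREROUTING -i %s -j TEE --gateway %s\n' "$iface" "$sensor"
    printf 'iptables -t mangle -A POSTROUTING -o %s -j TEE --gateway %s\n' "$iface" "$sensor"
}

# Usage: sh mirror.sh eth0 192.0.2.50          (review the rules)
#        sh mirror.sh eth0 192.0.2.50 | sudo sh (apply them)
if [ "$#" -eq 2 ]; then
    mirror_rules "$1" "$2"
fi
```

Two caveats answer the "efficient" part of the question. Every cloned packet costs router CPU and doubles the load on the sensor-facing link, which is fine for a home WAN link but not for a busy gateway. And only traffic that actually traverses the router is copied; LAN-to-LAN traffic switched locally never reaches these chains, so an infected host talking to a neighbour stays invisible. The sensor should capture promiscuously on its interface (the clones keep their original IP headers) and must not forward them onward.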

------
LinuxFreedom
A few years ago many people understood that retroactive monitoring will not
give you any security related benefit, as it is always _too late_ when you get
an alert.

Some of these interesting products then also put "intrusion prevention" into
their product descriptions.

Isn't that too a questionable promise?

------
hsnewman
Ok, not to start an OS war, but I run pfsense, which has snort (and IPS), and
pretty much any other security tool you can imagine, and it's based on BSD
rather than Linux, which has a history of being more secure.

~~~
nxzero
Generally speaking, most systems are as secure as the intent to make them secure
divided by the intent to make them not secure; there's no reason to believe
BSD is an exception.

~~~
ethbro
Where "intent to make them not secure" can also be written as intent to make
them easy to use without thinking about security.

------
toss1941
The best part of Security Onion 12.04 for me was the pre-built Snorby
instance, which was pure hell to install manually due to all the old
Ruby/Rails dependencies that it had.

------
startuphacker
Security Onion intrigued me a couple years back when I heard about it. I think
it was on the Linux Action Show.

I have been using Alien Vault OSSIM
([https://www.alienvault.com](https://www.alienvault.com)) for a few years and
haven't seen any reason to switch. But this does look like a great project
still.

